What Nonprofits Should Look for in a SaaS Provider
By selecting a vendor that has made an investment in its support infrastructure, nonprofits ensure that they are partnering with a provider for which service and support is a priority. In addition, vendors with multiple customer support tiers offer nonprofits the flexibility to obtain the support that’s right for them.
State-of-the-art data security
The question on most nonprofit professionals’ minds surrounding software as a service is, “Will my data be secure with a SaaS provider?” The answer is: It depends on the vendor.
Data security is one area where no nonprofit can afford to compromise or skimp in its vendor selection. To confirm that a SaaS vendor's security controls have actually been examined by someone other than the vendor, nonprofits should insist on providers that are PCI DSS compliant and that have completed a SAS 70 Type II audit.
The Payment Card Industry Data Security Standard (PCI DSS) was created jointly by Visa and MasterCard to replace their separate programs with a common set of security requirements, and all major credit card brands in the U.S. have since endorsed it. Any entity that stores, processes or transmits cardholder data, or that could otherwise affect its security, has been required to be PCI compliant since June 30, 2005.
The standard consists of 12 requirements, and it also obliges organizations to validate their compliance annually and to have external network scans performed quarterly by an independent, approved scanning vendor. A SaaS provider that is not PCI compliant cannot demonstrate that it protects sensitive data to the same extent as a compliant vendor, whatever it may promise in its marketing.
Nonprofits should also insist on working with SaaS providers that have completed a SAS 70 Type II audit of their controls and procedures. A Type II audit does not merely describe the controls a provider claims to have (as a Type I does); an independent auditor tests whether those controls actually operated over a period of months. In today's business environment, service organizations such as SaaS vendors must demonstrate that they have adequate controls and safeguards when hosting data belonging to their customers. In addition, Sarbanes-Oxley now requires the CEOs and CFOs of publicly traded companies to take personal responsibility for the effectiveness of internal control over financial reporting, so the SAS 70 audit has become the preferred way for service organizations to give assurance to clients subject to Section 404. Private companies are not subject to the same requirements, so their safeguards are not automatically held to the same audited standard. One caveat a practitioner should keep in mind: SAS 70 is an audit of controls relevant to a customer's financial reporting, not a security certification, so ask the vendor which controls the audit actually covered before treating the report as proof of data security.