What every SaaS business should know about compliance

Compliance and Security

Vendr | SaaS compliance
Written by
Emily Regenold
Published on
April 7, 2021
Read Time

Vendr | TwitterFacebook iconVendr | LinkedIn

Compliance doesn’t have to be an intimidating 10-letter word. In fact, meeting SaaS compliance requirements could bring security to your infrastructure and protect your customers. Being compliant could also instill trust with your customers and potential clients, helping grow your company.

Let’s take the car lease analogy we used for the service level agreement fundamentals post as an example. (If you’re unfamiliar, hop over and take a look—it’s right in the introduction.)

After you’ve leased the car, you might be responsible for basic maintenance. But where will you have your car maintained? You’ve invested in a new car, one that you’ll want to keep running reliably. Also, you’re responsible for keeping the car in good condition up until you return it. So will you want to take your car to any maintenance shop? Maybe not.

Our guess is you’d feel better if your car went to a certified mechanic. Why? Because that certification tells you that the mechanic and facility underwent study, training, and testing and reached a proficiency level deserving of a certificate. In other words, you can trust that your car is in good hands.

SaaS compliance works similarly. But what exactly is SaaS compliance?

What is SaaS compliance?

SaaS compliance means your company meets a certifying organization’s set of standards and policies. Often, SaaS compliance involves the use, storage, and sharing of data, and meeting compliance means that your company has taken steps to protect its and your customers’ assets and data.

Usually, independent third-party organizations establish a set of standards and guidelines for the industry to follow. They can also certify companies that comply.

Why consider implementing SaaS compliance?

From another perspective, you could view compliance as a form of security or risk management.

For example, as your company grows, you might add more SaaS tools to your SaaS stack. Without the proper security measures for your team, each app user could become a potential security risk. Apps developed outside of security requirements could open your and your customers’ data to cyberthreats or data leaks, leaving your assets vulnerable to cyberattacks.

Moreover, according to a 2025 forecast by Gartner, 99% of cloud security failures will be the users’ fault (read: your employees’ fault).

To further stir the pot, operating third-party SaaS solutions adds responsibilities that software developers didn’t have to worry about in the past. Now, SaaS providers must provide proof of a dependable and safe environment.

And as proof that you provide a safe and reliable SaaS product or service, your customers might require certification from a third-party firm. The certifying firm might examine your product’s availability, confidentiality, privacy principles, processing integrity, and security.

Needless to say, your company may find it challenging to meet compliance. However, the rewards could be worth the effort because compliance could mean:

  • Opening up new markets
  • Making quicker sales
  • Establishing trust with customers that ensures renewal
  • Building up your company’s data security

When it comes to improving your data security and growing your business, compliance can be a valuable part of your strategy. Whether you’re looking to expand in a particular industry or other nations, you need to stay on top of the latest regulations to stay competitive. We cover these in the next section.

See our 2024 guide to the best compliance management software for detailed information on the best software solutions.

Examples of SaaS compliance (in alphabetical order)

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a comprehensive European data protection law. It provides data rights for individuals and increases compliance responsibilities for organizations. At its core, the GDPR grants European Union (EU) residents greater control over their data. It also gives national regulators new powers to impose significant fines on organizations that breach this law.

Under the GDPR, EU residents can:

  • Access their data
  • Correct errors in their data
  • Erase their data
  • Object to the processing of their data
  • Export their data

ISO/IEC 27001

The International Organization for Standardization (ISO) prepares standards through ISO technical committees. ISO also collaborates with the International Electrotechnical Commission (IEC) on electrotechnical standardization matters. Specifically, ISO provides a family of standards for information security management systems (ISMS). ISMSs manage information risks and provide a framework that identifies, analyzes, and mitigates these risks.

While ISO/IEC 27001 isn’t a regulation exactly; it’s a standard your SaaS company can use as a guideline to manage security risk compliance. Per ISO, “Using [the standards in the ISO/IEC 27000 family] enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.” You can also use them as formal compliance assessments to achieve certification by accredited auditors.

Service Organization Control 2

Service Organization Control 2 (SOC 2) is an auditing process. It’s based on the Auditing Standards Board of the American Institute of Certified Public Accountants’ (AICPA) existing Trust Services Criteria (TSC). A SOC 2 report evaluates an organization’s information systems to check if the company follows its principles. Organizations that are SOC 2 compliant adhere to a strict set of principles to manage customer data securely.

In short, SOC 2 is the guidelines and policies your company complies with daily when handling customer data. SaaS companies often comply with SOC 2 first because it’s a common compliance framework designed for businesses that store customer data in the cloud. To be SOC 2 certified, you must build and follow strict information security policies and trust service criteria.

Other industry-specific regulations

Health Insurance Portability and Accountability Act

According to the US Department of Health and Human Services (HHS): “The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law. It required national standards to protect sensitive patient health information from being disclosed without their consent or knowledge. HHS issued the HIPAA Privacy Rule to implement the requirements of HIPAA. And the HIPAA Security Rule protects a subset of information covered by the Privacy Rule.” This law affects healthcare services primarily.

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard developed by The PCI Security Standards Council.

Its purpose is to help organizations protect customer account data by including requirements for:

  • Network architecture
  • Policies
  • Procedures
  • Security management
  • Software design and more

New York Cybersecurity Regulation

On March 1, 2017, The New York State Superintendent of Financial Services enacted the New York Cybersecurity Regulation (23 NYCRR 500). The regulation establishes cybersecurity requirements for financial services companies. The requirements address growing threats posed to information and financial systems by nation-states, terrorist organizations, and other cybercriminals. As a result, 23 NYCRR 500 affects SaaS companies that operate in the finance or fintech space and licensed under banking, insurance, or financial services laws of New York State.

Federal Financial Institutions Examination Council

The Federal Financial Institutions Examination Council (FFIEC) is a council made up of many agencies to prescribe uniform principles and standards. FFIEC guidance provides a framework for examiners to audit companies like yours. Complying and passing audits can help your organization meet business objectives like expanding into new markets or merging with another company.

SaaS compliance tips

Let’s review a few tips to help you prepare for SaaS compliance.

1. Appoint a chief compliance officer (CCO).

Appoint a chief compliance officer (CCO) to oversee and manage regulatory compliance issues.

The CCO would be responsible for:

  • Leading your company’s compliance efforts.
  • Designing and implementing internal controls, procedures, and policies to comply with local, state, and federal laws and regulations—plus third-party guidelines.
  • Ensuring your company can manage compliance risk, audits, and investigations into applicable regulatory and compliance issues.
  • Responding to requests from certifying and regulatory bodies.

2. Ensure collaboration between the compliance and IT teams.

The compliance department should collaborate with IT and human resources teams. This collaboration should ensure your SaaS environment’s security and organization-wide compliance with security regulations and rules. It should also develop and provide compliance training for relevant team members.

3. Establish a code of conduct.

Establish a code of conduct for your compliance program to define its purpose and set expectations for company behavior.

4. Follow CIS benchmarks.

Ensure you configure your infrastructure following CIS benchmarks and your cloud provider’s best practices guidance.

How Vendr can help with SaaS compliance

While Vendr can’t grant compliance, our tool can help you with compliance management. Support your compliance program with a system of record for all your SaaS applications that always stays up to date with SaaS codex: SOC 2, GDPR, ISO 27001, and more. You can also streamline your compliance program maintenance with workflows and automation.

Emily Regenold
Emily Regenold
LinkedIn icon
Chief of Staff
Emily is the Vendr's Chief of Staff, leading the company's brand and external communications.

Similar posts

Learn more about finding, buying and managing your SaaS stack with resources from our experts.

Built-in vs 3rd Party AI: How to Approach Adding Generative AI to Your Software Stack

David Porter

SaaS Buying
Compliance and Security
Built-in vs 3rd Party AI: How to Approach Adding Generative AI to Your Software Stack

The odds are extremely high that your team has already used the ChatGPT in their work. If that speeds up their work and reduces repetitive busy work, that’s a win for your team’s productivity. If that comes at the expense of data security, though, or opens up your company to potential copyright lawsuits, the benefits might not be worth the risk.

Read post
2023 business priorities: The critical link between new business, security, and compliance

Vendr Team

Compliance and Security
SaaS Trends
2023 business priorities: The critical link between new business, security, and compliance

Learn how businesses prioritize data security, compliance, & growth in 2023. Discover top cybersecurity tools, compliance standards & strategies to build customer trust while protecting your business. Invest in robust security systems, adopt cloud & app security, and leverage data-driven decision-making.

Read post
Your practical guide to SaaS security

Vendr Team

Compliance and Security
Your practical guide to SaaS security

In this guide, we’ll share best practices for building a realistic and usable SaaS security stack that’s focused on how modern organizations conduct business.

Read post