
SaaS Requirement Checklist

Luis Praxmarer

CIOs should view the SaaS provider opportunity as a business decision. In other words, there are some basic requirements that a SaaS provider must meet in order to be considered. The following list includes many, but not all, of the key characteristics of a potential SaaS partner. While a positive response is expected in most cases, the actual response will vary based on the client and the service/product being offered. Depending on the country and the regulatory requirements, special questions may need to be added.

Environmental Stability and High Availability

  • Is the provider’s service hosted on their own equipment, in their own data center?
  • Is the facility scalable? To what extent?
  • Is there redundant power, UPS or generators installed in the Data Center?
  • Is there backup AC installed in the Data Center?
  • Is there emergency lighting in the Data Center?
  • Does the SaaS provider use more than one network provider?

Physical Security

  • Is the Data Center secured using badge access and/or biometric access?
  • Is the list of personnel admitted to the Data Center reviewed at least monthly?
  • Are cameras used within the Data Center to monitor all activities?
  • Are logs kept of all personnel that are admitted to the Data Center?
  • Are intrusion detection or intrusion prevention systems used?
  • Are vulnerability assessments performed every six months by a third party?

System Security

  • Are the hosting facilities SAS 70 Type II Certified?
  • Is the SaaS provider PCI compliant?
  • Is the SaaS provider HIPAA compliant?
  • Are there any other certifications that apply?

Data Segregation

  • Does the SaaS provider offer sufficient data security/segregation controls? What are they?
  • Are data access audit logs maintained for all activity within the environment?
  • Is access to client data limited to senior, vetted SaaS administrators?

Data Management

  • Is data encryption used when data is at rest?
  • Is data archiving available?
  • Is there a plan in place to investigate in case of breach?

Business Continuity & Disaster Recovery

  • Are there provisions for business continuity?
  • Are there provisions for disaster recovery?
  • Is the data replicated to another location?
  • Are these services part of the basic package?
  • Can the data and service be restored within the enterprise’s parameters?

Identity Management

  • Does the SaaS provider offer single sign-on (SSO)?
  • Can the SaaS provider be integrated with Active Directory?

Service Desk Support

  • Does the SaaS provider offer multiple modes of contact, like phone, email, online?
  • Is the support desk available when the enterprise needs it? (24 x 5, 24 x 7?)
  • Do the response times meet the enterprise’s requirements?
  • What are the response times for critical, important and non-critical requests?
  • Is there active monitoring of the processing environment?

Resource Assistance

  • Is there a dedicated account management representative?
  • Is there consulting assistance available for integration, modification, etc.?

Service Interruption Notification and Formal Processes

  • Is there advance notification of upgrades, patches, and maintenance?
  • How is the client notified?
  • Does the SaaS provider have a formal change management process?

Standards, Policies, Guidelines, Procedures

  • Does the SaaS provider follow any architecture frameworks?
  • Does the SaaS provider manage projects using a standard methodology?
  • Are the SaaS provider’s standards, policies, guidelines and procedures documented and communicated throughout their client?
  • Are there formalized change, problem, incident management processes?


  • Are there standard, easy-to-use APIs?
  • Can the client access the data directly?

Service Level Agreements

  • Does the SaaS provider offer SLAs based on end-to-end performance?
  • Are credits paid if the provider does not meet SLA provisions?
  • Are periodic meetings with the service provider part of the SLA process?
  • Is there an escalation/notification process in place?

SaaS Provider Stability

  • Does the SaaS provider offer dedicated environments?
  • Does the SaaS provider offer shared environments?
  • How many years has the SaaS provider been in business?
  • Are they making a profit?
  • Are they privately held?
  • Are all of their personnel employees of the company?
  • Does the SaaS provider have a formalized product/service development roadmap?
  • Does the SaaS provider solicit customer input for their roadmap?
  • Do they allow potential customers to trial their service/software?


  • Does the base price include implementation, integration, set-up, etc.?
  • Is the pricing structure based on the number of users?
  • Is the minimum contract period one year?
  • Are volume purchase agreements available?
