SOC · 28 min read · 15 May 2026

SaaS Vendor Security Due Diligence Checklist (2026)

What enterprise customers ask for before signing your SaaS contract — and how to prepare. Security questionnaires, SOC 2 reports, DPAs, pen tests, and more.

You've built a great product. The enterprise prospect loves it. Then their procurement team sends you a 200-question security questionnaire. Deal stalled.

Vendor due diligence is one of the biggest hidden conversion blockers for B2B SaaS — especially in regulated industries like finance, healthcare, and legal. This guide covers exactly what enterprise buyers ask for, when they ask, and how to get ahead of it so you close deals faster.

Why Enterprise Customers Run Vendor Due Diligence

Enterprises have their own regulatory and compliance obligations — GDPR, HIPAA, SOC 2, PCI DSS, ISO 27001, financial services regulations — that require them to assess and manage third-party risk. When they sign a contract with your SaaS, they're taking on risk: if you're breached and their customer data is exposed, it's their problem too.

Their legal and compliance teams require them to document that they've assessed vendor risk before onboarding. A vendor security review isn't personal — it's their compliance requirement.

The 5 Categories of Vendor Due Diligence

1. Security posture (most common)

Questions about your technical security controls:

  • Do you have MFA enabled for all systems? For all employees?
  • Do you have a SOC 2 report? Type 1 or Type 2? What period?
  • Do you conduct penetration tests? How frequently? By whom?
  • How do you handle vulnerability patching? What are your SLAs for critical CVEs?
  • How is data encrypted at rest and in transit?
  • Do you have a WAF / DDoS protection?
  • Do you use a SIEM or centralised logging?
  • What is your incident response plan? Have you ever had a breach?

2. Data handling and privacy

Questions about how you handle their data:

  • Where is data stored? In what regions / countries?
  • Do you have a GDPR DPA (Data Processing Agreement) available?
  • Do you have sub-processors? Who are they? Do you notify when you add new sub-processors?
  • What data do you access and for what purposes (production vs support access)?
  • How long do you retain data? What happens at contract termination?
  • Do you process special categories of data / sensitive personal information?
  • Do you comply with CCPA? HIPAA? (depending on their jurisdiction and use case)

3. Business continuity and reliability

  • What are your RTO (Recovery Time Objective) and RPO (Recovery Point Objective)?
  • How frequently do you test backups and disaster recovery?
  • What is your uptime SLA? Can you provide historical uptime data?
  • Do you have a BCP (Business Continuity Plan)?
  • What happens if you go out of business — can we export our data?

4. Access and personnel controls

  • Do employees undergo background checks?
  • Do you have a security awareness training programme?
  • What is your offboarding procedure to revoke access?
  • Who has access to production systems and customer data?
  • Do contractors have the same security requirements as employees?
  • Do you have a clean desk / clear screen policy?

5. Legal and compliance

  • In which jurisdictions are you incorporated? Where is data processed?
  • Are you subject to any government data access laws (e.g., CLOUD Act, FISA)?
  • Do you have cyber liability insurance? What is the coverage amount?
  • Have you had any regulatory investigations, enforcement actions, or material breaches?
  • Do you have written information security policies?
  • Are you ISO 27001 certified? SOC 2 audited?

The Trust Stack: What to Prepare

Rather than scrambling when a questionnaire arrives, build this stack in advance. It's what separates SaaS companies that close enterprise deals from those that lose them to compliance friction:

| Document / Evidence | What it proves | How to get it |
|---|---|---|
| Information Security Policy | You have documented security controls | Write one — use a template or generator |
| SOC 2 Type 2 Report | Independent audit of your security controls over time | Engage a SOC 2 auditor ($10–30k, 6–12 months) |
| SOC 2 Type 1 Report | Faster, cheaper starting point for audits | $5–15k, 1–2 months once controls are in place |
| Penetration test report | External validation of your application security | Annual pentest from reputable firm ($8–25k) |
| GDPR DPA | Legal contract governing how you process EU customer data | Generate free at complykit.com |
| HIPAA BAA (if applicable) | Legal contract for US healthcare customers | Generate free at complykit.com |
| Sub-processor list | Transparency about who else touches their data | List all services: AWS, Stripe, analytics tools, email, etc. |
| Privacy Policy | Legal disclosure of data handling practices | Generate free at complykit.com |
| Incident Response Plan | You have a documented process for handling breaches | Part of your InfoSec Policy or separate document |
| Business Continuity Plan | You can operate and recover from disruptions | Document RTO/RPO, backup testing, recovery procedures |
| Security questionnaire (pre-answered) | Speeds up due diligence significantly | Use a standard format (CAIQ, SIG, or your own) |

Standard Security Questionnaire Formats

Enterprise procurement teams use standardised questionnaire formats. If you pre-complete one of these, you can share it immediately rather than filling out custom questionnaires from scratch for each customer:

  • CAIQ (Consensus Assessments Initiative Questionnaire): From the Cloud Security Alliance. Free, widely accepted, ~261 questions. Good starting point for cloud/SaaS.
  • SIG (Standardised Information Gathering): From Shared Assessments. 800+ questions, more comprehensive. Used by financial institutions.
  • VSAQ (Vendor Security Assessment Questionnaire): From Google — open-source, free, tool-assisted. Good for tech vendors assessing other tech vendors.
  • Custom questionnaires: Most enterprises will still send their own. But if you've already answered CAIQ, you can reference it and fill custom questions only where your CAIQ answers don't cover them.

The SOC 2 Path for Early-Stage SaaS

SOC 2 is the gold standard for SaaS security credibility in enterprise sales. But it's expensive and time-consuming. Here's the practical path:

Stage 1: Pre-SOC 2 (0–6 months)

  • Write and implement core security policies (InfoSec policy, access control, incident response)
  • Enable MFA on all systems
  • Implement RBAC and access reviews
  • Set up centralised logging
  • Run your first internal vulnerability scan
  • Answer the CAIQ and publish a trust centre (Notion, trust page on website)

Stage 2: SOC 2 Type 1 (3–6 months)

  • Engage a SOC 2 auditor (readiness assessment first, then Type 1)
  • Type 1 = point-in-time design audit
  • Get the report, share it under NDA with enterprise prospects
  • Cost: $10–25k depending on auditor and complexity

Stage 3: SOC 2 Type 2 (12 months of evidence)

  • Collect 6–12 months of evidence that your controls are operating effectively
  • Annual re-certification
  • Cost: $15–40k/year ongoing
  • ROI: unlocks Fortune 500 / enterprise customers who require it

Building a Trust Centre (Before SOC 2)

You don't need to wait for a SOC 2 report to start closing enterprise deals. A well-organised trust centre can handle many due diligence requests:

  • Overview of your security controls (reference your InfoSec Policy)
  • Infrastructure summary (cloud providers, regions, encryption)
  • Compliance certifications (SOC 2 once available; GDPR DPA available now)
  • Sub-processor list with links to their security pages
  • Uptime / status page link
  • Contact for security questions
  • Pre-answered CAIQ or security questionnaire

Companies like Drata, Vanta, and Secureframe offer trust centre software, but you can start with a simple page on your website or a shared Notion doc. The content matters more than the format at the early stage.

When You'll Face Due Diligence (by Deal Size)

| Deal Size (ARR) | Typical Requirements | Typical Timeline |
|---|---|---|
| <$10k | Privacy policy review, basic security questions in an email | 1–3 days |
| $10k–$50k | Security questionnaire (50–100 questions), DPA, sub-processor list | 1–2 weeks |
| $50k–$200k | Full security questionnaire, DPA, InfoSec policy, pen test summary, insurance certificate | 2–6 weeks |
| $200k+ | SOC 2 report required, full CAIQ/SIG, legal review, on-site or video security review, insurance certificate, BC/DR plan | 4–12 weeks |

The lesson: the earlier you build your trust stack, the fewer deals you lose at the finish line.

👉 Generate a SOC 2–ready Information Security Policy — the first document enterprise customers ask for. Free, no account required.

👉 Generate a GDPR Data Processing Agreement for your EU customers — required for GDPR compliance and standard in enterprise vendor reviews.

Key Takeaways

  • Enterprise vendor due diligence typically covers 5 areas: security posture, data handling, business continuity, personnel controls, and legal compliance.
  • Build your trust stack in advance: InfoSec policy, DPA, sub-processor list, and pre-answered CAIQ at minimum.
  • SOC 2 is the gold standard for SaaS — but you can start with documented policies and a trust centre while your audit period accumulates.
  • The cost of not preparing is losing enterprise deals at the finish line — after months of sales effort.
  • A well-prepared InfoSec policy + DPA + sub-processor list closes 80% of <$50k ACV deals without a SOC 2 report.