In today's world, data is arguably the most valuable currency. In fact, selling personal data is a multi-billion dollar industry. If you leave your wallet or purse at the store, you can just turn around and go back. Those items are physical. However, entering your personal data/documents into a technology vendor's servers is entirely different, and there's generally no way to get that data back.
It's time to consider the vendor you're willing to trust, and how much that trust could cost you, your organization and most importantly - your clients. We are now able to sign and notarize documents digitally, which is a tremendous achievement in this unprecedented time we are living in. It's time to consider what is happening with that data. Documents needing to be signed or notarized hold some of the most personal and sensitive pieces of information, and it's important to consider where these documents are stored and for how long.
This is surprisingly simple - just ask for it! Most powerhouse companies, such as larger law firms and healthcare providers, will always conduct a full security review and ask for what's called a Due Diligence package. This gives them an inside look at where the data is stored, how often the security controls are reviewed (quarterly, yearly, etc.), any previous security breaches, and the process for containing and mitigating the impact of a breach in the future.
Ideal answer: Yes. We will happily send that documentation for you to review. If you get anything but a "yes" here, steer well clear of this vendor.
Likelihood of getting this answer: 30%
Ideal answer: Yes. Routine access to client data is logged. Static security scans are performed on the source code. Automated and manual dynamic security scans are performed on the running system. An intrusion detection system monitors the network and performs network security scans.
Likelihood of getting this answer: 60%
Ideal answer: All vendor relationships must be supported by a written contract that has been approved by senior management and, for more significant contracts, legal counsel. The relationship manager should review contract terms for all third-party arrangements in sufficient detail as required by the service performed and the level of risk.
Likelihood of getting this answer: 60%
Ideal answer: Yes. We have multiple third-party companies that conduct regular assessments.
Likelihood of getting this answer: 20%
Ideal answer: Yes. Documents are encrypted in transit and at rest with 256-bit encryption and are only visible to the sender and the receiving party in that particular session or transaction.
Likelihood of getting this answer: 90%
In my experience, most companies will start off asking the software vendor questions about pricing or functionality. Security comes up most of the time, but it is usually one of the final steps in making a decision. Your clients and their data are the lifeline of your organization, so why wait to bring up such a paramount concern? The best vendors are the ones who relish the opportunity to answer these questions and concerns, because they understand how important your clients' data is. If a vendor avoids these questions, you should find an alternative.