SaaS and Compliance
If your business is subject to compliance, whether it’s based on the law or industry rules, your Software-as-a-Service (SaaS) applications will be part of the picture. Like any other area of the IT estate, your SaaS apps must enable compliance. This article explores the issue and offers some recommendations for how to keep your SaaS apps in compliance with relevant regulations and standards.
What is SaaS compliance?
To understand what SaaS compliance is, it’s worth stepping back and considering the relationship between technology and compliance in general. While certain kinds of compliance are not specifically about technology at all, such as financial controls in Sarbanes-Oxley, in reality nearly every aspect of compliance connects to some type of information technology. Given that businesses use computers for virtually all operational and financial processes, whatever software, infrastructure, and data affect those processes are subject to compliance.
SaaS is no exception. Just as consumers’ personally identifiable information (PII) is regulated by privacy laws when it’s stored in on-premises data systems, it is also subject to those laws when it is stored on a SaaS application. It does not matter that the SaaS app runs on the SaaS vendor’s infrastructure. You are still responsible for ensuring compliance. The difference with SaaS is that some of the compliance is your job, while other things, like security of infrastructure, are the duty of the SaaS vendor.
In practice, this means ensuring that your business meets the criteria set by a compliance certifying organization. For example, with Payment Card Industry Data Security Standard (PCI DSS), your SaaS vendor will have to pass a PCI DSS certification audit. And, whatever systems you have that integrate with that SaaS app will need to possess controls that can pass a PCI DSS certification audit.
Examples of SaaS compliance
Here are some of the more common areas of compliance that bear on SaaS applications:
The General Data Protection Regulation (GDPR) — This European Union (EU) law is intended to protect individuals’ privacy. It ensures data rights for EU residents, which translates into compliance obligations on the part of businesses. Violating GDPR can result in serious fines. The law gives EU residents a great deal of control over their personal data. For example, they can access their data, erase it, or correct errors in it. SaaS comes into play if a business is storing EU residents’ private data on the SaaS app, e.g., through a customer relationship management (CRM) system. To be SaaS compliant, the SaaS vendor has to provide the kind of data access and reporting that the law requires. On a related front, some European laws require “data sovereignty,” which calls for storing citizens’ data in their country of residence, e.g., German citizens’ data must be stored in Germany, and so forth. In this case, a SaaS vendor must be able to store data in the right country—and be able to demonstrate to auditors that it has done so.
Service Organization Control 2 (SOC2) — SOC2 is an audit process based on the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board’s Trust Services Criteria (TSC). SOC2 verifies whether a company’s IT systems follow TSC principles, which mostly have to do with secure management of customer data. Becoming SOC2 certified means developing and enforcing stricter data security policies. Many popular SaaS applications, particularly those that deal with business transactions, have passed a SOC2 audit.
The International Organization for Standardization (ISO) ISO/IEC 27001 — This is not a regulation or industry-specific set of rules. Rather, ISO/IEC 27001 is a standard, a collection of guidelines for information security. In terms of SaaS, ISO/IEC 27001 recommends policies for entrusting data to a third party, such as a SaaS vendor.
Health Insurance Portability and Accountability Act (HIPAA) — This 1996 US law requires certain kinds of healthcare data, such as patient medical records, to be stored on infrastructure owned by the healthcare provider. The provider must pass a HIPAA audit, which may involve demonstrating that the provider is not storing patient data in a SaaS system.
PCI DSS — This multifaceted security standard was developed by The PCI Security Standards Council, which represents the payment card industry. It is not a law like GDPR, but it is required for businesses that process payment card transactions. Any SaaS vendor that wants to handle payment cards must pass a PCI DSS certification. For SaaS customers, the PCI DSS audit process may examine how a SaaS provider handles customer card information. It looks at security management, software design, policies, and procedures.
Other regulatory schemes that can affect how SaaS vendors operate, as well as how their customers interact with SaaS, include the New York Cybersecurity Regulations, which deal with financial services firms’ cybersecurity, and rules from the Federal Financial Institutions Examination Council (FFIEC).
Getting SaaS compliant
Making sure your company’s SaaS is compliant need not be a major undertaking. In some cases, it will merely involve checking that your SaaS vendors meet the relevant compliance requirements. On your end, you have to understand where SaaS apps handle data that’s applicable to compliance. For example, if you have a SaaS-based enterprise resource planning (ERP) system, you need to know what financial and customer data it stores. You may also need to map out how a SaaS ERP handles controls over accounting procedures, if that is necessary for compliance.
Getting SaaS compliant tends to be a cross-organizational process. Stakeholders from IT, security, audit, and legal need to get involved and collaborate. This is true for many areas of compliance, but with SaaS there is the added risk of business units arranging for SaaS on their own, without telling IT or security. The potential exists for accidental lapses in compliance due to such “shadow IT” situations. An open dialogue about SaaS compliance can avoid these risks.
Use of SaaS can affect compliance. SaaS apps may store data that’s subject to compliance rules, such as GDPR and EU residents’ private information. It is essential to know what data is being handled by SaaS vendors in your organization—and that they are able to pass compliance audits or certifications. Getting to success involves including SaaS in existing compliance preparation and audit processes, which may necessitate cross-organizational cooperation.