Saas trust

There are more than 15,000 SaaS companies in the world. Most of us use several every day for work, personal organization, or entertainment. While each SaaS product we use adds a lot of value to our lives, they also create some risk.

SaaS applications store your data in the cloud. This makes it easy to access from any location, but it also puts your data at risk. If you can access it anywhere, so could malicious parties who might want to use your data for nefarious purposes.

But what is “data?” Doesn’t that apply to big companies that collect mountains of information on their customers and users? Yes, but you create data as well. Many people think they do not own or use data in their day-to-day lives, so they do not consider the trustworthiness of their applications.

“In computing, data is information that has been translated into a form that is efficient for movement or processing,” explains Jack Vaughan on TechTarget. “Relative to today’s computers and transmission media, data is information converted into binary digital form. It is acceptable for data to be used as a singular subject or a plural subject. Raw data is a term used to describe data in its most basic digital format.”

Essentially, you create data whenever you put your information into a digital format, like when you add your gym schedule to your calendar, when you log tasks in your time tracking app, or when you tell Alexa to make a shopping list. You probably create a lot of data every day without realizing it.

But not all data is equal. Some data is far more sensitive than others. You probably do not care if anyone knows your shopping list, but you do not want people to access confidential client information. Yet we input our sensitive data into applications all the time. 

This begets an important question: Can we trust our SaaS products with our data? How do we know they have the desire and ability to keep our information private? Do they use our data responsibly, ethically, and accurately?

To determine if you can trust a SaaS product with your data, you’ll need to ask yourself six important questions: 

  • Do they value privacy?
  • Do they have security protocols?
  • How do they handle data breaches?
  • Do they have disaster recovery protocols?
  • Do other users trust the product?
  • What are the risks?

In this article, we will go through each question and help you decide whether a particular SaaS application is trustworthy.

Can we trust our SaaS products with our data? How do we know they have the desire and ability to keep our information private? Do they use our data responsibly, ethically, and accurately? Share on X

1. Do They Value Privacy?

This is the first question you should ask yourself. If you decide that a SaaS app does not value privacy, you do not need to ask yourself the other questions on this list. Just move on to a company that thinks privacy is important.

Data privacy refers to your right to be free from uninvited surveillance or interference. It is your right to create, store, access, and transfer your data under your own terms. Any product that can access your data should be transparent about what they do with it and stick to their own policies.

“Privacy forms the basis of our freedom. You have to have moments of reserve, reflection, intimacy, and solitude,” says Dr. Ann Cavoukian, former Information & Privacy Commissioner of Ontario, Canada. Dr. Cavoukian is one of the creators of Privacy by Design (PbD), a set of principles that guides many pieces of major data privacy legislation.

Opt to use companies that put data privacy at the front of product design. They should mention data privacy in their company values and/or mission statement. Their leaders should talk about data privacy often, to customers, investors, and the press. Every decision they make (regarding their operations, sales, and growth) should begin from a position of data privacy.

2. Do They Have Security Protocols?

Saas trust

Security protocols are “a sequence of operations that ensure protection of data,” explains PCMag. “Used with a communications protocol, [they provide] secure delivery of data between two parties. The term generally refers to a suite of components that work in tandem.”

Security protocols include three main components: Authentication, authorization, and encryption. These are the standard features that apply to all SaaS applications.

Authentication

Authentication is used by the server to know exactly who is accessing the information. It is also used by the client (the app on your phone, for instance) to accept that the server is what it claims to be. Authentication is the practice of each party determining that the other party is legitimate.

Authorization

Authorization is when the server determines if the client has permission to access a particular file or use a resource. It is the process that gives you access to your files, but prevents everyone else from accessing them.

Encryption

Encryption is the gold standard of data security. Here’s the definition of encryption, according to Digital Guardian:

“Data encryption translates data into another form, or code, so that only people with access to a secret key (formally called a decryption key) or password can read it. Encrypted data is commonly referred to as ciphertext, while unencrypted data is called plaintext. Currently, encryption is one of the most popular and effective data security methods used by organizations. Two main types of data encryption exist – asymmetric encryption, also known as public-key encryption, and symmetric encryption.”

When data is encrypted, it is scrambled during transit so only the sender and the recipient can understand it. If a malicious party intercepts the data during the transition, they will not be able to read it.

Even the most basic websites use encryption these days to safely transmit information, so there is no excuse for SaaS applications to fail to use it. Major applications should have no trouble implementing encryption protocols that safeguard all information that is coming and going.

Furthermore, make sure whatever application you use also encrypts data at rest. This means that the data remains encrypted even when it is sitting unaccessed in a database, including all files, content, attachments, libraries, and any other form it takes.

Those three security protocols are non-negotiable. If the application you are using does not use those three tools, they do not deserve your data, your time, or your money.

3. How Do They Handle Data Breaches?

Saas trust

Data breaches are more common than ever. It seems like we hear about a new high-level data breach every day, often compromising thousands or millions of users’ personal data.

No system is unbreakable. Whenever we design a new level of security, hackers and other malicious parties start finding ways to penetrate it. So data breaches are inevitable, especially if you use popular applications that have lots of users.

You can tell a lot about a company, however, based on how they respond to a data breach. Are they upfront with customers? Do they react quickly so other malicious parties can’t breach their security as well? What steps do they take to compensate users for any damages they experience because of the breach?

If you input sensitive information into a SaaS application, check for any past incidents of data breaches. Investigate how they responded to these breaches. If they were honest with their users and fixed the problem promptly, your data is probably safe. But if they failed to respond quickly, or worse, denied the breach altogether, then you should not trust them with your data. A strong incident response plan shows that a company takes these matters seriously, demonstrating their commitment to protecting your data and keeping the lines of communication open when things go wrong.

Furthermore, check to see if any of your applications have public data breach policies. Ask yourself if that policy seems reasonable. Is the policy similar to other applications? When a data breach occurred, did the company follow their own policy?

4. Do They Have Disaster Recovery Protocols?

Disasters are not likely, but they can be devastating. If something catastrophic happens, you want to know that the SaaS applications you use every day have you covered by planning ahead of time to protect your data.

What kind of disaster might happen? Natural disasters, like earthquakes, floods, fire, tornadoes, or hurricanes are always possible. Terrorist attacks are considered as well. Your SaaS apps should also consider internal disasters as well, like corrupted data, employee mistakes, or malicious activity from inside the company.

Competent SaaS applications have disaster recovery plans in place in case something like this happens. They have systems ready to engage in the event of one of those terrible events.

Keep in mind, however, that many SaaS apps use third-party tools to manage their data. For example, a lot of apps use Amazon Web Services (AWS) as their cloud storage provider, including Netflix, Facebook, Twitter, LinkedIn, Twitch, ESPN, and Adobe. If you use any of those apps (and thousands of others), then Amazon has your data.

Obviously your data is pretty safe with Amazon, of course. They have data centers all over the world, with data backed up in multiple places. If your apps use AWS as their cloud storage provider, you can be reassured that you will not lose your data to a disaster. That said, if you want to ensure your data is safe against disasters, you should investigate the disaster response and recovery protocols for any vendor who may house or maintain it.

5. Do Other Users Trust the Product?

No matter how trustworthy the company seems, it is important to take everything they say with a grain of salt. After all, they are trying to sell you something. You can not assume they are always being honest.

So you will need to solicit the opinions of non-biased parties, which includes other people who use the product. If a majority of users think a product is safe, you can be comfortable in your decision to trust the product as well.

How do you get their opinions? By reading reviews. The reviews on the product’s site are always hand-picked by the company, so do not bother with those.

Instead, look for third-party review sites and blogs. Read their reviews carefully and check the comments to see if other users echo their opinions. Make sure any review you rely on is independent, meaning they are not paid by the product for their “opinion.”

If possible, speak directly to other users. This is important if you are considering the purchase of an enterprise SaaS product that you will be locked into for years. Encourage them to tell you what they like and do not like about the product.

If you plan to spend a lot of money with a SaaS app, or if you plan to give it your especially sensitive information, it might be helpful to have someone from their IT team sit down with someone from your IT team to discuss their security systems and how they use your data.

6. What are the Risks?

No matter how secure your SaaS applications appear to be, there will always be some risk when you send them your sensitive information. Ultimately, that information is out of your control the moment you input it into the application. You may have been able to come up with good answers to the above questions, but there will always be some risk you can not eliminate.

So it’s important to understand the risks of handing over your data and take steps to mitigate those risks.

For instance, is your data stored alongside other people’s data? If so, your risk increases because that data set becomes a bigger target. But if it is stored separately, there is less chance a malicious party will target it. The nature of your data changes your risk as well. Your daily meeting schedule is usually not sensitive information. But a list of your customers’ financial information is extremely sensitive. Losing control of it would create a huge risk.

In this case, it might make sense to use some SaaS applications for less sensitive data, but store your most sensitive data in-house. For instance, you might decide to use a cloud-based SaaS app for your company’s human resource system, but keep your clients’ confidential information on a private server.

Carefully consider all of the risks of trusting a SaaS application with your data. What could go wrong? What happens if you lose control of that data? What are the financial, reputational, or physical ramifications of letting someone else have that data?

Is Data Safe in the Cloud?

Generally, yes, your data is safe when stored in the cloud by the SaaS applications you use every day, providing you have good answers to the above questions.

While it is true that data in cloud databases is a bigger target (because there is more of it in one place for hackers to steal), the data is typically stored behind much stronger protections than you have on your home devices.

This is similar to putting your money in the bank. The bank is technically outside of your control, but the bank has much stronger protections than you can provide on your own. Your money is safer in the bank, even though you are asking someone else to hold it for you.

Nevertheless, it is important to ask yourself all of the questions we explained above. Go through them carefully and ask yourself if the SaaS apps you rely on every day meet your standards of trust, security, and privacy.

How Timing Keeps Your Data Safe

Timing is a time tracking app that automatically monitors how you spend time on your computer. Timing produces timesheets you can trust, even when you forget to start a timer.

We are aware of the privacy implications of this kind of tracking, which is why data privacy has always been at the forefront of our product development. We do not take screenshots of your computer. Our app does not store your data online because it is only stored locally on your machine – for your eyes only. We certainly do not sell your data because we never receive it.

Additionally, Timing’s team functionality lets you invite team members and share projects with them, but they can only see how much time you spent, not what you spent it on. No personal or private details are shared.

This means that when you use Timing, you retain full control over your data. It’s up to you whether you export it to send to your employer or your clients.

If you want to do something on your computer without tracking it, you can always pause Timing’s tracking feature at any time. From that point on, Timing is blind to whatever you do. Furthermore, Timing intentionally ignores anything you do in private browsing mode (like Chrome’s “Incognito” mode).

For more information about how we manage your personal information, we strongly encourage you to read our privacy policy.

Ready to try Timing? We offer a free 14-day trial. Download now.