VENDOR EVALUATION (15 items) ⏱️ 8-12 hours
Due Diligence:
[ ] SOC 2 Type II report reviewed
[ ] ISO 27001 certificate verified
[ ] Security documentation reviewed
[ ] Data processing agreement signed
[ ] Privacy policy reviewed
[ ] Terms of service reviewed
[ ] SLA acceptable (uptime, support)
[ ] Data residency confirmed (region)
[ ] Subprocessor list reviewed
[ ] Compliance certifications verified
[ ] Recent security incidents researched
[ ] Vendor financial stability checked
[ ] Customer references contacted
[ ] Alternative vendors identified (exit strategy)
[ ] Vendor added to risk register
ACCOUNT CONFIGURATION (30 items) ⏱️ 15-25 hours
Authentication & Access:
[ ] SSO/SAML integrated and tested
[ ] MFA enabled and enforced for all users
[ ] Password policy configured (if passwords allowed)
[ ] Session timeout configured
[ ] IP whitelisting enabled (if available)
[ ] User roles defined
[ ] Admin accounts use separate credentials
[ ] Service accounts created
[ ] API keys generated and secured
[ ] User provisioning process defined
[ ] User deprovisioning process defined
[ ] Quarterly access review scheduled
[ ] Emergency access procedure defined
Platform Configuration:
[ ] Account name/org configured
[ ] Billing configured
[ ] Support tier configured
[ ] Notification emails configured
[ ] Timezone set correctly
[ ] Data retention policies set
[ ] Backup frequency confirmed
[ ] Disaster recovery tested
Credential Management:
[ ] Credentials stored in platform vault only
[ ] No hardcoded secrets in workflows
[ ] Credential naming convention defined
[ ] Credential ownership documented
[ ] Credential rotation schedule defined
[ ] Test vs production credentials separated
[ ] Credential access audit logging enabled
[ ] Emergency credential revocation tested
WORKFLOW SECURITY (20 items) ⏱️ 20-30 hours
Development Process:
[ ] Workflow approval process defined
[ ] Code review checklist created
[ ] Testing environment available (separate account if needed)
[ ] Version control strategy defined
[ ] Workflow documentation standards
[ ] Change management process
[ ] Rollback procedures defined
Security Controls:
[ ] Input validation on user data
[ ] Output sanitization implemented
[ ] Error handling configured
[ ] Sensitive data handling procedures
[ ] Third-party integration security reviewed
[ ] API permissions minimized (least privilege)
[ ] Workflow secrets not logged
[ ] Production workflows approved
[ ] Workflow testing completed
[ ] Security review completed
[ ] Performance testing completed
[ ] Load testing completed
[ ] Disaster recovery tested
MONITORING & AUDIT (20 items) ⏱️ 15-25 hours
Logging & Alerting:
[ ] Audit logging enabled
[ ] Log export configured (to SIEM if required)
[ ] Failed login alerts configured
[ ] Privilege escalation alerts
[ ] Unusual workflow execution alerts
[ ] Credential access alerts
[ ] Admin action alerts
[ ] Billing alerts configured
[ ] Support ticket notification
Monitoring:
[ ] Workflow execution monitoring
[ ] Error rate monitoring
[ ] Performance monitoring
[ ] Cost monitoring
[ ] Security dashboard configured
[ ] Monthly security review scheduled
[ ] Quarterly vendor review scheduled
Incident Response:
[ ] IR plan includes vendor contact
[ ] Vendor security incident notification tested
[ ] Data export procedure tested
[ ] Backup restore tested
COMPLIANCE & DOCUMENTATION (15 items) ⏱️ 15-20 hours
Compliance:
[ ] Data classification completed
[ ] Privacy impact assessment (if PII)
[ ] Compliance mapping documented
[ ] Vendor compliance inherited
[ ] Gap analysis completed
[ ] Risk acceptance documented (for gaps)
[ ] Data processing agreement on file
[ ] Vendor in asset inventory
Documentation:
[ ] Architecture diagram (including SaaS)
[ ] Data flow diagram created
[ ] Security policies updated
[ ] Acceptable use policy created
[ ] User training materials created
[ ] Admin procedures documented
[ ] Support escalation documented
────────────────────────────────────────────────────────────
TOTAL CHECKLIST: 100 items
ESTIMATED EFFORT: 70-110 hours before production
────────────────────────────────────────────────────────────
TIME SAVED vs SELF-HOSTED: 130-190 hours (~60-65%)