SaaS Security & Compliance: SOC 2, HIPAA, GDPR Checklist

Published: May 30, 2026 | Read time: 24 min | Category: Compliance

The real cost of skipping compliance due diligence: A healthcare SaaS startup signs a contract with a cloud analytics vendor. The vendor has SOC 2 Type I but no HIPAA BAA. Eighteen months later, the startup's compliance auditors flag the vendor as a Business Associate without a signed agreement. Remediation: breach notification to 40,000 patients, $180K HIPAA fine, $60K legal fees, and a vendor migration that took 8 months. Total cost: $400K+.

This guide explains exactly what SOC 2, HIPAA, GDPR, and PCI DSS actually require from SaaS vendors — and gives you a 20-question compliance checklist you can use before signing any contract.

SOC 2: What It Is and Why Type II Matters

SOC 2 (System and Organization Controls 2) is an audit framework developed by the American Institute of CPAs (AICPA) that evaluates how a SaaS company manages security, availability, and customer data. It is the baseline compliance standard for US enterprise SaaS — but it is frequently misrepresented in sales conversations.

SOC 2 Type I vs. Type II: The Critical Difference

Factor	SOC 2 Type I	SOC 2 Type II
What it covers	Design of controls at a single point in time ("are the controls designed correctly?")	Operating effectiveness of controls over 6–12 months ("do the controls actually work, continuously?")
Audit duration	Point-in-time snapshot (can be achieved in 6–8 weeks)	6–12 month observation period, then audit
What it proves	Vendor has documented security policies	Vendor's security controls function reliably over time
Meaningful protection?	Limited. A vendor can pass Type I by writing policies and immediately ignoring them.	Yes. Auditors verify controls ran effectively throughout the period.
Typical cost to obtain	$15K–$30K for vendor to complete	$30K–$80K for vendor to complete
Acceptable for enterprise?	Only acceptable for very early-stage vendors as a stepping stone to Type II	Yes. The enterprise standard.

Sales tactic to watch for: Vendors often say "We are SOC 2 compliant" without specifying Type I or Type II. Always ask: "Type I or Type II? Can you share the full audit report, not just the attestation letter?" A vendor that only has Type I and cannot share the full report is a security risk.

What SOC 2 Actually Covers: The 5 Trust Service Criteria

SOC 2 audits are built around up to 5 "Trust Service Criteria." Security is mandatory; the rest are optional — and many vendors only get audited on Security.

Criterion	What It Covers	Required?	Why It Matters for You
Security	Logical and physical access controls, encryption, incident management	Yes — mandatory for all SOC 2	Core protection against breaches and unauthorized access
Availability	System uptime, performance monitoring, disaster recovery	No — optional	Critical if uptime SLAs are in your contract. Ask if Availability criterion is in scope.
Confidentiality	How confidential information (trade secrets, PII) is protected and disposed of	No — optional	Important for legal documents, HR data, financial data
Processing Integrity	Data processing is complete, valid, accurate, timely, and authorized	No — optional	Critical for financial processing, payroll, payment SaaS
Privacy	Collection, use, retention, and disposal of personal information	No — optional	Most relevant for SaaS handling consumer PII, marketing data

What to ask: "Which Trust Service Criteria are in scope for your SOC 2 Type II audit?" A vendor audited only on Security and not on Availability does not have a certified uptime guarantee — even if their marketing says otherwise.

GDPR: Data Processing Agreements and What They Must Cover

The General Data Protection Regulation (GDPR) requires that any company processing EU personal data on behalf of another company sign a Data Processing Agreement (DPA). If your company is a GDPR Data Controller and you use a SaaS vendor that processes EU personal data, you must have a DPA in place. No exceptions.

GDPR DPA Requirements: What Must Be Included

Article 28 of GDPR specifies the minimum content of a DPA. A valid DPA must include:

Subject matter and duration of the processing
Nature and purpose of the processing
Type of personal data and categories of data subjects
Obligations and rights of the controller (your company)
Data location: Which countries/regions will data be stored in? Is data transferred outside the EU/EEA? If so, what transfer mechanism is used (Standard Contractual Clauses, adequacy decision)?
Sub-processor list: Who are all third parties the vendor shares your data with? (AWS, Twilio, Stripe, etc.) You must be notified before new sub-processors are added.
Retention periods: How long is data retained? What happens at termination?
Breach notification: GDPR requires notification within 72 hours of becoming aware of a breach. Your DPA must require the vendor to notify you promptly enough that you can meet this deadline.
Data subject rights: How does the vendor support your ability to fulfill requests for access, deletion, portability, and correction?
Security measures: Specific technical and organizational measures (TOMs) — encryption, access controls, audit logs.

GDPR fine exposure: Fines for GDPR violations reach up to 4% of global annual revenue or 20 million EUR, whichever is higher. The UK's ICO fined Amazon £636 million in 2021. Processing EU personal data without a valid DPA is a material GDPR violation — not a technical paperwork issue.

GDPR: Questions to Ask Every SaaS Vendor

Do you have a standard DPA we can sign? If not, will you sign ours?
Where is EU customer data stored? Can we restrict to EU-only?
Who are your sub-processors? Is this list current and public?
How do you notify us of sub-processor changes? (You need advance notice, not just an email after the fact.)
What is your breach notification SLA? (Must be fast enough to meet your 72-hour regulatory deadline.)
What transfer mechanism do you use for data leaving the EU? (Standard Contractual Clauses must be current EU SCCs, not pre-Schrems II versions.)
How do you handle data subject access/deletion requests passed to you by us?

HIPAA: Business Associate Agreements and What They Require

HIPAA (the Health Insurance Portability and Accountability Act) applies when any SaaS vendor handles Protected Health Information (PHI) — patient names, dates of birth, treatment information, billing codes, insurance IDs, and more. If your company is a HIPAA Covered Entity (healthcare provider, insurer, clearinghouse) or a Business Associate, any SaaS vendor that touches PHI must sign a Business Associate Agreement (BAA).

What a Valid HIPAA BAA Must Include

Permitted uses and disclosures of PHI — exactly how the vendor is allowed to use your data (only to provide the contracted service, not for vendor's own analytics)
Safeguards requirement — vendor must implement appropriate safeguards to prevent unauthorized use or disclosure
Encryption at rest and in transit — AES-256 at rest, TLS 1.2+ in transit, documented in the BAA
Access controls — minimum necessary access, role-based access control, audit logging
Audit logs — who accessed PHI, when, what they did — retained for 6 years
Breach notification — vendor must notify you within 60 days of discovering a breach (HIPAA Breach Notification Rule). Best practice: negotiate faster notification in BAA (24–48 hours).
Sub-contractor requirements — any sub-contractors who access PHI must also sign BAAs
Return or destruction of PHI at termination — data must be returned in usable format or securely destroyed, not just "deleted" from a checkbox

Hidden HIPAA Compliance Costs

Many companies underestimate the ongoing cost of HIPAA compliance when adding new SaaS vendors:

Initial BAA review (legal): $2,000–$8,000 per vendor (attorney time to review and negotiate)
HIPAA risk assessment for new vendor: $5,000–$20,000 (internal security team or consultant)
Annual HIPAA audit across all vendors: $10,000–$100,000 depending on vendor count and complexity
Breach response cost if a vendor fails: $100–$150 per affected record (notification, credit monitoring, legal)
OCR fine for BAA non-compliance: $100–$50,000 per violation, up to $1.9M per year per violation category

HIPAA-compliant vendors to know: Major SaaS vendors that offer standard HIPAA BAAs include AWS, Microsoft Azure, Google Cloud, Salesforce Health Cloud, Zendesk (Enterprise), Slack (Enterprise Grid), and Zoom (Enterprise). Most will NOT offer BAAs on self-serve or standard plans — you must request the enterprise tier or a specific compliance addendum.

PCI DSS: Payment Data Requirements

If your SaaS vendor processes, stores, or transmits cardholder data (credit card numbers, CVVs, expiration dates), PCI DSS (Payment Card Industry Data Security Standard) applies. The key levels:

PCI DSS Level	Transaction Volume	Requirement
Level 1	6M+ card transactions/year	Annual on-site audit by Qualified Security Assessor (QSA). Quarterly network scans.
Level 2	1M–6M transactions/year	Annual self-assessment questionnaire (SAQ). Quarterly network scans.
Level 3	20K–1M e-commerce transactions/year	Annual SAQ. Quarterly network scans.
Level 4	Under 20K e-commerce or under 1M other	Annual SAQ recommended. Quarterly scans recommended.

Practical tip: Most SaaS companies avoid PCI scope entirely by using a PCI-certified payment processor (Stripe, Braintree, Adyen) that handles card data directly — the SaaS vendor never sees raw card numbers. If a vendor stores card data in their own systems, ask for their PCI Level 1 or Level 2 certification and AOC (Attestation of Compliance).

Master Compliance Checklist: 20 Questions to Ask Every Vendor

Use this checklist during vendor evaluations. A "No" or "Not applicable" does not automatically disqualify a vendor — it depends on your use case. Document all answers for your security records.

#	Question	Why It Matters	Red Flag Answer
1	Do you have SOC 2 Type II certification?	Baseline security assurance	"SOC 2 compliant" without specifying Type II or sharing the report
2	Can you share the full SOC 2 Type II report (not just the attestation letter)?	Allows review of specific control failures noted in report	"We can only share the letter" — reports should be available under NDA
3	Which Trust Service Criteria are in scope for your SOC 2 audit?	Availability and Processing Integrity are critical for operational SaaS	"Only Security" for a high-uptime dependency
4	When was your last SOC 2 audit? What period did it cover?	Audits older than 12 months may not reflect current controls	Audit older than 18 months, or unwillingness to answer
5	Will you sign a GDPR Data Processing Agreement?	Required for EU personal data processing	"We have GDPR in our privacy policy" — not the same as a DPA
6	Where is customer data stored? Which regions/countries?	Data sovereignty and GDPR transfer compliance	"In the cloud" without specifics
7	Who are your sub-processors? Is this list current and public?	You are responsible for all processing in your chain under GDPR	No list available or list clearly outdated
8	How quickly will you notify us of a security breach?	GDPR requires 72-hour notification to regulators from Controller	"As required by law" without a specific SLA
9	Will you sign a HIPAA Business Associate Agreement?	Required if you handle PHI	"HIPAA compliant" without offering a BAA is meaningless
10	Do you encrypt data at rest? What encryption standard?	AES-256 is the current standard; anything weaker is a risk	"Yes, we encrypt" without specifying the standard
11	Do you encrypt data in transit? What TLS version?	TLS 1.2 minimum; TLS 1.3 preferred	TLS 1.0 or 1.1 (deprecated and vulnerable)
12	Do you have a bug bounty program or conduct regular penetration testing?	Active vulnerability management reduces breach risk	No pen test in the last 12 months
13	What access controls prevent your employees from accessing our data?	Insider threat is a major breach vector	"Support can access all data" without audit logging or approval workflows
14	Do you support SSO/SAML integration with our Identity Provider?	SSO enables centralized access control and deprovisioning	SSO only available on highest-tier plan at additional cost
15	What is your SLA for data return/deletion after contract termination?	GDPR and HIPAA require verifiable data destruction at end of relationship	"Data is deleted when you close your account" without documentation
16	Do you have ISO 27001 certification or equivalent?	ISO 27001 provides international security management standard beyond SOC 2	Not applicable for all vendors, but important for EU-focused companies
17	What is your disaster recovery RTO and RPO?	RTO (Recovery Time Objective) and RPO (Recovery Point Objective) define how much data loss and downtime you'd face in a disaster	No documented DR plan or RTO > 24 hours for mission-critical systems
18	Do you have a dedicated security team? What is their incident response process?	Vendors without security staff rely on firefighting — reactive, not proactive	"Our engineers handle security" without a dedicated function
19	Have you had any security incidents or data breaches in the last 3 years?	Past breaches are predictive. How they responded matters as much as the incident.	Denial without documentation, or unwillingness to discuss past incidents
20	Will you complete our Vendor Security Questionnaire (VSQ)?	Most enterprise companies have standardized VSQs; vendor willingness signals maturity	"We don't complete customer questionnaires" — a red flag for enterprise procurement

Hidden Compliance Costs: What Procurement Teams Miss

Full Cost of Compliance Due Diligence per New Vendor

Legal review of vendor agreements (DPA, BAA, security addendum): $2,000–$10,000
Internal security review (vendor risk assessment): $5,000–$20,000 (or 40–120 hours of security team time)
HIPAA-specific assessment (if applicable): $10,000–$100,000 for complex healthcare vendors
Annual re-certification and audit: $3,000–$15,000/vendor/year
Remediation if vendor fails audit: $20,000–$200,000 (including migration)

For a company with 40 active SaaS vendors, annual compliance overhead runs $120K–$600K — a cost most finance teams don't see because it's buried in legal and IT budgets.

Cost reduction strategy: Tier your vendors by data sensitivity:

Tier 1 (touches PII/PHI/payment data): Full compliance review, annual recertification. ~$10K–$30K/vendor/year.
Tier 2 (accesses internal data but not regulated): Abbreviated review focused on SOC 2 and security controls. ~$3K–$8K/vendor/year.
Tier 3 (no data access — standalone tools): Minimal review. Annual confirmation of SOC 2 Type II. ~$500–$1K/vendor/year.

Contract Clause Templates for Compliance Requirements

Use these clauses when negotiating SaaS contracts. Present them as addenda or modifications to the vendor's standard agreement.

Clause 1: Security Requirements

SECURITY REQUIREMENTS Vendor shall maintain, at minimum, the following security controls throughout the term of this Agreement: (a) Encryption: All Customer Data shall be encrypted at rest using AES-256 or equivalent, and in transit using TLS 1.2 or higher. (b) Access Controls: Vendor shall implement role-based access control (RBAC) limiting employee access to Customer Data to the minimum necessary to perform contracted services. Vendor shall maintain audit logs of all access to Customer Data for a minimum of 12 months. (c) Annual Assessment: Vendor shall conduct an annual penetration test by a qualified third party and provide Customer with a summary of findings and remediation status upon written request. (d) SOC 2 Type II: Vendor shall maintain SOC 2 Type II certification covering the Security Trust Service Criterion throughout the term. Upon request, Vendor shall provide Customer with the current SOC 2 Type II report under mutual NDA.

Clause 2: Breach Notification

BREACH NOTIFICATION In the event Vendor becomes aware of any actual or suspected unauthorized access, disclosure, use, modification, or destruction of Customer Data ("Security Incident"), Vendor shall: (a) Notify Customer in writing within 24 hours of Vendor's discovery of the Security Incident. (b) Provide Customer with the following information within 72 hours: (i) nature of the Security Incident, (ii) categories and approximate number of data subjects affected, (iii) categories and approximate number of records affected, (iv) likely consequences of the Security Incident, and (v) measures taken or proposed to address the Security Incident. (c) Cooperate fully with Customer in any investigation, regulatory notification, or remediation efforts. Vendor's obligation to notify Customer exists regardless of whether Vendor has completed its own investigation. Preliminary notification is required even if all details are not yet available.

Clause 3: Data Return and Deletion

DATA RETURN AND DELETION Upon expiration or termination of this Agreement for any reason: (a) Export Window: Customer shall have 90 days following the effective date of termination to export all Customer Data in a machine-readable, industry-standard format (CSV, JSON, or XML) at no additional charge. (b) Data Deletion: Upon expiration of the export window or upon Customer's written request, Vendor shall securely delete or destroy all Customer Data within 30 days, including all backup copies. (c) Certification: Within 15 days of completing deletion, Vendor shall provide Customer with written certification that all Customer Data has been deleted, specifying the deletion method used. (d) Survival: HIPAA BAA and GDPR DPA obligations that apply to data handling shall survive termination until deletion is certified.

Never miss a renewal: Get email reminders before each contract renews → Track renewals free