Does your company perform an annual penetration test, external or internal security review or any other documented risk assessment and gap analysis to identify items requiring action?

Do you have capability to recover data for a specific customer in the case of a failure or data loss?

Do you produce audit trail/trace information or are corporate logging facilities protected from unauthorized alteration?

Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?

Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant’s data?

Do you have the capability to recover data for a specific customer in the case of a failure or data loss?

Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?

Are the results of internal and external audits available to tenants at their request?

Do you have an internal audit program that allows for cross-functional audit of assessments?

Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?