General
- Do you test the changes in a test environment before putting them in production?
- How does DESelect keep client specific data and infrastructure apart from other clients? Is DESelect single-tenant/multi-tenant?
- Is sensitive data encrypted (e.g. user access tokens)?
- Describe the release management process you use.
- What does the Salesforce Security Review entail?
- Do you support role-based access control (RBAC) for end-users / administrators?
- Are upgrades or system changes installed during off-peak hours or in a manner that does not impact the customer?
- Do you use an automated source code analysis tool to detect security defects in code prior to production?
- Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?
- Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?
- Do you conduct network penetration tests of your cloud service infrastructure at least annually?
- Do you conduct application penetration tests of your cloud infrastructure regularly?
- Are controls in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only?
- Do you publish a list of all APIs available in the service and indicate which are standard and which are customized?