General
- Are data recovery processes in place?
- Do you have a written incident response plan in place?
- Do you maintain written disaster recovery procedures / a Disaster Recovery Plan (DRP)?
- Have you experienced a cybersecurity event in the past two years?
- Will you share the results of any cybersecurity audit you conduct?
- Will you agree to provide all reasonable assistance with any investigation into a cybersecurity incident affecting our data?
- Will you agree to coordinate with us on any external communications relating to a cyber incident that involves our data?
- Do you have agreements with subprocessors about data breach notifications?
- What is your policy / SLA on breach notifications?
- Please describe the service level agreements (SLAs) for disaster recovery (RTO/RPO) and the system performance you guarantee after recovery.
- Have you implemented backup or recovery mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?
- Have you tested your security incident response plans in the last year?
- Do you have the capability to recover data for a specific customer in the case of a failure or data loss?