SaaS providers often have B2B customers and prospects requesting Third-party Proof of Compliance documentation from them on a continual basis. Customers need Third-party Proof from their providers to comply with requirements in compliance frameworks like PCI DSS, GDPR, SSAE 18, HIPAA, and more. For example in PCI DSS v3.2.1 the third-party requirements are 12.8.1-5. This Third-party Proof often takes the form of annual exchanges of Attestation of Compliance and more frequent exchanges of supporting information, like security scan results, on a recurring basis. Most Third-party Proof is also exchanged under an NDA - which also has to be maintained and updated.

There comes a point for most growing SaaS providers when their businesses have scaled to a level at which 1-to-1 manual support for these Third-party Proof requests, related NDAs, and the subsequent flows of recurring data, becomes too costly to maintain without automation.

A Third-party Proof Self-assessment can help determine the current baseline activities, systems, risks, and costs associated with maintaining and exchanging your Third-party Proof, which can then become the basis for improvements.

A Step-by-step Third-party Proof Self-assessment

  1. Identify all the compliance frameworks that your organization uses (e.g. PCI DSS, HIPAA, GDPR, SSAE 18, FedRAMP, SOX, GBLA, ISO, etc.)
  2. Identify all the requirements for providing and collecting Third-Party Proof of Compliance within your compliance frameworks
  3. Estimate time and resources spent on maintaining up-to-date third-party proof for audits, contracts, incident response, and M&A
  4. Estimate time and resources spent on lapses in third-party proof that required additional incident response, investigations, remediation, or re-negotiation activities
  5. Assess the costs of your current technologies used in maintaining and exchanging 3PP - whether by email, data-sharing, enterprise systems, or in supporting third-parties
  6. Assess the percentage of provider, vendor, and B2B customer 3PP communications addressed manually, vs. systematically, and addressed with standard responses vs. customized  or 1-to-1 responses
  7. Evaluate build vs. buy of obtaining specialized automation for publishing and collecting third-party proof
  8. Record all your data and conclusions in a form useful for later periodic review and improvement

In addition, consider taking the 2018 Third-party Proof of Compliance Survey to organize your facts and obtain the survey results for comparison and bench-marking.