data.day

Seven Vendor Questions That Reveal Who Holds the Keys

Sales teams are trained to say 'Yes'. These seven questions are designed to force them to admit 'No', revealing the true security posture of their software.

Do Not Ask “Is It Secure?”

If you ask a vendor “Is your platform secure?”, they will say “Yes.” If you ask “Is it encrypted?”, they will say “Yes.”

These answers are useless. They are true in the same way that a cardboard box is “secure” if you tape it shut. It is technically closed, but it withstands no pressure.

Sales teams are trained to answer the question you think you are asking, rather than the technical reality. To penetrate this fog, we must ask questions that concern the architecture of The Machine, specifically regarding the custody of keys.

The Risk: The Admin Panel.

The greatest risk to your data is not a Russian hacker. It is a helpful support agent.

Most SaaS platforms are built with a “God View.” This allows their support team to “log in as” you to fix bugs. If they can log in as you, they can see what you see. If they can see what you see, they can be compelled to export it.

We need to determine if this side door exists.

The Defense: The Interrogation.

Do not send a questionnaire. They will have a marketing team fill it out. Ask these questions live, on the call, and wait for the silence.

  1. “Can your support team reset my master password?”

    • Desired Answer: “No. If you lose it, your data is gone.”
    • If Yes: They hold the keys.
  2. “Does the encryption happen in the browser or on the server?”

    • Desired Answer: “In the browser.”
    • If Server: They see the raw data before it is saved.
  3. “If we receive a subpoena, can you techncially export our data without our help?”

    • Desired Answer: “No, we physically cannot decrypt it.”
    • If Yes: You are paying for a liability.
  4. “Do you maintain a distinct database for each tenant, or are we rows in a shared table?”

    • Desired Answer: “Distinct database (or at least distinct encryption keys).”
    • If Shared: One coding error could expose your data to another client.
  5. “Can I bring my own encryption key (BYOK)?”

    • Desired Answer: “Yes.”
  6. “Where are the logs stored, and can I export them to my own SIEM?”

    • Desired Answer: “Yes, you own the logs.”
    • If No: You will be blind during an investigation.
  7. “What is your maximum session duration before forced logout?”

    • Desired Answer: “Configurable by the admin.”
    • If Fixed/Infinite: They prioritize convenience over security.

Write down the answers. If the vendor fails questions 1, 2, or 3, they are not a security product. They are a convenience product. Adjust your “Trust Boundary” accordingly.

FAQs

What if the salesperson doesn't know the answer?

Then you pause the meeting. Never buy a security product from someone who cannot explain how it secures the data.

Is certification like ISO 27001 enough?

No. ISO 27001 certifies that they have a process. It does not certify that the process is good. You can have an ISO-certified process for leaving the door unlocked.

Why do I need to be so aggressive?

Because once you sign the contract, the risk transfers to you. You are not being aggressive; you are being diligent.