How to Assess Software Security, Privacy and Data

Know the information, access and responsibilities

A service can offer useful controls while still being unsuitable for the information or responsibilities involved. The assessment needs to cover the data path, people with access, configuration choices, supplier chain, recovery and the terms that apply to your organisation.

Quick answer

Identify what information will enter the service, who needs access, where permissions and logs are managed, what configuration remains your responsibility, how data is shared or retained and how access can be recovered or removed. Obtain current supplier and contractual evidence appropriate to the risk and your jurisdiction.

  • Applies worldwide
  • Reviewed by Attach Planet
  • Last reviewed: 17 July 2026

Ask questions about the whole data path

  • What information, metadata and files will be created, imported, processed or connected?
  • Which people, teams, administrators, support staff and third parties can access each type?
  • Which roles, authentication, audit, recovery and alerting controls are available in the intended plan?
  • Which security configuration and safe use responsibilities remain with the customer?
  • How is data shared with sub-processors or related services, and where is that described?
  • What backup, export, retention, deletion and incident-support routes are available?
  • Which contract, privacy, regulatory or professional obligations apply to your organisation and location?

Separate evidence from assurance language

Ask for the applicable detail

Check the plan, region, configuration and service you would actually use—not only a generic trust page.

Understand shared responsibility

Access, settings, data classification and safe use may remain with the customer after selection.

Seek appropriate advice

For sensitive information or regulated work, involve the relevant security, legal, privacy or professional adviser.

Use primary guidance for material decisions

The NCSC’s cloud supply-chain guidance recommends understanding how data and metadata are shared and how suppliers manage their own suppliers. For organisations subject to UK data-protection law, the ICO’s controller–processor contract guidance explains the need for appropriate contractual terms; it is UK-specific, so check local requirements elsewhere.

Security, privacy and data FAQs

Does a security certification settle the assessment?

No. It can be useful evidence, but check whether it applies to the service, plan, region and configuration you will use, and whether the customer responsibilities are clear.

Who owns configuration after software is selected?

Responsibility varies by service and contract. Name the people who administer access, settings, integrations, logs, recovery and reviews before rollout.

Is this legal or data-protection advice?

No. This page is a practical selection guide. Laws and contractual duties depend on the organisation, data and location, so seek appropriate professional advice for a material decision.

Continue the software decision

Keep the workflow, evidence, people and exit route visible until the decision is made. The next useful step is usually the one that reduces the uncertainty most likely to cause expensive rework later.