Know the information, access and responsibilities
A service can offer useful controls while still being unsuitable for the information or responsibilities involved. The assessment needs to cover the data path, people with access, configuration choices, supplier chain, recovery and the terms that apply to your organisation.
Identify what information will enter the service, who needs access, where permissions and logs are managed, what configuration remains your responsibility, how data is shared or retained and how access can be recovered or removed. Obtain current supplier and contractual evidence appropriate to the risk and your jurisdiction.
Ask questions about the whole data path
- What information, metadata and files will be created, imported, processed or connected?
- Which people, teams, administrators, support staff and third parties can access each type?
- Which roles, authentication, audit, recovery and alerting controls are available in the intended plan?
- Which security configuration and safe use responsibilities remain with the customer?
- How is data shared with sub-processors or related services, and where is that described?
- What backup, export, retention, deletion and incident-support routes are available?
- Which contract, privacy, regulatory or professional obligations apply to your organisation and location?
Separate evidence from assurance language
Ask for the applicable detail
Check the plan, region, configuration and service you would actually use—not only a generic trust page.
Understand shared responsibility
Access, settings, data classification and safe use may remain with the customer after selection.
Seek appropriate advice
For sensitive information or regulated work, involve the relevant security, legal, privacy or professional adviser.
Use primary guidance for material decisions
The NCSC’s cloud supply-chain guidance recommends understanding how data and metadata are shared and how suppliers manage their own suppliers. For organisations subject to UK data-protection law, the ICO’s controller–processor contract guidance explains the need for appropriate contractual terms; it is UK-specific, so check local requirements elsewhere.
Security, privacy and data FAQs
Does a security certification settle the assessment?
No. It can be useful evidence, but check whether it applies to the service, plan, region and configuration you will use, and whether the customer responsibilities are clear.
Who owns configuration after software is selected?
Responsibility varies by service and contract. Name the people who administer access, settings, integrations, logs, recovery and reviews before rollout.
Is this legal or data-protection advice?
No. This page is a practical selection guide. Laws and contractual duties depend on the organisation, data and location, so seek appropriate professional advice for a material decision.
Continue the software decision
Keep the workflow, evidence, people and exit route visible until the decision is made. The next useful step is usually the one that reduces the uncertainty most likely to cause expensive rework later.

