N2CON TECHNOLOGY

Evaluating Hosted App Providers: Questions to Ask Before They Hold Your Data

Hosted legacy app offers can sound simple: "move to our cloud and remove the pain." The real risk is not the cloud itself; it is unclear data custody, vague backup/restore promises, and weak exit terms. This guide gives you a practical question set to evaluate providers before you commit.

Note: This is general information and not legal advice.

Last reviewed: February 2026

Executive Summary

What it is
A buyer-side due-diligence guide for hosted app providers, focused on data custody, recoverability, and contract/exit clarity.
Why it matters
  • Hosting convenience can hide lock-in and operational blind spots.
  • Backup and uptime claims are easy to market and hard to verify without evidence.
  • SMB teams are often forced into expensive transitions when exit terms are vague.
What good looks like
  • Data ownership and export terms are explicit before signature.
  • Restore testing and incident obligations are evidence-backed, not implied.
  • Portability boundaries are known: what must transfer and what may not.

The pattern SMB teams keep running into

A provider promises simpler operations for a legacy line-of-business application. During procurement, details are unclear: who actually hosts the environment, what controls are included, which licenses remain your responsibility, and how hard it is to leave later.

The right response is not "never use hosted services." It is to ask structured questions early and get written answers before technical and contract decisions lock in.

1) Data custody and exit rights

  • Ownership: Who owns customer data, metadata, and logs?
  • Export format: If you leave, what data is exportable and in what format?
  • Tooling: What tools or services are required to use exported data elsewhere?
  • Exit costs: What fees apply for export, transition support, or early termination?
  • Timeline: How long does full data return take after notice of termination?

2) Backup, restore, and resilience reality

  • Scope: What exactly is backed up (data only, app config, logs, identity mappings)?
  • Controls: Are backups immutable/offline where needed? Who can delete or alter backups?
  • Retention: What retention windows and recovery points apply?
  • Testing: How often are restores tested, and what evidence can you review?
  • Customer backups: Can you maintain your own backup strategy for critical datasets?

Related: Backup & DR testing.
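The backup questions above are only useful if the provider's answers can be checked against evidence. As an added illustration (not part of this guide and not N2CON's tooling), the script below takes constructed backup-completion timestamps and restore-test records and checks them against assumed RPO, RTO and restore-test cadence targets. The record layout, field names and target values are assumptions for the example; a real provider's evidence export will differ, but the checks (gaps between backups versus RPO, age of the last passing restore test versus agreed cadence, restore duration versus RTO) are the ones a buyer should be able to run on whatever evidence is supplied.

```python
"""Check backup and restore-test evidence against agreed RPO/RTO/cadence targets.

Constructed example: the evidence records, field names and contractual targets
below are assumptions, not a real provider's export format or real contract terms.
"""
from datetime import datetime, timedelta, timezone

# Assumed contractual targets (placeholders, not from any real contract).
RPO = timedelta(hours=24)                 # maximum acceptable data-loss window
RTO = timedelta(hours=4)                  # maximum acceptable time to restore
RESTORE_TEST_CADENCE = timedelta(days=90) # how recent the last passing restore test must be

# Constructed evidence: successful backup completion times (UTC, ISO 8601).
BACKUP_RUNS = [
    "2026-01-01T02:00:00Z",
    "2026-01-02T02:00:00Z",
    "2026-01-04T02:00:00Z",   # 48h since the previous run: an RPO breach
    "2026-01-05T02:00:00Z",
]

# Constructed restore-test records as a provider might supply them.
RESTORE_TESTS = [
    {"date": "2025-10-15T09:00:00Z", "scope": "data", "duration_minutes": 150, "result": "pass"},
    {"date": "2026-01-20T09:00:00Z", "scope": "data+config", "duration_minutes": 300, "result": "pass"},
    {"date": "2026-02-01T09:00:00Z", "scope": "data+config", "duration_minutes": 45, "result": "fail"},
]


def parse(ts: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def rpo_gaps(runs, rpo=RPO):
    """Return (start, end, gap) for each pair of consecutive backups whose gap exceeds RPO."""
    times = sorted(parse(t) for t in runs)
    return [(a, b, b - a) for a, b in zip(times, times[1:]) if (b - a) > rpo]


def latest_passing_restore(tests):
    """Return the most recent restore test whose result is 'pass', or None."""
    passing = [t for t in tests if t["result"] == "pass"]
    return max(passing, key=lambda t: parse(t["date"])) if passing else None


def evaluate(runs, tests, now_iso, rpo=RPO, rto=RTO, cadence=RESTORE_TEST_CADENCE):
    """Return a list of human-readable findings; an empty list means the evidence meets the targets."""
    now = parse(now_iso)
    findings = []
    for a, b, gap in rpo_gaps(runs, rpo):
        findings.append(f"RPO breach: {gap} between {a.isoformat()} and {b.isoformat()}")
    last = latest_passing_restore(tests)
    if last is None:
        findings.append("no passing restore test on record")
    else:
        age = now - parse(last["date"])
        if age > cadence:
            findings.append(f"stale restore evidence: last passing test was {age.days} days ago")
        if timedelta(minutes=last["duration_minutes"]) > rto:
            findings.append(f"RTO breach: last passing restore took {last['duration_minutes']} min")
    return findings


if __name__ == "__main__":
    # Review date is a constructed value for the example.
    for finding in evaluate(BACKUP_RUNS, RESTORE_TESTS, "2026-02-15T00:00:00Z"):
        print(finding)
```

Gaps equal to the RPO are accepted; only gaps strictly longer count as a breach. Failed restore tests are kept in the record set but ignored when determining evidence recency, so a recent failed test cannot mask a stale last success. Re-running the check with a later review date shows how evidence that is acceptable today becomes a finding once the agreed cadence lapses.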

3) Security integration and shared responsibility boundaries

  • Visibility: Can your SIEM/logging workflows consume meaningful telemetry?
  • Identity: Does the service support SSO/MFA and role-based access control?
  • Boundary: Which controls are provider-owned vs customer-owned?
  • Access: How are provider/admin support accesses controlled, approved, and logged?

If responsibilities are not explicit, critical controls are often assumed by both parties and implemented by neither.

4) Incident obligations and commercial terms

  • Notification: What are incident notification timelines and escalation contacts?
  • Response support: What investigation detail and log evidence will be provided?
  • Remedies: Are remedies limited to service credits, or do terms cover broader impact?
  • Subprocessors: Are third-party hosting/operations dependencies disclosed?

Portability nuance: what must transfer vs what may not

Not every capability is portable one-to-one. That can be acceptable, especially for specialized managed security tooling. The goal is to define portability boundaries clearly before purchase.

  • Must transfer: business data, audit-relevant records, core configuration documentation, ownership metadata.
  • May not transfer directly: provider-specific detection logic, proprietary workflows, or platform-only features.
  • Decision test: Is non-portability explicit, operationally tolerable, and priced/managed as part of risk acceptance?

Hosted provider due-diligence checklist (copy/paste)

Provider name:
Service scope:
Business owner:
Technical owner:

1) Data custody and exit
- Who owns data, metadata, and logs?
- Export format and completeness documented? (yes/no)
- Export tools/support included? (yes/no)
- Exit timeline defined? (days)
- Exit fees defined? (yes/no)

2) Backup and recoverability
- Backup scope documented? (yes/no)
- Retention and RPO/RTO defined? (yes/no)
- Restore test evidence available? (yes/no)
- Customer-managed backups allowed? (yes/no)

3) Security integration
- SSO/MFA supported? (yes/no)
- RBAC/admin controls documented? (yes/no)
- SIEM/log export supported? (yes/no)
- Shared-responsibility matrix provided? (yes/no)

4) Incident and commercial obligations
- Incident notification timeline in contract? (yes/no)
- Investigation/log support obligations defined? (yes/no)
- Subprocessor/hosting chain disclosed? (yes/no)
- Remedies beyond credits understood? (yes/no)

Decision:
- Approve
- Approve with conditions
- Accept risk with exceptions
- Reject

Notes / required contract edits:

Common Questions

Do we need full portability for every hosted service?

Not always. Some managed security tooling and platform-specific capabilities are not portable one-to-one. The key is to define portability boundaries up front: what data, logs, configs, and documentation must be exportable, what format they come in, and what transition support and costs apply.

What is the biggest hidden risk with third-party hosting offers?

Unclear lifecycle terms: who owns your data, how restores are validated, what happens during incidents, and what it costs to leave. If these are vague before signature, they become expensive after go-live.

Can we rely on provider backups alone?

Only if scope, retention, testing cadence, and restore responsibilities are explicit and proven. Many teams also keep customer-controlled backup options for business-critical data and evidence paths.

What should we ask about incident handling?

Ask for notification expectations, response responsibilities, forensic/log support boundaries, and contractual remedies. Service credits alone may not cover your real impact if operations are disrupted.

How do we evaluate total cost realistically?

Break out all components: platform fees, required bring-your-own licenses, storage/egress costs, support tiers, backup add-ons, migration labor, and offboarding/exit charges.

Need help pressure-testing a hosted provider before you sign?

We can help you run a practical due-diligence review focused on data custody, recoverability, and exit clarity.

Contact N2CON