Developers Guide – Protecting user data in SaaS applications

June 2, 2020 by netstratum

Subscription as a Service (SaaS) remains the largest market segment in cloud services, estimated to grow to 151.1 billion by 2022 (Gartner). Companies prefer cloud subscriptions for various reasons – pay per usage, low hardware requirements, centralized maintenance and upgrades, etc. As subscriptions work in a multi-tenant model, security of user data is a prime concern of customers as well as product development teams.

Data storage for SaaS applications

As a company which develops SaaS applications, you could store customer data in your own data centers. This gives more flexibility and control over the user data. To leverage the scalability and computational advantages of public clouds, the user data needs to be moved to their data centers. Additionally, this data might be replicated in multiple locations for high availability and backups.

Your internal data policy applies to the data stored in your own data center, while the policies are different for public clouds. You need to understand the risks and liabilities of different data centers, and design and develop your application accordingly to prevent data breaches and regulatory penalties.

Seven best practices to ensure user data safety in SaaS applications.


  • Systemic security review of product

Security cannot be treated as a separate phase in product development; instead, it must be reviewed at every stage of the product life cycle. The teams responsible for architecture, design, coding and testing should always keep security considerations above the features and functionality.

  • Application deployment

There is a high chance that modern applications will need to be deployed in public and hybrid clouds for various reasons. Engineers should closely examine the security threats and vulnerabilities of each infrastructure. Don’t hesitate to make design or code level changes to prevent data breaches.

  • Security and compliance certifications 

There are multiple certifications you can opt for, according to the state of your business. The major ones are SOC 2 Type 2, PCI DSS and HIPAA.

SOC 2 Type 2 certification is considered the prime mark of security, availability, processing integrity and confidentiality of customer data. These audit reports are an attestation of controls at a service organization over a period of time. SOC 2 audits are an important component in regulatory oversight, vendor management programmes, internal governance and risk management.

PCI DSS certification reviews the commonly known best practices such as installation of firewalls, encryption of data transmissions and use of anti-virus systems. PCI DSS specifies 12 requirements for compliance, organized into six logically related groups called control objectives.

HIPAA certification is mandatory for data servers dealing with health data. It mainly covers disaster recovery plans, physical access controls, advanced encryption standards (AES), IP address isolation, risk analysis, etc. The health information privacy rules are very extensive, and compliance is crucial when developing health-related applications.

  • Data Transcription

To ensure a high level of security, data transmission within any network should happen through SSL. Encryption should be active in transit as well as at rest. The public cloud vendors provide a wide range of options to encrypt your data. Everyone in your team should be aware of the encryption standards so they can optimize their activities accordingly.

  • Vulnerability testing

Identifying the vulnerabilities and loopholes of your application is an ongoing process throughout the lifecycle of the product. Choosing the right testing tool and service is crucial. Also ensure that errors, warnings and requests from doubtful sources are escalated to the concerned teams on time. Public clouds offer a wide range of security tools as services. Small companies can partner with Managed Service Providers (MSPs) to perform security audits and services for SaaS applications.

  • Data retention

Data storage and deletion must be performed according to the service level agreement (SLA). Many regulations, including GDPR, mandate the customer’s right to download the data generated by the user. The application should ensure that the user data is deleted permanently from all storage locations after the lock-in period.
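The deletion requirement above can be checked mechanically. The following sketch is an added example, not code from the original article: it deletes a tenant from every storage location once the lock-in period has passed, then verifies the result instead of trusting the delete calls. All names (`StorageLocation`, `purge_tenant`, `LOCK_IN_DAYS`), the 30-day lock-in and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical names and values throughout; the 30-day lock-in is an assumed SLA term.
LOCK_IN_DAYS = 30

@dataclass
class StorageLocation:
    """In-memory stand-in for one place tenant data lives (primary, replica, backup)."""
    name: str
    objects: dict = field(default_factory=dict)  # tenant_id -> list of object keys
    read_only: bool = False  # e.g. an immutable backup that needs its own expiry job

    def delete_tenant(self, tenant_id: str) -> bool:
        if self.read_only:
            return False  # delete refused; the verification pass must catch this
        self.objects.pop(tenant_id, None)
        return True

def purge_due(terminated_on: date, today: date, lock_in_days: int = LOCK_IN_DAYS) -> bool:
    """Deletion is due only once the lock-in period after termination has elapsed."""
    return today >= terminated_on + timedelta(days=lock_in_days)

def purge_tenant(tenant_id, terminated_on, today, locations):
    """Delete a tenant everywhere, then verify; return names of locations still holding data."""
    if not purge_due(terminated_on, today):
        return None  # still inside lock-in: the customer may yet download the data
    for loc in locations:
        loc.delete_tenant(tenant_id)
    # Verification pass: re-read every location rather than assuming deletes succeeded.
    return [loc.name for loc in locations if loc.objects.get(tenant_id)]

def sample_locations():
    """Constructed sample data: tenant t1 exists in three places, t2 in one."""
    return [
        StorageLocation("primary-db", {"t1": ["users.csv"], "t2": ["users.csv"]}),
        StorageLocation("replica-eu", {"t1": ["users.csv"]}),
        StorageLocation("backup-archive", {"t1": ["2020-05.tar"]}, read_only=True),
    ]

if __name__ == "__main__":
    locs = sample_locations()
    leftovers = purge_tenant("t1", date(2020, 5, 1), date(2020, 6, 2), locs)
    print("locations still holding t1:", leftovers)
```

A non-empty result is the signal to escalate: here the read-only backup still holds the tenant's data, which is the kind of residual copy that replication and backups make easy to miss.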

  • User level data security

SaaS applications incorporate 2-factor logins, authentication apps and OTP for user level security. SSO is preferred by large organizations for the secure management of login credentials. Role-based access control allows rights within the application to be controlled, restricting editing and ownership rights.

Data security is an ever-evolving field. Always keep an eye on new developments to protect user data from external threats.
