Is your SaaS provider the weak link in your IT system?

Written by
Julie Lasnier
10/6/26
Last modified on
10/6/2026

In August 2025, a malicious actor compromised over 700 organizations by stealing OAuth tokens from a single third-party SaaS tool integrated with Salesforce. None of these information systems had been directly attacked. The intrusion occurred through a door that teams had themselves opened by connecting an external vendor to their environment. (Google Threat Intelligence Group, August 2025). This scenario is no longer an anomaly. Software supply chain attacks have almost doubled in one year: 297 incidents recorded in 2025, compared to 154 in 2024. (Cyble Research, 2025) And according to the CESIN 2026 barometer, 35% of significant incidents this year originated from a third party: vendor, partner, or service provider. 30% of CISOs surveyed estimate that more than half of their incidents come from their own supplier ecosystem, but do you know exactly where your open doors are?


The risks that no one documents enough

1. The invisible attack surface of business APIs

Every business SaaS connected to your IS opens up endpoints on both sides. A client appointment management tool is, in concrete terms, an API client that queries your CRM, your agency directory, and sometimes your HR schedule, using credentials you have granted it. These data flows are rarely mapped in traditional security audits, which focus on the network perimeter.

The figures are telling: 37% of organizations experienced a breach via an API in 2024, compared to 17% in 2023. That's more than double in one year. Only 21% of CISOs report having a real ability to detect attacks at the API layer. (Salt Security / Indusface, State of API Security 2024-2025) SaaS security incidents, meanwhile, increased by 300% between September 2023 and 2024, largely driven by misconfigured API access and poorly managed OAuth tokens. (Obsidian Security, 2024)

Questions to ask without delay: who has mapped the data flows between your business SaaS and your CRM? In the event of an incident at the vendor, how quickly can you revoke their access? Are your connector authentication tokens rotated regularly?
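To make the three questions above concrete, here is an added example (not code from the original article or from Agendize) that audits a constructed inventory of OAuth grants held by third-party connectors. The record layout, the policy thresholds (90-day rotation, 60-day idle limit), the audit date and the list of over-broad scopes are assumptions for the example. It flags orphaned grants for revocation, over-broad grants for rescoping and aged credentials for rotation, and computes which internal systems a leak of one vendor's tokens would expose, the data-flow map the paragraph says nobody draws.

```python
"""Audit of third-party connector OAuth grants (added example, assumptions noted inline)."""
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. The record layout is an assumption for this
# example, not the export format of any real identity provider or SaaS platform.
SAMPLE_GRANTS = [
    {"app": "appointment-tool", "system": "crm",
     "scopes": ["api", "refresh_token", "full"],
     "issued_at": "2025-01-10T09:00:00Z", "last_used": "2025-08-20T14:12:00Z"},
    {"app": "appointment-tool", "system": "directory",
     "scopes": ["directory.read"],
     "issued_at": "2025-06-15T12:00:00Z", "last_used": "2025-08-25T07:45:00Z"},
    {"app": "appointment-tool", "system": "hr-schedule",
     "scopes": ["schedule.read"],
     "issued_at": "2025-06-15T12:00:00Z", "last_used": "2025-08-25T07:45:00Z"},
    {"app": "marketing-chatbot", "system": "crm",
     "scopes": ["api", "refresh_token"],
     "issued_at": "2024-11-02T08:30:00Z", "last_used": "2025-02-01T10:00:00Z"},
    {"app": "analytics-export", "system": "crm",
     "scopes": ["api"],
     "issued_at": "2025-03-15T16:00:00Z", "last_used": None},
]

# Assumed policy values: rotate connector credentials quarterly, treat a grant
# unused for 60 days as an orphaned integration, and treat these scopes as
# granting far more than an appointment tool needs.
ROTATION_MAX_AGE = timedelta(days=90)
IDLE_MAX = timedelta(days=60)
BROAD_SCOPES = {"full", "admin", "*"}

# Constructed audit date so the example is reproducible offline.
AUDIT_TIME = datetime(2025, 8, 26, tzinfo=timezone.utc)

# Highest-severity action wins when a grant trips several rules.
SEVERITY = {"ok": 0, "rotate": 1, "rescope": 2, "revoke": 3}


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp ('Z' suffix) or return None."""
    return None if ts is None else datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_grant(grant, now):
    """Return the recommended action and reasons for one grant."""
    reasons, action = [], "ok"
    issued, last_used = _parse(grant["issued_at"]), _parse(grant["last_used"])

    # Rule 1: a grant nobody uses is an open door with no owner; revoke it.
    if last_used is None or now - last_used > IDLE_MAX:
        reasons.append("grant unused for more than %d days: orphaned integration" % IDLE_MAX.days)
        action = "revoke"

    # Rule 2: scopes beyond what the integration needs widen the blast radius.
    broad = BROAD_SCOPES.intersection(grant["scopes"])
    if broad:
        reasons.append("over-broad scopes: %s" % ", ".join(sorted(broad)))
        if SEVERITY["rescope"] > SEVERITY[action]:
            action = "rescope"

    # Rule 3: a credential older than the rotation policy limits how long a
    # stolen token stays valid only if it is actually rotated.
    age = now - issued
    if age > ROTATION_MAX_AGE:
        reasons.append("credential age %d days exceeds %d-day rotation policy"
                       % (age.days, ROTATION_MAX_AGE.days))
        if SEVERITY["rotate"] > SEVERITY[action]:
            action = "rotate"

    return {"app": grant["app"], "system": grant["system"],
            "action": action, "reasons": reasons}


def audit_grants(grants, now):
    """Audit every grant; most urgent actions first (stable within a severity)."""
    findings = [audit_grant(g, now) for g in grants]
    return sorted(findings, key=lambda f: -SEVERITY[f["action"]])


def blast_radius(grants, app):
    """Internal systems reachable with one vendor's tokens: what a leak there exposes."""
    return sorted({g["system"] for g in grants if g["app"] == app})


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, AUDIT_TIME):
        print("%-8s %-18s -> %-12s %s" % (f["action"].upper(), f["app"],
                                          f["system"], "; ".join(f["reasons"]) or "-"))
    print("blast radius of appointment-tool:", blast_radius(SAMPLE_GRANTS, "appointment-tool"))
```

Run against a real export of connected-app grants, the same three rules give you a revocation queue you can hand to the team the day a vendor announces a compromise, instead of discovering then which systems the vendor's tokens could reach.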

2. Incident management with your subcontractors: who does what, and how quickly

Most SaaS contracts define a platform's availability rate. They do not define notification periods in the event of a breach, nor the chain of responsibility in the event of an incident on the vendor's infrastructure.

The average time between an intrusion and its detection is 194 days. Containing it takes an additional 64 days, for a total of nearly nine months between the attack and its resolution. (IBM Cost of a Data Breach Report 2024) NIS2 requires an early warning to ANSSI within 24 hours of becoming aware of a significant incident. The real problem, therefore, is not the notification deadline but the discovery delay. If your SaaS provider detects an anomaly on its servers and has no contractual obligation to notify you, you could remain unaware for weeks. And your NIS2 clock only starts ticking the day you find out.

Beyond notification, continuity issues are just as critical: Does the provider have a tested DRP? A crisis unit that can be activated outside business hours? A documented backup and restoration testing procedure? These elements are required by ISO 27001 and rarely checked by the client.

3. Data Sovereignty: where do your client data really go?

Three levels to check systematically.

Hosting: where exactly is your SaaS hosted? On which cloud, in which country? In June 2025, during a hearing before the French Senate's investigative committee, Microsoft France's legal director stated: "If we are compelled, we hand over the data." This is no longer a legal hypothesis; it's a public confirmation. For a bank, mutual insurance company, or local authority, hosting client data with an operator subject to US law creates a direct conflict with the GDPR and French banking secrecy laws.

Processing: Do your data pass through third-party services for analytics, notifications, or personalization? Each additional component represents a potential transfer outside your control.

Reversibility: In the event of contract termination, can you recover 100% of your data in an exploitable format within 48 hours? Critical vendor dependence and sovereignty rank second among CIO irritants in 2026, and hybrid/multi-cloud/sovereign cloud has become the third priority investment area for the year. (Abraxio CIO Barometer 2026)

The list of requirements to ask any SaaS provider

Faced with these risks, organizations are increasingly relying on structured tools: 85% of CISOs include security clauses in their vendor contracts, 74% use questionnaires, and 46% resort to cyber-rating. (CESIN Barometer 2026) Alain Bouillé, CESIN's general delegate, summarizes the limits of this approach: "You're not going to conduct a penetration test on 12,000 suppliers."

The best practice is therefore to require the vendor to provide you with the proof themselves. Here are the six essential requirements.

ISO 27001, necessary but not sufficient: certification has become an elimination criterion in calls for tenders. Be aware that it covers the vendor's own scope, not necessarily that of their subcontractors. Annex A of ISO 27001:2022 contains four controls dedicated to supplier relationships (A.5.19 to A.5.22, from supplier agreements to the monitoring of supplier services); checking that the vendor actually applies them is the right question to ask. Also verify that the certificate's scope exactly matches the subscribed service. ISO 27001:2013 certificates are no longer valid as of October 31, 2025. Other frameworks apply depending on the sector: HDS for health data in France, SOC 2 Type II for American vendors.

Data architecture: three non-negotiable questions: Is the data hosted in Europe, with a provider not subject to the Cloud Act? Does the vendor guarantee data isolation between clients? In case of termination, what is the timeframe and format for data retrieval? 52% of CIOs cite difficult-to-negotiate contractual clauses and exposure to extraterritorial laws as the main obstacles to cloud adoption. (Docaposte/Cyblex 2025 Barometer)

Incident management: NIS2 mandates early warning within 24 hours, detailed notification within 72 hours, and a final report within one month. The question to ask the vendor: Is their client notification process aligned with these deadlines? Who is the point of contact in case of an incident, and at what hours are they available? The contract must answer these questions — not just display an availability SLA.

The supply chain: demand from the vendor a complete list of their critical subcontractors and their respective certification levels. NIS2 makes this transparency mandatory for regulated entities — it's better to demand it upfront rather than discovering it during an audit.

Infrastructure resources: Does the vendor have an EDR, a SIEM, and the capability to collect and analyze logs in case of an incident? These elements determine their ability to detect an anomaly and understand its true scope.

Risk management: Does the vendor have a formalized risk matrix and a treatment plan for unmitigated risks? Reference methods like EBIOS RM, compliant with ISO 31000, provide a structured framework for this analysis. A vendor who cannot show you how they identify and manage their own risks cannot provide serious guarantees regarding yours.

What it looks like in practice

PRO BTP, a social protection organization serving 1.2 million protected employees with 110 agencies in France, made sovereign hosting a non-negotiable selection criterion during the deployment of its appointment booking platform. Cyrille de Chalain, Deputy Director of Business Development: "Secure SaaS hosting in France was an essential criterion for us. It was important to know that our data remains protected and hosted locally, in compliance with French and European standards."

Deployment results: +30% of appointments booked via self-service by individual customers, over 100,000 appointments generated in 2024, native integration with Efficy CRM and Outlook, full traceability within internal management tools. (Source: Agendize, PRO BTP customer case study)

A major multi-site banking/insurance player has deployed a journey fully integrated with its internal CRM, Microsoft 365 calendars, and BI tools via API, with automatic CRM querying via SIRET number for B2B journeys. Over 10,000 distinct companies have booked appointments online there.

To learn more

These topics: API risks, incident management, sovereignty, and requirements framework will be the focus of a 30-minute technical webinar on Friday, June 26th at 10:30 AM, presented by Cédric Peyruquéou, R&D Director at Agendize, and Arnaud Masson, IT Support and Security Technician / CSSI.

On the agenda: the most common risks in business SaaS integrations, the complete requirements framework to present to any vendor, and real-world deployment cases in regulated multi-site environments.

Register for the webinar 

Contact one of our experts to take advantage of Agendize expertise and find out more about the feasibility of your project.
