1Are All Web based communication (with the exception of public pages) to the SaaS solution over secure protocols TLS or SFTP (for data/file transfer), including but not limited to:
A. Authentication/ Login Page.
B. File transfer to databases or disk storage
C. Web forms in support of Avery’s application and data, etc
2Are Personnel trained on your Information Security Program? If yes, please describe how Personnel are trained.
3Are there any browser pluggin requirements (Java, Flash, etc) and which version (minimum)?
4Are there clear instructions in your contracts detailing what happens to the data at the end of the contract period?
5Are you willing to provide the reuslts of any recent penetration or vulnerability scans?
6As most SaaS solutions provide applications that can be used with a Mobile device (iPad, Android devices, etc), without proper analysis of the application’s behavior and operation, users should not be allowed to use them until a detailed assessment has been done.

Does the application cache any data on the device?
When the device is backed-up, where is the data stored (local storage, Cloud, etc.)
If the application is removed, does it remove the data?
Is data encypted when sent to a mobile device?
Is data encrypted when stored on a mobile device?
7Briefly describe what security portion of security are Avery Dennison’s responsibility and what portion is vendor’s.
8Could you share the latest 3rd Party attestation report for the attained Security Certification?
9Describe any additional security measures you employ to ensure the availabiity, integrity, and confidentiality of our Data (IPS/IDS, Antivirus software, UTMs, etc.)?
10Describe your change management process and how do you communicate this to your customers?
11Describe your schedule for reviewing and updating your policies for processing data on behalf of your data controllers.
12Do you allow a third party Penetration Test of your application?
13Do you assess / audit the effectiveness of the Information Security Program (e.g., vulnerability assessments, gap analysis, internal audits)? Please describe how.
14Do you conduct regular Penetration Testing of the application? If so, could you share the latest results?
15Do you encrypt all customer data in transmission and ‘at rest’? If not all, what, if any, information is encrypted in transmission and ‘at rest’? Please describe the level and type of encryption used.
16Do you have a documented policy regarding management of Encryption Keys? If so, please summarize this policy.
17Do you have a documented procedures to ensure that deleted customer information has been removed? If so, please summarize.
18Do you have a policy to notify your customers if legal / law enforcement requests data?
19Do you have a security program? Please describe
20Do you offer periodic reports confirming compliance with security requirements and SLAs?
21Do you offer SAML/SSO capabilities for authentication?. If so, is SAML required for all accounts?
22Do you offer training for this solution?
23Do you perform background checks on Personnel, contractors and sub-contractors? If so, describe the nature, scope (roles) and timing of such checks.
24Do you prohibit Personnel from storing customer’s data any mobile computing devices (e.g., laptops, smartphones) or on any removable media (e.g., thumb drives, CDs, external hard drives)? Please describe how this is enforced
25Do you require contractors and sub-contractors to maintain the same safe guards as set out in the Service Provider’s Information Security Program? If yes, please describe how.
26Do you segregate customer’s data at rest from all other customer’s data? If yes, please explain how the data will be segregated.
27Do you use customer’s data in any non-production environments?.. If yes, please describe how and what security process is follows to protect sensitive data.
28Does any staff member has access to unencrypted customer’s Data? If so, what roles have access and what systems / constraints are in place to enforce restriction to those roles?
29During those potential events do you provide company owned equipment to allow for remote work or do you allow employees to use their own equipment
30Explain the data privacy and security training employees in your organization receive, and on what schedule.
31Has your company been involved or customers been involved in a breach as a result of the use of your service?
32How do you dispose of end-of-life hardware?
33How do you dispose of failed data storage devices?
34How do you guarantee operational functionality/support in the event of global disrupting events (pandemics, war, flods, etc)
35How do you guarantee the proper level of security/data protection during that period of time
36How do you respond to legal / law enforcement requests for data related to other customers without disclosing Avery Dennison’s data?
37How long did it take to restore services?
38How many copies of our data are stored, and where are they stored?
39How many dedicated IT Security Professionals do you have?
40How much control does Avery Dennison retain over our data?
41How reliable is your network infrastructure and what certifications do you currently hold for your data centers? Could you share the latest report?
42How soon do you inform your customers of any security breaches, especailly data?
43In the event of a breach, how quickly can you disable access to our data?
44In the event SAML (SSO) is not supported, what settings can we leverage for user credentials and password policies?
45In which country (or countries) is our data stored in – both on your infrastructure and for backups?
46Is your solution based on a dedicated instances/infrastructure (single tenant) or shared instances/infrastructure (muti-tenant)?
47Please describe status of CCPA readiness/compliance.
48Please describe your processes for detecting and communicating data breaches.
49Please identify your appointed Data Protection Officer and their specific responsibilities.
50Should Avery Dennison decide to terminate the contract with your company or the term of the contract reaches an end, what is your policy and procedures around data extraction and move (potentially to another vendor)?
51What actions do you have in place to prevent unauthorized viewing of customer information?
52What are the available RTO/RPO options for recovery?
53What are your disaster recovery processes?
54What are your methods for backing up our data?
55What auditing capabilities are provided? (e.g., Admin/MGMT, Billing, System Information, etc.).
56What certifications for data protection have you achieved (ISO 27001, SSAE16/18 SOC2 or FedRAM certification)?
57What happens in the event of data corruption?
58What is your data retention policy concerning customers data when they are no longer your customers? For how long is the data retained before being purged?
59What is your data retention policy concerning logs, audit trails, and historical transaction? Do we need to provide information for regulatory compliance?
60What is your process for responding to a legal hold request?
61What is your system availability (up time) and SLA?
62What mechanism are in place to detect a data breach?
63What offerings are available to back up data?
64What process or method do you use to assess your Information Security Program?
65What processes and methods are you using to properly anonymize and encrypt personal data?
66What tools are in place to manage the identification, tracking, and destruction of personal data associated with an individual?
67What type of data is consumed/used for your services? (E.g., Marketing, pricing, PII etc.). What GDPR or CCPA related fields/data is stored (First name, Last Name, E-Mail address, etc)
68What types of multifactor authentication do you support?
69When was the last time your system failed, preventing customer to have access to their data/information?
70Where does your organization store the digital personal information you are managing on our behalf? If stored with a third-party subprocessor, please identify them and where data is stored.
71Where is your data center, and what physical security measures are in place?
72Which Security Framework do you use to implement the necessary security control to protect customer’s data assets (NIST, ISO, CSF, COBIT, etc)?
73Which Web browsers (minimum version) are required for proper application functionality?
74Who can see or have access to our information?
75Will our internal and external incident response resources be able to access your infrastructure in the event of an incident? If not, how will you perform the investigation on our behalf?