Next up, drill into the technical aspects of your provider’s security, disaster recovery, and operations, such as: - Encryption. Ensure your integration provider encrypts all data, authentication, and tokens in transit and at rest - Network security. Your provider should confirm that it can encrypt all communications between its embedded integration platform, your company, and end customers via HTTPS Customizable log data retention. The vendor should offer flexible log data retention policies designed to fit your customer data processing requirements - Session management. Your provider should monitor sessions by IP address, location, time, browser, and operating system and should be prepared to revoke access to prevent unauthorized access to your account - Two-factor authentication. For your developers, services, or administration team building and managing integrations, the provider should offer two-factor authentication for a second layer of protection - Behavior modeling. Your provider should have the capability to auto-detect unusual or suspicious activity on a user’s account - Penetration testing and vulnerability scans. Your provider should undergo regular penetration testing by independent third parties to ensure that its platform is secure. The vendor should also perform vulnerability scans on internal and external cloud-hosted systems. In addition, your provider should perform dynamic app security testing to ensure your data is safe from outside threats. - Daily offsite backups. Your provider should perform backups at least daily, and store them in a separate geographic location. Backups should have at least the same level of security and encryption as above. - Strong RPO and RTO for disaster recovery. Look for vendors whose disaster recovery (DR) procedures are designed for a Recovery Time Objective (RTO) of 14 hours and a Recovery Point Objective (RPO) of 24 hours. 24