5 Essential Security Questions to Ask Before Connecting a SaaS Application to Your CRM


In 2025, your CRM is more than a contact list: it is the operational core of the business and holds large amounts of employee and customer information. Every SaaS app you connect to it extends your attack surface. You are no longer protecting one system; you are relying on the security of every connected database, vendor and API.

Australia has already seen the consequences of this:

  • In September 2022, Optus suffered a massive breach when an unauthenticated API endpoint was left exposed on the internet. As many as 9.8 million customers had their personal information, including driver's licence numbers, phone numbers and email addresses, exposed through simple scripted enumeration of the endpoint.

If your SaaS vendor's API is misconfigured, carries outdated permissions, or lacks proper authentication, every record your CRM shares with it is at risk.

Whether it’s a marketing platform, automation tool, or customer support integration, here are five critical security questions to ask before you hit “connect.”

What formal security standards do you follow?

Why this matters:

Security frameworks such as ISO 27001, SOC 2, and Right Fit for Risk aren't just marketing or a badge on a proposal document; they show that the vendor has been independently audited and is required to maintain defined controls, from encryption to incident response. Without them, you're guessing.

What to look for:
  • ISO 27001 and SOC 2 Type II certifications

  • Right Fit for Risk alignment if you serve government or highly regulated industries

  • Evidence of regular third-party audit reports

Ask for: Copies of certificates or summaries of compliance assessments (a SOC 2 report is commonly shared under NDA). Check that the certification scope covers the product and environment you are connecting, not only the vendor's corporate IT.


How often do you conduct penetration testing?

Why this matters:

The ACSC estimates that 43% of Australian cyber incidents in 2023 involved known vulnerabilities, ones that testing could have revealed and fixed. A provider without pen testing is walking blind.

What to look for:

  • At least annual tests by an external, qualified firm

  • Retesting after any major feature release or architecture change

  • Pen test reports that confirm findings were remediated, ideally with retest evidence

Ask for: A redacted executive summary confirming both findings and remediation.


What level of access will your application have to our CRM?

Why this matters:

Over-permissioned integrations are a common root cause of breaches. In the Optus case the exposed API endpoint required no authentication at all, so anyone who found it could pull up to 9.8 million records. An integration token that carries more access than its job requires creates the same kind of exposure if it is leaked or abused.

What to look for:

  • Read-only vs read-write vs admin-level access

  • OAuth with scoped tokens rather than shared API keys or a staff member's password

  • Role-based or scope-limited API permissions

Ask for: A scope permission sheet listing every permission the app requests and why it needs it. Grant the minimum necessary access, and connect the app through a dedicated integration user or service account so its access can be revoked without affecting staff.
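A scope permission sheet is only useful if someone compares it against what the integration actually needs. The following is an added example, not code from the original article or from any vendor: a small least-privilege checker that takes the app's stated purpose and the OAuth scopes it requests, and reports scopes that are excess, missing, or administrative. The scope names use the `object.action` style of HubSpot-like CRM APIs, but the purpose-to-minimum-scope table is a constructed assumption for illustration, not any vendor's real scope sheet.

```python
"""Least-privilege review of an integration's requested OAuth scopes.

Added illustrative example (not code from the original article or from any
vendor). The MINIMUM_SCOPES table is a constructed assumption standing in
for a real scope permission sheet.
"""
from dataclasses import dataclass

# Actions ordered by power; a higher-ranked action implies the lower ones.
ACTION_RANK = {"read": 1, "write": 2, "admin": 3}

# Constructed purpose -> minimum scopes table (assumption, for illustration).
MINIMUM_SCOPES = {
    "marketing_email": {"crm.objects.contacts.read", "crm.lists.read"},
    "support_desk": {"crm.objects.contacts.read", "crm.objects.tickets.write"},
    "analytics": {"crm.objects.contacts.read", "crm.objects.deals.read"},
}


@dataclass
class ScopeReview:
    missing: set   # required by the purpose but not requested (app would break)
    excess: set    # requested but not justified by the purpose
    verdict: str   # "ok", "under-scoped", "over-privileged" or "admin"


def parse_scope(scope):
    """Split 'crm.objects.contacts.write' into ('crm.objects.contacts', 'write')."""
    obj, _, action = scope.rpartition(".")
    if action not in ACTION_RANK:
        raise ValueError(f"unknown action in scope {scope!r}")
    return obj, action


def covers(granted, needed):
    """True if `granted` is at least as powerful as `needed` on the same object."""
    g_obj, g_act = parse_scope(granted)
    n_obj, n_act = parse_scope(needed)
    return g_obj == n_obj and ACTION_RANK[g_act] >= ACTION_RANK[n_act]


def review_scopes(purpose, requested):
    """Compare requested scopes against the minimum set for `purpose`."""
    required = MINIMUM_SCOPES[purpose]
    # A requirement is missing if no requested scope is powerful enough to cover it.
    missing = {n for n in required if not any(covers(r, n) for r in requested)}
    # A requested scope is justified only if the purpose needs that object
    # at that power level or higher; write-where-read-suffices is excess.
    excess = {r for r in requested if not any(covers(n, r) for n in required)}
    if any(parse_scope(r)[1] == "admin" for r in requested):
        verdict = "admin"
    elif excess:
        verdict = "over-privileged"
    elif missing:
        verdict = "under-scoped"
    else:
        verdict = "ok"
    return ScopeReview(missing, excess, verdict)


if __name__ == "__main__":
    # A marketing tool that only needs to read contacts but asks to write them.
    result = review_scopes(
        "marketing_email", {"crm.objects.contacts.write", "crm.lists.read"}
    )
    print(result.verdict, "excess:", sorted(result.excess))
```

The interesting case is the one in the `__main__` block: the app would function (nothing is missing, because write covers read), yet it is over-privileged. That is exactly the situation a "does it work?" test never reveals and a scope review does.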


How do you handle data breaches?

Why this matters:

Under Australia’s Notifiable Data Breaches (NDB) Scheme, you remain accountable for the personal information you hold even when the breach happens at your SaaS vendor. The Privacy Act 1988 requires notification to both the Office of the Australian Information Commissioner (OAIC) and affected individuals, as soon as practicable, when unauthorised access to or disclosure of personal information is likely to result in serious harm. It doesn’t matter whose fault it is; you’re accountable, and delays or incomplete disclosures can lead to significant penalties and reputational damage.

What to look for:

  • A documented breach management policy or incident response playbook

  • A defined timeframe for notifying you when an incident touches your data

  • Explicit support for your OAIC and affected-individual notification obligations

Ask for: Their breach management policy or incident response playbook, showing how they support you in meeting your notification obligations.

How do you ensure data privacy and compliance with Australian laws?

Why this matters:

Under the Privacy Act 1988 and the Australian Privacy Principles (APPs), handling personal data improperly can result in significant penalties. The Latitude and MediSecure breaches sparked investigations and class actions, costing companies millions.

What to look for:

  • Data storage location (Australia, or overseas storage that satisfies the APP 8 cross-border disclosure requirements)

  • Encryption in transit and at rest

  • Retention and deletion policies, including deletion when the integration is disconnected

  • Formal Privacy Impact Assessments (PIAs)

Ask for: Their privacy policy and a data handling statement.

Want to see a standout example?

HubSpot’s Security Overview is a benchmark. It details their ISO and SOC certifications, encryption standards, API controls, data residency, and incident response processes. If your provider can’t match that transparency, it's time to rethink.

Already Connected Apps? Time to Audit

If you’ve already integrated apps, now is the time for a security check:

  • Review permissions: Remove any excessive access and revoke tokens for apps no longer in use

  • Request security documentation: Certificates, pen test reports, breach policies

  • Enable built-in security features: MFA and SSO on integration accounts, IP allow-listing where the platform offers it

  • Enable monitoring and alerts for suspicious activity, such as bulk record reads or calls from an unfamiliar token

  • Run a vendor risk assessment: Emerging IT's in-house security team runs an assessment that covers exactly this.
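"Monitoring and alerts for suspicious activity" is easy to list and harder to do. Below is an added example, not code from the original article or from any vendor, of the kind of detection logic that would have flagged the Optus-style access described earlier: it reads CRM API audit log lines and raises a finding when one principal walks through sequential record IDs at speed, or when a record is served to a request carrying no token at all. The log format, field names and sample lines are constructed for this example; a real deployment would map the vendor's audit export onto `parse_line`.

```python
"""Detect ID enumeration and unauthenticated record access in API audit logs.

Added illustrative example, not code from the original article or any
vendor. SAMPLE_LOG and the line format are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp, principal token, method, path, status.
# mkt-app walks contact IDs 1001..1012 in six seconds; "support" reads two
# records minutes apart; the final line has no token ("-") yet is served.
SAMPLE_LOG = """\
2025-03-01T09:00:01Z token=mkt-app GET /api/v1/contacts/1001 200
2025-03-01T09:00:02Z token=mkt-app GET /api/v1/contacts/1002 200
2025-03-01T09:00:02Z token=mkt-app GET /api/v1/contacts/1003 404
2025-03-01T09:00:03Z token=mkt-app GET /api/v1/contacts/1004 200
2025-03-01T09:00:03Z token=mkt-app GET /api/v1/contacts/1005 200
2025-03-01T09:00:04Z token=mkt-app GET /api/v1/contacts/1006 200
2025-03-01T09:00:05Z token=mkt-app GET /api/v1/contacts/1007 200
2025-03-01T09:00:05Z token=mkt-app GET /api/v1/contacts/1008 200
2025-03-01T09:00:06Z token=mkt-app GET /api/v1/contacts/1009 200
2025-03-01T09:00:06Z token=mkt-app GET /api/v1/contacts/1010 200
2025-03-01T09:00:07Z token=mkt-app GET /api/v1/contacts/1011 200
2025-03-01T09:00:07Z token=mkt-app GET /api/v1/contacts/1012 200
2025-03-01T09:01:10Z token=support GET /api/v1/contacts/5521 200
2025-03-01T09:07:40Z token=support GET /api/v1/contacts/5522 200
2025-03-01T09:10:00Z token=- GET /api/v1/contacts/2000 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
ID_RE = re.compile(r"/contacts/(\d+)$")  # constructed: record ID is the path tail


def parse_line(line):
    """Parse one constructed audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["status"] = int(e["status"])
    idm = ID_RE.search(e["path"])
    e["record_id"] = int(idm.group(1)) if idm else None
    return e


def detect(log_text, window=timedelta(seconds=60), min_ids=10, seq_ratio=0.8):
    """Return a list of (principal, reason) findings.

    enumeration: a principal fetches >= min_ids distinct record IDs inside
      `window` and at least `seq_ratio` of consecutive fetches step the ID
      by exactly 1 (the signature of scripted enumeration; 404s count too).
    unauthenticated: a record fetch returned 200 with no token present.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    by_principal = defaultdict(list)
    for e in events:
        if e["record_id"] is None:
            continue
        if e["token"] == "-" and e["status"] == 200:
            findings.append(("-", f"unauthenticated access to {e['path']}"))
        by_principal[e["token"]].append(e)

    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Sliding window: drop events older than `window` from the left.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ids = [e["record_id"] for e in evs[start:end + 1]]
            if len(set(ids)) >= min_ids:
                steps = [b - a for a, b in zip(ids, ids[1:])]
                sequential = sum(1 for s in steps if s == 1) / len(steps)
                if sequential >= seq_ratio:
                    findings.append((principal,
                                     f"enumeration of {len(set(ids))} contact IDs "
                                     f"in {int(window.total_seconds())}s"))
                    break  # one finding per principal is enough to alert on
    return findings


if __name__ == "__main__":
    for principal, reason in detect(SAMPLE_LOG):
        print(f"ALERT {principal}: {reason}")
```

The thresholds are deliberately parameters: a support desk legitimately reads a few records a minute, so the detector keys on distinct-ID volume within a window plus the step-by-one pattern rather than on request count alone. Tune `min_ids` and `window` against a week of normal traffic before turning alerts on.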

Your CRM is the lifeblood of your business. Every app connection is a trust exchange. If it hasn’t been appropriately security-checked, it could be your undoing.

Emerging IT helps Australian businesses assess integration risk, align with Essential 8 and ISO 27001, and secure their CRM. Ready to be secure?

Need to get Essential 8 Compliant Fast? See How The Essential 8 Plan Can Help.