The CRM security checklist: 10 things to verify before you buy
A practical pre-purchase checklist covering 2FA, tenant isolation, encryption, audit logs, data residency, and the contractual fine print most vendors hope you skim.
By Jezdan Gomez
Your CRM holds the most sensitive data your company touches that isn’t a credit card number: your customer list, your deal sizes, your contract terms, your private notes about every contact. The security posture of the vendor matters — not someday, but on day one. Here are ten questions to put to every shortlist before you sign anything. Each is paired with a short note on what a bad answer looks like so you can spot the dodge in real time.
1. Is two-factor authentication available on the plan you’re buying?
Ask which tier unlocks 2FA enforcement (admin-mandated, not opt-in). A bad answer: “That’s an Enterprise feature.” 2FA is a free open standard. Gating it is a pricing decision, not a cost decision. More on this in why CRMs should ship 2FA by default.
2. How is tenant data isolated?
Ask whether they use a shared database with row-level filters, a schema per tenant, or a database per tenant — and how queries are scoped at the application layer. A bad answer: a vague reference to “industry-standard isolation” with no specifics. The walkthrough we wrote in tenant isolation explained covers what the answer should sound like.
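As an added illustration (not the article's or any vendor's code) of what "scoped at the application layer" should mean under the shared-database, row-filter model: every read goes through a repository object built for the caller's tenant, which adds the tenant predicate itself, beside the lookup-by-id-only pattern that a vague answer usually hides. The table, tenant names and rows are constructed sample data in an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data: two tenants sharing one contacts table.
SEED_ROWS = [
    (1, "acme", "Alice Example", "renewal at 40k"),
    (2, "acme", "Bob Example", "churn risk"),
    (3, "globex", "Carol Example", "pricing: 12k"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, "
        "name TEXT NOT NULL, notes TEXT)"
    )
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", SEED_ROWS)
    return conn

def get_contact_unscoped(conn, contact_id):
    """The weak pattern: filters on the primary key only. The query is
    parameterised, but nothing ties the row to the requesting tenant, so a
    request from tenant A that carries tenant B's id returns B's row."""
    return conn.execute(
        "SELECT id, tenant_id, name, notes FROM contacts WHERE id = ?",
        (contact_id,)).fetchone()

class TenantScopedContacts:
    """Repository bound to one tenant; every query carries the tenant
    predicate, so request handlers cannot forget it."""
    def __init__(self, conn, tenant_id):
        self.conn = conn
        self.tenant_id = tenant_id

    def get(self, contact_id):
        # Returns None for an id that exists but belongs to another tenant.
        return self.conn.execute(
            "SELECT id, tenant_id, name, notes FROM contacts "
            "WHERE tenant_id = ? AND id = ?",
            (self.tenant_id, contact_id)).fetchone()

    def list_ids(self):
        rows = self.conn.execute(
            "SELECT id FROM contacts WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,))
        return [r[0] for r in rows]

def demo():
    conn = make_db()
    leak = get_contact_unscoped(conn, 3)                   # globex row, no tenant check
    blocked = TenantScopedContacts(conn, "acme").get(3)    # None: scoped lookup refuses it
    return leak, blocked

if __name__ == "__main__":
    leak, blocked = demo()
    print("unscoped lookup of id 3:", leak)
    print("acme-scoped lookup of id 3:", blocked)
```

A vendor whose answer matches the second shape (tenant bound once, predicate added centrally) is describing real application-layer scoping; one whose answer matches the first is relying on nobody asking.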
3. Is data encrypted at rest and in transit?
Both should be table stakes in 2026. Ask which cipher and protocol are used (AES-256 at rest, TLS 1.2 or newer in transit) and whether they manage the keys themselves or use a managed KMS. A bad answer: “We’re working on it.” Walk away.
4. Are there audit logs — and can you export them?
You want a tamper-evident record of who accessed what, who changed what, and when. You also want to be able to ship those logs into your SIEM if you have one. A bad answer: logs exist but are only visible to the vendor’s support team. If you can’t see them yourself, they don’t count for your audit.
5. Where does the data physically live?
Ask for the cloud provider and the region. If you have GDPR exposure, ask whether EU data stays in the EU. If you have customers in regulated industries, ask about US-only deployments. A bad answer: “Globally distributed” with no specifics. That usually means whatever is cheapest that month.
6. What is the SOC 2 status?
Ask whether they have a SOC 2 Type II report and how recent it is. Type I (controls exist at a point in time) is weaker than Type II (controls operated effectively over a period). A bad answer: “We’re SOC 2 compliant” with no report available under NDA. Compliance without evidence is marketing.
7. What are the password policy and session controls?
Ask about minimum length, complexity rules, breach-list checking (HaveIBeenPwned-style), and session timeout, and whether admins can configure these org-wide. A bad answer: “Users can pick their own password.” That is not a policy.
8. How are sessions managed?
Are sessions revocable from a single dashboard? Does a password change invalidate active sessions? Are there idle and absolute timeouts? A bad answer: sessions live for thirty days with no way to force-revoke them. That’s a stolen-laptop problem waiting to happen.
9. How are API keys scoped and rotated?
Each integration should have its own key with the minimum required scopes. Keys should be rotatable without downtime, and revocation should be one click. A bad answer: one workspace-wide API key that nobody remembers who provisioned, with no rotation policy.
10. What are your data export and deletion rights?
Can you export your full data set — not just contacts but notes, activities, attachments, custom fields — on demand? How long does deletion actually take after you cancel? A bad answer: “Contact support” with no SLA, or a deletion window measured in “up to ninety days.”
Use it as a scoring sheet
Print this list, send it to your three shortlisted vendors, and score the answers. The vendor that answers all ten precisely and in writing is almost always the better long-term partner — regardless of how the demo went.
Vanta CRM’s answers are on the security page, with no NDA wall. If anything on your list isn’t covered there, ask us.