26th October 2021
Insufficient Data Security and Confidentiality

Concern #5: Insufficient Data Security and Confidentiality

Each time you move your data outside of your organization, you risk losing that data or its confidentiality. This is true regardless of where you move your data: to your client, to your cloud provider or to your outsourcing partner. However, this risk does not necessarily mean that your data will be lost or disclosed to unauthorized parties. There is a set of proven measures and practices you can take to protect your data and your confidential information when you work with outside companies.

First, we suggest you execute a data confidentiality and non-disclosure agreement (NDA) with the selected outsourcing partner. This could be a mutual NDA drafted to protect both parties legally. You can borrow practical ideas and clauses from the many good NDA samples and templates on the Internet. It’s important to make sure that the NDA obligations do not expire at the end of the outsourcing contract, but last for a period of time after your cooperation with your outsourcing partner has ended.

Furthermore, as a client, you have to make sure that your outsourcing partner pays sufficient attention to their own data security and protection. This is a complex issue that includes physical security, network protection, data backup, disaster recovery, digital hygiene and other aspects. A well-established outsourcing provider should have addressed all the major security issues by creating internal rules and guidelines, assigning corresponding duties and roles, holding staff training, etc. Formal security certifications are a good sign. If you find that your potential partner takes care of their data security as well as your own company does, it is a good indicator that your data will be safe.

Finally, we recommend that you follow the principle of least privilege. This means that a client should provide the selected outsourcing partner only with the data and the access needed for executing software development tasks, and not more. In many cases, the outsourcing partner can effectively work even without access to the production environment and the production data. If needed, sensitive data could be distorted/masked before being given to the outsourcing vendor for testing, debugging and other purposes.
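As an added illustration of masking data before it is handed to a vendor (example code written for this article's point, not a Solead tool), the sketch below exports only allowlisted columns and replaces identifiers with keyed tokens. The column names, the `POLICY` table and the sample rows are assumptions constructed for the example.

```python
import csv, hashlib, hmac, io, secrets

# Constructed sample export; every value is made up for this example.
SAMPLE_CSV = """customer_id,full_name,email,card_number,plan
1001,Alice Example,alice@example.com,4111111111111111,pro
1002,Bob Sample,bob@example.org,5500005555555559,free
1001,Alice Example,alice@example.com,4111111111111111,pro
"""

# Allowlist (hypothetical): a column not named here never leaves the organization.
POLICY = {"customer_id": "pseudonym", "email": "email",
          "card_number": "card", "plan": "keep"}  # full_name omitted -> dropped

def pseudonym(key, field, value, length=12):
    """Keyed, deterministic token: equal inputs map to equal tokens, so joins survive."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:length]

def mask_email(key, value):
    # Still parses as an address, but carries no real local part or domain.
    return f"user_{pseudonym(key, 'email', value.lower())}@masked.invalid"

def mask_card(value):
    # Truncation: keep only the last four digits.
    digits = "".join(c for c in value if c.isdigit())
    return "X" * max(len(digits) - 4, 0) + digits[-4:]

def mask_rows(csv_text, key, policy=POLICY):
    """Return masked rows containing only the allowlisted columns."""
    masked_rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        out = {}
        for column, action in policy.items():
            value = row[column]
            if action == "keep":
                out[column] = value
            elif action == "pseudonym":
                out[column] = pseudonym(key, column, value)
            elif action == "email":
                out[column] = mask_email(key, value)
            elif action == "card":
                out[column] = mask_card(value)
            else:
                raise ValueError(f"unknown masking action: {action}")
        masked_rows.append(out)
    return masked_rows

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stays with the client, never shipped to the vendor
    for masked in mask_rows(SAMPLE_CSV, key):
        print(masked)
```

Because the tokens are keyed, the vendor cannot recompute them from guessed customer IDs or e-mail addresses without the key, while repeated records still map to the same token for testing and debugging.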

And it goes without saying that you need to build an open and transparent relationship with your partner so that they immediately notify you in case of any data security violations or accidents. Together you can resolve most of the problems much faster and with lower losses.

At Solead, we pay the utmost attention to the security of any confidential information we get from our clients, by means of:

  • Cutting-edge computer network and system protection practices, including corporate and personal firewalls, regular data backups, password and access policies, etc.
  • High data security and isolation on the client and the project levels by using VPN access to the client environment and separate VLAN networks on the Solead side
  • Physical security with a 24/7 office guard, access control and video surveillance; access to the server room is granted to system administrators only
  • Mutual NDAs executed with all our clients prior to any confidential information exchange; mirrored NDAs with all our employees for a consistent legal chain

In our next post we will look at common concerns relating to the cost of outsourcing. Check for our new articles here or on LinkedIn.
