Fine Print Matters: 5 Tips for Asking Vendors About Their Security Practices

Ivan Milovidov, QTalo Co-Founder & Chief Information Officer

In our never-ending quest to develop QTalo into a trustworthy and reliable companion for project managers, we’re continuously learning from other key players in the business analytics market. We’ve done this through conversations and just by reading through marketing materials, terms of service, and privacy policy documents. 

Terms of service might not be high on most folks' reading lists, but I view it as a crucial tool for surveying the landscape, allowing me to identify business trends and practices. The use of AI has become incredibly useful in this regard—reading and comparing 10 documents is no longer a time-consuming task; it's done for you, and you only need to read a summary.

In this post, I’ll share the insights that you can gain from these documents along with the questions you should ask any vendor that you work with. If you’re interested in staying up to date on all of our blog posts sign up for QTalo's newsletter right here.

I find this reading particularly insightful for three reasons:

• Predictability of Data Availability: it's rare to find an established business that doesn't publish these documents. This uniformity provides a reliable source of information.
• Predictability of Data Content: both documents usually follow known frameworks and templates, meaning we can anticipate a discussion of very specific areas.
• Intentionality of Content: nothing is "accidentally" missing. Access to this data enables us to make informed and educated decisions, while a lack of data introduces uncertainty and ambiguity. If something I expect to see is missing, I take it as a sign of the vendor's reluctance to communicate certain information.

What insights can you gain from reading marketing and legal documents? You'll see the good, the bad, and everything in between. The bad examples are usually more fun. For example, I remember looking at a website full of purely photoshopped images provided as proof of existence of a superior technology, blatantly copied to the letter from an HBO show "Silicon Valley.”

Other questionable examples include topics like:

• Obscured business identities, foreign ownership, and data storage locations
• Intent to share client data with anyone willing to pay for it
• Requirements for unnecessary permissions
• Outsourcing everything to the lowest bidder
• Making statements not validated by 3rd parties (security for example)
• Having no or limited experience and expertise in their product or service area

Think that's bad? Wait until you encounter a "no value" AI disclaimer.

I was reading the Terms of Service on a website selling AI-enabled business analytics. Then I came across this: "No action should be taken based upon any information contained in the Service. You should seek independent professional advice from a person who is licensed and/or qualified in the applicable area." I remember thinking, "How do I subscribe? Do they accept Visa?"

And yes, it can get worse, especially when it comes to protecting the client's Intellectual Property (IP), with some IP disclaimers appearing as half-hearted promises not to commit a crime. What concerns me most is that, somehow, we, the users, have started to view this minimal level of commitment as adequate for addressing our genuine IP concerns, such as: "What measures will you take to prevent unauthorized disclosure?" and "How do you manage risks associated with increased vulnerability to breaches, given your practice of collecting and storing client Intellectual Property?"

This last point is a significant worry for me, having progressed from a system administrator to a Chief Information Security Officer (CISO) responsible for protecting clients operating in advanced threat environments. In cybersecurity, the term "watering hole" is used to describe a targeted attack that aims to compromise a specific business entity known for providing services or products to a particular group of users—a strategy designed to compromise many through a single point of attack. Make no mistake, business intelligence solutions that blindly collect and store client information are high-value targets. 

So, how do you survive this jungle? If you come across a great vendor and find yourself impressed by their team and product, take the time to review the fine print. Here are my five tips for what you should ask any of the vendors that you’re working with: 

1. Reach out to them with questions about their approach to safeguarding what's crucial for your success—your data. 
2. Inquire about their code management: who develops it, how it is protected, and who retains ownership. 
3. Ask whether they outsource their operations, to whom, why, and how do they ensure trust with their vendors. 
4. Request tangible proof for their claims regarding security management, compliance, and testing. 
5. Explore your rights and options for controlling your data, including the ability to encrypt it with your key and remove it at will from all locations, including backups.

You'll find that some vendors may not have answers, some may provide a few, while others, like QTalo, will not only address every question raised but also offer multiple options for many of them. We do this because we elevate transparency and choice, understanding deeply that attention to fine print is fundamental. Vendors contribute to a pool of possibilities, and some, like QTalo, are aspiring to see their reflection in this pool as the steadfast and trustworthy companion.

To stay up to date on all of our blog posts and get great resources, insights, and more, sign up for QTalo's newsletter right here.