Security and compliance basics every software buyer should ask about
You do not need to be an expert. Ask the right questions about data, access, and incident response.
Whether you are buying custom development or subscribing to a product, you should know where your data lives, who can access it, and what happens if something goes wrong. You do not need a checklist from a standards body on day one. You need sensible answers.
Ask about encryption in transit and at rest, backup frequency, and how credentials and API keys are stored. Ask how production access is limited and logged.
If you handle personal data, understand retention: what is deleted when an account closes, and whether subprocessors are involved.
At Cyverix, we align engineering choices with the client’s risk profile. Startups may accept different tradeoffs than regulated industries; the important part is that those tradeoffs are conscious and documented, not accidental.
A practical starting point is access control. Who can deploy? Who can view production logs? Who can read the database? The fewer people with broad access, the smaller your blast radius when something goes wrong.
Next, look at secret management. API keys should not live in plain text on laptops or in chat. Use a secrets manager, restrict permissions, rotate regularly, and log access where possible.
Backups are only useful if restores work. Ask how often restores are tested and what the recovery time objective (RTO) is for your product. A backup that cannot be restored is not a backup.
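The restore test described above, written out as an added example (this is not code from the original article or from Cyverix): it takes a backup of a constructed SQLite database, restores it into a fresh file, checks integrity and row count, times the restore against an assumed RTO budget, and reports failure when the backup file is damaged. The table name, row count and the RTO_SECONDS value are assumptions made for the drill.

```python
import shutil
import sqlite3
import tempfile
import time
from contextlib import closing
from pathlib import Path

RTO_SECONDS = 5.0  # assumed RTO for this drill; a real value comes from the product's recovery requirements

def make_sample_db(path):
    """Create a constructed stand-in for a production SQLite database (3 rows)."""
    with closing(sqlite3.connect(path)) as conn, conn:  # `conn` as context commits on exit
        conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
        conn.executemany("INSERT INTO accounts (email) VALUES (?)",
                         [("a@example.com",), ("b@example.com",), ("c@example.com",)])

def take_backup(src_path, backup_path):
    """Take a consistent online copy using SQLite's backup API."""
    with closing(sqlite3.connect(src_path)) as src, closing(sqlite3.connect(backup_path)) as dst:
        src.backup(dst)

def restore_drill(backup_path, restore_path, expected_rows, rto_seconds=RTO_SECONDS):
    """Restore into a fresh file, verify it is readable and complete, and time the whole thing."""
    start = time.monotonic()
    result = {"integrity_ok": False, "rows_match": False}
    shutil.copyfile(backup_path, restore_path)
    try:
        with closing(sqlite3.connect(restore_path)) as conn:
            result["integrity_ok"] = conn.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
            rows = conn.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]
            result["rows_match"] = rows == expected_rows
    except sqlite3.DatabaseError as exc:  # unreadable or malformed backup file
        result["error"] = str(exc)
    result["elapsed_s"] = time.monotonic() - start
    result["within_rto"] = result["elapsed_s"] <= rto_seconds
    result["restore_ok"] = result["integrity_ok"] and result["rows_match"] and result["within_rto"]
    return result

def run_drill(corrupt_backup=False):
    """End-to-end drill in a scratch directory; corrupt_backup simulates a damaged backup file."""
    with tempfile.TemporaryDirectory() as d:
        src, bak, rst = (str(Path(d) / n) for n in ("prod.db", "prod.bak", "restored.db"))
        make_sample_db(src)
        take_backup(src, bak)
        if corrupt_backup:
            with open(bak, "r+b") as f:
                f.write(b"\0" * 100)  # clobber the header so the file no longer parses as a database
        return restore_drill(bak, rst, expected_rows=3)
```

A scheduled job that runs `run_drill()` against a real backup, with the row count taken from the source at backup time, is the minimum evidence that the backup is restorable.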
For compliance conversations, clarity beats buzzwords. Even if you are not pursuing SOC 2 today, you can still adopt the habits: documented processes, least privilege, and audit trails for sensitive actions.
Security is not a one-time checkbox; it is a rhythm. The goal is to make secure behavior the default, not an exception that depends on one careful engineer.
Author
Cyverix Solutions