When assessing your vendor, you should ask specific and relevant questions, such as:

1. Who will be accessing your sensitive data? For what purposes?

2. What security practices are in place? Are there physical security measures as well as system-wide measures?

3. What is the data migration process?

4. Where are the physical servers located?

5. Does the vendor remain up to date with industry regulations and compliance?

6. What processes are in place for requesting, approving, logging, and testing changes?

7. What policies does the vendor follow to retain and back up data?

8. Is there an effective disaster recovery plan in place?