Name of the application as it’s known in the industry, preceded by a summary of the SaaS application’s capabilities as expressed by the vendor.

Default domain of the SaaS application.

Product’s service category for filtering. For example, Google Chart Tools is categorized as

Analytics

with

Business Intelligence

Level 2 subcategory and

Data Visualization

Level 3 subcategory.

Categories and subcategories are dynamic, changing over time as the product evolves or new industry categories become available. If you need custom categorization, use custom tags.

A value derived from social media statistics, including likes, followers, and reviews and used to gauge a product’s perceived quality.

Total employee count as compiled by various registries. The total is an approximation.

Date company incorporated or opened for business and as outlined in the company’s Articles of Incorporation.

Geographic location of company’s strategic planning and executive management.

Ownership shares are publicly traded vs. privately held.

You can only create recommendations for enforcement on your firewall for SaaS apps that are detected using App-ID classification. Therefore, the total number of SaaS apps in the

Application Dictionary

will be greater than the number displayed in

Select Applications

when you create a recommendation because your firewall uses App-IDs to identify traffic on your network, and a subset of the SaaS apps in the Application Dictionary do not have App-IDs.

Company’s Linkedin account where you can find more information about the company’s profile.

Indicator of future growth as measured by customer experience and loyalty: % of Promoters - % of Detractors = Net Promoter Score (NPS). For example, if a SaaS application has 35% Promoters and 25% Detractors, the SaaS application’s NPS score is 10. Passives are neutral and do not impact the score.

SaaS application is opensource. Some analysts argue that there is no evidence that open source is riskier, but there is operational risk if a SaaS vendor doesn’t have infrastructure in place to quickly apply patches to known vulnerabilities.

Privacy statement that outlines how the company’s product gathers, uses, discloses, and manages customer data is publicly available.

Website link to get more information about the SaaS application.

The niche that the SaaS product meets in the marketplace. For example, cloud storage and backup.

When in compliance with Germany’s Cloud Computing Compliance Controls Catalog (C5) recommendations, the vendor implemented operational security controls to protect against common cyber-attacks.

When in compliance with US FBI’s Criminal Justice Information Services (CJIS) policy, the SaaS application adheres to data security for sensitive criminal justice data.

When in compliance with Control Objectives for Information and Related Technologies (COBIT), the vendor implemented a security framework to ensure quality, control, and reliability of information systems.

When in compliance with US Children's Online Privacy Protection Act (COPPA), the SaaS application adheres to US Federal privacy law that governs what type of information online services can and cannot request from children age 13 and under without parental consent.

When certified with Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR), indicates that the vendor implemented advanced best practices to ensure a secure cloud computing environment. Certification is based on self-assessment and a third party audit.

When in compliance with Federal Risk and Authorization Management (FEDRAMP) program, which provides security assessment, authorization, and continuous monitoring of cloud products and services, SaaS application is authorized for Federal Agency cloud deployments.

When in compliance, with US Federal Education Rights and Privacy Act (FERPA) privacy law, the SaaS application complies with parental protections with regard to children's education records, academic and disciplinary reports, and personal and family information.

When in compliance with the Federal Industry Regulatory Authority (FINRA), a broker appears in the Central Registration Depository (CRD) system and is an indication of a security firm’s business integrity.

When in compliance with Canadian-US Generally Accepted Privacy Principles (GAPP) data privacy framework, which outlines how accounting professionals collect, use, retain, and disclose identifiable information (PII), indicates that the vendor adheres to principles that manage and prevent privacy risks in accounting, as defined by Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA). Also included in SOC 2.

When in compliance with EU’s General Data Protection Regulation (GDPR), the SaaS application complies with EU privacy laws governing the transfer of personal data outside Europe and European Economic Area.

When in compliance with Gramm-Leach Bliley Act (GLBA), the SaaS application complies with US Federal privacy laws that govern the sharing and protection of customer data.

When in compliance with Health Insurance Portability and Accountability Act (HIPPA), the SaaS application complies with laws that mandate the industry-wide standards for health care information, and protection and confidential handling of health information.

When in compliance with HITRUST CSF security framework, which instructs organizations on how to efficiently meet multiple regulations (such as and HIPAA), the vendor implemented security and privacy controls related to how the organization creates, accesses, stores, and exchanges sensitive and regulated data.

As defined by International Auditing and Assurance Standards Board (ISAE), when in compliance, the vendor’s SOC1 report adheres to the ISAE 3402 reporting standards for auditors. This report covers internal controls for financial reporting.

When adhering to this International Organization for Standardization (ISO) 27001 mandatory standard, the vendor systematically examines its controls and processes related to information security.

When adhering to this International Organization for Standardization (ISO) 27002 optional standard, the vendor considers best practices on how to implement security controls.

When statement of compliance is received, vendor, updated existing controls related to International Organization for Standardization (ISO) 27001/27002 predecessors for cloud security.

When statement of compliance is received, vendor, implemented new controls related to International Organization for Standardization (ISO) 27001/27002 predecessors for cloud security.

Quality definitions and standards for implementing an ISO 9001-certified quality management system.

When certified, indicates that the vendor’s quality management system adheres to a specific quality standard, which is based on gap analysis and internal audits. This certification is globally recognized. Ongoing evaluation and maintenance is required to retain certification, indicating that vendor consistently provides products and services that meet customer and regulatory requirements and demonstrates continuous improvement of the organization’s products, services, and/or processes.

When in compliance with US International Traffic in Arms Regulations (ITAR) export control laws that govern export of defense and military related technologies, indicates that the vendor has the necessary safeguards to protect US national security and foreign policy objectives. Compliance includes registration with US Directorate of Defense Trade Controls (DDTC).

When in compliance with US National Institute of Standard and Technology (NIS SP 800-53) standard and guidelines for FISMA compliance, indicates that the vendor adheres to regulations that govern security and privacy of federal information systems.

When in compliance with Payment Card Industry (PCI), indicates that the provider hosting your credit card data adheres to specific security best practices for storing and transmitting your credit card data in the cloud.

When in compliance with EU-US and Swiss-US Privacy Shield framework, indicates that the vendor has a mechanism in place to comply with data protection requirements when transferring personal data from the EU and Switzerland to the US.

When awarded this compliance mark by JIPDEC, vendor organized its business operations in accordance with safe and secure data standards.

When in compliance, SaaS application complies with EU-US Safe Harbor framework that governs privacy of data transfered within European Economic Area (EEA).

As defined by American Institute of Certified Public Accountants (AICPA) for Attestation Engagement Standards (SSAE), including SSAE 18, formerly SAS70 and SSAE 16, when compliant, indicates that the vendor has effective internal controls for financial reporting compatible with globally accepted accounting principles such as ISAE 3402.

As defined by American Institute of Certified Public Accountants (AICPA), for data centers and SaaS vendors, when in compliance, indicates that an independent auditing firm verified that the vendor passed a SOC 1 audit of internal controls for financial reporting in accordance with SSAE 18 standards, which includes Type 1 (snapshot in time) and Type 2 (6-month period) reports.

As defined by American Institute of Certified Public Accountants (AICPA), for data centers and SaaS vendors, when in compliance, indicates that an independent auditing firm verified that the vendor passed a SOC 2 audit in accordance with SSAE 18 standard and vendor received a SOC 2 report, which is written for a customer audience. This audit offers assurance related to:

As defined by American Institute of Certified Public Accountants (AICPA), SOC 3 audit covers the same audit as SOC 2—including security, availability, processing integrity, and data privacy. However, a SOC 3 audit results in a SOC 3 report, which has less detail and specifically written for a general audience.

When in compliance with Sarbanes-Oxley Act (SOX), vendor had an independent, annual audit whereby vendor provided proof of accurate and secure financial reporting.

Based on the SaaS app’s terms and conditions, one of the following values displays:

IP based restriction is the ability to restrict login access to the SaaS application for specific IP addresses. Based on the SaaS application’s capabilities, one of the following values displays:

Multi‑factor Authentication (MFA) offers an additional layer of security for login access. Based on the SaaS application’s capabilities, one of the following values displays: