The Salesforce Partner Questionnaire Checklist

Questions to Ask Before Selecting a Salesforce Partner

The Salesforce ecosystem and Sales and Marketing Operations in general are evolving at a whirlwind pace. It is almost impossible to have an internal team that includes expertise in all the platforms and disciplines required to maximize the value you get out of your platform investments.

Working with a Salesforce Partner can be an excellent way to ensure that your business goals and your Salesforce configuration are aligned, and that you are able to leverage the solutions to problems that have already been solved by them for another client.  But how do you choose the best Salesforce Consultant for your project?

When selecting a Salesforce Partner, it is key to consider some of the following items to ensure the success of your initiative and the overall health and security of your Salesforce org.

1. How much insurance do you have?

Many companies will have the standard $1 Million worth of coverage, but this may not be enough to fully indemnify your organization in the event of a major incident or security breach. We recommend ensuring that all prospective partners carry at least $5M worth of coverage; your organization will likely have a requirement around this. So find out before wasting time having a potential vendor fail during that procurement phase.

2.What kind of experience do you have regarding security, privacy, and compliance?

Consultants should be able to speak with expertise about their policies and practices around data retention and deletion, release management, consent management, and secure development.

3. Are you a Certified Salesforce Partner listed on the Salesforce App Exchange and do you have a high review score from past customers?

Reviewing their AppExchange listing is a great way to vet potential partners and ensure that Consultants are Certified Salesforce Partners, and they actually specialize in the areas of Salesforce in which you need assistance. Salesforce carefully screens every vendor before allowing them to become an official Partner and if a potential candidate is not listed on the AppExchange that can be a red flag.

4. Have you been audited by a third-party?

If Consultants have been audited, they should be able to provide proof of their internal security processes and investment in protecting data in the form of a third party SOC 2 Type 2 or ISO 27001 audit report. Again, this may be required of vendors by your security team during the vendor review process, so ask potential partners in advance if they have this.

5. How will you work with us on release management?

A good partner will recognize the value of training sessions and comprehensive documentation, but also work with you on release management. They will help you to identify improvements, but also remediate the technical debt that will be acquired as your org continues to grow.

6. Will all team members on the project be full time employees or will some be subcontractors? If subcontractors – will you be able to ensure appropriate data residency (the work isn’t being done offshore), security, criminal record policies etc are followed? Are the subcontractors using subcontractors? Where in the world are they located?

Remember, even in a Partial Sandbox, a vendor (or subcontractor) will have access to some of your client data, including PII. You should know how that is being protected and if there’s a possibility that it would be accessed beyond your geographically acceptable borders.

Speak with your own security team and ask for the most common questions they pose to new vendors. Ask these in your initial interviews. If the potential vendor can’t answer them thoroughly you know they won’t pass your security review after you’ve spent the time vetting them in other ways as a vendor. (For reference, we often receive 300-400 question screening documents we have to complete as part of the security review process before doing Salesforce work for clients.)

7. What is your pricing model?

Is it a fixed-rate pricing? Is everything retainer-based or would you be billed hourly? Many companies prefer a predictable payment schedule with a flat rate so that they aren’t surprised with unexpected invoices.

8. Can you answer these security-related questions and requests?

a) Have the services being provided been audited in the past year for Privacy, Information Security, Disaster Recovery, Operations, Technology by an independent third-party? Please provide the letter of attestation or similar from the auditor.

b) List all countries where any team members, subcontractors or vendors applied to this project will be located and/or have access to any data. And will you be storing any data?

c) Provide a sample of five of your organization’s Security and Privacy policies, for example:

• Information Security Policies
• Acceptable Use Policy [Code of Conduct]
• Access Control Policy
• Password Policy
• Vulnerability Management Policy
• Physical Security Policy
• Data Classification and Handling Policy
• Incident Response Policy and Procedure
• Secure Development Lifecycle Policy
• Logging and Monitoring Policy
• Mobile/BYOD Policy

d) Will any subcontractor or other third-party be used to complete the work being discussed? Provide details on where and the work being completed. Provide a list of third-parties & sub-contractors that would be included in the delivery of services. Provide documentation demonstrating due diligence, geography and what services they provide, including types of data involved, NDA, security background checks, etc.

e) Do you conduct annual penetration testing to identify vulnerabilities and attack vectors that can be used to exploit your systems and teams?

f) Are all visitors to the vendor’s (and subcontractor’s) offices required to sign in, and provide a government issued ID? Is a digital, auditable record kept of all visits?

g) Are physical access controls (card keys, biometrics, physical keys, etc.) in place to control access to the vendor’s facilities?

h) Must all employees and subcontractors use vendor issued laptops to complete work?

 

We know. It’s not a short list of questions. BUT it is useful to make sure you get clear answers to all of the above to make sure you’re selecting the right Salesforce Consulting partner/Solution Integrator for your organization. To keep things simple for you, we’ve also created a downloadable “Salesforce Partner Questionnaire” resource for reference.

Any questions? Or need some advice? Get in touch. We’d be happy to hear from you as you work through your selection process.