Security · April 13, 2026 · 7 min read

Cloud ERP Security: Eight Questions SMEs Should Ask Vendors

Moving finance and operations to the cloud is a leadership decision. Security should be discussed in plain language: who can access what, how incidents are handled, and where your data lives.

NexWave Team

NexWave International

Use this list in a vendor call or RFI. Strong answers are specific; weak answers wave at “bank-grade encryption” without naming controls. You are looking for ownership, transparency, and operational maturity—not theatre.

1. How is single sign-on and MFA supported?

Password policies alone are not enough. Ask about SSO protocols and enforced MFA for privileged roles.

2. What is the backup and restore posture?

Frequency, retention, and tested restores matter more than “we back up nightly” on a slide.

3. Where is data stored—and can we meet residency expectations?

For AU/NZ/UK businesses, region choice and subprocessors should be documented, not hand-waved.

4. How are roles and least-privilege enforced?

Segregation of duties is easier when the ERP models real job functions—not one “admin” role for everyone.

5. What is the incident response process?

Ask for notification timelines and example communications from past incidents (redacted is fine).

6. How is encryption applied in transit and at rest?

TLS for browsers is table stakes; clarify database and object storage encryption expectations.

7. Can we export our data cleanly if we leave?

Portability reduces lock-in fear and keeps vendors honest.

8. What certifications or independent reviews exist?

ISO/SOC-style reports are not everything, but they signal repeatable process.

NexWave runs on modern cloud infrastructure with clear regional deployment options and a product team used to answering these questions for finance leaders—not only IT. Read our cloud overview or request a security-focused walkthrough.