6 Security Questions to Ask Your ETL Vendor

The right ETL vendor can have a massive impact on your overall level of data security. As with any professional partnership, it’s essential to get off on the right foot. You can do this by looking at the product features and asking whether they truly align with your needs.

More importantly, try to have a conversation with your vendor. Talk to them and see if they understand your needs. Here are a few questions to ask when you approach a vendor.

How can your platform help protect our PII, PHI, and othersensitive data?

There’s no one-size-fits-all approach to data security, so your vendor shouldn’t offer a one-size-fits-all answer to this question. Instead, they’ll talk to you about your particular needs and explore issues like:

• What kind of sensitive data do you collect?
• How do you store and process this data?
• What territories do you operate in?
• Who is using the data?
• What kind of production systems and storage solutions are you using?
• What are your analytics objectives?

This will help them understand your needs and also to identify potential risks in your data strategy. The vendor should then be able to suggest ways that their ETL solution will be able to help

What examples can you share of how you have helped other clients with their data security?

Many ETL vendors have worked on big projects for major organizations. They’ll have experience with complex data infrastructures, and they’ll know how their solution can address real-world problems.

Ask your vendor for case studies and testimonials to show that they have this kind of background. This will allow you to gauge their reputation and see if you’re working with someone you can trust. Case studies will also let you know if they have dealt with organizations like yours in the past.

What features does your platform have to maintain compliance with regulations such as GDPR, CCPA, HIPAA?

Any reputable vendor will already be compliant with all major regulations. For example, Integrate.io ETL meets the requirements of GDPR, transforming data in the EU, and offers an updated Data Processing Addendum (DPA) to support customers’ GDPR compliance needs.

Your vendor should understand how regulations might impact you and offer advice on how to stay compliant. Remember – you are the responsible party if your third-party ETL service causes a compliance breach. Protect yourself by choosing a partner that understands the law.

How can your data security team assist with our data security strategy and implementation?

If your ETL vendor has a security-first mindset, they’ll be able to offer advice and suggestions about keeping your data safe. They may offer some resources on building an effective data strategy, as well as guidelines on meeting standards such as SOC 2.

The simplest way that ETL vendors can help is by offering a secure one-to-one data pipeline between systems. This is much more secure than the many-to-one architecture of some infrastructures.

How do you remove/encrypt sensitive data in Europe for GDPR before moving data to the U.S. or elsewhere for centralized analysis?

Moving data across national borders is increasingly tricky in terms of compliance. Unfortunately, most organizations need to move data internationally. Even if you don’t have an office abroad, you might use an accounting, analytics, or storage service based in another country. Sending data to them could put you in breach.

ETL makes things much easier by offering tools such as data obfuscation and field-level encryption. These transformations (performed in an EU data center) can make data compliant before transit. You can then allow your data pipeline to run as normal without worrying about breaches.

Does your platform support field-level encryption for sensitive data fields?

Field-level encryption is the most secure way to protect personal information. Encryption happens before data leaves your network, and there’s no way to decrypt it without the relevant key. It’s a failsafe system – if hackers manage to access your data, they won’t be able to interpret it.

It’s important to ask whether your vendor offers field-level encryption. Also, ask them:

• High-speed transformations on a staging server
• Automated integration with most major production systems and data repositories
• No-code data pipeline automation
• 24-hour support and error recovery

With Integrate.io, you can encrypt and decrypt from the expression editor, using the Encrypt() and Decrypt() commands.