Access Control Model
Least privilege. Role-based permissions. Regular access reviews. A dormant admin account is a breach waiting to happen.
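As an added example (not part of the original page), the following script performs the kind of access review the line above calls for: it flags admin accounts that have not logged in within the policy threshold, and admin accounts that have never logged in at all. It assumes the CRM can export users as records with a username, a list of roles and a last-login timestamp; the role names, the sample users and the 30-day threshold are invented for the example.

```python
"""Added example: a minimal access review that flags dormant or never-used
admin accounts in a CRM user export.

Assumptions (not stated on the page): users export as records with
username, roles (list) and last_login (ISO 8601 string, or None when the
account has never signed in). Which roles count as "admin" and how long an
admin may sit idle are policy choices, passed in as parameters here.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample export; in practice this comes from the CRM user API.
SAMPLE_USERS = [
    {"username": "alice", "roles": ["sales_rep"], "last_login": "2024-06-01T09:12:00+00:00"},
    {"username": "bob", "roles": ["crm_admin"], "last_login": "2024-05-30T14:03:00+00:00"},
    {"username": "carol", "roles": ["crm_admin", "sales_manager"], "last_login": "2024-01-15T08:00:00+00:00"},
    {"username": "svc-migration", "roles": ["crm_admin"], "last_login": None},
    {"username": "dave", "roles": ["support"], "last_login": "2023-11-02T10:00:00+00:00"},
]

ADMIN_ROLES = {"crm_admin", "security_admin"}  # assumed role names for this example
REVIEW_TIME = datetime(2024, 6, 10, tzinfo=timezone.utc)  # "now" for the sample run


def dormant_admins(users, now, max_idle_days=30, admin_roles=ADMIN_ROLES):
    """Return (username, reason) for every account holding an admin role that
    has not logged in within max_idle_days, or has never logged in at all.

    Non-admin accounts are deliberately out of scope: the review targets the
    roles whose compromise hurts most. dave is idle too, but he is not admin.
    """
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for u in users:
        if not admin_roles.intersection(u["roles"]):
            continue
        last = u["last_login"]
        if last is None:
            # Provisioned with admin rights but never used: the classic
            # forgotten service or migration account.
            findings.append((u["username"], "admin role but never logged in"))
            continue
        last_dt = datetime.fromisoformat(last)
        if last_dt.tzinfo is None:  # treat naive timestamps as UTC
            last_dt = last_dt.replace(tzinfo=timezone.utc)
        if last_dt < cutoff:
            idle = (now - last_dt).days
            findings.append((u["username"], f"admin idle for {idle} days"))
    return findings


if __name__ == "__main__":
    for name, reason in dormant_admins(SAMPLE_USERS, REVIEW_TIME):
        print(f"{name}: {reason}")
```

Run on the sample data, the review flags carol (admin, idle since January) and svc-migration (admin, never logged in) while leaving bob, who is an active admin, and dave, who is idle but holds no admin role, alone. The output is a list to act on: disable the dormant accounts or strip the admin role, then re-run the review on the next cycle.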
Data Residency
Know where customer data lives, including backups and replicas. GDPR, regional data-protection laws and customer contracts often dictate where data must sit.
Audit Logging
Every access, every change, every export. Retained per policy, stored where the users being audited cannot edit or delete it. Alert on anomalies: mass downloads, unusual access patterns.
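To make "alert on anomalies" concrete, here is an added example (not code from the page) that runs two detections over constructed CRM audit-log lines: a mass-download rule that sums exported rows per user over a sliding window, so that an export split into small chunks is still caught, and an enumeration rule that counts distinct records read per user over a window. The log schema (fields ts, user, action, records, record), the sample users and the thresholds are all assumptions for the example; tune them to the real log format and to normal business volume.

```python
"""Added example: two sliding-window detections over constructed CRM audit
log lines, one for mass downloads and one for record enumeration.

Assumed log format (not from the page): one JSON object per line with ts
(ISO 8601), user, action (read|update|export), plus records (row count) on
exports and record (id) on reads. Thresholds below are illustrative.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. alice is a normal user. mallory exports in chunks
# of 900 rows, each of which would pass a naive per-event limit of 1000.
BASE_LOG = """\
{"ts": "2024-06-10T09:00:00", "user": "alice", "action": "read", "record": "acct-1"}
{"ts": "2024-06-10T09:05:00", "user": "alice", "action": "export", "records": 200}
{"ts": "2024-06-10T09:30:00", "user": "alice", "action": "read", "record": "acct-2"}
{"ts": "2024-06-10T22:01:00", "user": "mallory", "action": "export", "records": 900}
{"ts": "2024-06-10T22:04:00", "user": "mallory", "action": "export", "records": 900}
{"ts": "2024-06-10T22:08:00", "user": "mallory", "action": "export", "records": 900}
{"ts": "2024-06-10T22:09:00", "user": "mallory", "action": "export", "records": 900}
{"ts": "2024-06-11T10:00:00", "user": "alice", "action": "export", "records": 200}
"""
# eve reads 60 distinct records in five minutes: scraping one record at a time.
EVE_LINES = "\n".join(
    json.dumps({"ts": (datetime(2024, 6, 10, 13, 0, 0) + timedelta(seconds=5 * i)).isoformat(),
                "user": "eve", "action": "read", "record": f"acct-{100 + i}"})
    for i in range(60)
)
SAMPLE_LOG = BASE_LOG + EVE_LINES + "\n"


def parse_log(text):
    """Parse JSON lines and sort by time; audit events often arrive out of order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def windowed_alerts(events, select, measure, window, threshold, rule):
    """Generic per-user sliding window.

    select(event) picks the events a rule cares about; measure(window_events)
    reduces the current window to a number compared against threshold. One
    alert is raised when a user's window first crosses the threshold, and the
    rule re-arms once the window value drops below it again.
    """
    windows = defaultdict(deque)
    alerting = defaultdict(bool)
    alerts = []
    for e in events:
        if not select(e):
            continue
        user = e["user"]
        w = windows[user]
        w.append(e)
        while w and e["ts"] - w[0]["ts"] > window:
            w.popleft()
        value = measure(w)
        if value >= threshold and not alerting[user]:
            alerts.append({"user": user, "ts": e["ts"].isoformat(), "rule": rule, "value": value})
            alerting[user] = True
        elif value < threshold:
            alerting[user] = False
    return alerts


def mass_download_alerts(events, window=timedelta(minutes=15), max_records=2000):
    """Total rows exported by one user within the window exceeds max_records."""
    return windowed_alerts(events, lambda e: e["action"] == "export",
                           lambda w: sum(e["records"] for e in w), window, max_records, "mass_download")


def enumeration_alerts(events, window=timedelta(minutes=10), max_distinct=50):
    """Distinct records read by one user within the window exceeds max_distinct."""
    return windowed_alerts(events, lambda e: e["action"] == "read",
                           lambda w: len({e["record"] for e in w}), window, max_distinct, "record_enumeration")


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for a in mass_download_alerts(evts) + enumeration_alerts(evts):
        print(a)
```

On the sample log the mass-download rule fires once for mallory at 22:08, when the third 900-row chunk brings the 15-minute total to 2700, and the enumeration rule fires once for eve at the 50th distinct record; alice's two 200-row exports a day apart never accumulate. The re-arm logic keeps one incident from producing an alert per event, which is what makes a rule like this tolerable on a real queue.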
Encryption
At rest and in transit, standard. Field-level encryption for PII / PHI / PCI data, so that a copied database or backup does not expose it on its own. Key rotation per policy.
Regulatory Frameworks
SOC 2, ISO 27001, HIPAA, GDPR. Your CRM’s compliance posture affects what industries you can serve. Get the reports and read them: the scope, the exceptions and the period covered matter more than the badge on the vendor's website.