What type of data is transmitted, processed, generated and/or stored by the application/service?
Does this include sensitive (personal, health, financial, etc.) data?
Is data encrypted in transit?
Is data encrypted at rest?
How are keys/secrets managed?
Who has access to Personally Identifiable Information (PII)?
Who has access to Protected Health Information (PHI)?
Is code stored in source control? Are cleartext passwords present in source control?
What is the data backup strategy?
What are the sanitization processes for things such as back-up tapes, failed hard drives, and other storage media?
How is patching of the software/application implemented?
How does data get to the application/service? Do external users have a way to load it? Is there a data synchronization process with other systems?
How does the software/application ensure data integrity (input validation and other related techniques)?
Are you participating in a bug bounty program?
Where is data stored? (local, data center, cloud?) If cloud, is it public, hybrid or private cloud?
What encryption is used for data at rest and in transit? How are users authenticated?
Are strong password rules applied?
Is multifactor authentication used? Is Google SSO supported? If so, what access to G-Suite data/services will be used by the application?
How is authorisation of users managed?
Is role-based access used?
Are secure code development practices used to develop the product (code reviews, segmented environments, etc.)?
Does the vendor have a responsible disclosure / vulnerability disclosure program?
Does the vendor conduct pentesting of the product and platform?
Who is responsible for maintenance and update of the software?
Does the vendor have any InfoSec relevant certifications or references to good practices/standards followed?
Data availability: Redundancy/backups/snapshots (this is usually based on the cloud provider's good practices/controls in place).