Access control
Use MFA, SSO, and role‑based permissions; separate duties for payments vs. reconciliation.
Backups & recovery
Automate daily backups with periodic restore tests; keep at least one offline copy.
Vendor risk
Review SOC reports and DPAs; maintain a vendor inventory with data flows.
Monitoring & logging
Log admin actions and API access; set alerts for unusual export volumes.
Staff training
Run annual security and phishing awareness training with simulated exercises.
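
The export-volume alert from the Monitoring & logging item, sketched as an added example that is not part of the original checklist. The JSON-lines log format, the field names (`day`, `user`, `action`, `rows`) and the thresholds are assumptions; the log lines are constructed sample data.

```python
import json
from collections import defaultdict
from statistics import median

# Constructed audit-log events, one JSON object per line (format is an assumption).
SAMPLE_LOG = """\
{"day": "2024-05-01", "user": "alice", "action": "export", "rows": 120}
{"day": "2024-05-02", "user": "alice", "action": "export", "rows": 90}
{"day": "2024-05-03", "user": "alice", "action": "export", "rows": 150}
{"day": "2024-05-04", "user": "alice", "action": "export", "rows": 12000}
{"day": "2024-05-04", "user": "alice", "action": "export", "rows": 8000}
{"day": "2024-05-01", "user": "bob", "action": "export", "rows": 4000}
{"day": "2024-05-02", "user": "bob", "action": "export", "rows": 4200}
{"day": "2024-05-03", "user": "bob", "action": "export", "rows": 3900}
{"day": "2024-05-04", "user": "bob", "action": "export", "rows": 4100}
{"day": "2024-05-04", "user": "carol", "action": "export", "rows": 5000}
{"day": "2024-05-04", "user": "bob", "action": "role_change"}
"""

def daily_export_totals(log_text):
    """Sum exported rows per user per day, ignoring non-export actions."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("action") == "export":
            totals[event["user"]][event["day"]] += int(event["rows"])
    return totals

def unusual_exports(log_text, day, factor=5, min_history=3, floor=1000):
    """Return sorted (user, rows, baseline) for exports on `day` that exceed
    both `floor` and `factor` x the user's median over earlier days.
    Users with fewer than `min_history` earlier days are checked against
    `floor` alone, so a new account's first bulk export is not missed."""
    alerts = []
    for user, by_day in daily_export_totals(log_text).items():
        today = by_day.get(day, 0)
        history = [rows for d, rows in by_day.items() if d < day]  # ISO dates sort as text
        if len(history) >= min_history:
            baseline = median(history)
            threshold = max(factor * baseline, floor)
        else:
            baseline, threshold = None, floor
        if today > threshold:
            alerts.append((user, today, baseline))
    return sorted(alerts)

if __name__ == "__main__":
    for user, rows, baseline in unusual_exports(SAMPLE_LOG, "2024-05-04"):
        print(f"ALERT {user}: exported {rows} rows (baseline {baseline})")
```

A per-user baseline keeps routine heavy exporters (bob here) from drowning out the real outliers, which a single global threshold would not.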