by nunobrito 2350 days ago
Usually involves talking with someone on the architectural level (Chief Architect, maybe CTO, VP or head of engineering if knowledgeable enough). Then involves onsite visits, questioning about where the data is hosted and factual verification of these claims.

Depending on company size/challenge, you might do some tests on their claims from the outside over the period of 24 months. For example, registering an account and then verifying if that one-time email got leaked into some other service.

Or, in cases of higher criticality, you will have monitoring of what data is coming out from the datacenter where the apps are running.

Direct access to source code reviews is rare. Albeit depending on the level of cooperation it could be a possibility.
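The one-time email check described in the comment above can be sketched as follows. This is an added example, not part of the original comment; the secret, the catch-all domain `audit.example`, the vendor names and the inbound mail records are all constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: secret held only by the auditor
CATCH_ALL = "audit.example"        # assumption: auditor-controlled catch-all domain


def canary_address(vendor: str) -> str:
    """Derive the one-time address used to register with exactly one vendor.

    The HMAC tag keeps the address unguessable from the vendor name, so mail
    arriving at it can only come from someone who obtained the address.
    """
    tag = hmac.new(SECRET, vendor.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"u{tag}@{CATCH_ALL}"


def find_leaks(registrations, inbound):
    """Attribute inbound mail to the vendor whose canary it hit.

    registrations: vendor name -> set of sender domains expected for that vendor.
    inbound: (sender, recipient) pairs observed at the catch-all domain.
    Returns (vendor, sender) for every canary hit from an unexpected sender.
    """
    owner = {canary_address(v): v for v in registrations}
    leaks = []
    for sender, recipient in inbound:
        vendor = owner.get(recipient.strip().lower())
        if vendor is None:
            continue  # recipient is not one of our canaries
        domain = sender.rsplit("@", 1)[-1].lower()
        allowed = registrations[vendor]
        if not any(domain == d or domain.endswith("." + d) for d in allowed):
            leaks.append((vendor, sender))
    return leaks


# Constructed sample data: two audited vendors and four observed messages.
REGISTRATIONS = {"vendor-a": {"vendor-a.example"}, "vendor-b": {"vendor-b.example"}}
SAMPLE_INBOUND = [
    ("noreply@vendor-a.example", canary_address("vendor-a")),
    ("news@mail.vendor-b.example", canary_address("vendor-b")),
    ("offers@bulkmail.example", canary_address("vendor-a")),
    ("someone@else.example", "unrelated@audit.example"),
]

if __name__ == "__main__":
    for vendor, sender in find_leaks(REGISTRATIONS, SAMPLE_INBOUND):
        print(f"address given only to {vendor} received mail from {sender}")
```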