by secretwho
1256 days ago
At minimum, implement your application to address the OWASP Top Ten: https://owasp.org/www-project-top-ten/
Document how you addressed these. With every new feature or change, check whether you are creating a new vulnerability.
Don't store data without a clear purpose.
Don't invent your own encryption.
Think about how data is erased or archived.
Separate the data of different tenants.
Implement a proper audit trail.
Once you gain traction: ask an independent party to do a penetration test. Be transparent to customers about vulnerabilities discovered and patched.
Limit third-party dependencies to components that get regular security patches.
You need to prove your security is better than what your customers have in-house.
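Three of the points in the comment above (separating tenant data, keeping an audit trail, and planning for erasure) shown in one data access layer, as an added example that is not code from the original comment. It assumes the caller's tenant and identity arrive in a `RequestContext` set by an upstream authentication layer (assumed, not shown); the SQLite schema, the tenant names and the documents are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass


class TenantIsolationError(Exception):
    """Raised when a caller asks for a row that is not in its own tenant."""


@dataclass(frozen=True)
class RequestContext:
    """Caller identity and tenant, assumed to be set by the auth layer upstream."""
    tenant_id: str
    actor: str


class TenantScopedStore:
    """Data access layer: every query carries the caller's tenant_id and
    every access is recorded in an append-only audit table."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        # Constructed schema for this example: one business table, one audit table.
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS documents ("
            "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, body TEXT NOT NULL)"
        )
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS audit_log ("
            "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, actor TEXT NOT NULL, "
            "action TEXT NOT NULL, document_id INTEGER, "
            "ts TEXT NOT NULL DEFAULT (datetime('now')))"
        )

    def _audit(self, ctx: RequestContext, action: str, document_id) -> None:
        # Audit rows are only ever inserted; nothing in this class updates or deletes them.
        self.conn.execute(
            "INSERT INTO audit_log (tenant_id, actor, action, document_id) VALUES (?, ?, ?, ?)",
            (ctx.tenant_id, ctx.actor, action, document_id),
        )

    def create(self, ctx: RequestContext, body: str) -> int:
        cur = self.conn.execute(
            "INSERT INTO documents (tenant_id, body) VALUES (?, ?)", (ctx.tenant_id, body)
        )
        self._audit(ctx, "create", cur.lastrowid)
        self.conn.commit()
        return cur.lastrowid

    def read(self, ctx: RequestContext, document_id: int) -> str:
        # The tenant filter is part of the WHERE clause, so a document owned by
        # another tenant is indistinguishable from one that does not exist.
        row = self.conn.execute(
            "SELECT body FROM documents WHERE id = ? AND tenant_id = ?",
            (document_id, ctx.tenant_id),
        ).fetchone()
        self._audit(ctx, "read" if row else "read_denied", document_id)
        self.conn.commit()
        if row is None:
            raise TenantIsolationError(f"document {document_id} not visible to {ctx.tenant_id}")
        return row[0]

    def erase_tenant(self, ctx: RequestContext) -> int:
        """Delete all of the caller's own data; the audit trail of what happened stays."""
        cur = self.conn.execute("DELETE FROM documents WHERE tenant_id = ?", (ctx.tenant_id,))
        self._audit(ctx, "erase_tenant", None)
        self.conn.commit()
        return cur.rowcount

    def audit_entries(self, tenant_id: str) -> list:
        # The audit trail is tenant-scoped too: a customer may inspect only their own.
        rows = self.conn.execute(
            "SELECT actor, action, document_id FROM audit_log WHERE tenant_id = ? ORDER BY id",
            (tenant_id,),
        ).fetchall()
        return [tuple(r) for r in rows]


def run_demo() -> dict:
    """Exercise the store with two constructed tenants and return what happened."""
    store = TenantScopedStore(sqlite3.connect(":memory:"))
    acme = RequestContext(tenant_id="acme", actor="alice")
    globex = RequestContext(tenant_id="globex", actor="bob")
    doc_id = store.create(acme, "acme quarterly numbers")
    own_read = store.read(acme, doc_id)
    try:
        store.read(globex, doc_id)  # cross-tenant access attempt with a valid id
        cross_tenant_blocked = False
    except TenantIsolationError:
        cross_tenant_blocked = True
    erased = store.erase_tenant(acme)
    return {
        "own_read": own_read,
        "cross_tenant_blocked": cross_tenant_blocked,
        "erased": erased,
        "acme_audit": store.audit_entries("acme"),
        "globex_audit": store.audit_entries("globex"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The design choice worth noting: the tenant id is bound into every SQL statement rather than checked after the row is fetched, so forgetting the check is a compile-time-visible omission in the query rather than a silent leak, and the denied attempt still lands in the audit log where a detection rule can pick it up.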