1. Is your service multi-tenant? Can an enterprise manage their users and data independent of other enterprises using their service or is your
service more like a consumer service?
2. Do you support any sort of enterprise identity? If so, do you support SAML, openID or user provisioning APIs?
3. What level of audit logging do you perform? All read/write of data? Do you support ability for customers to view only their activity logs?
4. What level of penetration testing do you perform? Is it done by 3rd parties? How often are these tests performed?