I would look for a SSAE 16 from vendors that store your customer data at their data center site. Examples: Core processing vendor if you have an outsourced relationship. Online banking vendor, website vendor, or any vendor storing your customer or confidential data on their servers at their data center.