Choosing an API Company: 14 Points for Due Diligence

Alex Mushkin

Technical depth. Benefits. Security. These are a few things that you will have on a checklist when choosing an API company. As we mentioned in part three of the Danger for Data series, taking time for due diligence is essential for your systems' security as well as your overall business needs. In this blog post, we’re picking up on the recommendations we made previously and sharing a few questions and points of consideration for your diligence discussions. Consider this a pocket guide to refer back to when evaluating a potential API vendor. We’ve also linked to a few helpful resources for additional points of reference.

Specific Questions to Ask

Below, you will find a list of recommended questions to ask when choosing a potential API company, and a little context as to why these are important points.

  1. Is the API documentation available publicly, and does it cover methods and error codes? Documentation makes it easy to integrate your workflows with the API. Essentially, this is the blueprint detailing how to use the vendor’s API. The documentation should include information such as base URLs, HTTP methods, header values, request body parameters, error codes and more. DataMotion offers a comprehensive knowledge base and ample documentation for all of our services. Our knowledge base covers all bases, giving devs the information that they need at their fingertips. Here is an example of what you should expect from your vendor.
  2. Does the company offer a pre-production sandbox environment, or other means to try the API before purchasing? You will want an opportunity to test the API before you buy. Having this option, or some other pre-production sandbox, will give you an idea of ease of use, and how to best integrate into your existing workflow without disrupting day-to-day operations.
  3. What kind of purchase plans are available, and is billing a flat rate, or related to use? Your usage needs are likely going to fluctuate, perhaps on a daily, weekly, or monthly basis. Companies will offer a variety of pricing models for you to choose from, but you should ask about tiers, and what the company offers if you do not use all of the API calls in a package. Ask what happens if they have a flat rate, and you go over the ceiling. Are there additional fees, or will these retain the same rate?
  4. What kind of rate limits does the company have? Having the right limit helps ensure that your API continues to provide a consistent experience, even as usage increases. In addition, rate limits can protect your systems against DoS attacks and improve your application’s end-user experience.
  5. What kind of consulting and support do they provide? As your organization evolves, your needs will as well, and your vendor should be prepared to consult on new solutions, or adjust to meet your changing needs. Additionally, an evolving business means evolving support requirements. Ask not only about their overall support availability, but also whether support scales based upon your package.
  6. What is their escalation process like? If there is an emergency in the wee hours, you will want to know exactly who is responsible for what, how you can reach support, and how long it will take for updates and fixes. This question, in addition to Question 5, should be part of a comprehensive discussion about support, and what will be available to you.
  7. What kind of monitoring and reporting is offered? You will want to know in real time how your API is functioning and if there are any service interruptions or other operational issues. You will also want to have reports on your users’ activity for audit tracking purposes. DataMotion recognizes the critical nature of this area and offers 24/7 activity monitoring of the DataMotion API platform, whether deployed as a public PaaS or on our customers’ private instances managed by DataMotion. A wide range of built-in reports that cover key aspects of system functionality and users’ activity are also available.
  8. Does the company offer an API that uses OAuth or SAML authentication for single sign-on (SSO)? To keep your systems secure, it’s important to select an API that follows the proper security precautions. Choosing an API company that uses a standard such as OAuth or SAML allows you to verify who is making an API call without revealing their credentials.
  9. Is there an SDK? The SDK is a getting-started point when integrating the API into your workflow, so if this or any helper libraries are offered, you will want to ensure that they align with your programming language.
  10. What kind of internal security model does the provider use? You should approach this exercise with a security-first mindset, and ask the provider about their security architecture. We recommend asking if the provider uses the zero-trust model, or any of its aspects. As part of this, ask about separation of duties, who can see what, who has access to the servers, and who is able to physically access any data centers.

Additional Points of Consideration

  1. Encryption for Data in Motion: As we’ve discussed in previous blog posts, a data breach is a matter of when, not if. Encrypting your data while in motion acts as an insurance policy. If your system is compromised, encryption makes your data and documents unreadable, and therefore useless to would-be thieves. If your solution will be exchanging any type of sensitive data, you need to choose an API that encrypts the information exchanged from one endpoint to another.
  2. Breadth and Depth: The greater the depth and breadth of an API, the more control you have over various aspects of how it interacts with your app. You will want to look for multiple types of APIs that operate at varying levels. DataMotion offers exactly this, including secure messaging, administrative, and provisioning APIs. You can read more about this in the blog “3 Things to Look for When Selecting Email Encryption APIs”.
  3. Verifiable Compliance Certifications: Any reputable API company should operate with security and compliance top-of-mind. A good indicator of this is their verifiable compliance certifications. Ask what kind of certifications the company has and where this documentation is available. By visiting our homepage, you can learn more about DataMotion’s certifications including:
      • DirectTrust/EHNAC RA, CA, HISP 
      • ONC-HIT 2015 Edition Health IT Modular Certification 
      • Use of a SOC 2- and FedRAMP-certified cloud service provider to deploy DataMotion PaaS
  4. Internal Security: To reiterate Question 10, the importance of internal security cannot be stressed enough. Ask about the company’s internal methods to keep your enterprise’s data safe when in motion. For instance, do they follow a zero-trust strategy or a similar type of security model? Get specific and granular – the vendor should be candid about their security practices.

We hope that you found these recommendations helpful. We invite you to tour DataMotion services and explore the self-service portal to learn about and trial our APIs. If you have any questions, we are happy to assist – please feel free to contact us.