A security analyst is reviewing the security of a SaaS application that the company intends to purchase. Which of the following documentations should the security analyst request from the SaaS application vendor?

A service-level agreement (SLA) outlines the expected level of service provided by the vendor, including uptime guarantees and support response times. While important for understanding service commitments, it does not specifically address the security measures or compliance status of the application, which are paramount for a security analysis.

A statement of work (SOW) details the specific tasks and deliverables the vendor is expected to provide during a project. This document focuses on project management and deliverables rather than security protocols or assessments, making it less relevant to the security evaluation process.

A data privacy agreement outlines how the vendor will handle and protect sensitive data. While it is essential for understanding data handling practices, it does not provide comprehensive insights into the overall security measures or risk management strategies that a third-party audit would cover.