What systems do you have in place to prevent ?

(Any breach is an invitation to phish your executives, Board, and others. Bad guys take advantage of user trust and will make an email look like it is coming from the BCS platform)

Where are the servers physically located? What type of physical security is in place to protect these servers?

(If you wouldn't put your intellectual property there, you don't want your Board communications there either. You will be surprised in some of the answers you get to this question.)

Does the contract state that customers must be informed of any data breach, regardless of whether there are local laws require it?