If you’re a SaaS vendor and you aim at big enterprise, not just web customer, you will need the following in place: information security plan, disaster recovery plan, privacy policy, different insurances like cyber security, SLA, GDPR agreement, accessibility features, and some more. At some point you will also need a soc 2 certificate. It won’t help you to say that AWS has has it you gotta have it.