The vault is client-side encrypted, so it doesn't actually matter. My host provider could be the robot devil living in North Korea and it wouldn't matter; that's literally the defined purpose of encryption: secure communication across adversarial channels.
I don't really understand why people bother with this security theater; all the self-hosting is completely redundant.
I don't self-host because of "security theater". I do it because I want to control my data and not be at the behest of a third party to resist the siren song of enshittification.
1) I'm going to go out on a limb and guess LastPass, Okta, et al., WERE and ARE SOC2 Type II certified. Didn't stop them from getting breached.
2) SOC2 is defined by the American Institute of Certified Public Accountants. That it is held up as some sort of exemplary cyber security standard is absolutely ridiculous.
Not to defend them, but it doesn't matter if a hosting provider does that, so long as you can sue them for your full damages when it goes wrong.
That's the whole point of SaaS, isn't it? We pay you to manage this, you manage it appropriately taking advantage of economies of scale, we sue the shit outta you if it goes wrong.
The whole point of SaaS is someone the CTO can blame when things go wrong.
Doesn't matter if the downtime is higher, doesn't matter if there are more successful attacks.
If a CTO goes in-house, they carry the risk. If they outsource it to a vendor, especially one with a Gartner report, they can play golf and not risk their bonus.
Or, you might pay an insurance company to cover you for the risk - and so long as you have the right attestations from your SaaS providers, your insurer pays out in the event of a problem (and maybe goes after the SaaS if they feel the need to).