ISpectra Technologies
Vendor Risk · Baseline

What is MVSP?

A vendor-neutral minimum security baseline — backed by Google, Salesforce and others — for what every B2B product should implement.

Definition

MVSP (Minimum Viable Secure Product) is a minimalistic, vendor-neutral security checklist for B2B products. Developed by a consortium including Google, Salesforce and Okta, it defines the baseline controls every product should have — simple enough to complete quickly during procurement and vendor security reviews.

MVSP is intentionally lightweight: a common minimum bar rather than an exhaustive framework, useful both for buyers assessing vendors and for vendors demonstrating basic security hygiene.

The four control areas

1

Business controls

Vulnerability reports, pen testing, compliance and incident handling.

2

Application design

Authentication, authorisation, encryption in transit and security headers.

3

Application implementation

Secure development, dependency and vulnerability management.

4

Operational controls

Logging, patching, backups and physical/data-centre security.

Who needs to comply?

MVSP is used by B2B software vendors wanting a quick, credible baseline, and by buyers standardising their vendor security questionnaires.

How ISpectra helps

ISpectra assesses your product against the MVSP checklist, remediates gaps, and helps you use it as a stepping stone toward SOC 2 or ISO 27001.

Talk to an advisor