Security
You will need to initiate a Third Party Security Assessment (TPSA). This should result in a risk profile for the supplier to inform your decision making, and the security schedule for the T&Cs. You can find out whether a TPSA has already been undertaken, but be aware that the assessment might be for a different process or different level of confidentiality.
Part of the TPSA addresses the level of confidentiality of the information you are likely to process through the system and whether this involves identified or identifiable personal data, if this is the case, then you will also need to consider data privacy.