These should include:
Also look for auditing certifications, e.g., having been audited against AICPA/CICA standards. Don't just ask to see a list. Ask to see documents that substantiate their claims, such as a SOC2 (Service Organization Control) or SOC3 report.
More to the point, how are data center IT staff and other employees, other customers, and cyber-intruders prevented from viewing, copying, changing or deleting your data? What encryption, keys, and other authentication are used? Where are keys kept?
For any multi-tenant services, ask: