in regards to item#1 - you may be able to request the SOC2 report that shows their testing - item#2 locking down access by corporate IP address - we have accomplished this using the Azure AD SSO integration and only allowing access by the corporate public IPs. item#3 - can be done via azure ad sso. also #4 MFA was accomplished using azure ad sso integration as well