Is a SaaS company who provides a point of sale to clients still bound to FTC regulations even if we’re technically not the business entity using the data (just storing it?)

I apologize if this seems like a stupid question, but I just started working for this company. They have no IT people, minimal security infrastructure, and are extremely cost-conscious. So before I pull out the FTC Safeguards Rule, I want to make sure I am getting this right so as not to lose trust with the company owner.

Our software allows business owners to sell clients merchandise (but it outsources the actual credit card processing to another company), collect and …

business clients cybersecurity data ftc point of sale regulations saas sale