Tell me more ×
Answers OnStartups is a question and answer site for entrepreneurs looking to start or run a new business. It's 100% free, no registration required.
up vote 3 down vote favorite

We have a SAAS product for a specific industry where we host this application for multiple companies. Since they belong to the same industry one of the key concerns of my potential customers is the data theft or privacy. How can I alleviate these concerns? Any thoughts?

Additional information: We are using Amazon web-services as one of our first step to increase the confidence of our to-be customers. It is NOT technical issue but the potential damage I can do to them by selling their valuable client's data to their competitors.

Again many thanks for your inputs so far.

share|improve this question

4 Answers

up vote 1 down vote accepted

one of the key concerns of my potential customers is the data theft or privacy. How can I alleviate these concerns?

Are you certain that it's a key concern? I ask because enterprise'y people often ask for all kinds of paperwork without really understanding it/needing it. If it's really a key concern, then IMHO you need to consider many things...

On the IT / software side:

  • Consider perhaps not using common application development platforms, but using "accepted enterprise standards" like Salesforce's Force platform.

  • Or, using common tools like SQL databases, but developing a true multi-tenant data architecture, and write a fancy whitepaper about the approach you're using. (Hard to do.)

  • And/or offering a dedicated virtualized environment (one set of EC2 instances exclusively for use by one customer) (sell this as a very expensive add-on if at all possible).

  • Additionally, write some nice whitepapers about your security audit methodology, certifications, etc. Maybe contract a small security audit company somewhere write an objective report on their findings on your architecture. In general, produce paper that shows compliance to industry standards.

On the people & process side:

  • Clear confidentiality agreements with all employees and external temporary contractors. Make them really solid, and use a good lawyer.

  • A clear Privacy Policy and Terms of Service on your site. See the past answers here, fx Dana Shultz's answers. These documents are important in a B2B setting, and getting them right is not trivial -- use a good lawyer.

  • Really design with security and data confidentiality in mind -- have a good process around security audits and architecture reviews.

We are using Amazon web-services as one of our first step to increase the confidence of our to-be customers.

Actually, I don't think that is a positive thing. There is lots and lots of confusion about what "the Cloud" is among my large-company friends. I would not disclose how my service is hosted, but instead focus on methodologies and certifications -- my own methodologies for security audits fx, and the hosting centers certifications (fx SAS 70). But don't take my word for this -- ask some potential customers of yours.

share|improve this answer
The question was about confidence building measure about this new product. I have a solid multi-tenant working model, so the people and process side really makes sense. One more item I would add to the list is some virus and privacy assurance company labels such as Norton etc. – user6133 Jan 17 '11 at 16:54
up vote 3 down vote

Just go through how you have made your service secure and that it has been created in a way that only allows people to access their own accounts. If they have any individual questions beyond that, talk with them and let them know that their data is in safe hands.

share|improve this answer
Thanks Jetti, I am trying to figure this a bit more but seems like they do trust SalesForce than a startup. May be they have concern that our company may sell their information to their competitors. – user6133 Dec 23 '10 at 18:52
@SmartSaas - I just think that they are just concerned about losing valuable information (which is understandable). It is important for you to make them feel comfortable about the whole situation. Once you gain momentum in the industry, you'll probably deal with this issue less (as you mentioned trusting SalesForce more than a startup). Also, they may want to know what you will do with their data if, heaven forbid, your company goes under (you would still be able to do a lot of damage) as they may believe Salesforce will be around forever. – Jetti Dec 23 '10 at 19:29
up vote 0 down vote

I agree with Jetti. It would also help if you are using a reliable hosting/cloud provider company such as Rackspace, Amazon or Microsoft (Azure) to host this SaaS application and all of the data. These companies have gone through a lot of time (and money) to make sure the data and servers are not compromised.

So, even if yours is a startup, you can explain how all of the servers and data are very well protected (physically and electronically) by very high standards by the companies hosting the application and data.

There is also the application security which Jetti already mentioned where you can describe how the data for each customer is kept private, etc...

share|improve this answer
1  
One thing, Rackspace Cloud Servers and Amazon EC2 ar not by default fully managed services -- ie. there is no operating system patching, security updates, security audits, etc. With these providers the security of the base system and custom applications remains your own responsibility. – Jesper Mortensen Dec 23 '10 at 23:44
True, I was referring to the advantage of using servers in a reliable environment, with lots power redundancy, etc... the security of the operating system, updates, etc, is still your responsibility. Thank you for the heads up and clarification. – Ricardo Dec 27 '10 at 3:36
up vote 0 down vote

The solution you describe is also known as a multi-tenant, where multiple customers data is stored in one DB. There are a lot of benefits of this approach (one backup, less DB management, etc)

The big problem I have seen with this in the field is that if you have bugs in your SQL, it is quite easy for a SQL SELECT statement to pull multiple companies' data if you forget (or make a mistake) with the WHERE COMPANYID='xxx'. If you botch this, suddenly your customer may see ANOTHER customer's data on their screens. When this happens, customers freak out!

Similarly, if a hacker manages to perform a SQL injection attack, they may be able to see data for all customers, just by getting into your one database.

So, the alternative is to give each customer their own database. And connect to a different database depending on the company/customer that logs in. Then it is not possible to get data from ANOTHER company by accident. But it can be harder to manage. For example, there are often limits on the number of databases a single database server can handle.

So what to do? Most customers are not going to care that much, and if you do a great job, you'll never see a problem. If you are careful, a multi-tenant solution is easier to maintain and may be easier to develop.

I have also worked at companies where ONE customer was so picky that they required their own database -- even though the solution was multi-tenanted. And we did it for them to get the deal.

There are a lot of resources on this issue on the internet:

  • Stack Overflow discussion
  • Joel Spolsky talked about it on his podcast here
share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.