Software-as-a-service applications are really booming these days in our digital economy and they're powering many businesses of all sizes. We're all using online cloud-hosted CRM systems, emailing platforms, document sharing and others like that. A lot of startups literally run on tools like Notion, Air Table, MailChimp... and now even the enterprise clients are craving for those platforms.
Due-diligence always comes last
Every time we pick one of those new tools, we focus on its usability and the shiny features, the flexible pricing... but we often forget about the due diligence. In my office, I'm usually the one raising the alarm: where will our data be stored? How is it backed up? Can we restore it if it goes offline? Will it match our clients' data protection requirements and all the clauses we agreed in contracts?
So let's look in more details about the challenges around those SaaS platforms.
Where is my data stored / processed?
When we look at all those software as a service platforms, I really wanted to share with you today three example. Those applications we recently started using in our office (or explored using), all had very different outcomes in our due diligence review.
- The first one is a survey platform that we looked at to store, customer information. As we were submitting questions and receiving answers, they would have personal details. We looked at a tool called JOTFORM, that built a very smart feature that automatically spins up your account in the right AWS data center region, even on their free plan. There are also ISO 27001 accredited, and all of that increase the overall trust that we had in the product.
- The second option is a very famous project management tool, very popular, has a lot of features and run global accounts. However, they could not guarantee where our data would be stored: it couldn't commit to a "Europe region" only. We knew that for our corporate clients, that was a hard requirement. We couldn't upgrade and we couldn't use them for all our clients.
- Other popular no-code tools like Zapier are also exploding, but you really need to look at where the data would be stored. They are providing a clear policy on data privacy, but are you really checking to make sure that you are happy with their data retention rule? Are you really sure that they're doing the right thing by explicitly excluding and not informing users about where the data is? They highlight that they're not HIPAA compliant, so that's a good point, but as listed on their GDPR table here, they have sub-processors and they will process your data, that data will be shared with other providers, so you need to keep that in mind.
The problem that I have is that it's what I see across most other software as a service tools. They all have a data privacy policy, that's the law now, and they all claim that they can comply with GDPR, but that does not mean much unfortunately.
SaaS claim to GDPR compliance is not enough
You might argue, and we had that pushback from some of those companies, arguing that GDPR and PECR do not legally enforce that the data has to be stored in the UK or in Europe. But the problem we have, us as users in the middle, is that it's a red flag for compliance people, both in the enterprise sector and public organisations.
Our biggest clients require that their data is stored in Europe. No matter what those platforms and the tools claim, if it's not hosting in the EU, it won't get past our clients' legal team
To go back to the example of JotForm, it's all about the architecture and how they develop their products. AWS has over 25 geographic locations, so I believe that every app targeting the European market, for example, should develop it accordingly and make use of this feature. Yes, it will cost a bit more to implement, but it would open up a much bigger market across all the large enterprise accounts and government clients, because you would comply with their strict due diligence.
What can SaaS platforms do?
My message today to all SaaS platforms, most of them being based in the USA is about three things.
- First, make it easy for yourself and invest in the right hosting architecture for compliance outside of the US;
- Second, get the right ISO and SOC compliance and all the certifications, just to make sure you can pass the due diligence from key clients;
- Third, is to provide all the core security features, such as two-factor authentication, data exports... All of that should be in your standard package. You shouldn't force us to upgrade to your most expensive enterprise plan to benefit from those.
At the end of the day, this will only boost your total addressable markets outside of the US. Think about the UK and the entire European market: you will open new opportunities in the enterprise markets and with all the government clients. It can only be a benefit, seriously, so why don't you do it today?
What can we, as users, do?
Finally, my message to everyone else, working in the digital space and signing up for those tools in one click with their social login: wherever you are in your company, whether it's in the marketing team, in HR or sales, you really need to think about data privacy and data security. Always have that in the back of your mind before signing up for the latest shiny SaaS application and before you upload all your customer data!
So that's it today. If you are considering using any of those tools and you want some advice about their compliance or how you're planning on using it, or migrate some of your systems to it, just get in touch. Don't forget to subscribe to my YouTube channel and follow me on Twitter to keep learning with me and grow your career in digital.
Until next time, stay safe and see you soon.
