Ask HN: How to handle sensitive document uploads as a one-person SaaS?

15 points by wayoverthecloud 7 days ago

I am thinking of a product many businesses would find it useful but my only concern is that the product revolves around sensitive documents(like lawyer's documents but can be extended to other industries too). The product is already built by many companies but I have found a unique angle that I think would benefit my users. I am not a team and I don't know how to handle laws of sensitive documents as a business entity(and those documents might live on AWS S3/similar services).

bootstrpppin 7 days ago

This'll be unpopular, but if you want to keep it super lean and avoid being asked for compliance certs like SOC2/ISO, you could consider building it as an installable app on top of a platform your customers already trust

ie. a Salesforce App.

That way, they already use/trust the environment where the storage/processing of their sensitive data is taking place, akin to an old school 'on prem' solution (but without as much headache for you)

Worth thinking about

  • ISO27Auditor 7 days ago

    IMO just get ISO 27001 to demonstrate that you are managing the sensitive information properly, and you will also improve your client confidence.

    I work as ISO 27001 auditor, and help companies get ISO 27001 certified in no time (1-2 months), with a budget from 5k - 8k in total (external support and certification included). The goal it to keep it simple, save costs, and in the end get the company certified.

    • codingdave 7 days ago

      "Oh, wow, I had no idea it was that affordable, we should talk..." is the response you are hoping for, correct? Self-promotion is not prohibited, but it goes better if you engage with the discussions here beyond just your own marketing.

      Anyhoo, I don't think thousands of dollars for certification makes sense for a solo dev who is kicking an idea around.

  • vdvsvwvwvwvwv 7 days ago

    The helps only if your extendee is providing a PaaS for you and makes guarantees. Last time I made a slack extension, for example, I had to egress and ingress client data.

TBurette 7 days ago

I worked for a company that required security clearances. We used a SaaS to store some documents. The SaaS gave our company a document outlining their security practices and we signed up to a system where their support is unable to access our instance unless we explicitly authorized it. It was enough for our company.

purple-leafy 7 days ago

Gentleman’s agreement that you pinky promise you won’t peek if they don’t

vdvsvwvwvwvwv 7 days ago

In addition to being a 3rd party app as someone suggested, you could make it a desktop app.

You could also make it a control plane and the customers run it in their cloud. You would need a tech savvy customer who already uses say AWS.

Desktop app or Chrome extension is another possibility.

solardev 7 days ago

I don't know what the product is (and you probably don't want to say...?) but is it something that could potentially done clientside in their browser, maybe in JS or WASM? That way you never even have to receive, much less store, their document.

  • wayoverthecloud 7 days ago

    Unfortunately, storing the document is required. Almost an essential feature.

  • bootstrpppin 7 days ago

    That's a good idea - not sure how big the docs are, but would local storage be helpful?

realusername 7 days ago

It's not a technical problem but a paperwork problem, it doesn't matter how do you do it, the client will want to see the ISO certifications even if your app is fully secure.

Security isn't the same thing as compliance.

demarq 7 days ago

I’d say take your time a spend a week learning about S3.

It’s better to piggy back on another teams hard work than build from scratch.

imvetri 7 days ago

Zip with password. Keep passwords in private for now.

nprateem 7 days ago

LOL. Why are you asking us?

Speak to your potential customers and find out what they'd want to see to make them trust it, and what their data requirements are.

What's the angle BTW? Please provide as much info as possible. Thx :D