Things customers ask for
I signed up for a web app this week. I will store and process customer data in there, so I wanted to get some assurances.
Here are some of the questions I had for the product team. These might be relevant to your product, or they might help you consider things from your customer's perspective.
Notice how my primary concern might not be clear from the questions I'm asking.
Someone else entrusted me with their data. If something were to happen, I want to be able to tell them that I made a responsible choice when I signed up for this web app.
You have team members responsible for answering customer requests. If needed, could they access my account to help me troubleshoot a problem?
If that is the case, what permissions does an employee need to access my account? What information will they be able to see? How long will they still have access to it? How do you know that permissions have been revoked? How many employees currently have this level of access to my account?
Sometimes you will need to investigate security incidents. Do you log authorization requests? How much detail do you include in your logs? How long do you keep logs around? How often do you look at them? How do you make sure that no one tampered with the logs?
I'm not the only one with an account on this platform. Is my data isolated from other users? If someone accessed my account due to a bug or human error, how much data would they be able to access? Would you notice an incident like this? How long would it take for you to respond?
Sometimes things go wrong. Are you keeping backups of all my files? How do you make sure that those backups work? How many people have access to these backups? Are the controls used to protect data in the application the same as those used to protect backups?
I might need to exit your platform at some point. Can I export my data if needed? How complicated is it? Does it include everything?
I admit that it's kind of annoying to have to answer questions like these.
Until you get security under control, you'll spend hours struggling with questions like these just to close a deal. In the meantime, they can help you think things through some more. It's easier (and cheaper!) to design with security in mind than to tack it on at the end.