Guest author Luke Burns is a partner at Ascent Venture Partners.
Security and privacy are often mentioned in the same breath, but when it comes to cloud computing, security tends to be the dominant subject. But should it be? While there are seemingly endless security threats, cloud providers are becoming increasingly sophisticated and capable in addressing them.
When it comes to privacy, though, cloud vendors have not made the same progress. In fact, it’s more than likely that Software-as-a-Service (SaaS) companies breach the customer’s perception of data privacy regularly.
I’m not referring simply to consumer companies and their problems with privacy, e.g. Facebook sharing personal data with advertisers. Enterprise SaaS companies face their own unique challenges around customer data usage, even though those issues have not received the same level of scrutiny.
Enterprise Services Know A Lot About Their Customers
The challenging aspects of SaaS privacy arise from the close relationship between vendor and customer - a situation vastly different than in days of on-premise software. As the name suggests, SaaS vendors provide a service, and with that service comes the ability to log every keystroke and mouse click that a customer makes using their software.
Why would a SaaS vendor do that?
Think about customer relationship management (CRM) software as an example. What would you think if your CRM took note every time you updated a contact, and then made that updated contact information available to other users with that same business connection? Sounds like a pretty useful service for customers, doesn't it?
What Are Your Expectations For Data Privacy?
But does it breach your expectation of data privacy? SaaS opens up the door to increased interaction and partnership between a customer and a vendor, but it also opens the door for misuse.
One particularly interesting area with privacy concerns is the use of the metadata (data about the data). Let’s say, for example, there is a clear agreement that all data is owned by the customer and can’t be used by the vendor. But would that agreement also include things like the number of users (salespeople) actively using a CRM system or the number of new sales leads entered in a given quarter or the number of meetings booked?
This type of data could yield tremendous insight to an individual trying to gauge sales activity at a given company or within a given sector. Would use of this metadata be covered under data ownership or could the SaaS vendor sell those insights to the highest bidder with a clear conscience?
Then there’s obfuscated or anonymized data. Is it OK for a SaaS provider to use your data to create unattributed market statistics? Imagine a financial SaaS vendor that could create a composite view of all the private companies using its system and publish average earnings growth over various periods of time. Or a customer-service SaaS vendor that could create benchmarks on average time to close a trouble ticket. In each case, the vendor is producing valuable data points it can use for profit. Should there be any type of reimbursement for customers, or is it just a cost of doing business?
Who Owns The Intellectual Property?
Many SaaS platforms offer robust tools to customize the experience for individual customers and companies. These customizations often reflect significant investment in design and development and sometimes reflect proprietary business processes. How much exposure to these customizations does a SaaS vendor have? Could it use these customizations as templates for future product enhancements that might be offered to competitors of the customers that originally created them?
We’re just scratching the surface of potential privacy issues that can arise with SaaS vendor relationships.
Don’t get me wrong; I’m not saying companies should avoid SaaS. In fact, I think the benefits of embracing software in the cloud far outweigh the potential risks. The close relationship developed between a SaaS vendor and its customers has the potential to deliver significant payback, especially for companies embracing SaaS not for cost savings, but for business transformation.
But both sides of that equation, the vendor and the customer, need to fully understand the bargain and the trade-offs made between privacy and business value.
Asking The Tough Privacy Questions
Similar to their IT security due diligence, companies need to ask questions about the privacy of their data before they enter into a cloud vendor relationship.
Who owns the data? How many copies of the data are there? How can you ensure that data is erased or unreadable in the event that a customer chooses to decommission or change service providers? And especially, What is the vendor's acceptable use of a company’s cloud-based data?
Hopefully, better awareness and transparency about these issues will build trust and help business-facing cloud vendors avoid the lawsuits that have afflicted their consumer-facing cousins.