IronCore's CEO, Patrick Walsh, recently wrote a compelling argument about not overlooking SaaS data privacy. He advocates not treating this as acceptable technical debt:
Your data now requires extra protection, tracking, minimization, data retention, transparency around sharing and selling, and much more. Privacy laws tend to use broad but largely undefined terms and phrases like, "data protection by design and by default" without specifying what does or doesn't qualify as sufficient protection or sufficient design.
Hit replay for a second, back to when all things were SaaS. It makes a lot of sense to reduce server costs, manage large workloads and allow you to scale up or down. Yes, please. But now, we've added a new facet to consider: Where is your critical data living? This question is one that we need to ask ourselves. And, perhaps more importantly, it's one that our customers and partners ask of us. How are you protecting personally identifiable information (PII)? We all have to contemplate the tradeoffs with privacy and security. And, as Walsh says, "there's a significant privacy burden and fatigue" from the issue.
Evan Grabiner, founder and CEO of Aspecto (admittedly in the AWS ecosystem), puts a finer point on the issue in his article:
Natively, SaaS solutions require organizations to move data out of their hands, to the solution provider, with the result that organizations needed to trust a third-party service provider with their sensitive data, at the same time GDPR is telling them not to.
Although Evan advocates for a virtual private cloud (VPC), I think there's another way. And we've built our technology to balance the need for data privacy with the need for, well, data.
Look at it this way: who do you want to have and use your data? These large SaaS platforms consume large amounts of your own data, on top of what you're already paying for usage. While you may think you're paying for data, I argue you're paying with your data. Logical considerations about privacy and compliance aside, the fact is, the one set of data you want to own and manage is your customer data.
First-party data stewardship is a founding principle at Resurface. Yes, we want to better understand how customers are using APIs, but we've also designed for information protection: deep monitoring without a privacy-infringing footprint. Our customers own every bit of the entire API interaction – down to the granular individual detail. We're all about data independence, first-party data ownership, and customer-centric data management.
So, yes, SaaS isn't going anywhere. But it's worth looking at the kinds of data you're shipping to a third party to ensure you can stay on top of ever-changing privacy regulations, and know the most about the customers you want to keep.