top | item 41984253

(no title)

tyrw | 1 year ago

> Large companies didn’t want it enough to deal with our lack of “big company features” (enterprise SSO, compliance certifications...

> We spent a bunch of time on multi-tenant infrastructure...

I'm in a position where I talk to SaaS businesses all day about both of these. Probably over 1,000 at this point.

We help a lot of these companies add the enterprise features they need, but it's often a shame to hear they're just going to do standard login or build multi-tenancy themselves. Trying to sell to enterprises without meeting them where they are on login & compliance is asking for failure.

I think a lot of founders and early employees are true believers in their value prop, and in this case it blinds them to the fact that there are people in the world like enterprise CSOs who simply don't care and will shut down a product for any number of security reasons. You have to check the boxes, and figuring out what those boxes are on the fly is painful and costly.

discuss

danielmarkbruce|1 year ago

"build multi-tenancy themselves".... this is a weird thing to say. In the modern day, what product company builds single-tenancy..? Even if a customer explicitly wants it, you can make multi into single easily. The other way around is difficult.

tyrw|1 year ago

Depends on the app and the context. A lot of apps need multi-tenant access control but not necessarily separate containers etc. In those cases, "adding" multi-tenancy means maintaining an Organizations table, a Roles table, and a table to map them to Users.

DylanSp|1 year ago

Question about multi-tenancy - do you recommend starting with a single-tenant approach, or are there off-the-shelf options for multi-tenancy that you'd recommend using, instead of building it from scratch?

tyrw|1 year ago

We build a system that is multi-tenant capable but can run as single tenant until you need it. Happy to chat if helpful

thenobsta|1 year ago

I'd love to hear more insights about on this. I'm just kicking off a B2B SaaS, have a rough idea of the checklist in my head, and am trying to balance core tech development with box checking.

louthy|1 year ago

GDPR & ISO27001 compliance are the important ones, but depending on the industry there maybe others (HIPAA for example). You need to hire an advisor and start writing everything down. Being able to hand over compliance documentation along with proof of an audit is absolute gold. If you don’t do this, be prepared for a mini-audit on every sale (if you get that far).

Sales to governments will likely come with even more compliance requirements, national security audits, and potentially staff vetting. It’s not worth it early on unless you’re really well funded.

Compliance does actually scale with the business, so it’s not particularly onerous at the start. Although it can get out of hand if you’re not careful. Compliance should be pragmatic.

SSO is clearly one of the major factors for integrating anything into an enterprise organisation. Their IT team will want to have complete control over who has access, when somebody leaves the company they want to make sure that they can shut them down immediately, not have to reach out to third-party providers, or login to multiple systems. Ignore this at your peril.

Independent penetration tests are also really important.

You can usually resist requests for self-hosting or multi-tenancy if you have all the above, but not always. If they don’t think you’ll be around tomorrow, then they won’t touch you.

tyrw|1 year ago

Sorry I got busy today (more convos!). I'd be happy to chat or email and try to be helpful -- if you want you can check my bio.

jprokay13|1 year ago

If you are going after enterprise early, I highly recommend putting them on their own system instead of in a multi-tenant system. Enterprise wants 30 days of immutable db backups? They need to be able to rollback within X time? They want guarantees that other people won’t affect them?

This all becomes easier if you turn it from an engineering problem to an operations problem. Enterprise really cares about how you operate in order to guarantee they won’t be negatively impacted by your system. SOC2 is much more about your operations than anything else.

My recommendation: have a multi-tenant system for the plebs and bespoke deployments for the enterprise. Save yourself the headache of trying to satisfy both with the same infrastructure.