Ask HN: How to legally guarantee privacy in a SaaS product?

5 points by shaunpersad ↗ HN
Every so often, a "privacy-focused" SaaS product comes along that makes lots of promises about what they won't do with your data. While the intentions are usually good, the problem is that there is no straightforward way to verify the claims of a hosted product.

As someone who is developing a privacy-minded product like this myself, I've been mulling over how to establish trust with my users in this situation. Surely there must be a way to offer the convenience of hosting whilst still offering privacy peace of mind?

Having an open source version of the hosted product is not enough, because it is not verifiable that the open source version is what's being hosted. Privacy policies and terms of service don't appear to be enough either, because as we've seen, they are easily violated or vaguely worded.

What I've been considering is something that acts similarly to how service-level agreements function, where if the SLA is violated, the customer receives a refund. This "privacy-level agreement" should somehow guarantee that if the established privacy policy is violated, the customer is entitled to some form of monetary compensation or can otherwise take legal action.

Unfortunately, I'm not a lawyer, so I don't know exactly to what extent of the law such an agreement can be enforceable, so my questions to the HN community are: how feasible is such an agreement, and what are some alternative solutions to this trust problem?

3 comments

[ 2.2 ms ] story [ 17.1 ms ] thread
> "privacy-level agreement"...

IANAL. You have described EU GDPR. However any fines are paid to goverments, but you can still decide to arbitraly compensate the customers.

If the country of your business doesn't provide similar framework then only regular independent audits performed by customer-trusted entity may uncover your wrongdoings.

There is literally no way for a company in the US to guarantee privacy from the federal government with regards to any data on their server that they can access unencrypted.

If you have the keys or you wrote the software, you cannot guarantee privacy.

You can't legally guarantee it (even the GDPR, which is like the top of the line in terms of privacy regulations, is still a joke due to the lack of enforcement) but you can make yourself look more trustworthy by having a business model that does not rely on stealing data.