Really neat idea but I'm surprised that a company who needs me to send them intimate accounting data makes no mention of what they're doing to ensure my data is safe and secure.
Building an API is relatively simple, protecting sensitive financials is not.
People felt the same way about Salesforce.com, i.e. The data is too sensitive to place in the cloud.
Yet millions use QuickBooks Online every day.
We believe strongly that a huge new API economy is being built, we're delighted to offer our accounting API, mobile app, and web app to people who do not wish to build and manage it themselves.
I'd be careful of using the Salesforce and QuickBook comparison. Salesforce had a $4M seed round, include Larry Ellison. Do you have that kind of cash to throw at security? I presume Salesforce controlled the hardware - it looks like you're on AWS (at least that's what using CloudFront suggests to me).
Intuit is 31 years old, and QuickBooks is 20. They spent a long time getting account software right before they ventured into the hosted solution, and they're a publicly traded company with the advantages that comes with.
Not to say that you can't answer the security story, but I'd be cautious of the analogy approach.
I'll point out that I did spend a lot of time, energy and money on application security at Engine Yard (and still do as board member) and I'm very proud of our security record there.
this is in a FAQ in the email after you signup for beta
"Q) Does Subledger store data safely and securely?
A) Yes. Subledger runs entirely on Amazon's AWS, which itself is compliant with HIPAA, SOC 1/SSAE 16/ISAE 3402 (formerly SAS70), SOC 2, SOC 3, PCI DSS Level 1, ISO 27001, FedRAMP(SM), DIACAP and FISMA, ITAR, FIPS 140-2, CSA and MPAA. Subledger itself has not yet been certified. We take your data security and safety very seriously: when Subledger says it has received your data, it has already been stored in two separate data centers.
Q) Does Subledger provide disaster recovery?
A) Yes. Subledger makes real time backups of transactions as you create them. Our storage system has a stated durability of 99.999999999%. Subledger can optionally mirror your transactions to a separate geographic location. With multiple copies in diverse georgraphic locations, your data is extraordinarily durable.
Q) Do I need to replace what I've already built?
A) No. Subledger can exist alongside anything that's already in place.
Q) Is accessing my financial data over the internet secure?
A) Yes. All communications to and from Subledger are TLS/SSL encrypted which is the modern standard for over the internet security.
Q) Do you have strong authentication and authorization?
A) Yes. We employ a gigantic keyspace (7.3322e+78 combinations) key/secret authentication with support for rolling key updates."
There's little value in putting this information in the FAQ after I signup. You'll never even see my email if I can't have this level of confidence in your service. The site is pretty and flat and has decent copy, but this isn't a to do list app.
I'm a founder, and this has brought us a lot of traffic! THANK YOU!
We believe that all APIs must be built in a secure and robust fashion. We use techniques similar other online accounting apps.
I don't believe our responsibilities are greater or lesser than theirs, but I do appreciate your feedback. We will certainly spell out our security better!
Specifically, here are some details that should ease your concerns.
We require two randomly created tokens (key/secret) for authentication. Both are 22 character Base 62 strings, so the combined key space is greater than 256 bits.
We allow for overlapping keys to encourage regular rotation.
We use BCrypt for secret hashing to avoid brute force attacks.
All data creation operations will not return success until your data is written to two independent datacenters.
We stream versioned resource backups into our own S3 bucket, and optionally a bucket owned and controlled by our customers.
As I hinted at in another comment, this info should be on your website. I get the flat layout and all, but I think you'll want to AB test using the abstract description of features ("Google Analytics for money", "a precise, scalable double-entry accounting ledger", etc) with the bullet points you mentioned in the this post and in your FAQ.
Just saying you'll have a REST API doesn't give me enough reason to sign up for an invite. Your API could be an joy to work with, or I might burn a week and a half just getting the initial auth working.
Considering that the API is you product, getting it documented should probably be you #1 priority. Even a rudimentary documentation, which you can then update later, would be better than none.
Hey there. Yes, agree, thank you, but depends upon how many eyes you want on it along the way.
Said another way: didn't realize that today was Hacker News day! :-)
We DO have https://api.subledger.com which is Swagger documentation, but we lack a directed HOWTO document that describes double-entry accounting and how our API represents it.
I don't really understand what you guys do. Are you just a cloud database for account balances, and we send you journal entries? And then you process the financial statements? I assume you don't automatically process the notes to the FS?
It's reasonable to consider us as a double-entry accounting data store. But we don't just store balances, we store the entire audit trail, including links to source documentation.
As such, we make it easy to show customers and vendors realtime account statements, just like your bank does.
We also provide simple manual tools to allow humans to view and make manual entries as required via our iOS and web app.
We do not handle payment, but we do allow you to account for the payments you request and receive from other vendors.
Finally, we make it trivial to account for splits in marketplace applications, and liability positions in any prepaid models. For instance, gift card accounting is a natural fit for us.
In short, we simplify building core financial functionality for applications by providing developers an API to track money in the worldwide standard manner for the last 500 years. :-)
I'm cofounder of Scripted.com and we're probably subledger's first major integration. We did it because we didn't want to put an engineering FTE on dealing with money in our app. Timing was good so we went for it! And I'm glad we did. All told I think we deleted some 9,000 lines of code.
Great team but integration needs some work. I'm sure they'll get there and I'm glad we could be the guinea pigs. Go ahead, AMA!
29 comments
[ 3.9 ms ] story [ 92.5 ms ] threadBuilding an API is relatively simple, protecting sensitive financials is not.
People felt the same way about Salesforce.com, i.e. The data is too sensitive to place in the cloud.
Yet millions use QuickBooks Online every day.
We believe strongly that a huge new API economy is being built, we're delighted to offer our accounting API, mobile app, and web app to people who do not wish to build and manage it themselves.
Intuit is 31 years old, and QuickBooks is 20. They spent a long time getting account software right before they ventured into the hosted solution, and they're a publicly traded company with the advantages that comes with.
Not to say that you can't answer the security story, but I'd be cautious of the analogy approach.
I'll point out that I did spend a lot of time, energy and money on application security at Engine Yard (and still do as board member) and I'm very proud of our security record there.
"Q) Does Subledger store data safely and securely?
A) Yes. Subledger runs entirely on Amazon's AWS, which itself is compliant with HIPAA, SOC 1/SSAE 16/ISAE 3402 (formerly SAS70), SOC 2, SOC 3, PCI DSS Level 1, ISO 27001, FedRAMP(SM), DIACAP and FISMA, ITAR, FIPS 140-2, CSA and MPAA. Subledger itself has not yet been certified. We take your data security and safety very seriously: when Subledger says it has received your data, it has already been stored in two separate data centers.
Q) Does Subledger provide disaster recovery?
A) Yes. Subledger makes real time backups of transactions as you create them. Our storage system has a stated durability of 99.999999999%. Subledger can optionally mirror your transactions to a separate geographic location. With multiple copies in diverse georgraphic locations, your data is extraordinarily durable.
Q) Do I need to replace what I've already built?
A) No. Subledger can exist alongside anything that's already in place.
Q) Is accessing my financial data over the internet secure?
A) Yes. All communications to and from Subledger are TLS/SSL encrypted which is the modern standard for over the internet security.
Q) Do you have strong authentication and authorization?
A) Yes. We employ a gigantic keyspace (7.3322e+78 combinations) key/secret authentication with support for rolling key updates."
Thank you for your clear and concise feedback, very much appreciated!
I'm a founder, and this has brought us a lot of traffic! THANK YOU!
We believe that all APIs must be built in a secure and robust fashion. We use techniques similar other online accounting apps.
I don't believe our responsibilities are greater or lesser than theirs, but I do appreciate your feedback. We will certainly spell out our security better!
Specifically, here are some details that should ease your concerns.
All traffic is SSL encrypted. We receive an A+ on https://www.ssllabs.com/ssltest/
We require two randomly created tokens (key/secret) for authentication. Both are 22 character Base 62 strings, so the combined key space is greater than 256 bits.
We allow for overlapping keys to encourage regular rotation.
We use BCrypt for secret hashing to avoid brute force attacks.
All data creation operations will not return success until your data is written to two independent datacenters.
We stream versioned resource backups into our own S3 bucket, and optionally a bucket owned and controlled by our customers.
With Subledger it really is your data!
Understand your input, appreciate it a lot. Thanks!
Said another way: didn't realize that today was Hacker News day! :-)
We DO have https://api.subledger.com which is Swagger documentation, but we lack a directed HOWTO document that describes double-entry accounting and how our API represents it.
Believe me, we're working on it! :-)
"You attempted to reach subledger.com, but instead you actually reached a server identifying itself as *.wpengine.com."
Will get that fixed ASAP, thanks for pointing his out.
Thanks for the feedback, much appreciated!
Next time, or this time if you'd like to compare us against your internal implementation. :-)
Let me know if I can help in any way.
As such, we make it easy to show customers and vendors realtime account statements, just like your bank does.
We also provide simple manual tools to allow humans to view and make manual entries as required via our iOS and web app.
We do not handle payment, but we do allow you to account for the payments you request and receive from other vendors.
Finally, we make it trivial to account for splits in marketplace applications, and liability positions in any prepaid models. For instance, gift card accounting is a natural fit for us.
In short, we simplify building core financial functionality for applications by providing developers an API to track money in the worldwide standard manner for the last 500 years. :-)
Great team but integration needs some work. I'm sure they'll get there and I'm glad we could be the guinea pigs. Go ahead, AMA!