Concierge and covering yourself

Robodisco · December 5, 2014, 8:28am

So I want to offer a concierge service for new users of my proposal software. One option is for them to be able to submit one of their proposals and I’ll get it written up and formatted in the app to lower onboarding friction.

My lofi approach is to just create a mailto link in their dashboard and let them email their pdf to me.

I’ll then be saving their proposal to my laptop and perhaps in the future outsource this to a PA. For that reason I want my users to scrub out any sensitive client info before submitting and know I wont be held responsible for any loss / theft etc.

Because I’m trying to keep things simple i dont want to create a db record for an ‘Agree to terms’ checkbox.

I was thinking of simply specifying in the mailto link, a predefined email body containing some 'We will not be held responsible for any. loss or damage…" legalese speak.

Would this be enough? Is there a better way? Any nicer way of saying the above (it is for onboarding after all) ???

ideasasylum · December 5, 2014, 1:21pm

It sounds like maybe Wufoo or TypeForm could make the experience a little nicer.

I wouldn’t get them to strip out sensitive data — it creates work for them (twice! Once to strip it out and again to put it back in the app) and they are already trusting you with their complete proposal details. Assuming you have access to the server from your laptop, there’s no logical difference between that and having the file locally on your drive. You need to take precautions either way (disk encryption, primarily).

Edited to add: since they are customers, they’ve already agree to T&C’s which should cover the manual case too

kalenjordan · December 5, 2014, 2:06pm

Hey man - nice idea! Seems kind of like fundmentally more of a legal question than an onboarding question though. I’m not a lawyer or anything but my thoughts on that is that if you have proposal software, they’re already going to be storing all of their proposal information in your system, so you’re going to need to work out the privacy concerns around that at some point anyways.

So I would say don’t complicate the process of having them send you a proposal. Just have them send it to you as-is so that it will be quick for them.

For people who are more privacy-conscious for whatever reason, they will probably just scrub it themselves without you even asking.

I have a similar situation for my app - I get access to my customers’ backend sometimes to help to install my extension. Haven’t had any issues so far (famous last words).

Robodisco · December 5, 2014, 2:59pm

Thanks @ideasasylum and @kalenjordan

Re: scrubbing being coutner productive to onboarding

Yes I agree. I’d rather they just send as is.

Re: My server and terms and conditions should already be secure and lock tight

They are but their client proposals are being sent to me as an individual via email which are then downloaded to my local machine. It just feels like a gray area.

Andy · December 5, 2014, 5:12pm

I think that rather defeats the whole object. It might also send out the message that you aren’t to be trusted.

IMO If you are running a professional service you need to take responsibility for their data. Its not hard to get them to submit their document securely via SSL and encrypt your harddisk, is it?

If you are negligent with their information, I think you will probably be liable, no matter what terms and conditions they have signed (under English law anyway).

If you have a limited company, it gives you some protection from being sued personally.

IANAL. Usual caveats apply.

coreysnipes · December 5, 2014, 8:29pm

I agree with @Andy on this. Give them a secure channel to submit that stuff, store it securely, and take on that responsibility. Otherwise you raise questions about whether they should be trusting you to provide the service at all.

kalenjordan · December 5, 2014, 10:35pm

I will say that the fact that you’re worrying about this is a good sign. It’s good that you care.

Robodisco · December 6, 2014, 3:21am

Thanks @Andy @coreysnipes @kalenjordan

I’ll look into encrypting my harddrive.

And your right - all things point to lofi just being counterproductive - sending wrong trust signals, exposing me to potential lawsuits regardless of terms. Best to just use ssl and store securely.

Andy · December 6, 2014, 10:58am

Mac OS X has a built in encryption option.

So do some versions of Windows ( BitLocker IIRC).

Robodisco · December 6, 2014, 2:31pm

Cheers Andy. Im on mac so ill rummage through settings and get it going.

steve · December 6, 2014, 7:01pm

Just in case you don’t know, email works on a ‘store and forward’ mechanism. Any system which handles the email could read the contents. So if you are concerned about the client’s information, you may want to have them upload the PDF directly to your system.

jnye131 · December 6, 2014, 10:38pm

We do something similar in the day job - and use the Dropbox API and application folders to save sensitive documents - it’s encrypted, complies with safe harbour legislation. Worth looking into.

Robodisco · December 7, 2014, 1:02pm

Thanks @steve for mentioning that. Yes uploading to my system seems to be the best possible solution to this. Though I may use email for my first 5 beta users just to get this thing out of the door.

@jnye131 thats interesting - could be good enough for my early beta stage for first few customers. I looked at the docs briefly. Can you confirm is it just a case of dropping in the javascript tag to get it working?

jnye131 · December 9, 2014, 11:11am

@Robodisco sadly I had very little to do with the implementation - but I was involved in discussions around what solution to use. I know that the legal department were happy with dropbox (please do your own due diligence here though).

Robodisco · December 9, 2014, 2:50pm

Cheers mate. Dont worry I wont “quote you on it”

I’m actually rolling direct uploads for official release.

Adam