Recently, a client asked the question “If I were to deploy a software product as a SaaS service, what would be things I would need to consider?” I thought about our experiences here and sent him the following list:

  1. Are you running your hosts or is someone else running them?
  2. How many and what operating system?
  3. How big are they? Processors, memory, disk?
  4. Where is power coming from and how is it protected?
  5. What physical security? Who has physical access to machines?
  6. How are they connected to the Internet? Through whom?
  7. What if the connection dies?
  8. What happens when a host has an issue?
  9. Where is the data stored?
  10. How is it backed up and where are the backups stored?
  11. How does a fresh system get built and a backup restored?
  12. Where is the DNS hosted?
  13. What domains are being used?
  14. How are you protecting your IP?
  15. What about outgoing email services?
  16. What about certificates?
  17. Who has logical access?
  18. What types of access do they have?
  19. Firewalls?
  20. Logging and auditing?
  21. Compliance with anything? PIPEDA? EU?
  22. Support encryption-at-rest?
  23. How are the systems patched? How often and by whom?
  24. Who decides on which threats to address?
  25. How do changes to software get tested?
  26. How do changes to software get deployed to the servers?
  27. How are different users separated from each other? Logical? Physical?
  28. What service level agreements can you support?
  29. What are your plans for achieving these service levels?
  30. What happens when there’s a failure?
  31. How do people contact your support?
  32. Do you have support levels?
  33. Do you have an FAQ that can easily be searched and updated?
  34. Allow customers to help each other, or contact only through you?
  35. What set of browsers are supported? Apps or responsive?
  36. Who decides which to add/remove from long-term support?
  37. How is development done? Agile? Waterfall?
  38. How often is software deployed?
  39. How is the team managed to ensure long-term support for the codebase?
  40. How to deal with custom, one-off requests from customers?
  41. How to deal with improvement suggestions from customers?
  42. How are customers billed? What are the terms of their agreements?
  43. What process is followed to upgrade software to newer versions of language/libraries?
  44. What processes are in place to avoid regressions?
  45. How are accounts integrated with billing?
  46. What process is used to onboard? Are trial accounts offered?
  47. Do accounts have limits which “level the playing field” operationally?
  48. Is multilingual use supported? If so, how?
  49. What metrics are collected for managing short- and long-term system performance?
  50. What mechanisms are in place to identify and solve catastrophic system issues?
  51. What are rules around customer non-payment?
  52. How are credit cards charged?
  53. How are customer contacts managed and updated?
  54. How is old data purged?
  55. What about customers who have cancelled and want proof of data destruction?
  56. What about customers wanting a data dump?
  57. Does support have a ticketing mechanism?
  58. How does support maintain connections with customers?
  59. How is the product sold?
  60. How are demos done? With what data?
  61. How are potential customers identified and managed?
  62. What third party systems and APIs are needed to support operations?

Let us know if you are interested in a discussion of any of these. Also, we’d love to hear your thoughts about omissions from the list.