Data has become one of the most valuable resources in the world, and unlike most valuable resources, we’re just producing more each day. Some experts estimate that every person with an internet connection generates as much as 1.7megabytes per second, or roughly 2.5 million terabytes produced globally each and every day.
When you work in app development you’ve not only signed on to create a great product, but to act as the steward of the data that passes through your app each moment. This includes not only your app’s data about things like usage, telemetry, errors, and stats, but also any and all personal data that your end users have entrusted to you.
With so many third party solutions and APIs becoming integrated into the app ecosystem, getting full transparency on all of your data may seem daunting, especially when you're debating whether to build vs. buy. But over a decade of high profile data breaches and cybersecurity have made something abundantly clear: not protecting your app data is not only irresponsible, it’s unethical. There’s a lot that goes into protecting your app data, but the first step is practicing good data ownership.
In the simplest terms, data ownership is about the possessing and controlling the information that passes through your app. This means you and you alone have the capability to store, modify, copy, or remove data. Whether your data is available on your premises or with a cloud storage service, data ownership gives you the sole irrevocable right to access and utilize your data as you see fit, and the sole right to assign and revoke privileges to others to do likewise.
If your data is a car, data ownership means you alone hold the keys and the title. To put it another way: in the world of business apps, remember this: if you don’t own your data, you don’t truly own your app. But you don’t have to take my word for it, here’s three reasons why you need to own your app data.
Data portability is the ability to take your data from wherever it presently lives to another physical or digital location. That means being able to transfer, transport, or export your data at your discretion.
In the consumer space Google led the charge over a decade ago by giving users the ability to download and delete all of their data from across Google’s product ecosystem. This included things like contacts, attached files, emails, map data, search history, and even videos uploaded to Youtube. In the years since, other consumer facing tech companies have come on board, including Twitter and most file sharing sites. Even Facebook, once notorious for locking down user data, bowed to pressure and now offers a data export option, going as far as to recently give users the ability to move their data to competing platforms.
On the business side of things, almost every cloud hosting provider now offers several ways to export or move your data either to an on premises solution or a competing platform, with the only charges to you coming in the form of logistics fees you’d already be paying such as bandwidth use or the cost of physical transport. Amazon Web Services even offers a suite of different physical devices so your data can easily be moved from one physical location to another. These devices can be as small as a handheld hard drive for small amounts of data and as large as “the snowmobile,” a cooled, ruggedized shipping container filled with server racks of your data, which can be sent anywhere in the world.
So why go to all this trouble? The first reason is as old as file management itself: redundancy. Though basically every cloud provider offers several forms of redundant storage to make sure your app data is never accidentally destroyed, having your data available on a backup or emergency hosting solution is the only way to guarantee uptime in the event of a catastrophic outage.
Redundant storage is also one of the best protections against the latest scourge of the internet: ransomware. One of the most popular ransomware attacks is incredibly simple: a hacker accesses your primary system and encrypts all your data. Though you still have access to the encrypted data, it is unreadable and therefore useless until you pay for the encryption key. Keeping a redundant copy of your data protects you from such attacks, as you can plug the security hole, trash the encrypted data, and move your redundant data onto your hosting platform.
The final reason data portability is so important is flexibility. Put simply, keeping your data portable means not having to be locked in to any one service or vendor if you’re not happy with them, or a great competitor emerges. When the only reason you continue to use a service is because you can’t go anywhere else, that’s called lock-in. It’s been used by service providers to ensnare consumers and business clients alike.
Unfortunately, lock-in has become a core strategic component of many b2b service providers. As many an unscrupulous product manager will tell you, the easiest way to reduce churn is to make churn impossible for your users. Sendbird, for example, limits data export functionality to enterprise level customers, meaning only the highest paying Sendbird clients have truly portable data. Lock-in stifles competition, hurts small businesses, and is used when a company doesn’t want to compete on merit. When you’re locked in, you don’t own your data, period.
In the past ten years, concerns over data privacy have moved from a niche topic mostly raised by activists to a major source of tension between the public and technology companies. Just two years ago, Pew research found that 79% of Americans had serious concerns over how private companies utilized the data being collected. When you are the product owner of an app, you need to understand that any time your customers and end users are interacting with your app, they are implicitly trusting you with their data.
In the professional world it’s important to remember that trust is easy to gain, easier to lose, and almost impossible to win back. Take Facebook as an example again. In 2018, journalists broke the story that Facebook’s poor data policies allowed the marketing firm Cambridge Analytica to scrape sensitive information about over 50 million Facebook users in the USA alone.
In the month following this story, usage across Facebook’s platform dropped as much as 30%, and in the intervening months and years, analysts estimate that Facebook’s usage has remained at 80% of what it was pre-Cambridge Analytica. The scandal itself sparked what Wired calls the “Privacy Great Awakening” in the public and among lawmakers.
Users are more cautious about their data than ever before, and when a popular platform changes its terms of service to indicate more data collection, it often makes headlines. The unfortunate reality is that data is now traded like a commodity, and though you may be handling your users’ data responsibly, you never know what may be hidden in the terms of service of your vendors that allows them to profit off your users’ data.
The fact of the matter is that if you don’t own your data, and the data of your users, then someone else does. When someone else owns that data, they’re in control of how it’s used. As we saw in the Facebook scandal, even though Cambridge Analytica was the primary party responsible for wrongdoing, it was Facebook that bore the brunt of the damage to their reputation. When you don’t own your users’ data end to end, there’s more potential for you to lose respect, lose trust, and ultimately lose business.
The modern internet is underpinned by a series of complex sets of security standards and protocols that could have a whole article unto themselves. Some of these standards, like SOC2, which dictates best practices for data collection and stewardship, are designed by private consortiums are largely opt-in, while others, like GDPR, US CANSPAM and HIPAA, were created by lawmakers and are compulsory for conducting certain types of business online.
Whether these standards are maintained by private bodies or by government mandate, adherence to them can make the difference in where your apps can be deployed, and which organizations can use them. This is such an important draw that many SaaS and cloud service providers have built their entire business model around rigid compliance to these standards so they can attract customers in security dependent sectors such as:
Worse yet, some companies are fully aware of the value of adhering to security standards and are more than happy to treat that compliance as an upsell. HIPAA, a United States law designed to protect consumer safety and privacy in regards to their health data, imposes strict limits on how medical data is collected and disseminated. HIPAA compliance is the bedrock requirement of working in health related fields in the USA.
As I’ve said before, when you don’t own your data, that means someone else does, which puts you at their mercy. As a practical example, most third party API providers are built to be fully secure and compliant from the jump, but some companies like Sendbird or Stream are happy to hide HIPAA compliance behind their enterprise plan and an additional fee. Paying a premium just to be able to work in healthcare can be seriously damaging to a burgeoning company’s bottom line, and can dramatically curtail their ability to scale.
Some companies are even willing to take basic quality of life security standards, like SSO (secure sign on) or 2FA (two-factor authentication) and charge a premium for them, leaving product owners stuck having to choose between a good user experience and their own profit margins. These difficult choices can be avoided completely when you take the appropriate steps to own your data.
Weavy is designed to let app developers own their data completely end to end. This starts with how Weavy is deployed. Unlike other chat and collaboration APIs, Weavy’s server SDK is designed to be deployed either in the same server environment as your app, or in a parallel environment that you control. Other than license authentication, Weavy has no insight into your platform or your data, giving you true ownership.
Weavy is also designed to match the security, privacy, and authentication schemes. When it comes to things like 2FA or SSO, if your app supports it, then Weavy supports it. Or, as our CEO Rickard Hansson once told me: “if you want to have ten factor authentication, we support it.” When it comes to standards like HIPAA, GDPR, SOC2, or anything else under the sun, Weavy is easily configured to comply with those standards.
Of course, if these things were easy, everyone would be doing them from the jump. Reliance on integrations and third party solutions makes the goal of data ownership more difficult than ever. But striving towards total ownership of your data is so vital to protecting your business and your customers, and that’s why it’s important to ask important questions of your vendors before you sign an agreement that signs away your data.