The following is a guest post submission from Nathan Sykes. Nathan is the founder of Finding an Outlet, a site dedicated to the latest in B2B IT news and trends. Follow him on Twitter @nathansykestech to read his latest articles.
As cloud-based solutions, like SaaS and remote technologies, become more prevalent than ever, we’re starting to see regulators and auditors get more serious about IT governance standards. As standards become more stringent, companies become more aware of the requirements set upon them and, in turn, ask providers to help with IT audits.
As you might expect, this means the pressure gets offloaded onto SaaS providers, who don’t generally perform audits or track regulatory requirements outside of their own responsibilities. But the landscape is changing rapidly, not just with regard to audits but to additional regulatory and legal constraints too, right along with financial limitations and tax requirements.
What exactly is changing in the SaaS legal landscape, and what do you need to know about it?
Sales tax and nexus
In October 2017, the U.S. Supreme Court ruled in South Dakota v. Wayfair that internet-based and e-commerce retailers can be required, by law, to collect and pay sales tax in states where they lack a physical presence. This completely uproots decades of legal precedent, not the least of which relates to the concept of nexus.
How nexus applies
Nexus is essentially your physical influence or presence within a state. If you have “nexus” within a region, then you can be required by law to collect and pay sales taxes lest you incur fines and compounding interest. The idea is used to declare and determine where a business may have a physical presence even outside their home state.
Determining nexus has always been particularly tricky because each state sets its own qualifications. What gives you nexus in one state may be completely different in another. And this Supreme Court ruling just made it even more difficult, especially for SaaS providers who operate and serve customers well beyond their home location(s).
As a result, South Dakota now has an economic nexus law — among 25 other states and counting — that increases the tax burdens of online businesses, SaaS and cloud service providers included. What this means is that general tax burdens will grow, and companies will need to expansively research tax burdens on a state-by-state basis with more scrutiny than ever before. This has happened before, further muddling the definition of nexus and sales tax when it comes to online services, so it’s not unreasonable to think it will be expanded even more in the future.
A major issue with these tighter laws is that they tend to have low thresholds: 200 total transactions — as opposed to 200 customers — in a state will commonly establish nexus. Since SaaS providers use subscription-based pricing models and issue multiple invoices per client, you can end up with nexus in a state much faster than a one-off retailer would.
This reinforces the need to have an accountant or experienced professional handle tax and collection policies. Don’t overlook this, especially if your business is spread across several locations and your service coverage is far-reaching. You will need to identify and understand where sales tax is owed; failure to do so will lead to severe consequences, not the least of which are heavy legal fines and court costs.
Security and data governance audits are less an optional set of checks and balances and more a legal and regulatory requirement these days. The onus has therefore shifted to providers to prepare for and support these audits.
Increasingly, SaaS clients require records of IT security audits; clear-cut data storage, handling and protection policies; performance standards; and even risk management or disaster recovery plans. In other words, you may be audited by your clients — in a way — before any legal audit takes place.
Common auditing concerns
More than proper planning and documentation, it helps to have these elements established long before your clients even ask, so that when the time comes, you can provide the necessary assurances.
Here are some things to consider for future and present audits:
Do you have a corporate security policy?
Is there a dedicated security team in place to handle events and failures?
Do you have a formal procedure for reporting a security violation or data breach?
Do you regularly conduct penetration testing or have a third-party handle the process? When was the last relevant test performed, and what were the results? What are you doing to remedy any flaws or vulnerabilities discovered?
Whether through external means or internal discovery, what are you doing to both identify and remediate vulnerabilities in your system and network?
How often are applications or software tools updated? What is the process for doing so and how does this affect security? What about customer or client downtime? How long will the update process take?
Do you have a process for announcing and sharing scheduled maintenance sessions?
Is there API access or external integration support? How does this relate to data security and protections?
Are all API endpoints authenticated, is data encrypted in transit and at rest, and is API access monitored?
How do you physically secure access to your data facilities or operations sites?
How do you comply with HIPAA, Sarbanes-Oxley, PCI DSS 3.0 and other similar-level regulations? Do you have documentation to support this?
Are all your processes — including data backups — documented in full with details on how you handle operations?
How far does your disaster recovery plan extend? What will you do if your customers are affected by a breach? How will you continue to ensure their privacy and security?
Legally mandated data protections
GDPR, the General Data Protection Regulation in the European Union, is designed to protect citizens against business overreach and provide more assurance about personal data and privacy. For example, one new requirement of the law forces companies to offer a “forget me” option (the right to erasure) that allows European citizens not only to see and download any personal data collected about them but also to have it deleted in full.
Since SaaS in the enterprise is not inherently a consumer-level business, it’s easy to fall into the trap of thinking GDPR doesn’t apply. But it does, in some cases even on multiple levels. With some providers, for example, the protections may extend to customers, a customer’s customers and sometimes beyond. This means that even if your company doesn’t serve affected individuals directly, but one of your clients or service users does, then you’re obligated to comply where applicable.
Under GDPR, the purpose, nature and storage duration of data must all be supplied and honored. That is, if you say you’re going to keep data for two years, then you should immediately purge it after said period. You must also define and adhere to the type of data being processed, while also considering the responsibilities, rights and requirements of customers — who generally serve as the source or inherent “owner” of specific data sets.
This extends to security protections as well. Customers must be informed of a breach or security issue as soon as the company becomes aware of it. Providers must ensure that protections are in place to prevent data breaches and fully secure customer information. Failure to do so will result in hefty fines.
Here’s a GDPR and protections checklist you can review to ensure ultimate compliance:
It’s important to understand, however, that no matter how comprehensive this checklist may seem, there’s much more that goes into ensuring compliance. Therefore, it’s crucial you do your due diligence to research and understand the new regulations and how they apply to your business and operations.
General data practices
Outside of the legal and regulatory space, there’s also the matter of protecting your data and digital assets internally.
Throughout most of your auditing and data protection strategies, you’re focused on external data channels that often stem from your customers and their own users. It’s easy to forget that you — as a business — have your own proprietary data and trade secrets that you need to handle properly.
Here are some questions you should be asking:
How often do you back up your sensitive data and where is it stored?
How often are backups verified? If there is a data breach, failure or complication, what could be lost?
What security measures do you have in place to retain control of your systems and network?
How will service interruptions affect your customers, their data and their users?
Protecting data that belongs to your customers and clients is vital, but you need to protect the content that relates to your business or organization and its primary operations as well. If you offer a cloud-service application, for example, where is the source code housed and is it handled or edited in a way that won’t compromise the entire business?
The landscape is tumultuous; be ready to evolve
As is evident through many of the discussions in this guide, the world of cloud computing and SaaS is changing considerably, along with the rest of the enterprise market. There’s a general focus on network and user security, data protection, customer rights and, in some cases, moral responsibility with regard to products and service offerings. Sometimes, as with GDPR, regulations extend beyond your direct clientele and stretch further down the chain to include anyone affected by internal data usage and collection.
That’s why compliance internally is crucial to the success and continued operations of your business. The last thing you need to deal with are repercussions handed down by government bodies, your customers or the community at large.
Sales is one of the core aspects of how a business functions.
Without sales, your brilliant product will just sit there, neglected and unused.
But no one is born as a brilliant salesperson, just as no one is born with an innate knowledge of how to run an effective outbound strategy.
We learn these things on the way. A lot of the time, we learn from the sales jobs we’ve had. But we shouldn’t limit ourselves to that. Why not learn from the best salespeople, the highest performing companies, and the extreme examples?
In this Process Street article, we’re bringing expertise galore to your bookshelf or Kindle. We’ll go through our 7 key recommended reads, and follow that with 38 more sales books to satisfy your niche, industry, or needs.
If you’re looking to rapidly grow your user-base by optimizing your product, simply signing up to Trello and Asana will give you a masterclass.
These two apps are optimized for virality because they work best when teams collaborate around them. Here’s how it’s done.
The whole point of project management apps is to give teams a central place to collaborate, update project status and store information. Trello and Asana aren’t particularly useful for individuals, so their product teams put extra effort into getting users to propagate the apps within their own organizations. No marketing required.
Process Street started in an unexpected place: the beaches of Thailand.
I was 24, had just quit my 6-figure sales job, and was ready to leave the rat race and travel the world.
Just months before taking off, I read Tim Ferriss’ The 4-Hour Workweek and discovered dropshipping — moving a product directly between a manufacturer and customers without keeping it in your own storage. It wouldn’t require making or storing any product, it wouldn’t require a giant team or a huge investment, and best of all, it wouldn’t require an office.
I thought the best way would be to look at the pricing pages of the SaaS 250 — a list compiled by Montclare of the most successful SaaS products in the world.
To see this data in the form of an infographic, you can skip straight down to the bottom of this page.
Before we start — why did 80% of companies not have pricing pages?
Before jumping right in, it’s interesting to note that of these 250 companies, only 48 had pricing available. The rest had pricing available on request by contacting the sales people.
Jason Lemkin, CEO and Co-Founder of EchoSign, says that most companies have a very good reason for this. Writing on Quora, he outlined 5 key reasons you might be better off not showing pricing on your website.
Deals will get more complex as you grow. Some day you’ll do a deal so large and complicated that it couldn’t be expressed in $/user/month. Products with integrations and add-ons will be priced so confusingly that it’s simpler to just get customers on the phone to sales.
Discounting will become difficult. With a preset rigid pricing structure, you’ll put off enterprises. Jason says “Your champion will require a discount. Then, it will get sent to procurement. Procurement’s bonus will be tied to the next discount they win. If you have rigid pricing, you’ll blow the deal.”
A $700k deal is sold differently to a $100k deal. When it means the difference between an everyday deal and a huge account, you’re going to treat the customers differently. Pushing both down the same track is risky because you want to make sure that the big customers are on the phone to sales straight away.
Enterprise customers just want to buy. Jason says that price doesn’t matter for enterprises. More than 80% of the time, they just want to get set up with a solution as efficiently as possible. Price comes after features.
Looking as if you’re ‘all about price’ is a bad look. Pricing can make your product look cheap, and not enterprise-oriented. Jason says, “If your competitor says ‘Call Me’ and appears more or equally enterprise-grade and trustworthy — your transparent pricing may say ‘cheap’.”
So, 202 of the SaaS 250 have good reasons for not being transparent with their pricing. Let’s look at what I found when analyzing the SaaS pricing pages of the remaining 48.
Throughout a customer lifecycle, it is important to take opportunities when they present themselves.
One aspect which many SaaS companies will be familiar with is the ongoing attempt to upgrade customers to the next level of billing.
The core method of achieving this is to add features and improve your product.
This provides greater value for the client and gives them more reasons to consider purchasing your services – resulting in an upsell which works for both parties.
I imagine most of you reading have bought something from Amazon at some point in time. Yet when Amazon offers a more premium delivery service with access to films and television shows, many of you will have gone from occasionally using Amazon for purchases to being fully-fledged Prime users!
Amazon offered greater value and you thought it was worth paying for. You were upsold.
But importantly, both you and Amazon came out of the deal as winners!
In this article, we’ll look at how different companies have utilized upselling to drive their business forward, and try to learn a little something from each.
Then we’ll take a more in-depth look at how Process Street upsells its customers, and the importance of seeing this as a company-wide effort rather than a small aspect of sales.
At the end of the article, we’ll give you a free Process Street process template you can use in your business for upselling customers. This process is geared to be run by a member of the sales team to try to upsell a valuable client, and close the deal.
Thanks to SaaS (software-as-a-service) countless businesses of all sizes have moved to cloud-based apps to solve everyday problems in ways only available before to big companies willing to shell out thousands for software licenses. Smart startups can harness the power and efficiency of larger teams by cutting out the robotic admin work from their processes and zeroing in on what really matters — generating leads, closing deals and keeping customers happy.
Organizing yourself and your team is made so much simpler when the apps you use sync to the cloud. This means the apps are accessible from any device, data coming in and out can be seen by whoever you choose, and apps can integrate with each other, doing more with less human input.
The cloud became the perfect setting for a CRM, and that’s where you’ll find all major products today.
It’s thought that a high-touch approach to customer success does not scale.
Here are the common objections:
There aren’t enough hours in the day to personally oversee 10,000 users.
Even if there were enough hours in the day, there aren’t enough of us to do it and still be profitable.
Even if there were enough of us, there’d be no way to keep track of it all effectively.
Zapier, a SaaS middleman for app integration, thinks differently.
The idea is simple: connect your SaaS app to Zapier, and Zapier will connect it to over 1,000 apps. The formula is one programmers will be intimately familiar with since it’s basically an if/then statement. For example: if a user submits a Zendesk ticket, then post the ticket to a Slack channel.
Apps can create actions and triggers, controlling each other and automating frustrating admin work behind the scenes so you don’t have to bother with it.
While it might seem new and intimidating, machine learning in business is already bringing massive benefits to companies and consumers alike.
From increasingly effective product suggestions to accurate journey time predictions and advanced customer analytics, machine learning is an incredibly powerful tool which lets you analyze every important aspect of your business without wasting human hours on the task.
But what exactly is machine learning, and how do you go from knowing that to actually using it?
“Instead of using labels to teach an AI what each object it’s looking at is, this DeepMind project teaches itself because it learns to recognise images and sounds by matching them up with what it can see and hear.