The 37signals Report Card
We’ve long believed in the value of transparency at 37signals. It’s why we write about how we work and why we provide real-time information about our customer happiness and uptime. We like being held to a high standard, and we think there’s no one better to do so than our customers.
Today we’re taking another step towards greater transparency with the launch of the 37signals Report Card.
This report card, which we’ll update monthly (April 2013 is available now; subscribe to be emailed the report each month), provides a high level overview of our performance in each month on the dimensions that our customers most directly experience: how available our applications are, how fast and successful their interactions with our support team were, and how fast the applications themselves were.
GeeIWonder
on 08 May 13
This is fantastic. Good job.
I would still need a peer-reviewed and systematic security audit before putting anything critical or confidential on your systems.
Most western governments have issued repeated calls for companies like yours to take steps to address these, and transparency is at least as important there as it is in terms of pageload and support times. This question isn’t going away.
Ben
on 08 May 13
+1 GeeIWonder
About 6 months ago I emailed support asking to receive their SSAE16 report.
They didn’t even know what I was asking for, which is alarming given the nature of the business 37signals is in (storing customers’ data).
They then came back telling me they did a self-audit, which was laughable, and tried to pass it off as an official QSA assessment.
If you’re reading this post and don’t know what an SSAE16 is (the newer form of SAS70), it would be worthwhile for you to read up on it. Essentially, no publicly traded company can keep sensitive data with a 3rd party unless they provide an official, up-to-date SSAE16 report.
Taylor
on 08 May 13
@Ben
I’m really sorry we provided such a poor experience. There was definitely some confusion on our part in the way we responded to your request. We’ll review this internally and make sure everyone has the right understanding to be able to adequately respond to these inquiries.
Both datacenters have SSAE16 reports available. We provide the executive summary on request. We can work with the DC to get the full report to you too.
Separately, we follow PCI Compliance guidelines. There are different levels of assessment, and one of them is self-assessment. We complete those quarterly through Security Metrics, which is an Approved Assessor.
We also have our applications audited by outside security consultants on a regular basis. It just so happens the last audit was completed a week ago. We’re working on a reasonable means of making the results of these audits publicly available too.
Ben Kinnaird
on 08 May 13
Ben, I don’t think 37s are publicly traded; does SSAE16 also apply to private organisations?
I like the idea of the report card, and as a sales tool I think it’s a winner, but as a customer I cannot see why I’d want this emailed to me regularly. Would you share the rationale behind this?
As a business owner I would love to see this information (Basecamp’s stats particularly) emailed to me monthly. A sort of business health check, if you will. Here’s hoping this is just a part of Jason’s new project.
GregT
on 08 May 13
That’s impressive. I wish my company did that.
Don Schenck
on 08 May 13
@Ben
Your last sentence, ”... unless they provide …”.
Is the “they” referring to the 3rd party?
Thanks for the information regarding SSAE16. Always good to learn something new.
Ben
on 08 May 13
@Ben Kinnaird
Publicly traded companies have to “assert” their data is secure.
So if that public company so chooses to store its data with a 3rd party vendor (like 37signals), the public company needs a report completed by a certified QSA from the private company (37signals) asserting the data is protected on behalf of the public company.
Make sense?
Ben Kinnaird
on 08 May 13
Ben, got it. Thanks for explaining further.
MattH
on 08 May 13
I love that instead of micro-managing your employees (or eliminating telecommuting) you find ways to measure overall productivity. It’s even more impressive that you share that information.
Glen Barnes
on 08 May 13
Just one small suggestion… Can you please change the dots from red/green to some other combination? The colour blind will thank you dearly for it.
Michael
on 09 May 13
Of course, Ben doesn’t even acknowledge Taylor’s informative response. This shows that Ben doesn’t actually need nor care about SSAE16 except as a possible avenue of criticism.
The report looks great. I wish you had followed through on the report that compared your uptime to Github et al; that would have been interesting. Perhaps it would be a good joint project between several similarly-minded companies?
andrew
on 09 May 13
I have been using the old Basecamp for years on personal projects. Thanks for the great job; even though it is quite dated now and I know there is your new version, I still really appreciate the simplicity of the old.
looking for free crm software – try saleslifecycle.com
GeeIWonder
on 09 May 13
I think it was a nice informative response. And encouraging, even. It does not surprise me they are working on this.
When a kid tells you they’re going to do the dirty dishes, do you say great! Do you move your food over to the dirty plates?
Or do you wait until the dishes are done?
Ben
on 09 May 13
@Taylor, thank you for the info.
@GeeIWonder, I purposely didn’t respond BECAUSE I was being polite and didn’t want to hijack this thread to continue the SSAE16 topic any further.
If you must know, I went with Zoho because I didn’t feel I received an adequate response from 37signals (at the time). I was extremely fair to 37signals and responded back with my concerns after I received their initial response. What frustrated me even more was that when I responded back with my concerns, my follow-up request was never acknowledged and I never heard back from 37signals. Zoho was able to provide the report immediately, and my company has been a happy customer of theirs for 6+ months.
This is exactly the detail I didn’t want to get into this post. But if you must know, that’s what happened.
GeeIWonder
on 09 May 13
@Ben I was replying from my own perspective to the ‘of course they just whine’ comment.
You’re smarter than I am and a) didn’t take the bait and b) didn’t use blockquote, which still doesn’t work on here.
I think your comment was great for those who do/aspire to do business with government, publicly traded companies, or anybody else who cares to be accountable.
Ben
on 09 May 13
@GeeIWonder
Sorry for directing my comment at you. You’re right, I obviously meant to direct it at @Michael.
(The lack of quoting capabilities on this blog makes reading comments confusing. Please don’t take offense at my misdirected comments.)
Michael
on 12 May 13
Ben, a simple “thanks, Taylor. I’ll submit another ticket” would have worked without being distracting.
Brian M.
on 13 May 13
Michael
You clearly didn’t read Ben’s post. Ben said he went to Zoho 6 months ago.
Why would Ben write Taylor “thanks, I’ll submit another ticket” – if he’s no longer in the market for an offering?
Michael
on 14 May 13
Brian, because I can’t imagine anyone wanting to stay with Zoho.
Scott Miller
on 14 May 13
Just wondering if you chose your 25 yet?