Why We Need an Open “Data Safety” Score for All Business Apps and Integrations?

Introduction

In today’s dynamic business environment, startups, SMBs, and large organizations adapt to change at an astonishing pace. Think about it: millions of people switched to working from home almost overnight at the beginning of 2020, then to a hybrid model, and then back to the office in 2021. Such a change would have been unimaginable just a decade ago. So, what made it possible? The most significant enabler is probably technology adoption, and more specifically, a wide variety of flexible solutions that can be picked up and glued together quickly. With digital transformation reaching more verticals and no-code tools being adopted by larger organizations, this trend will only accelerate.

There is some room for concern

Integrations are great. But with a growing number of integrations comes a greater risk of data exposure by the integrated apps, whether intended (selling your data) or unintended (a leak or breach). Think about it this way: every Slack, Zoom, or Monday integration you connect means another company now has access to your data for as long as the integration is active, and whatever it has already pulled stays with that company even after you disconnect. Some of those companies are not as protective of the data as they should be.

The major platforms partially address this with basic automated or manual app reviews and security checks. However, in our experience it is still too easy to connect an app that has security issues or an inadequate privacy policy, potentially putting user data at risk.

The data protection gap

Big corporations have been concerned with third-party cybersecurity and data protection for years, and several solutions address the problem with varying degrees of success. These enterprise-focused products bring automation and structure to the vendor verification process, but they require a dedicated information security team to operate. Some include a basic "hacker's-eye" external security scan and a scoring system, but they focus mainly on direct vendors and third parties and do not look one layer deeper to map fourth parties (your vendors' vendors), such as Slack, Zoom, or Zapier integrations and Chrome extensions. In addition, these solutions are complicated, have a steep learning curve, and are not priced for small and medium-sized companies, startups, and freelancers; they are simply too expensive for most professional users.

GDPR, CCPA, SOC 2, and ISO 27001 aren't enough

There's a running joke in the industry that goes something like this: "The biggest achievement of GDPR is the consent popup every website has implemented." Privacy regulations and security standards have made some vendors more aware and protective of customer data, but most small and mid-sized B2B app vendors are still hesitant to go through the certification process. And even when they do, clients still find it overwhelming to verify the data governance statements, security posture, and privacy measures behind the badge.

Methods to estimate data-safety

  1. Most professionals run a quick, intuitive internet search to judge whether a product or integration is trustworthy. They speed-read the developer's homepage, check their social media handles, read a couple of customer reviews, and perhaps spot some security and privacy certification logos on the homepage (if any). This may be good enough for a tiny startup or a freelancer; however, when important deals with larger clients are on the line, third- and fourth-party validation deserves to be taken more seriously.
  2. A few "privacy geeks" go as far as actually reading the privacy policy before using a product. Most of us, though, elegantly skip it and proceed to connect the tool. There's a good reason for that: most privacy policies are long, complicated, and full of legal jargon, and the risk of data misuse is just not visceral enough for most professionals. Regardless, the risk is real, and the privacy policy contains important details about what data is collected and clear indications of how it is used, protected, and shared.
  3. Some tools can help you estimate a business app's safety, including public domain blacklists, scam-reporting sites, SSL/TLS certificate scanners, and customer review websites. All of these give some indication of the level of data protection. However, they provide only a crude approximation and will probably catch only the most extreme and obvious cases (where the app is clearly a scam).
  4. Another option is simply to send a customer support inquiry with your questions and concerns about data protection and security. Most vendors take anywhere from a couple of days to several weeks to answer, especially if you are not (yet) a major corporation.
  5. The last, most technical, and most demanding way to assess the data safety of third-party apps and integrations is to run penetration tests, go through a long process of security audits and questionnaires, and sign a custom DPA (data processing agreement). This requires a dedicated team of cybersecurity and legal professionals; most businesses lack the skills and are unlikely to invest the time.

Data-driven trust metrics

The privacy movement has brought many positive changes, such as empowering users and making developers more privacy-aware, transparent, and careful with the data they collect; however, there is still a long way to go. The biggest challenge is how vendors communicate their data-protection posture to users. The everyday marketing, sales, or tech professional just wants to know whether it is safe to connect a specific Slack chatbot or Google Chrome extension, and that task isn't easy.

We think it's possible to create a simple data protection score that everyone can understand. The best way to do this is to run a standardized data-protection analysis that monitors all relevant indicators remotely and automatically. In fact, this is what we've been building for the last several months.

Our open solution analyzes three main aspects of every integration:

  1. Cloud security - we run an external cybersecurity assessment of every app and integration to check how well it protects your data against attackers and external data breaches.
  2. Privacy policy - we use AI to determine whether the developer commits to protecting your data, keeping it private (not selling it), and providing transparency and user controls.
  3. Community trust - we collect positive and negative trust signals from users across the web and process them into a simple community trust score.
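To make the first two aspects concrete, here is an added example (not protective.ai's scanner or code) of what remote, automated indicator checks can look like: it scores a vendor's HTTPS response headers and privacy-policy text against a handful of indicators and combines them into a 0-100 figure. The indicator weights, the HSTS threshold, and the phrase patterns are assumptions chosen for illustration; the two sets of sample headers and policy text are constructed rather than captured from any real vendor; and the community-trust aspect is out of scope here.

```python
"""Illustrative data-safety indicator checks (added example, not protective.ai's code).
Weights, thresholds and phrase patterns are assumptions; the sample headers and
policy text at the bottom are constructed, not captured from any real vendor."""
from __future__ import annotations

import re
from dataclasses import dataclass

ONE_YEAR = 31536000  # HSTS max-age of at least one year (assumed threshold)

# Illustrative weights; a real score would calibrate these against incident data.
WEIGHTS = {
    "hsts": 15, "csp": 15, "nosniff": 5, "cookie_flags": 10, "server_banner": 5,
    "no_sale": 25, "retention": 10, "deletion": 10, "breach_notice": 5,
}


@dataclass
class Finding:
    indicator: str
    passed: bool
    detail: str


def check_headers(headers: dict[str, str]) -> list[Finding]:
    """Browser- and transport-hardening signals from one HTTPS response's headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    out: list[Finding] = []

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    max_age = int(m.group(1)) if m else 0
    out.append(Finding("hsts", max_age >= ONE_YEAR, hsts or "missing"))

    csp = h.get("content-security-policy", "")
    # A policy that permits 'unsafe-inline' scripts buys little against XSS.
    out.append(Finding("csp", bool(csp) and "'unsafe-inline'" not in csp, csp or "missing"))

    xcto = h.get("x-content-type-options", "")
    out.append(Finding("nosniff", xcto.lower() == "nosniff", xcto or "missing"))

    # Session cookies should carry Secure and HttpOnly; a response with no cookie passes.
    cookie = h.get("set-cookie", "")
    flags = {a.strip().lower() for a in cookie.split(";")[1:]}
    out.append(Finding("cookie_flags", not cookie or {"secure", "httponly"} <= flags,
                       cookie or "no cookie set"))

    # A version number in the Server banner helps attackers pick exploits.
    server = h.get("server", "")
    out.append(Finding("server_banner", not re.search(r"\d+\.\d+", server), server or "absent"))
    return out


def check_policy(policy: str) -> list[Finding]:
    """Keyword heuristics over privacy-policy text (a stand-in for the post's AI step)."""
    t = " ".join(policy.lower().split())
    out: list[Finding] = []

    # Flag any mention of selling data that is not negated within the preceding few words.
    unnegated_sale = any(
        not re.search(r"\b(not|never|don't|doesn't)\b", t[max(0, m.start() - 25):m.start()])
        for m in re.finditer(r"\bsell(s|ing)?\b", t)
    )
    out.append(Finding("no_sale", not unnegated_sale,
                       "possible data-sale clause" if unnegated_sale else "no unnegated sale clause"))
    for name, pattern in (
        ("retention", r"\bretain|\bretention\b"),
        ("deletion", r"\b(delete|deletion|erase|erasure)\b"),
        ("breach_notice", r"\bbreach\b.{0,60}\bnotif|\bnotif\w*\b.{0,60}\bbreach\b"),
    ):
        found = re.search(pattern, t) is not None
        out.append(Finding(name, found, "clause found" if found else "no clause found"))
    return out


def score(findings: list[Finding]) -> int:
    """Weighted 0-100 score over the findings; weights are illustrative assumptions."""
    total = sum(WEIGHTS[f.indicator] for f in findings)
    earned = sum(WEIGHTS[f.indicator] for f in findings if f.passed)
    return round(100 * earned / total) if total else 0


def assess(headers: dict[str, str], policy: str) -> tuple[int, list[Finding]]:
    findings = check_headers(headers) + check_policy(policy)
    return score(findings), findings


# Constructed samples (not real vendors): a weak vendor and a hardened one.
WEAK_HEADERS = {
    "Server": "nginx/1.14.0",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": "sid=7f3a; Path=/",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
WEAK_POLICY = "We may sell your personal information to advertising partners."

HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": "sid=7f3a; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Server": "nginx",
}
HARDENED_POLICY = (
    "We do not sell your personal information. We retain account data for 30 days "
    "after closure, then delete it. We notify affected customers within 72 hours "
    "of confirming a breach."
)

if __name__ == "__main__":
    for name, hdrs, pol in (("weak", WEAK_HEADERS, WEAK_POLICY),
                            ("hardened", HARDENED_HEADERS, HARDENED_POLICY)):
        total, findings = assess(hdrs, pol)
        print(f"{name}: score {total}/100")
        for f in findings:
            print(f"  [{'ok' if f.passed else 'FAIL'}] {f.indicator}: {f.detail}")
```

In practice the headers would come from a real HTTPS response to the vendor's login page and the policy text from the vendor's published policy; the point of the structure is that every indicator is a named, re-checkable finding with an explicit weight, so a score can be recomputed on a schedule and a drop can be traced to the indicator that changed rather than to an opaque number.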

On top of that, we are working on additional features for our PRO solution that will keep your data protected, help you with compliance, and keep your team safe when using business platforms, integrations, and no-code tools.

Data protection for the masses

Today's data loss prevention (DLP), third- and fourth-party risk management, compliance, and data discovery solutions are available only to large corporations. They come with a high price tag, are hard to integrate, and require dedicated information security and compliance teams to operate. For mid-sized companies and startups (which can have hundreds of employees), there are no good solutions. We have found strong demand for a product that helps companies estimate whether an integration is safe and supports ongoing monitoring and data protection for teams.

Our vision is to make trust data-driven, measurable, and open to everyone, from the startup founder deciding whether to use a Gmail add-on to the corporate CISO trying to keep thousands of employees from using unvetted Slack integrations. For that reason, we are launching an open platform, available through a simple online search and without a costly subscription, for accessing the basic data-protection score of business apps.

Conclusions

The data privacy revolution is still under way, bringing more privacy and trust to B2B vendors and their clients. Nevertheless, it won't accomplish its goal until every business, large or small, can easily understand whether a given product keeps their data safe. Existing tools don't address this. An open data-protection score is needed to make the SaaS and integrations ecosystem more transparent, simple, private, and safe for everyone.

Let's talk

Need help? Interested in early access? Want to get in touch? Send us a message below, or email us at info@protective.ai