Day 31 — Bozo Buckets

Bozo Buckets

When I was a kid, I used to dream I was live on Bozo Buckets gameshow winning the GRAND PRIZE of $50 and a brand new bicycle (it’s also probably why I maintain a healthy fear of clowns).

If you’ve never played, it’s pretty simple: you throw a ping pong ball into a series of 6 buckets that each win a prize. If you hit all six in a row, you win the grand prize.

Today I set up my own (nerdy) version of bozo buckets.

Today’s Problem to Solve

Today I continued work on vendor assessments — evaluating all the 3rd party tools and providers I use at Invincible to ensure they meet our security standards.

The Process

When evaluating a vendor, in a perfect world I‘m looking for 3 things:

  1. ISO:27001 or SOC 2, Type 2 Certification (the vendor has very rigorous security standards and our data is safe with them)
  2. A signed agreement identifying how the provider will store, process, or transmit our data (the vendor is contractually obligated to store, process, or transmit our data securely)
  3. A signed BAA if provider is storing any personally-identifiable health information (vendor can safely store PHI).

If a vendor satisfies each of these criteria, easy peasy. But as I quickly found out today, this activity was far from easy:

  • Just finding the security documentation for vendors took a bunch of digging. And when I did, most didn’t have the certifications I needed.
  • Most of the vendors didn’t have a signed agreement, just standard terms of service. Many offer to sign a data processing agreement, but it’s extra time and work.
  • Other vendors have the security and the agreements in place, but I need to make internal changes to how we’re using the tools in order to be compliant.

Bozo Buckets

That brings us to today’s game of bozo buckets.

Today I evaluated all 30 of our vendors based on our risk, what information we store, and their security processes. I was left with the following:

Results of Today’s Vendor Audits

1 — Approved (no conditions)

These were the easy ones. These are the solutions that have a SOC 2, Type 2 report in place and a signed agreement with Invincible. From every app I evaluated, by far set the gold standard for ease of access to this information by setting links right from my account information and downloadable reports. If you sell SAAS and care about security and your customer’s time, do this. does Privacy & Security Right

2 — Approved (w/ exceptions)

These were a bit trickier. These were generally cases where I am missing a SOC 2 report but I have no choice but to proceed ahead. Here were a few examples:

  • Google — Firebase Cloud Messaging (no ISO:27001 / SOC 2 Certification)
  • Apple — App Store Connect (no ISO:27001 / SOC 2 Certification)
  • Facebook — Instagram and Facebook (no ISO:27001 / SOC 2 Certification)

Nevertheless, I have no choice but to proceed ahead. We absolutely need these services and have no real alternative available. Plus, while they don’t have these certifications, they have strong security measures in place and we’re only storing minimal user information in each of these services.

3 — Agreement Requested

These were circumstances where I just need a signed agreement for approval. This was a case where GDPR legislation makes this task much easier, as most companies have either build a data processing agreement into their standard terms of service or else they’re willing to sign a DPA with us.

If you search “Data Processing Agreement” and the company, you can usually find the answer. Most companies have an @security email address where you can request it.

4 — Upgrade Account for Security Enhancements

These companies are frankly just annoying: they sell security as a feature. “Oh, you want to make sure you’re data is secure? No problem, just give us a bunch of money and we’ll be happy to help.”

  • Dropbox
  • Github
  • Lastpass

Each requires upgrading to an Enterprise Account, which translates to a bunch of money for the exact same set of features I have today.

5 — Changes required before approval

These systems are just cleanup, changes I need to make on my end to ensure good data security practices and HIPAA compliance for PHI.

  • Google / AWS: Need to sign a BAA to process PHI
  • Typeform / Mailchimp: Need to consider how I’m interacting with end users and the potential for PHI transmission. Most likely, I need to move away from these services toward something that will serve our long-term security needs.
  • Hubspot: Remove any PHI references (or better yet, get rid of it and switch to a HIPAA-compliant CRM).

What’s Next?

I had hoped this would be a one-day activity, but it’s clear it’s turning into a much bigger project than hoped. On the bright side, I feel much more comfortable about navigating data security with our vendors and the risks we currently have with our data.

More to come tomorrow!




Startup founder surviving in his parent’s basement.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Devil’s Ivy: The Open Source Vulnerability that Puts Millions of IoT Devices at Risk

What’s the Real Threat when President Trump uses his Personal Phone?

Cryptography applications in real world

C2 Malware Detection with browing history

With Ethereum is coming soon

Catching A4s Hiding in Plain Sight : XXE (XML Ext Entities)


S3 Antivirus Scanning with Lambda and ClamAV

{UPDATE} If ... Else Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Bob Weishar

Bob Weishar

Startup founder surviving in his parent’s basement.

More from Medium

One Of Robert Kiyosaki’s Rule For Success

Motsats Furniture, my startup story

Money is not the Resource

Solving your customers’ problems is your job; own it!