[tfjaeckel]

Hi, I'm one of the founders of Shelf. We think teams and organizations are wasting too much time locating and sharing knowledge.

Been working on helping solve this this issue for quite a while now keeping things in more of a closed circle of beta users until recently. Why? Because we wanted to build a well rounded product based on customer feedback before opening this thing up.

Anyway, so far we've built Shelf primarily on a NodeJs stack making heavy use of microservices and recently more and more Lambdas with (and sometimes without) the Serverless framework. And we built a web clipper as browser extension for Chrome and Firefox to make it easier to clip and share web content.

Would love to get your feedback on if and how you experience the pain point. Of course feedback on the product itself would be great, too, if you want to give it a spin.

[Terretta]

I want what you’re offering, but I do need real security assurances, beyond “secure hosting”.

> Enterprise-level security: Single Sign-On (SSO), Data backup and recovery, Role-based permissions, Secure hosting, AES encryption

Ok but that’s “consumer level” for SaaS.

For Enterprise, you need to prove to me that a malicious insider at your organization can not access the enterprise’s data. Dealing with insiders and RBAC models is particularly interesting when offering search.

You need to provide full access and full change audits trails.

You need to provide a business continuity plan, as noted in a sibling comment.

You can make a more trusted claim by getting your solution HIPAA certified. If you are compliant for storing personal medical information, you’re basically there for “enterprise-level security”.

[tfjaeckel]

Thanks for that input. Totally agree that HIPAA certification is a good approach to prove full coverage of what you've mentioned.

[didgeoridoo]

Is "HIPAA certification" an actual thing? As far as I know, the various HIPAA "certificates" offered by private companies are not universally recognized, nor do they have clear legal relevance. See TrueVault's FAQ: https://www.truevault.com/hipaa-compliance.html

[mbesto]

It's not. You typically sign whats a called a BAA[0] with an entity that is covered by HIPAA compliance. In other words, if a hospital wants to use the software they would make the SaaS provider sign a BAA. This then subjects both the hospital to HIPAA as well as the BAA. The best you can do is basically get audited by an external firm, not dissimilar to how PCI compliance works (which also doesn't have a certification, but has QSA certifications).

[0] - https://www.hhs.gov/hipaa/for-professionals/covered-entities...

[mbesto]

These suggestions are very sound, and I'd suggest the same, but they are overly pedantic for a contract value at a maximum of $2.4k/year. I've seen a number of healthcare providers bound by HIPAA who don't have any of these features (and way less) and are still very competitive in the market. It's not to say you shouldn't do these things, but they are not what will win you contracts for your suggested pricing tiers. More importantly they will probably burden your business from a cost perspective (assuming you're still relatively new to the market).

TL;DR - Put them on the list, but don't let them burden you from making money.

[tfjaeckel]

Thanks for that perspective. Put on the list. Won't let them keep us from making money along the journey.

[jasode]

>Anyway, so far we've built Shelf primarily on a NodeJs stack [...] And we built a web clipper as browser extension for Chrome and Firefox [...]

Thanks for providing extra technical detail. However, I'm more curious with what's happening on the backend.

As far as I can tell, the your differentiation from something like MS Sharepoint or DropBox is an integrated OCR to extract keywords, and Artificial Intelligence to help filter (or "screen" as your landing pages call it). Is there more to your special sauce that I have overlooked?

Also, where are you storing customers' data? Amazon S3? In house servers? Are you using something like ElasticSearch or did you build your own search engine?

[tfjaeckel]

Dropbox is really great for storing and syncing files across devices. It doesn't have a rich set of pre-built filters, you can only store files, not mixed content including links, contacts, etc. So, Shelf is really a complementary solution for Dropbox and can sit on top of it, combining the Dropbox content with other content from a single interface.

Sharepoint is of course very powerful. And that means you typically need a project to make it work. Shelf works out of the box, is opinionated and let's you get started with minimal to no configuration setup.

Yes, we use Amazon S3 for content uploaded to Shelf (encrypted of course) and we utilize ElasticSearch as well.

[KGIII]

You needn't be all that specific, but how do you securely search the encrypted data?

[tfjaeckel]

Data is secured at rest and in transmission. We take every measure available in Elastic to secure the search indexes themselves.

[KGIII]

Ah, so the indexes are secured - but are they encrypted?

You don't need to answer. It's okay. I'm largely asking because I've been thinking about writing an series of essays on the subject of security and one of the topics I have taken some notes about is searching encrypted data.

If the index isn't secure, it kind of defeats the idea of encryption - someone need only make off with the index and be able to draw some conclusions. More so if it's relational.

There are different ways that some go about this, one is the hash with individual words with a unique salt and search for the hashes, but that has its own set of problems, like the ability to eliminate words like 'the' and 'it' from search queries. Well, at least computationally easy.

So, it's purely for my own curiosity that I ask. I imagine it might be doable to load it into RAM, the whole DB - if it's small enough or you have enough RAM, and then do the searches there in an encrypted environment?

I am not so concerned with exfiltration by 'hackers' so much as I'm concerned with exfiltration by employees. Should I get to writing the essays, that's going to be a central theme - protecting data from rogue employees with the increased use of cloud services in today's business environment.

Again, I'd not want you to feel obligated to release anything proprietary or anything that would compromise your security.