by Terretta 3187 days ago
I want what you’re offering, but I do need real security assurances, beyond “secure hosting”.

> Enterprise-level security: Single Sign-On (SSO), Data backup and recovery, Role-based permissions, Secure hosting, AES encryption

Ok but that’s “consumer level” for SaaS.

For Enterprise, you need to prove to me that a malicious insider at your organization cannot access the enterprise’s data. Dealing with insiders and RBAC models is particularly interesting when offering search.

You need to provide full access and full change audit trails.

You need to provide a business continuity plan, as noted in a sibling comment.

You can make a more trusted claim by getting your solution HIPAA certified. If you are compliant for storing personal medical information, you’re basically there for “enterprise-level security”.


Thanks for that input. Totally agree that HIPAA certification is a good approach to prove full coverage of what you've mentioned.
Is "HIPAA certification" an actual thing? As far as I know, the various HIPAA "certificates" offered by private companies are not universally recognized, nor do they have clear legal relevance. See TrueVault's FAQ: https://www.truevault.com/hipaa-compliance.html
It's not. You typically sign what's called a BAA[0] with an entity that is covered by HIPAA compliance. In other words, if a hospital wants to use the software they would make the SaaS provider sign a BAA. This then subjects both the hospital to HIPAA as well as the BAA. The best you can do is basically get audited by an external firm, not dissimilar to how PCI compliance works (which also doesn't have a certification, but has QSA certifications).

[0] - https://www.hhs.gov/hipaa/for-professionals/covered-entities...

These suggestions are very sound, and I'd suggest the same, but they are overly pedantic for a contract value at a maximum of $2.4k/year. I've seen a number of healthcare providers bound by HIPAA who don't have any of these features (and way less) and are still very competitive in the market. It's not to say you shouldn't do these things, but they are not what will win you contracts for your suggested pricing tiers. More importantly they will probably burden your business from a cost perspective (assuming you're still relatively new to the market).

TL;DR - Put them on the list, but don't let them burden you from making money.

Thanks for that perspective. Put on the list. Won't let them keep us from making money along the journey.