by grepfru_it 1763 days ago
Once again, never ever commingle customer accounts; one bad apple ruins it for all of them. Create a new (in this case, Heroku) account for each customer, no exceptions.

Story time: I worked for a major marketing firm that did this with Facebook. We would see accounts go down every once in a while, and it turned out the managers of the companies that cried foul were doing foul things which we would have to resolve (bonus: extra $$$ too). One Saturday our monitoring started chirping, only to find all Facebook accounts were deactivated. It took us 10 minutes to realize we did not change our tooling to support their API changes. These are well-known name brands that were completely down. That was the first time I have seen an entire company scramble to resolve an issue, but we were back up and hobbling around within 2 hours.

Always separate accounts.


Can you link a single credit card to multiple accounts?

Also, if they notice the same people, from the same IP, with the same credit card, (...), are running a bunch of accounts, why wouldn't they ban it all after a ToS violation?

Because maybe what you described isn’t a violation of terms of service. Do you always start companies without consulting a lawyer?

Sorry for the snark, but this seems like a thinly veiled attempt at a troll

I don't think they are trolling; I have exactly the fear that somehow now my email, IP, all linked credit cards on other accounts, etc, are about to be autobanned by the same broken process that got me to this point.

The biggest concern is the complete lack of transparency in why the account was suspended; was I hacked and I need to protect other things? Was my customer data accessed? I haven't the faintest idea, which is a helpless feeling.

I had planned for outages, disconnects, etc, but literally EVERYTHING is behind the Heroku login; because I never considered anything I was doing remotely bad, I never considered I'd be suddenly unable to login to every 3rd party backup service, access environment variables, etc.

You are not your end users. I’ve had services terminated because script kiddies attacked me. Literally nothing in my control, it was bad optics for the provider (and their customers). So you must find a way to insulate yourself. Multiple accounts is the way.

Think of it like this, when you are doing your accounting you don’t put everything on a single line item, you separate by customer to understand where your profit and losses are occurring. Same with service accounts

I'm not trolling. The trouble is that the systems that ban people from cloud platforms are largely automated. And if you trip a wire you have no recourse to talk with a human being, so the actual written lines in the ToS aren't very relevant.
At a certain size, your org should be a resale partner with whatever cloud service it is, so the end customers are getting their own accounts. This varies by size and $$$ spent.

Credit cards should never be linked across accounts thanks to PCI-DSS compliance.

Same IP ban is also not likely unless you are actually doing nefarious things across multiple accounts. I am also making the assumption you are connecting from some business account and not a residential ISP, though that is changing thanks to covid. FWIW, I have worked at many companies where offices of 300-500 proxy outbound traffic to a single IP, that’s why I don’t believe this is a concern.

The ultimate problem is when you have several logical partitions but no billing partition. Also, the large marketing firm I worked at had zero phone support with Facebook and Google, yet we did this all day (with a single IP address).

This all boils down to one common thread: you should be taking advice from a lawyer on whether the terms prevent such actions, and you should have a business continuity plan. If the vendor does something egregious, like shutting down all accounts, then your lawyer can ship them a nice letter which will get their attention.

> Credit cards should never be linked across accounts thanks to PCI-DSS compliance

AFAIK, PCI-DSS doesn't prevent you from storing cryptographic hashes of cards. Therefore cards could still be linked via hashes.

> At a certain size (...)

I think this is key.

> Same IP ban is also not likely (...)

Thanks for answering! I had no idea.
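The point about linking cards through hashes is worth seeing in code. The block below is an added example, not code from anyone in this thread or from Heroku: it shows how a provider can group accounts that share a payment card while storing only a fingerprint, and why that fingerprint has to be keyed. A plain SHA-256 of a 16-digit PAN is not anonymisation when the BIN (first six digits) and last four are kept in the clear, which is normal practice, because only a million candidates remain. The card numbers are the standard Visa and Mastercard test numbers, the secret key is a constructed placeholder, and the account ids are made up.

```python
"""Card fingerprints for cross-account linking: unkeyed hash vs. keyed HMAC.

Added example for the thread above, not part of the original discussion.
Inputs are constructed: well-known test PANs, a placeholder key, fake ids.
"""
import hashlib
import hmac
from typing import Dict, List, Optional

TEST_PAN = "4111111111111111"   # constructed: the standard Visa test number
OTHER_PAN = "5555555555554444"  # constructed: the standard Mastercard test number
KEY = b"constructed-secret-key"  # constructed; in production this lives in a KMS/HSM


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation for a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fingerprint_plain(pan: str) -> str:
    """Unkeyed SHA-256 of the PAN. Looks anonymised, but see recover_pan()."""
    return hashlib.sha256(pan.encode()).hexdigest()


def fingerprint_keyed(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN under a secret key.

    Equal cards give equal fingerprints (so accounts can be linked), but
    without the key an attacker cannot test candidate PANs against it.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def same_card(fp_a: str, fp_b: str) -> bool:
    """Constant-time comparison of two fingerprints."""
    return hmac.compare_digest(fp_a, fp_b)


def recover_pan(digest: str, bin6: str, last4: str, pan_len: int = 16) -> Optional[str]:
    """Attacker's search against an UNKEYED fingerprint.

    With BIN and last four known, only the middle digits are unknown:
    10**6 candidates for a 16-digit PAN, a fraction of a second of hashing.
    Returns the PAN if the digest was an unkeyed SHA-256, else None.
    """
    middle = pan_len - len(bin6) - len(last4)
    for n in range(10 ** middle):
        candidate = f"{bin6}{n:0{middle}d}{last4}"
        if fingerprint_plain(candidate) == digest:
            return candidate
    return None


def link_accounts(cards: Dict[str, str], key: bytes) -> Dict[str, List[str]]:
    """Provider side: group account ids that share a card, storing no PAN.

    Returns {keyed_fingerprint: [account ids]} for fingerprints seen more
    than once, i.e. the linkage the thread is worried about.
    """
    groups: Dict[str, List[str]] = {}
    for account_id, pan in cards.items():
        groups.setdefault(fingerprint_keyed(pan, key), []).append(account_id)
    return {fp: ids for fp, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    plain = fingerprint_plain(TEST_PAN)
    print("unkeyed hash recovered PAN:", recover_pan(plain, TEST_PAN[:6], TEST_PAN[-4:]))
    keyed = fingerprint_keyed(TEST_PAN, KEY)
    print("keyed hash recovered PAN:  ", recover_pan(keyed, TEST_PAN[:6], TEST_PAN[-4:]))
    accounts = {"acct-1": TEST_PAN, "acct-2": TEST_PAN, "acct-3": OTHER_PAN}
    print("linked accounts:", link_accounts(accounts, KEY))
```

The provider can still link accounts with the keyed variant, which is the thread's actual concern; what the key buys is that a leaked fingerprint table does not hand an attacker the card numbers. Whether a given provider keys its fingerprints, and whether it uses them for enforcement, is not something this thread establishes.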