Operating a SaaS product through ownership changesby Sebastien Mirolo on Tue, 30 Aug 2022
Either because you sold the business, or a critical operation engineer is promoted and/or leaves the company, changes in ownership are inevitable. To be prepared for it, you should create a business continuity plan and review it regularly.
3rd party services checklist
First list all the online services your SaaS business depends on. You can usually do this by going through the business bank or credit card statement. If you rely on many free services, that makes live a little more complicated but you can still comb through your e-mails to refresh your memory about what you signed up for and what you actually use.
For each service, list at the bare minimum:
- Name of the service and its URL
- Purpose of the service
- Contact with credentials
When you are ready to implement a more robust business continuity plan, also list:
- Risk to the business if service is unavailable
- How authentication to the service is done? (SSO, service-managed credentials database)
With that information, you can then categorize providers into three tier:
- Tier 1 providers
- Any outage to one of these providers has immediate and severe consequences to the business. In simple terms: total blackout and every person in the business is scrambling to find a way to come back online.
- Tier 2 providers
- An outage of tier 2 providers means the service runs with a severely degradated experience. The operations team is on the bridge to mitigate and solve the issue as quickly as possible but other parts of the business might still be able to operate on their regular schedule.
- Tier 3 providers
- An outage of tier 3 providers is annoying but the effects are not immediate nor affect all customers. The operations team can resolve those issues on their normal work schedule.
It can be intimidating at first to populate Purpose of the service and Risk to the business. Fortunately for most SaaS products, these two columns of the spreadsheet are pretty standard.
|Purpose of the service||Risk to the business if service is unavailable||Name of the service and its URL||Contact with credentials||How authentication to the service is done?|
|Tier 1 providers|
|Domain Registrar||Website, e-mail, etc. are unreachable. - i.e. we are screwed!||GoDaddy||Joey in Engineering||GoDaddy username/password|
|Domain Name service||Website, e-mail, etc. are unreachable. - i.e. we are screwed as well!||GoDaddy||Joey in Engineering||GoDaddy username/password|
|Hosting||Website is unreachable - a really bad day!||AWS||Joey in Engineering||AWS username/password with TOTP|
|Tier 2 providers|
|Cannot receive e-mails. bouncing when customers try to reach us.||GMail||Co-founder Alice||GMail OAuth, username/password and phone|
|Phone||Cannot receive phone calls. customers get a phone disconnected message.||ATT||Co-founder Alice||ATT username/password|
|Payment processing||Website cannot process online payments.||Stripe||Clara in Software Engineering||Stripe username/password with one-time code throuigh phone|
|Customer support||Support tickets are not recorded. customers are not notified something is wrong.||Zendesk||Co-founder Alice||Zendesk username/password|
|Tier 3 providers|
|TLS certificates||Expiring certificates are not renewed leading to security alert for customers trying to access the website.||Letsencrypt||Joey in Engineering||Letsencrypt API key|
|Code and package repositories||Cannot deploy changes to the website||GitHub||Co-founder Alice||GitHub username/password|
|Payroll Software||Cannot send paychecks and taxes mechanically.||Intuit||Co-founder Alice||Intuit username/password with one-time code throuigh phone|
|CRM Software||Loose ability to manage prospects and leads at scale||Hubspot||Co-founder Alice||Hubspot username/password|