Agreed, they make a good point, however, I think the terms of service are binding, and if what we're doing changes, we _must_ update them. This, of course, does not change the fact that we've collected a lot of data and it would suddenly fall under the new terms of service.
With that said, I actively delete customer data on request, and a terms of service change like this _might_ (very reasonably) prompt someone to request their data to be deleted, and since terms of service are not typically immediately effective without consent, I feel strongly that I would make sure I could remove data for people who do not agree with the new terms of service. What I'm saying, is that I would fight very hard for my customers, like, ridiculously hard.
As said above – I am not the CEO – I don't have controlling interest, and there is absolutely some future where the things I said above are impossible to execute. I have not felt that way yet, and I am very conscious of the possibility if that in the future, and will stay vigilant both for my customers and for my own peace of mind to make sure we're always doing the right thing.
I'll have a wild guess there: all devs and most managers have access to the full data set. Any disgruntled one could ex-filtrate it anywhere with not trace.
That's the kind of things which make me for the vision of data as liability.
Absolutely not. We have strict control over our data and access to infrastructure.
Every person with access can only get it via a bastion VPN with their own key. Access is logged to an external host which they do not have access to. We are SOC2 compliant (just waiting on final certification) and we have regular pen tests both against our code as well as our employees with mock phishing.
As a total aside: it would cost a serious amount of money to exfiltrate the data in bulk, and would cause an obvious strain on our infrastructure. Assuming they get by all the above protections, and are really clever, sure, never say never, but I think we can not assume the worst but prepare for it none the less.
An effective opt-out may help most of the vigilant, but it is in the best interest of those changing the ToS to keep it as confusing/hush-hush as possible.
With that said, I actively delete customer data on request, and a terms of service change like this _might_ (very reasonably) prompt someone to request their data to be deleted, and since terms of service are not typically immediately effective without consent, I feel strongly that I would make sure I could remove data for people who do not agree with the new terms of service. What I'm saying, is that I would fight very hard for my customers, like, ridiculously hard.
As said above – I am not the CEO – I don't have controlling interest, and there is absolutely some future where the things I said above are impossible to execute. I have not felt that way yet, and I am very conscious of the possibility if that in the future, and will stay vigilant both for my customers and for my own peace of mind to make sure we're always doing the right thing.
reply