
Request: Make compliance a self-serve feature

Open joethreepwood opened this issue 1 year ago • 3 comments

Feature request

Is your feature request related to a problem?

Currently, BAAs and DPAs are a bit of a pain for the CS & Sales team. I'm not even technically in that team and I still see a bunch of emails about one or the other every day. Occasionally people also ask for our SOC 2 report. From what I understand, there are very few situations where we don't agree.

The DPA process is pretty simple: Users have to email us at [email protected], which goes to Ops, and then @fraserhopper signs it and returns it.

The BAA process is more involved: Users have to contact us via the website, then we usually tell them they have to be on the Teams / Enterprise plan, then they have to confirm they are, then we have to check, then we have to send the docs to them via PandaDoc, then we have to update them in Hubspot (soon to be Salesforce) when it's signed.

In both cases there's manual work involved, and we could arguably make this a lot simpler by taking a good idea from Sentry.

Describe the solution you'd like

Sentry are smart, because they made this entirely self-serve for users. I think we should do the same.

[Screenshot 2024-05-02 at 14 07 35]

We add a new Legal section here ☝️ where users can review and accept legal documents themselves, within the app. When they do, we'll likely want to send an event. Maybe we want to have that event trigger a Slack notification, just so we can keep an eye on things.

Documents we could include:

  • Standard T&Cs (We should make this accepted by default)
  • Privacy Policy (We should make this accepted by default)
  • Data Processing Agreement (US and EU versions)
  • Business Associate Amendment (We should make this exclusive to users with the Teams add-on, etc)

Each of these would need to offer users a way to open and accept the document, or to close it without accepting.

We can also include links to the privacy Docs, where users can get guidance on CCPA, and a link to our latest SOC 2 security report.

Describe alternatives you've considered

The alternative would be that I create an automated process outside of the app. I can look into this as a potential hackathon project, but the solution would basically look like this for the DPA:

  • Create a new page, with a form where users fill out for DPA approvals and provide the needed details
  • This form passes these details to Customer.io as properties and triggers a campaign
  • The campaign uses LiquidHTML to insert the properties into the agreement, and sends a completed copy with our details pre-filled back to the user for approval, CCing our Ops team.

The blocker to doing this right now is that such a form would be best powered by Hubspot...and we're about to switch to Salesforce.

For a BAA the process would be more complex because the user would need to be on a Teams plan, which we can't check easily in Customer.io because of https://github.com/PostHog/meta/issues/104 not allowing us to check orgs. We could set up a workaround for this based on users...but all it would take is one user on a gmail/outlook domain to ruin that. We'd probably have to involve Zapier for it.

Additional context

For https://github.com/PostHog/meta/issues/193

Debug info

- [ ] PostHog Cloud, Debug information: [please copy/paste from https://us.posthog.com/settings/project-details#variables]
- [ ] PostHog Hobby self-hosted with `docker compose`, version/commit: [please provide]
- [ ] PostHog self-hosted with Kubernetes (deprecated, see [`Sunsetting Kubernetes support`](https://posthog.com/blog/sunsetting-helm-support-posthog)), version/commit: [please provide]

joethreepwood, May 02 '24 13:05

Just for BAAs, I think we would want some option on our side to approve it, as they do open us up to liability so it shouldn't be totally unilateral from the customer (e.g. they are some sketchy company who we don't want to agree to take their money to do this.)

charlescook-ph, May 02 '24 13:05

> Just for BAAs, I think we would want some option on our side to approve it, as they do open us up to liability so it shouldn't be totally unilateral from the customer (e.g. they are some sketchy company who we don't want to agree to take their money to do this.)

We can automate that within the app or with the hackathon solution: we'd just trigger the pre-filled emails to go to @fraserhopper instead, with the user email included in text so he can very quickly reply and get it approved.

joethreepwood, May 02 '24 14:05

This seems pretty doable.

Would we expect this to use the panda doc API in order to get the signature from the customer?

zlwaterfield, May 02 '24 14:05