

Subledger: APIs for Accounting - flylib
http://subledger.com

======
rbucks
I'm cofounder of Scripted.com and we're probably subledger's first major
integration. We did it because we didn't want to put an engineering FTE on
dealing with money in our app. Timing was good so we went for it! And I'm glad
we did. All told I think we deleted some 9,000 lines of code.

Great team but integration needs some work. I'm sure they'll get there and I'm
glad we could be the guinea pigs. Go ahead, AMA!

------
tmornini_ey
Hello there!

I'm a founder, and this has brought us a lot of traffic! THANK YOU!

We believe that all APIs must be built in a secure and robust fashion. We use
techniques similar to those of other online accounting apps.

I don't believe our responsibilities are greater or lesser than theirs, but I
do appreciate your feedback. We will certainly spell out our security better!

Specifically, here are some details that should ease your concerns.

All traffic is SSL encrypted. We receive an A+ on
[https://www.ssllabs.com/ssltest/](https://www.ssllabs.com/ssltest/)

We require two randomly created tokens (key/secret) for authentication. Both
are 22 character Base 62 strings, so the combined key space is greater than
256 bits.

We allow for overlapping keys to encourage regular rotation.

We use BCrypt for secret hashing to avoid brute force attacks.

No data creation operation returns success until your data has been written to
two independent datacenters.

We stream versioned resource backups into our own S3 bucket, and optionally a
bucket owned and controlled by our customers.

With Subledger it really is your data!

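The key/secret scheme described in the reply above (two random 22-character base-62 tokens, the secret stored only as a slow hash, overlapping keys so a new pair can be issued before the old one is revoked), worked through as an added example. This is not Subledger's code and nothing here is taken from their API: the store, the token and function names, and the rotation flow are assumptions for illustration, and the hash is `hashlib.scrypt` rather than bcrypt because scrypt ships with CPython (the property that matters, a deliberately slow memory-hard hash, is the same).

```python
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass

# Token format as stated in the reply: 22 symbols drawn from a 62-symbol alphabet.
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
TOKEN_LEN = 22


def generate_token(length=TOKEN_LEN, alphabet=BASE62):
    """Uniform random token from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace_bits(length=TOKEN_LEN, alphabet_size=len(BASE62)):
    """Entropy of one token in bits: log2(alphabet_size ** length), ~131 for 22 x base-62."""
    return length * math.log2(alphabet_size)


def combined_keyspace(tokens=2, length=TOKEN_LEN, alphabet_size=len(BASE62)):
    """Number of (key, secret) pairs an attacker who knows neither must search."""
    return alphabet_size ** (tokens * length)


# Slow-hash parameters. Assumption: scrypt stands in for the bcrypt the reply
# names; both exist to make an offline brute force of a leaked hash table costly.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_secret(secret, salt):
    return hashlib.scrypt(secret.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    active: bool = True


class CredentialStore:
    """Hypothetical server-side store: maps key -> salted hash of the secret.
    The plaintext secret is returned to the client once and never kept."""

    def __init__(self):
        self._creds = {}

    def issue(self):
        key, secret = generate_token(), generate_token()
        salt = secrets.token_bytes(16)
        self._creds[key] = Credential(salt=salt, digest=hash_secret(secret, salt))
        return key, secret

    def authenticate(self, key, secret):
        cred = self._creds.get(key)
        if cred is None or not cred.active:
            # Burn the same hashing cost so an unknown or revoked key is not
            # distinguishable from a wrong secret by response time.
            hash_secret(secret, b"\x00" * 16)
            return False
        return hmac.compare_digest(cred.digest, hash_secret(secret, cred.salt))

    def revoke(self, key):
        if key in self._creds:
            self._creds[key].active = False

    def active_keys(self):
        return [k for k, c in self._creds.items() if c.active]


def rotate(store, old_key):
    """Overlapping rotation: issue the replacement first, so clients can be moved
    over while both keys validate; the caller revokes old_key afterwards.
    Returns the new (key, secret) and a snapshot of the keys valid at that moment."""
    new_key, new_secret = store.issue()
    return new_key, new_secret, store.active_keys()
```

`keyspace_bits()` returns about 131, so the two tokens together give roughly 262 bits and `combined_keyspace()` reproduces the 7.33e78 figure quoted in the FAQ lower in the thread. Had bcrypt been used as the reply states, a 22-byte secret is also comfortably under bcrypt's 72-byte input limit.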
~~~
bdcravens
As I hinted at in another comment, this info should be on your website. I get
the flat layout and all, but I think you'll want to AB test using the abstract
description of features ("Google Analytics for money", "a precise, scalable
double-entry accounting ledger", etc) with the bullet points you mentioned in
this post and in your FAQ.

~~~
tmornini_ey
Thanks! Very clear and happy about all your feedback. Thanks!

------
doomspork
Really neat idea but I'm surprised that a company who needs me to send them
intimate accounting data makes no mention of what they're doing to ensure my
data is safe and secure.

Building an API is relatively simple, protecting sensitive financials is not.

~~~
flylib
this is in a FAQ in the email after you signup for beta

"Q) Does Subledger store data safely and securely?

A) Yes. Subledger runs entirely on Amazon's AWS, which itself is compliant
with HIPAA, SOC 1/SSAE 16/ISAE 3402 (formerly SAS70), SOC 2, SOC 3, PCI DSS
Level 1, ISO 27001, FedRAMP(SM), DIACAP and FISMA, ITAR, FIPS 140-2, CSA and
MPAA. Subledger itself has not yet been certified. We take your data security
and safety very seriously: when Subledger says it has received your data, it
has already been stored in two separate data centers.

Q) Does Subledger provide disaster recovery?

A) Yes. Subledger makes real time backups of transactions as you create them.
Our storage system has a stated durability of 99.999999999%. Subledger can
optionally mirror your transactions to a separate geographic location. With
multiple copies in diverse geographic locations, your data is extraordinarily
durable.

Q) Do I need to replace what I've already built?

A) No. Subledger can exist alongside anything that's already in place.

Q) Is accessing my financial data over the internet secure?

A) Yes. All communications to and from Subledger are TLS/SSL encrypted, which
is the modern standard for over-the-internet security.

Q) Do you have strong authentication and authorization?

A) Yes. We employ key/secret authentication with a gigantic keyspace
(7.3322e+78 combinations) and support for rolling key updates."

~~~
bdcravens
There's little value in putting this information in the FAQ after I signup.
You'll never even see my email if I can't have this level of confidence in
your service. The site is pretty and flat and has decent copy, but this isn't
a to do list app.

~~~
tmornini_ey
I hear you loud and clear, will get site updated!

Thank you for your clear and concise feedback, very much appreciated!

------
bdcravens
The links (blog, etc) on the "App" screen are all using SSL, which doesn't
appear to be configured properly:

"You attempted to reach subledger.com, but instead you actually reached a
server identifying itself as *.wpengine.com."

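The browser message quoted above is a subjectAltName mismatch: a certificate whose names are `*.wpengine.com` cannot cover `subledger.com`, because a wildcard only stands in for the leftmost label and never for the apex. Added example (not code from Subledger, WP Engine or any browser) implementing the RFC 6125 matching rules a client applies; the SAN list is a constructed input based on the quoted message, not a captured certificate, and the rule rejecting wildcards with fewer than two fixed labels is this example's own stricter assumption.

```python
# Constructed SAN list modelled on the quoted browser message (not a real certificate).
OBSERVED_SANS = ["*.wpengine.com", "wpengine.com"]


def _labels(name):
    """Normalise a DNS name: case-insensitive, trailing dot ignored."""
    return name.rstrip(".").lower().split(".")


def hostname_matches(pattern, hostname):
    """Match one dNSName entry against a requested hostname.
    - no wildcard: exact label-for-label comparison
    - wildcard must be the entire leftmost label ('*.example.com', not 'a*.example.com')
    - it matches exactly one label, so neither the apex nor a deeper subdomain
    - assumption: at least two fixed labels must remain, so '*.com' is refused"""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in lab for lab in p[1:]) or len(p) < 3:
        return False
    return len(h) == len(p) and h[1:] == p[1:]


def cert_covers(sans, hostname):
    """True when any subjectAltName entry matches the host the client asked for."""
    return any(hostname_matches(san, hostname) for san in sans)


def explain_mismatch(sans, hostname):
    """None when the certificate is valid for the host; otherwise a message in the
    shape of the warning quoted in the comment above."""
    if cert_covers(sans, hostname):
        return None
    return (f"You attempted to reach {hostname}, but instead you actually reached "
            f"a server identifying itself as {', '.join(sans)}.")
```

The fix the founder applied is the only one a client will accept: serve a certificate whose SANs include the name users type (`subledger.com`, or use a hostname under the wildcard the host already has), since no client will accept `*.wpengine.com` for `subledger.com` no matter how the links are written.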
~~~
tmornini_ey
Yikes, apologies.

Will get that fixed ASAP, thanks for pointing this out.

~~~
tmornini_ey
Fixed now.

Thanks for the feedback, much appreciated!

------
epa
I don't really understand what you guys do. Are you just a cloud database for
account balances, and we send you journal entries? And then you process the
financial statements? I assume you don't automatically process the notes to
the FS?

~~~
tmornini_ey
It's reasonable to consider us as a double-entry accounting data store. But we
don't just store balances, we store the entire audit trail, including links to
source documentation.

As such, we make it easy to show customers and vendors realtime account
statements, just like your bank does.

We also provide simple manual tools to allow humans to view and make manual
entries as required via our iOS and web app.

We do not handle payment, but we do allow you to account for the payments you
request and receive from other vendors.

Finally, we make it trivial to account for splits in marketplace applications,
and liability positions in any prepaid models. For instance, gift card
accounting is a natural fit for us.

In short, we simplify building core financial functionality for applications
by providing developers an API to track money in the worldwide standard manner
for the last 500 years. :-)

------
bdcravens
Just saying you'll have a REST API doesn't give me enough reason to sign up
for an invite. Your API could be a joy to work with, or I might burn a week
and a half just getting the initial auth working.

~~~
tmornini_ey
We're not satisfied with our documentation, which is why we don't give direct
API access at this time.

Understand your input, appreciate it a lot. Thanks!

~~~
troels
Considering that the API is your product, getting it documented should probably
be your #1 priority. Even rudimentary documentation, which you can then
update later, would be better than none.

~~~
tmornini_ey
Hey there. Yes, agree, thank you, but it depends upon how many eyes you want
on it along the way.

Said another way: didn't realize that today was Hacker News day! :-)

We DO have [https://api.subledger.com](https://api.subledger.com) which is
Swagger documentation, but we lack a directed HOWTO document that describes
double-entry accounting and how our API represents it.

Believe me, we're working on it! :-)

~~~
bdcravens
I've been using Apiary to document some APIs, and it seems pretty easy to add
in-line explanation in Markdown.

~~~
tmornini_ey
Thanks, I'll take a look!

------
amatxn
We are building something very similar as an internal project to support our
payment systems, wish this had been available 2 years ago!

~~~
tmornini_ey
I wish it was available two years ago too!

Next time, or this time if you'd like to compare us against your internal
implementation. :-)

~~~
amatxn
I have already forwarded the link to our team, we will be evaluating it to see
if it fits for us.

~~~
tmornini_ey
Thank you, kind sir!

Let me know if I can help in any way.

------
flylib
Backed By Andreessen Horowitz & Draper Associates, Created by a co-founder of
Engine Yard

~~~
tmornini_ey
Who we think rock! They saw the future we see and helped us build it!

