> I am avoiding Backblaze as they don't allow you to do due diligence. Any requests to get security audit reports, pentest reports under NDA are all ignored.
What they should do is make you cut a half a million dollar check, refundable when you spend half a million dollars on services.
It removes so many headaches from dealing with people who think their $100 over a year is Very Big Money.
I don't understand why it matters if I only spend $100 or half a million? If I am going to use a third party I want to verify it meets my own security requirements. I think that's totally reasonable to ask.
Actually I would expect that such a big company has these things readily available on request.
Because in the vast majority of the cases those that want these docs after getting a generic one start asking questions/want interaction while having the attitude that "Why should it matter if I only spend $100?" thus expending way more company resources than their account is worth.
You make it sound like reviewing these documents is free.
If a company asks me for similar paperwork (which they have) I have the paperwork in order and ready, they sign an NDA and I send it to them. It's just a step in the sales process imho.
Trixter, yes, I have it ready because I did all these audits already as part of company security policy; and not because of customers and I can share them on request.
A company that never did a pen test or security audit or doesn't want to share them doesn't give me much trust to use them as a partner.
I can't tell you how many times I've been able to implement solutions for my organization based off of experience with personal projects. If I'm satisfied in my due diligence of the provider then I'm a lot more likely to turn around and suggest it for use in my corporate environment.
In this case it's not so much about a $100 spend, it's about them potentially leaving a lot of money on the table if they are incapable of delivering the reports in question.
The money is in the head, not in the long tail. It is possible to make money off the long tail by never treating anything other than the head as a potential head. You will miss some middle of the distribution customers, sure, but you won't spend resources on hundreds if not thousands of "influencers" that don't actually influence anyone.
Based on what I have experienced, those that have real decision making power in companies that will make high six to seven figure purchases simply do not have time to vet their home projects where they are going to spend $100/year. The grandstanding arguments about importance of their projects come from people who probably won't even spend $100/year.
Of course, I wouldn't ask this for a home project, but if it's considered for a business archival solution where government regulation requires me to store things for multiple years and client data for the same period. Of course, I will make sure this data is safe. I am not going to depend on their marketing pages.
You make it sound like it's ridiculous to do a security assessment or to ask for such paperwork. I can tell you that my company's insurance even demands it. At the moment I prefer to pay 3x more and store things at a cloud provider which shares this kind of documentation.