Great team but integration needs some work. I'm sure they'll get there and I'm glad we could be the guinea pigs. Go ahead, AMA!
I'm a founder, and this has brought us a lot of traffic! THANK YOU!
We believe that all APIs must be built in a secure and robust fashion. We use techniques similar to other online accounting apps.
I don't believe our responsibilities are greater or lesser than theirs, but I do appreciate your feedback. We will certainly spell out our security better!
Specifically, here are some details that should ease your concerns.
All traffic is SSL encrypted. We receive an A+ on https://www.ssllabs.com/ssltest/
We require two randomly created tokens (key/secret) for authentication. Both are 22-character Base62 strings, so the combined key space is greater than 256 bits.
We allow for overlapping keys to encourage regular rotation.
We use BCrypt for secret hashing to avoid brute force attacks.
All data creation operations will not return success until your data is written to two independent datacenters.
We stream versioned resource backups into our own S3 bucket, and optionally a bucket owned and controlled by our customers.
With Subledger it really is your data!
As such, we make it easy to show customers and vendors realtime account statements, just like your bank does.
We also provide simple manual tools to allow humans to view and make manual entries as required via our iOS and web app.
We do not handle payment, but we do allow you to account for the payments you request and receive from other vendors.
Finally, we make it trivial to account for splits in marketplace applications, and liability positions in any prepaid models. For instance, gift card accounting is a natural fit for us.
In short, we simplify building core financial functionality for applications by providing developers an API to track money in the worldwide standard manner for the last 500 years. :-)
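The credential scheme described in the comment above (two 22-character Base62 tokens, hashed secrets, overlapping keys for rotation) can be sketched as follows. This is an added example written for this page, not Subledger's code; all names (`KeyStore`, `issue`, `retire`, `authenticate`) and the grace-period design are assumptions, and scrypt stands in for bcrypt only because bcrypt is not in the Python standard library.

```python
import hashlib
import hmac
import math
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Base62 alphabet: 10 digits + 26 upper-case + 26 lower-case = 62 symbols.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
TOKEN_LEN = 22   # characters per token, as stated in the thread
SALT_LEN = 16    # bytes of per-secret salt (constructed choice for this example)


def new_token(length: int = TOKEN_LEN) -> str:
    """Return a uniformly random Base62 string drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def combined_keyspace(length: int = TOKEN_LEN, tokens: int = 2) -> int:
    """Exact number of possible values for `tokens` independent tokens."""
    return len(ALPHABET) ** (length * tokens)


def keyspace_bits(length: int = TOKEN_LEN, tokens: int = 2) -> float:
    """Entropy of the combined key space in bits."""
    return tokens * length * math.log2(len(ALPHABET))


def hash_secret(secret: str) -> bytes:
    """Store salt || scrypt(secret). scrypt substitutes for bcrypt here
    because bcrypt is not available in the standard library."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(secret.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt + digest


def verify_secret(secret: str, stored: bytes) -> bool:
    """Recompute the hash under the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(secret.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


class KeyStore:
    """Hashed secrets indexed by API key. Several keys may be valid at once,
    so a client can move to a new pair before the old one stops working."""

    def __init__(self) -> None:
        # key -> (hashed secret, expiry timestamp or None if not retiring)
        self._entries: Dict[str, Tuple[bytes, Optional[float]]] = {}

    def issue(self) -> Tuple[str, str]:
        key, secret = new_token(), new_token()
        self._entries[key] = (hash_secret(secret), None)
        return key, secret  # plaintext secret is returned once, never stored

    def retire(self, key: str, grace_seconds: float,
               now: Optional[float] = None) -> None:
        """Open the overlap window: the key keeps working for `grace_seconds`."""
        now = time.time() if now is None else now
        stored, _ = self._entries[key]
        self._entries[key] = (stored, now + grace_seconds)

    def authenticate(self, key: str, secret: str,
                     now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._entries.get(key)
        if entry is None:
            return False
        stored, expires_at = entry
        if expires_at is not None and now >= expires_at:
            return False
        return verify_secret(secret, stored)


if __name__ == "__main__":
    store = KeyStore()
    key, secret = store.issue()
    print(f"{keyspace_bits():.1f} bits, {combined_keyspace():.4e} combinations")
    print("auth ok:", store.authenticate(key, secret))
```

`combined_keyspace()` reproduces the 7.3322e+78 figure quoted later in the thread (62^44, about 262 bits), and `retire` is what makes two keys overlap: the old pair still authenticates until its grace period ends, so a client can roll credentials without a gap in service.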
Building an API is relatively simple, protecting sensitive financials is not.
"Q) Does Subledger store data safely and securely?
A) Yes. Subledger runs entirely on Amazon's AWS, which itself is compliant with HIPAA, SOC 1/SSAE 16/ISAE 3402 (formerly SAS70), SOC 2, SOC 3, PCI DSS Level 1, ISO 27001, FedRAMP(SM), DIACAP and FISMA, ITAR, FIPS 140-2, CSA and MPAA. Subledger itself has not yet been certified. We take your data security and safety very seriously: when Subledger says it has received your data, it has already been stored in two separate data centers.
Q) Does Subledger provide disaster recovery?
A) Yes. Subledger makes real-time backups of transactions as you create them. Our storage system has a stated durability of 99.999999999%. Subledger can optionally mirror your transactions to a separate geographic location. With multiple copies in diverse geographic locations, your data is extraordinarily durable.
Q) Do I need to replace what I've already built?
A) No. Subledger can exist alongside anything that's already in place.
Q) Is accessing my financial data over the internet secure?
A) Yes. All communications to and from Subledger are TLS/SSL encrypted, which is the modern standard for security over the internet.
Q) Do you have strong authentication and authorization?
A) Yes. We employ key/secret authentication with a gigantic keyspace (7.3322e+78 combinations) and support for rolling key updates."
Thank you for your clear and concise feedback, very much appreciated!
People felt the same way about Salesforce.com, i.e. the data is too sensitive to place in the cloud.
Yet millions use QuickBooks Online every day.
We believe strongly that a huge new API economy is being built, we're delighted to offer our accounting API, mobile app, and web app to people who do not wish to build and manage it themselves.
Intuit is 31 years old, and QuickBooks is 20. They spent a long time getting accounting software right before they ventured into the hosted solution, and they're a publicly traded company with the advantages that come with it.
Not to say that you can't answer the security story, but I'd be cautious of the analogy approach.
I'll point out that I did spend a lot of time, energy and money on application security at Engine Yard (and still do as board member) and I'm very proud of our security record there.
"You attempted to reach subledger.com, but instead you actually reached a server identifying itself as *.wpengine.com."
Will get that fixed ASAP, thanks for pointing this out.
Thanks for the feedback, much appreciated!
Understand your input, appreciate it a lot. Thanks!
Said another way: didn't realize that today was Hacker News day! :-)
We DO have https://api.subledger.com which is Swagger documentation, but we lack a directed HOWTO document that describes double-entry accounting and how our API represents it.
Believe me, we're working on it! :-)
Next time, or this time if you'd like to compare us against your internal implementation. :-)
Let me know if I can help in any way.