Subledger: APIs for Accounting (subledger.com)
26 points by flylib on June 29, 2014 | hide | past | web | favorite | 29 comments

I'm cofounder of Scripted.com and we're probably subledger's first major integration. We did it because we didn't want to put an engineering FTE on dealing with money in our app. Timing was good so we went for it! And I'm glad we did. All told I think we deleted some 9,000 lines of code.

Great team but integration needs some work. I'm sure they'll get there and I'm glad we could be the guinea pigs. Go ahead, AMA!

Hello there!

I'm a founder, and this has brought us a lot of traffic! THANK YOU!

We believe that all APIs must be built in a secure and robust fashion. We use techniques similar to other online accounting apps.

I don't believe our responsibilities are greater or lesser than theirs, but I do appreciate your feedback. We will certainly spell out our security better!

Specifically, here are some details that should ease your concerns.

All traffic is SSL encrypted. We receive an A+ on https://www.ssllabs.com/ssltest/

We require two randomly created tokens (key/secret) for authentication. Both are 22 character Base 62 strings, so the combined key space is greater than 256 bits.

We allow for overlapping keys to encourage regular rotation.

We use BCrypt for secret hashing to avoid brute force attacks.

All data creation operations will not return success until your data is written to two independent datacenters.

We stream versioned resource backups into our own S3 bucket, and optionally a bucket owned and controlled by our customers.

With Subledger it really is your data!
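The key/secret scheme and the key-space arithmetic from the comment above, worked through as an added example; this is not Subledger's code. Two 22-character Base62 tokens give about 131 bits each, 262 bits combined, which is where the "greater than 256 bits" and the 7.3322e+78 (62^44) figures come from. The secret is stored only as a slow hash and compared in constant time; PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here because bcrypt is a third-party package. The overlapping-key rotation (old pair keeps working for a grace window after a new pair is issued) is an assumed design, not a description of Subledger's implementation.

```python
import hashlib
import hmac
import math
import secrets
import time
from typing import Dict, Optional, Tuple

BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
TOKEN_LEN = 22
PBKDF2_ROUNDS = 100_000  # tune to your latency budget, as you would bcrypt's cost factor


def keyspace_bits(alphabet_size: int = len(BASE62), length: int = TOKEN_LEN) -> float:
    """Bits of entropy in one uniformly random token of `length` symbols."""
    return length * math.log2(alphabet_size)


def new_token(length: int = TOKEN_LEN) -> str:
    """Uniform Base62 token from the OS CSPRNG (secrets.choice has no modulo bias)."""
    return "".join(secrets.choice(BASE62) for _ in range(length))


def derive(secret: str, salt: bytes) -> bytes:
    """Slow hash of the secret (stand-in for bcrypt; assumption, see lead-in)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class CredentialStore:
    """Key/secret API credentials. The key is a lookup handle stored in the clear;
    the secret is never stored, only its salted slow hash."""

    def __init__(self) -> None:
        # key -> (account, salt, secret hash, expires_at or None while fully active)
        self._creds: Dict[str, Tuple[str, bytes, bytes, Optional[float]]] = {}

    def issue(self, account: str) -> Tuple[str, str]:
        key, secret = new_token(), new_token()
        salt = secrets.token_bytes(16)
        self._creds[key] = (account, salt, derive(secret, salt), None)
        return key, secret  # the only moment the plaintext secret exists server-side

    def verify(self, key: str, secret: str, now: Optional[float] = None) -> Optional[str]:
        """Return the account name on success, None on any failure."""
        now = time.time() if now is None else now
        rec = self._creds.get(key)
        if rec is None:
            # Burn a derivation anyway so unknown keys are not distinguishable by timing.
            derive(secret, b"\x00" * 16)
            return None
        account, salt, stored, expires_at = rec
        if expires_at is not None and now >= expires_at:
            return None
        if not hmac.compare_digest(derive(secret, salt), stored):
            return None
        return account

    def rotate(self, old_key: str, overlap_seconds: float,
               now: Optional[float] = None) -> Tuple[str, str]:
        """Issue a fresh pair; the old pair keeps working for `overlap_seconds` (assumed design)."""
        now = time.time() if now is None else now
        account, salt, stored, _ = self._creds[old_key]
        self._creds[old_key] = (account, salt, stored, now + overlap_seconds)
        return self.issue(account)

    def revoke(self, key: str) -> None:
        self._creds.pop(key, None)
```

The overlap window is what makes rotation safe to automate: a client can be switched to the new pair while the old one still authenticates, and the old pair dies on its own if the cut-over is forgotten. If you do use bcrypt, note that it reads at most 72 bytes of input; a 22-character secret is well inside that limit, but longer secrets would be silently truncated.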

As I hinted at in another comment, this info should be on your website. I get the flat layout and all, but I think you'll want to AB test using the abstract description of features ("Google Analytics for money", "a precise, scalable double-entry accounting ledger", etc) with the bullet points you mentioned in this post and in your FAQ.

Thanks! Very clear and happy about all your feedback. Thanks!

I don't really understand what you guys do. Are you just a cloud database for account balances, and we send you journal entries? And then you process the financial statements? I assume you don't automatically process the notes to the FS?

It's reasonable to consider us as a double-entry accounting data store. But we don't just store balances, we store the entire audit trail, including links to source documentation.

As such, we make it easy to show customers and vendors realtime account statements, just like your bank does.

We also provide simple manual tools to allow humans to view and make manual entries as required via our iOS and web app.

We do not handle payment, but we do allow you to account for the payments you request and receive from other vendors.

Finally, we make it trivial to account for splits in marketplace applications, and liability positions in any prepaid models. For instance, gift card accounting is a natural fit for us.

In short, we simplify building core financial functionality for applications by providing developers an API to track money in the worldwide standard manner for the last 500 years. :-)
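What a "double-entry accounting data store" with an audit trail, per-account statements, marketplace splits and prepaid (gift card) liabilities looks like in code, as an added example that is not Subledger's API or implementation. The account names, the `reference` field used to link a posting to its source document, and the helper functions are assumptions for illustration. The security-relevant point is the invariant in `post`: an entry whose debits do not equal its credits is rejected before it is appended, and balances are always derived from the immutable journal, so there is no stored balance that can drift from, or be edited independently of, the trail that justifies it.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable, List, Optional, Tuple

ZERO = Decimal("0")


@dataclass(frozen=True)
class Line:
    """One side of a posting. Exactly one of debit/credit is non-zero."""
    account: str
    debit: Decimal = ZERO
    credit: Decimal = ZERO


@dataclass(frozen=True)
class JournalEntry:
    """Immutable posting. `reference` links back to the source document (assumed field)."""
    entry_id: int
    description: str
    lines: Tuple[Line, ...]
    reference: Optional[str] = None


class Ledger:
    """Append-only double-entry ledger. Balances are derived from the entries, never
    stored, so the journal itself is the audit trail."""

    def __init__(self) -> None:
        self._entries: List[JournalEntry] = []

    def post(self, description: str, lines: Iterable[Line],
             reference: Optional[str] = None) -> JournalEntry:
        lines = tuple(lines)
        if len(lines) < 2:
            raise ValueError("a posting needs at least two lines")
        for ln in lines:
            if ln.debit < ZERO or ln.credit < ZERO or (ln.debit != ZERO and ln.credit != ZERO):
                raise ValueError(f"bad line for {ln.account}")
        # The double-entry invariant: reject before anything is written.
        if sum((ln.debit for ln in lines), ZERO) != sum((ln.credit for ln in lines), ZERO):
            raise ValueError("debits must equal credits")
        entry = JournalEntry(len(self._entries) + 1, description, lines, reference)
        self._entries.append(entry)
        return entry

    def balance(self, account: str) -> Decimal:
        """Debit-positive balance: assets/expenses positive, liabilities/revenue negative."""
        return sum((ln.debit - ln.credit
                    for e in self._entries for ln in e.lines if ln.account == account), ZERO)

    def statement(self, account: str) -> List[Tuple[int, str, Optional[str], Decimal]]:
        """Running statement for one account, like a bank statement:
        (entry id, description, source reference, running balance)."""
        rows, running = [], ZERO
        for e in self._entries:
            delta = sum((ln.debit - ln.credit for ln in e.lines if ln.account == account), ZERO)
            if delta != ZERO:
                running += delta
                rows.append((e.entry_id, e.description, e.reference, running))
        return rows

    def trial_balance(self) -> Decimal:
        """Sum of every account balance; always zero if post() held its invariant."""
        accounts = {ln.account for e in self._entries for ln in e.lines}
        return sum((self.balance(a) for a in accounts), ZERO)


def record_marketplace_sale(ledger: Ledger, seller: str, gross: Decimal,
                            fee: Decimal, reference: str) -> JournalEntry:
    """Buyer pays `gross`; the platform keeps `fee` as revenue and owes the seller the rest."""
    return ledger.post(f"sale for {seller}", [
        Line("assets:cash", debit=gross),
        Line("revenue:platform_fees", credit=fee),
        Line(f"liabilities:payable:{seller}", credit=gross - fee),
    ], reference)


def sell_gift_card(ledger: Ledger, amount: Decimal, reference: str) -> JournalEntry:
    """Cash in now, revenue later: the unredeemed balance is a liability to the holder."""
    return ledger.post("gift card sold", [
        Line("assets:cash", debit=amount),
        Line("liabilities:gift_cards", credit=amount),
    ], reference)


def redeem_gift_card(ledger: Ledger, amount: Decimal, reference: str) -> JournalEntry:
    """Redemption extinguishes the liability and recognises the revenue."""
    return ledger.post("gift card redeemed", [
        Line("liabilities:gift_cards", debit=amount),
        Line("revenue:sales", credit=amount),
    ], reference)
```

Amounts are `Decimal`, never floats, because a ledger that rounds a 0.1 + 0.2 style error into a balance will eventually fail its own trial balance. The `statement` output is what a "realtime account statement" for a customer or vendor would be rendered from; every row carries the entry id and the source reference, so a disputed line can be traced to the document that caused it.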

Really neat idea but I'm surprised that a company who needs me to send them intimate accounting data makes no mention of what they're doing to ensure my data is safe and secure.

Building an API is relatively simple, protecting sensitive financials is not.

this is in a FAQ in the email after you signup for beta

"Q) Does Subledger store data safely and securely?

A) Yes. Subledger runs entirely on Amazon's AWS, which itself is compliant with HIPAA, SOC 1/SSAE 16/ISAE 3402 (formerly SAS70), SOC 2, SOC 3, PCI DSS Level 1, ISO 27001, FedRAMP(SM), DIACAP and FISMA, ITAR, FIPS 140-2, CSA and MPAA. Subledger itself has not yet been certified. We take your data security and safety very seriously: when Subledger says it has received your data, it has already been stored in two separate data centers.

Q) Does Subledger provide disaster recovery?

A) Yes. Subledger makes real time backups of transactions as you create them. Our storage system has a stated durability of 99.999999999%. Subledger can optionally mirror your transactions to a separate geographic location. With multiple copies in diverse geographic locations, your data is extraordinarily durable.

Q) Do I need to replace what I've already built?

A) No. Subledger can exist alongside anything that's already in place.

Q) Is accessing my financial data over the internet secure?

A) Yes. All communications to and from Subledger are TLS/SSL encrypted which is the modern standard for over the internet security.

Q) Do you have strong authentication and authorization?

A) Yes. We employ a gigantic keyspace (7.3322e+78 combinations) key/secret authentication with support for rolling key updates."

There's little value in putting this information in the FAQ after I signup. You'll never even see my email if I can't have this level of confidence in your service. The site is pretty and flat and has decent copy, but this isn't a to do list app.

I hear you loud and clear, will get site updated!

Thank you for your clear and concise feedback, very much appreciated!

Agree... Something like that would be much better in the form of a library that companies can integrate into their code.

I understand your position clearly!

People felt the same way about Salesforce.com, i.e. The data is too sensitive to place in the cloud.

Yet millions use QuickBooks Online every day.

We believe strongly that a huge new API economy is being built, we're delighted to offer our accounting API, mobile app, and web app to people who do not wish to build and manage it themselves.

I'd be careful of using the Salesforce and QuickBooks comparison. Salesforce had a $4M seed round, including Larry Ellison. Do you have that kind of cash to throw at security? I presume Salesforce controlled the hardware - it looks like you're on AWS (at least that's what using CloudFront suggests to me).

Intuit is 31 years old, and QuickBooks is 20. They spent a long time getting accounting software right before they ventured into the hosted solution, and they're a publicly traded company with the advantages that come with that.

Not to say that you can't answer the security story, but I'd be cautious of the analogy approach.

Thanks, understand your points clearly.

I'll point out that I did spend a lot of time, energy and money on application security at Engine Yard (and still do as board member) and I'm very proud of our security record there.

The links (blog, etc) on the "App" screen are all using SSL, which doesn't appear to be configured properly:

"You attempted to reach subledger.com, but instead you actually reached a server identifying itself as *.wpengine.com."

Yikes, apologies.

Will get that fixed ASAP, thanks for pointing this out.

Fixed now.

Thanks for the feedback, much appreciated!

Just saying you'll have a REST API doesn't give me enough reason to sign up for an invite. Your API could be a joy to work with, or I might burn a week and a half just getting the initial auth working.

We're not satisfied with our documentation, which is why we don't give direct API access at this time.

Understand your input, appreciate it a lot. Thanks!

Considering that the API is your product, getting it documented should probably be your #1 priority. Even rudimentary documentation, which you can then update later, would be better than none.

Hey there. Yes, agree, thank you, but depends upon how many eyes you want on it along the way.

Said another way: didn't realize that today was Hacker News day! :-)

We DO have https://api.subledger.com which is Swagger documentation, but we lack a directed HOWTO document that describes double-entry accounting and how our API represents it.

Believe me, we're working on it! :-)

I've been using Apiary to document some APIs, and it seems pretty easy to add in-line explanation in Markdown.

Thanks, I'll take a look!

We are building something very similar as an internal project to support our payment systems, wish this had been available 2 years ago!

I wish it had been available two years ago too!

Next time, or this time if you'd like to compare us against your internal implementation. :-)

I have already forwarded the link to our team, we will be evaluating it to see if it fits for us.

Thank you, kind sir!

Let me know if I can help in any way.

Backed By Andreessen Horowitz & Draper Associates, Created by a co-founder of Engine Yard

Who we think rock! They saw the future we see and helped us build it!
