I am building car rental web-application software

I recently encountered a concern from a possible client: they don't want the software company to see their data in the database. They load their rates, contracts, etc., which are confidential, and don't want anyone apart from them to have access to this data, including our DBA or some developer/tech person.

I normally do not sell the code of my application and only let clients run the software on their servers. I normally do maintenance and system updates to their servers on a bimonthly or so basis, so I do have remote access to their servers and such. Up to now this was OK, but I am moving into a market where there is a lot of competition and clients are very anxious about their data and about having a server that only they have access to.

They proposed that I sell an exclusive version of the software to them so that they can carry on with maintenance and future updates in-house.

I do consider and brainstorm business models that can revolve around that idea. But at the same time I wonder whether it would be reasonable/practical to support/update/maintain an application without accessing the database server directly at all.

Any suggestions appreciated.

PS: Having a non-disclosure agreement is not enough for this situation.

+4  A: 

Do they fully understand what it will take to get someone in their organisation trained to be able to maintain the application?

Make this clear to them.

What happens when an employee of the company who's had access to this information leaves?

This is a more likely source of data leakage.

Offer to sign a non-disclosure agreement which is standard in this sort of case.

ChrisF
They are willing to create an IT department to maintain the application. Non-disclosure is not enough for this case.
kaivalya
Non-disclosure kinda is enough.
Matchu
Having an NDA means close to nothing from the client's perspective here, as data can be looked at, analyzed and used in another company's margin strategies, and there is almost no way they can prove that this has been done. Again, this is what a client thinks in a country where such things are done and they already have prior such unethical experiences; hence they want to have all their critical data 'physically' in their hands.
kaivalya
+1  A: 

Have you thought of encryption techniques on the database side?

hrishi
A: 

You don't need access to the database for application maintenance. You don't have to service the database if they have the staff. If you need to change something in the DB you can do it with scripts, or special one-time mini-applications. If they want the database, let them have it.

Dialecticus
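
An added example (not part of the thread or of any poster's code) of the script-based approach from the last answer: the vendor ships versioned SQL scripts plus a hash manifest, the client's own staff runs them, and the only thing sent back is a schema-only report with no row data. SQLite stands in for the client's database; the table, migration and function names are hypothetical.

```python
import hashlib
import sqlite3

# Constructed sample: vendor-shipped scripts (id -> SQL); names are hypothetical.
MIGRATIONS = {
    "001_add_currency": "ALTER TABLE rates ADD COLUMN currency TEXT DEFAULT 'EUR'",
    "002_index_contract": "CREATE INDEX idx_rates_contract ON rates(contract_id)",
}
# Assumption: in practice the manifest reaches the client over a separate channel;
# it is derived here only so the sample is self-contained.
MANIFEST = {k: hashlib.sha256(v.encode()).hexdigest() for k, v in MIGRATIONS.items()}


def apply_migrations(conn, migrations, manifest):
    """Apply pending scripts in order; return a report that contains no row data."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS schema_log (id TEXT PRIMARY KEY, sha256 TEXT)")
    done = {row[0] for row in conn.execute("SELECT id FROM schema_log")}
    applied = []
    for mig_id in sorted(migrations):
        if mig_id in done:
            continue  # already applied on an earlier run
        sql = migrations[mig_id]
        digest = hashlib.sha256(sql.encode()).hexdigest()
        if manifest.get(mig_id) != digest:
            # Script is unknown to the manifest or was altered in transit.
            raise ValueError(f"{mig_id}: script does not match vendor manifest")
        try:
            conn.execute("BEGIN")
            conn.execute(sql)
            conn.execute("INSERT INTO schema_log VALUES (?, ?)", (mig_id, digest))
            conn.execute("COMMIT")
        except sqlite3.Error:
            conn.execute("ROLLBACK")  # a failed script leaves the schema untouched
            raise
        applied.append(mig_id)
    # Report table and column names only, never cell values.
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    schema = {t: [c[1] for c in conn.execute(f'PRAGMA table_info("{t}")')]
              for t in tables}
    return {"applied": applied, "schema": schema}
```

Open the connection with `isolation_level=None` so the explicit `BEGIN`/`COMMIT` statements control each transaction.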