4 key areas SaaS startups must address to scale infrastructure for the enterprise

Startups and SMBs are usually the first to adopt many SaaS products. But as these customers grow in size and complexity — and as you rope in larger organizations — scaling your infrastructure for the enterprise becomes critical for success.

Below are four tips on how to advance your company’s infrastructure to support and grow with your largest customers.

Address your customers’ security and reliability needs

If you’re building SaaS, odds are you’re holding very important customer data. Regardless of what you build, that makes you a threat vector for attacks on your customers. While security is important for all customers, the stakes certainly get higher the larger they grow.

Given the stakes, it’s paramount to build infrastructure, products and processes that address your customers’ growing security and reliability needs. That includes the ethical and moral obligation you have to make sure your systems and practices meet and exceed any claim you make about security and reliability to your customers.

Here are security and reliability requirements large customers typically ask for:

Formal SLAs around uptime: If you’re building SaaS, customers expect it to be available all the time. Large customers using your software for mission-critical applications will expect to see formal SLAs in contracts committing to 99.9% uptime or higher. As you build infrastructure and product layers, you need to be confident in your uptime and be able to measure uptime on a per customer basis so you know if you’re meeting your contractual obligations.

While it’s hard to prioritize asks from your largest customers, you’ll find that their collective feedback will pull your product roadmap in a specific direction.

Real-time status of your platform: Most larger customers will expect to see your platform’s historical uptime and have real-time visibility into events and incidents as they happen. As you mature and specialize, creating this visibility for customers also drives more collaboration between your customer operations and infrastructure teams. This collaboration is valuable to invest in, as it provides insights into how customers are experiencing a particular degradation in your service and allows for you to communicate back what you found so far and what your ETA is.

Backups: As your customers grow, be prepared for expectations around backups — not just in terms of how long it takes to recover the whole application, but also around backup periodicity, location of your backups and data retention (e.g., are you holding on to the data too long?). If you’re building your backup strategy, thinking about future flexibility around backup management will help you stay ahead of these asks.

Encryption in transit and at rest: Cloud infrastructure provides great tools to manage encryption and is something you should be actively working toward. In many cases, it’s just a question of turning on a configuration in Amazon Web Services (AWS) or Google Cloud Platform (GCP) to put the encryption in place. You should think about your encryption practice holistically: How is your data encrypted at rest and between services? What is the granularity of encryption that you’re using? How do key management and key rotation work?

Facility and office network control: As technologists, it’s easy to zero-in on your application’s architecture and ensure that it’s secure. But things like office network and physical security are just as critical to your overall security. It’s important to have active plans around these to protect your and your customers’ data at all times, and you should expect that customers will ask you about these.

Give IT admins control over product usage

Many SaaS products are built for adoption directly by teams, meaning they don’t require IT to install and manage. However, as your product gains traction, IT becomes an important stakeholder and partner in how your product is used inside the customer shop.

IT’s security and data control needs vary, and the requirements they have for your application will not be the same across customers. One size will certainly not fit all. Sometimes the needs are based on the industry the customers are in and related regulations, and within the same industry they can vary based on local laws. In other cases, the needs emerge from how they use your product. Whatever circumstance you’re dealing with, treat IT admins like first-class customers.

Here are some flexible controls to build for IT admins so they can enforce internal policies:

User management: This includes basic provisioning, deprovisioning and visibility into user activity. For larger customers, you’ll likely be required to offer more grouping of users and roles.

Active integrations: You might be excited about a new integration, but some customers might not be and may want to block that integration from being used within their organization. Integrate away, but give admins control on what users within their organizations can use.

Privacy and security settings: This includes changing team membership, guest access, default privacy throughout the organization, SSO and password requirements.

Data export: This involves the ability to export data snapshots for the organization.

There is no single policy that works for all customers, and the goal is to provide the flexibility that IT admins need to define the defaults and policies for their team members.

Build data isolation into your architecture

One of the key aspects of SaaS that makes it attractive — other than removing the operational burden from your customers — is multitenancy, because it makes your offering more efficient than each customer running your product on their own premises. As your customers become larger, there is an opportunity and stronger need to isolate customer data without giving up on the scalability, performance and security that comes from multitenancy.

Both these goals can be achieved by building compartments of various sorts while also sharing resources. The right compartmentalization can protect your customers from “noisy neighbor” performance problems, reduce the blast radius of failures, and significantly lower the amount of data exposure in case of a security breach.

Building your architecture to support data isolation between different customers can also help down the line if you decide to provide regional storage of data for particular customers (e.g., in a data center in the European Union). Building that capability might be hard, because of the automation required to manage separate data centers and the continuing need to maintain some amount of global data, but building isolation from the start will give you a leg up.

Support customers by interconnecting their data across applications

It’s important to think about how customers are using your product alongside the full ecosystem of products they’re using. According to Asana’s Anatomy of Work Index, the average worker switches between 10 apps 25 times per day. Your app will always be one of many. Your largest customers will find it easier to adopt your product if you build the capability to connect their favorite tools with your app through an open API and native integrations.

Enterprises are dealing with thousands of applications that their employees want to use, so connecting your product to other applications allows the value that you’re adding to be more accessible through more services. One way to start is by building an API early that allows your product to integrate with other apps to reduce data silos and the need to switch between apps constantly.

Then, engage your developer ecosystem so others can build on top of your product versus building these integrations yourself. For large organizations, there will be specific security needs (e.g., SIEM, audit logs, DLP) for customers to secure usage of your product.

Final takeaways

As companies grow, their security and reliability needs evolve. When working with large customers, having empathy for these needs will go a long way. IT admins have an obligation to control and protect their own data and minimize risk while getting the value you offer. They will be opinionated about their needs, but are often willing to discuss how their security and reliability goals can be met. While IT admins are a narrower audience, they are still your customers and should be given first-class treatment.

In addition, there is so much value you can glean from enterprise engagements when it comes to accelerating your product maturity. While it’s hard to prioritize asks from your largest customers, you’ll find that their collective feedback will pull your product roadmap in a specific direction.

As a rule of thumb, avoid building one-off features and functions that only benefit a single customer, and instead track the requests that you get and build once the trends and patterns become clear.