Company Credibility
Trust is the foundation of any partnership. Look for providers with a proven track record, robust client portfolio, and transparent and honest business practices.
Below are a few questions you can ask the provider to assess their credibility:
Can you share examples of existing clients you work with?
Will your clients be open to sharing their experience about working with you?
If the provider is unable to provide at least 2-3 references of reputable clients, be wary of proceeding further.
Has there been any negative press about their organization recently?
If there has, assess the level of risk to your organization should you proceed with the provider.
How long has the organization been around?
As with anything, the longer a company has been in the industry, the more experience they have with solving the problem. There are reasons why working with unproven companies can be risky!
Are there any major milestones you can share that would attest to your credibility and expertise in the industry?
These could include anything from the number of records removed to the number of users they have served. Compare these with other existing providers to assess for credibility and scalability.
Are you willing to allow financial statement audits?
The provider should feel comfortable with audits to help you engender confidence with them.
Look for organizations that have years of experience. An unproven company may leave you with a gap if the organization becomes unsustainable.
Technology and Scale
The ability to handle vast amounts of data efficiently and accurately is crucial. Evaluate the provider's technological capabilities and scalability to ensure they can meet your needs as your user base grows.
Below are questions you can ask the provider to assess their ability to handle scale and what signals to look out for.
Who is your biggest API client? How long have you been in market?
The goal of this question is to gauge the provider’s enterprise readiness, their ability to scale, the robustness of the provider’s technology, security, compliance, protocols and more.
How long have you been in market with a large enterprise API client (more than 1M users)?
If the client is not a Fortune 500 company or the provider has only worked with the large enterprise API client for less than 2 years, the provider could lack the scale required for large organizations. Additionally, the viability of the provider's technology, security protocols, pricing, and business model may not have been thoroughly tested.
Is your solution built in-house or are you using a vendor?
If the provider has not built the technology in house, you are likely paying a premium markup, and the provider may not know how scalable the technology is.
How many users have opted into removals that you have serviced?
If that number is under 1.5M, their technology, methods, and overall business model have not been tested at scale and may pose a potential risk. Avoid being the first to test their business at scale.
How many verified successful removals have you completed of People Search sites?
If that number is under 100M, their technology, methods and overall business model have not been tested at scale and may pose a potential risk.
A word of caution: Beware of misleading removal claims. A removal means a tangible record found on the site that has been verified and is then removed after an opt out process has been completed. This needs to be distinguished from the idea of "not found" or the opt out of a non-public Data Broker (where a record may not have existed), or a data breach resolution, where a user’s info was exposed in a data breach and the user successfully changed their password.
Technology that can’t scale with you and your users may cause a litany of complex challenges down the line for your organization. Ensure the privacy provider you choose is capable of scaling effectively to support the growth of your business.
Proven Product Effectiveness
Evidence of success, quantified by metrics such as the number of successful data removals and user satisfaction, is essential. This not only demonstrates capability but also builds confidence in the provider's service.
Be sure to ask the provider:
How many records have you successfully removed in total?
With a service like this, efficacy is of the utmost importance. This is especially true when the stakes are high for a user or for an organization that has made privacy promises to their consumers. A proven track record is important, and if a provider hasn't removed 50M+ records, the viability of the technology, security protocols, pricing, and business model of the provider have likely not been put through rigorous testing.
How many records do you average removing a day?
Look for numbers above 100K a day. Using 100K as a benchmark enables you to assess consistent performance over large numbers.
Enterprise Readiness and Proof Points
Providers should offer concrete examples of their success with large enterprises, highlighting their experience in dealing with complex systems and large-scale requirements.
What is the largest client you have in terms of the number of customers they serve?
Ensure the provider you’re evaluating has a proven track record with large, enterprise clients. Removing hundreds of thousands of records is not equivalent to removing millions.
Name a few other enterprise clients you partner with.
Ask for references to ensure their enterprise clients are having an optimal experience.
What SLAs do you have in place? Have you successfully met them for an enterprise client (more than 1M users) for more than 1 year?
It’s important that a company has enterprise scale SLAs in place. It’s even more important that they’ve successfully maintained those standards for a client for an extended period of time. It is easy to claim uptime at a scale of <100M records removed with <1M users—it’s quite another to fulfill it.
What enterprise SLAs do you commit to and how long have you had those in place?
If they do not have enterprise level uptime/SLA standards that they’ve successfully fulfilled for enterprise scale customers for at least 2 years, they likely have not yet met or have not been able to meet the scale requirements for these types of companies.
Compliance and Security
Adherence to regulatory requirements and the implementation of robust security measures are non-negotiable. Providers must demonstrate their commitment to protecting sensitive information.
Can you tell us more about your security standards?
- What data security requirements do you adhere to?
- Do your personnel undergo background checks?
- What kind of training do your developers undergo, and at what frequency?
- What active security clearances does your infosec team hold?
A provider with a robust compliance and security program should have:
- Background checks for all personnel before they're hired
- Recurring tabletop security exercises
- Active USG security clearances, including TS/SCI, across multiple infosec personnel
- A PCI Level 1 Service Provider environment
Have you been vetted and tested by a major customer in a regulated industry?
If a provider cannot point to having passed the thorough security review of a Fortune 500 company in a highly regulated industry, in addition to holding industry-standard certifications such as SOC 2, be wary: the provider may have either failed those reviews or never had the opportunity to pressure test its security.
Involve your security and compliance teams in the vetting process to ensure that the provider does not introduce any risks that could jeopardize the safety of your business and your customers.
Integration Capabilities
Seamless integration with existing systems minimizes disruption and enhances user experience. Assess the provider's ability to integrate smoothly with your infrastructure.
Do you offer a sandbox environment?
It’s crucial that the provider offers a testing environment to help you build confidence in the product.
What implementation options do you offer?
Look for flexibility. The provider should have multiple integration methods so that you can select what works best for you. Options can include embeddable components, API and private label.
Can you offer a native experience?
While private labels can be a great option, having a user go to another hosted site or render as an iframe within an app will hurt conversion. Look for ways to integrate directly into your app.
What does the typical implementation timeline look like?
The provider should give a clear and definitive answer. Implementation should also not take longer than a few weeks.
Pricing
Transparent and fair pricing models are indicative of a provider's integrity. Ensure the cost structure is clear and aligned with the value delivered.
Is the pricing easy to understand?
If their pricing structure causes more confusion than clarity, it might be a red flag.
Will the forecasted revenue be favorable to my organization?
Be sure to run the numbers to ensure a favorable outcome to your bottom line with a reasonable timeframe.
Does the provider have any proof points that attest to driving revenue for their clients?
If the provider you’re assessing makes revenue claims for their clients, be sure to evaluate them against those claims.
Site Coverage
Comprehensive coverage is critical to effectiveness. Verify the provider's claims regarding the breadth of sites from which they can remove information.
In an effort to attract more customers, many companies in the space will tout inflated coverage claims (including sites that they won’t actually be able to remove from at scale). A few things to watch out for to check if providers are inflating their coverage:
Including “dead sites” that no longer exist in their coverage.
As privacy laws have become more robust, many small data brokers have gone out of business. Yet some providers may continue to claim these sites in their coverage despite there being a lack of records to find or remove.
Counting state databases as 50 sites instead of 1 site.
Some database sites are broken out by state ("Alabama residents," "Alaska residents," and so on). A given user will appear on only one of these sites, depending on where they live. Instead of counting this as coverage of one database, some providers count it as 50 sites to inflate their coverage.
Including sites that have sophisticated technical barriers that the provider has not built solutions for.
Some of the largest People Search sites have made it far more challenging to remove data from their databases by investing in technology and processes that require purpose-built solutions to work around.
For example, a popular People Search site, which now owns 30 of the largest sites, requires direct verification of a user's phone and email in real time. If the privacy provider doesn't have a solution that involves a user interaction or granting direct access to phone and email inbox, they are unable to remove data from these sites. However, many companies continue to keep these sites on their list.
Keep an eye out for:
- An "inability" to find records on users despite their existence. Providers might claim coverage by counting sites where they never actually locate user records, even though these records do exist, simply to avoid the obligation of removing them.
- A perpetual "in progress" status. Providers may list these sites as "in progress" indefinitely, continuing to claim they are attempting removals even though they know these efforts will never succeed.
A lack of solutions for major People Search sites.
As technical barriers to straightforward data removal have grown more complex, some People Search sites have made it virtually impossible for an authorized agent to complete an opt out on its own: either the user must take a final step themselves, or the user must give the authorized agent direct access to their email inbox and phone.
Note: Array has a simple guided removal for the user that millions of users have leveraged.