HackerTrans
TopNewTrendsCommentsPastAskShowJobs

drewkim

no profile record

Submissions

Launch HN: Pelm (YC W22) – Plaid for Utilities

pelm.com
101 points·by drewkim·4 jaar geleden·88 comments

comments

drewkim
·4 jaar geleden·discuss
That's a great idea! We've identified a use case with solar companies for aiding in sales...this is a great additional case.
drewkim
·4 jaar geleden·discuss
They're listed on the bottom of our home page
drewkim
·4 jaar geleden·discuss
Thanks for the feedback! To answer your questions: - Myself and my co-founder - Credentials aren't stored in plaintext and the encryption key isn't universally available; "peeking" at the db is quite difficult - Data (I'm assuming you mean credentials) is encrypted at rest and in transit - Only business logic and errors are logged: e.g. when processes are completed and why things are breaking - Yes, eventually - Definitely ISO 27701 & SOC 2, perhaps others

Our process for safeguarding credentials is mentioned further down in the thread.

I'm not sure what more guarantees we can give to inspire confidence other than statements taken at face value. We don't have the scale or resources to undergo rigorous third party auditing at the moment. On the other hand, one of the first conversations my co-founder and I had was about hiring a security engineer as soon as we could afford one; we definitely take the matter seriously. Did you have any other ideas of ways we can showcase our commitment to security/privacy other than "trust us"? I do agree it's not the best method but am unsure of alternatives.
drewkim
·4 jaar geleden·discuss
This is also what we've encountered so far...though it's probably safe to assume at least a few providers have looser security protocols.
drewkim
·4 jaar geleden·discuss
Thanks for the great advice! We've created more detailed responses, so hopefully there's now a clearer picture of the output for each endpoint. We've added the more implementation-heavy recommendations (like changing the request body for interval data and splitting the address schema into multiple fields) to our roadmap to be implemented shortly. Really appreciate the scrutiny; way better to work everything out now than having developers run into usability issues. Please let us know if there's anything else you notice!
drewkim
·4 jaar geleden·discuss
You nailed it!

First guarantee is that nobody is manually going in and poking around your account details since the process you've described happens entirely programmatically.

Now, we could program our system to do things other than what's mentioned. However, we're quite disinterested in (actually, emphatically against) ruining our trust/reputation with customers (plus the general public) given our dependence on such relationships and desire to succeed as a company. All that's to say, the second guarantee is that we won't be touching such sensitive data unless given permission to do so by the user.

An example of when we might need to is if the user wants to pay their utility bill using stored payment options instead of submitting payment information. Even in this case, there won't be human eyes on this data; only our Python backend will be interacting with it.
drewkim
·4 jaar geleden·discuss
Here's the guide to using sandbox mode: https://pelm.readme.io/reference/sandbox-mode
drewkim
·4 jaar geleden·discuss
We're excited for the challenge!

Arc was released after we'd already been working on this for a while so it did take us a bit by surprise. We'll compete by focusing on building an amazing team and a high quality product.
drewkim
·4 jaar geleden·discuss
Arcadia requires their customers to sign NDAs and locks them into yearlong contracts, so we don't have an accurate picture. However, we've been told that our pricing is more competitive than theirs.
drewkim
·4 jaar geleden·discuss
Personal use is totally okay and we'd love to here your feedback!
drewkim
·4 jaar geleden·discuss
We do! You can call our endpoints with a "sandbox" header to get mock data. I realize this isn't outlined in our docs--we'll fix that ASAP and I'll comment here when it's done.
drewkim
·4 jaar geleden·discuss
Thanks for the feedback; as an early stage startup with two employees, we'll often miss things here and there, so I appreciate the callout for how we can improve our docs. While we may not be established right now and have some work to do, I'm confident we can build an amazing developer experience given time. UtilityAPI might have very detailed docs, but we think the end to end usability is still lacking. This has been the consistent theme we've heard from developers that we've interviewed.

I'm not sure I agree with UtilityAPI being founded by "tech people", though we may have differing definitions on what that means. It seems like most of the high level execs come from the energy industry and don't have software engineering experience.

Could you give examples of the specific details we could add to the website to make it easier for you to onboard?
drewkim
·4 jaar geleden·discuss
That makes sense; we'll need to think more about pricing consumer differently than enterprise because we've heard that our pricing is actually quite low for enterprise. Appreciate the perspective!
drewkim
·4 jaar geleden·discuss
UtilityAPI and other products are built by energy companies, not tech companies. We've talked to developers who've used these platforms and they consistently mention an extremely poor developer experience; lack of clear documentation, difficulty in building integrations quickly, little to no support, etc. One example: we talked to a paying customer of UtilityAPI who asked for a specific feature, and UtilityAPI asked him to pay for the development costs of it.

We are software engineers by trade and know how to build a really good developer experience. We're focusing on ease-of-use from the start and will build a stellar engineering team that in turn will help us develop a higher quality product.
drewkim
·4 jaar geleden·discuss
It's definitely on our roadmap...when we get to it largely depends on the needs of our early customers but know that we have it in mind!
drewkim
·4 jaar geleden·discuss
We use a secret manager on our cloud platform for key storage, manually rotate keys (for now), and store encrypted passwords on a separate db.
drewkim
·4 jaar geleden·discuss
Ah, I meant plaintext passwords are never persisted in a db anywhere. The only time passwords are decrypted are when they are used to programmatically log in, so they're never stored anywhere except in memory.
drewkim
·4 jaar geleden·discuss
Ah, nice! Getting all of Exelon for the cost of one would be quite awesome. We'll dig into it.
drewkim
·4 jaar geleden·discuss
Gotcha. Makes sense to keep things simple.

You're not the first person to suggest a blog for marketing purposes...seems like something we should invest in!
drewkim
·4 jaar geleden·discuss
Would love to hear about your experience when you do so!