# Anyone need free billing? :)



## jhadley (Dec 6, 2013)

Hi everyone,

I've decided to 'open up' Loading Deck, i.e. make it free.

More information is here.

Also happy to answer any questions. If you do decide to use it, an announcement retweet or follow @loadingdeck on Twitter would be appreciated 

This is not specifically for web hosts, and web hosts will see some limitations (e.g. order form is still being made) but freelancers - designers, consultants etc. should really enjoy it.


James


----------



## notFound (Dec 6, 2013)

Awesome stuff, will see how flexible it is for my mum's business soon. This should be fun.


----------



## Erawan (Dec 6, 2013)

It makes me curious, because I believe I saw you offering Loading Deck in these few weeks, so no one purchased it yet?


----------



## jhadley (Dec 6, 2013)

Erawan said:


> It makes me curious, because I believe I saw you offering Loading Deck in these few weeks, so no one purchased it yet?


There are/were some people on trials (since >= 30 days were free).


----------



## shovenose (Dec 6, 2013)

Erm, question. Not trying to be rude but you're kind of pulling a HostBill in that you're changing pricing all the time. Since it's a hosted solution, does it let me download the MySQL database for my stuff if I ever want to bail and move to another solution, like in case you decide you're going to close up shop?

Hope that makes sense


----------



## jhadley (Dec 6, 2013)

shovenose said:


> Erm, question. Not trying to be rude but you're kind of pulling a HostBill in that you're changing pricing all the time. Since it's a hosted solution, does it let me download the MySQL database for my stuff if I ever want to bail and move to another solution, like in case you decide you're going to close up shop?
> 
> Hope that makes sense


I would disagree with the HB statement - there has only really been one change since the launch of LD, although I did run an extended trial.

With regard to moving away, a new release is going to be applied very soon with a detailed API which will be the recommended way of moving. If you need a MySQL dump just ask 

James


----------



## blergh (Dec 6, 2013)

First it was called billr, had issues & got "audited" and then changed name to Loading Deck? This is confusing. The product might be great for all I know, but it being a hosted solution with owners who seem to be having monetary issues (or having a hard time making their minds up), I think I will pass.

Oh, the reason for it all to be free is that you want our data for research? How about nope.


----------



## Aldryic C'boas (Dec 6, 2013)

What guarantees of safety/security do you provide?  And should a compromise occur (nothing, _nothing_ is 100% locked down), what is your proposed compensation and course of action?


----------



## tchen (Dec 6, 2013)

"Over 50 PCI gateways are available for £10 per month via Spreedly, enabling you to accept credit cards without passing PCI compliance."

:huh: - Please look up SAQ-A. That said, Loading Deck as a third party that deals with and has access to cardholder data (even indirectly through Spreedly) should have PCI compliance.


----------



## Shados (Dec 6, 2013)

tchen said:


> "Over 50 PCI gateways are available for £10 per month via Spreedly, enabling *you* to accept credit cards without passing PCI compliance."
> 
> :huh: - Please look up SAQ-A. That said, Loading Deck as a third party that deals with and has access to cardholder data (even indirectly through Spreedly) should have PCI compliance.


Emphasis mine; they're saying that you don't have to have PCI compliance, not that they don't. At least, that's how I'm reading it.


----------



## HalfEatenPie (Dec 6, 2013)

Aldryic C said:


> What guarantees of safety/security do you provide?  And should a compromise occur (nothing, _nothing_ is 100% locked down), what is your proposed compensation and course of action?


Basically this. Every single time I've stated I dislike the SaaS because of possible security breaches, you answer with "We won't get hacked". That's all fine and dandy from your side, but I just would not like to take that risk. It makes you a much bigger target the bigger you grow, with a bigger payout if you do get hacked. Because of such high risks involved I'd prefer to host on my own platform.

I would love to try it out, and have been liking it for a while, but the SaaS does not fly with me at all.  

Here, can you specify why we can trust a billing SaaS over our own/personal installation?


----------



## sv01 (Dec 7, 2013)

Yes, but not hosted. I prefer a self-hosted solution.


----------



## jhadley (Dec 7, 2013)

tchen said:


> "Over 50 PCI gateways are available for £10 per month via Spreedly, enabling you to accept credit cards without passing PCI compliance."
> 
> :huh: - Please look up SAQ-A. That said, Loading Deck as a third party that deals with and has access to cardholder data (even indirectly through Spreedly) should have PCI compliance.


No, we won't touch the cardholder data and can't see it. Half of the value in Spreedly is that it does all of that itself with transparent redirects (a little like Stripe).



Aldryic C said:


> What guarantees of safety/security do you provide?  And should a compromise occur (nothing, _nothing_ is 100% locked down), what is your proposed compensation and course of action?


Given this is free, there won't be any compensation. It would simply be a case of being open about the problem, fixing it and restoring from a backup.



HalfEatenPie said:


> Basically this. Every single time I've stated I dislike the SaaS because of possible security breaches, you answer with "We won't get hacked". That's all fine and dandy from your side, but I just would not like to take that risk. It makes you a much bigger target the bigger you grow, with a bigger payout if you do get hacked. Because of such high risks involved I'd prefer to host on my own platform.
> 
> I would love to try it out, and have been liking it for a while, but the SaaS does not fly with me at all.
> 
> Here, can you specify why we can trust a billing SaaS over our own/personal installation?


It depends which systems you're comparing, and what measures you yourself take to secure it. Ask yourself how secure what you're using at the moment really is. I think it's better I don't publicly post all of the security measures that are in place.



sv01 said:


> Yes, but not hosted. I prefer a self-hosted solution.


Use something else then.


----------



## GIANT_CRAB (Dec 7, 2013)

OK


----------



## Aldryic C'boas (Dec 7, 2013)

jhadley said:


> Given this is free, there won't be any compensation. It would simply be a case of being open about the problem, fixing it and restoring from a backup.


That doesn't answer the first question - what guarantees of security can you give? What measures do you take (in technical terms, not layman's) to prevent security leaks?

What does "fixing it" entail?  Pulling a Solus/WHMCS and releasing a new patch every two days?  Are you required to report CC theft in the event of a data breach?  I notice you specifically mentioned "restoring from a backup" - I'm not talking about a bug/breach that destroys data.  I'm specifically asking your plan of action in the event that all of the data you store is compromised and leaked, not destroyed.


----------



## tchen (Dec 7, 2013)

jhadley said:


> No, we won't touch the cardholder data and can't see it. Half of the value in Spreedly is that it does all of that itself with transparent redirects (a little like Stripe).


As the third party that people are relying on for SAQ-A, YOU need to be compliant.


----------



## tchen (Dec 7, 2013)

Shados said:


> Emphasis mine; they're saying that you don't have to have PCI compliance, not that they don't. At least, that's how I'm reading it.


Which is a wrong statement in and of itself. It's a basic error that anyone who has touched the PCI forms wouldn't make.


----------



## jhadley (Dec 7, 2013)

Aldryic C said:


> That doesn't answer the first question - what guarantees of security can you give?  What measures do you take (in technical terms, not layman’s) to prevent security leaks?
> 
> What does "fixing it" entail?  Pulling a Solus/WHMCS and releasing a new patch every two days?  Are you required to report CC theft in the event of a data breach?  I notice you specifically mentioned "restoring from a backup" - I'm not talking about a bug/breach that destroys data.  I'm specifically asking your plan of action in the event that all of the data you store is compromised and leaked, not destroyed.


The only guarantee I can realistically offer is that normal, reasonable precautions have been taken to protect the data, including server security and code quality. I deliberately don't want to go into too much detail around this for obvious reasons, save to say that it includes a firewall, brute force protection, VPN-only and key-only access to certain services, a code-checking process whereby code is checked by further developers before going live, frequent system and framework updates and so forth.



tchen said:


> As the third party that people are relying on for SAQ-A, YOU need to be compliant.


I have had several conversations with Spreedly and 403labs on this subject and, honestly, it seems to be a grey area. However, it's irrelevant for the moment as only Paypal and GoCardless are being used (there is no option on the website to enable the other gateways).


----------



## tchen (Dec 7, 2013)

jhadley said:


> I have had several conversations with Spreedly and 403labs on this subject and, honestly, it seems to be a grey area. However, it's irrelevant for the moment as only Paypal and GoCardless are being used (there is no option on the website to enable the other gateways).


It's grey in that there's no specific form to fill in for a SaaS, and it is handled on a case-by-case basis. It's the sharing of responsibility that changes, and it is not a release of the SaaS from any compliance requirements.
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf


I hope you do address this topic again when you decide to turn on the other gateways. As it stands, your customers would be exposed to the compliance fines.


----------



## Aldryic C'boas (Dec 7, 2013)

jhadley said:


> The only guarantee I can realistically offer is that normal, reasonable precautions have been taken to protect the data, including server security and code quality. I deliberately don't want to go into too much detail around this for obvious reasons, save to say that it includes a firewall, brute force protection, VPN-only and key-only access to certain services, a code-checking process whereby code is checked by further developers before going live, frequent system and framework updates and so forth.


Sorry mec, but that’s not really a guarantee at all.  Reasonable by whose standards?  What precautions?  Were your security implementations tested and verified by a trusted third party, or are you making this claim on the assumption that your work, reviewed only by yourself, is good enough?

What obvious reasons?   The only one I can think of is that you worry going into detail will reveal that things aren't quite as secure as you market them to be.  I point this out because the entirety of the quoted paragraph above could be used to describe Solus, WHMCS, and numerous other panels with known flaws.

You also ignored over half of my prior response, so I'll post it again:



Aldryic C said:


> What does "fixing it" entail?  Pulling a Solus/WHMCS and releasing a new patch every two days?  Are you required to report CC theft in the event of a data breach?  I notice you specifically mentioned "restoring from a backup" - I'm not talking about a bug/breach that destroys data.  I'm specifically asking your plan of action in the event that all of the data you store is compromised and leaked, not destroyed.



I realize it seems like I'm just giving you a hard time - but for all of your projects you tend to advertise and describe as someone from a marketing department would, not how a developer would. This naturally would lead people to wonder if you have the technical expertise to back up your claims. Speaking from the viewpoint of someone involved frequently with development, if I were in the market for a billing system, your responses to questions in this thread would've thoroughly convinced me that LoadingDeck (along with billr and any of your other projects) would not be up to standard for what I consider secure/efficient.

Just a bit of advice - I know you have a history of starting things, getting them clear of beta, then letting them just kinda fade into obscurity.  You're treading rather dangerous ground now, to be employing that attitude with a system designed to store information about people and finances.  Your claim of "Use at own risk, it's free lol" doesn't make you immune to the regulations and policies that apply to running such enterprises.  Nor is anyone likely to forgive you should something catastrophic occur, and the best you can do for them is "What did you expect, you weren't paying anything".  If you're going to try and do something important, at the very least take the time to think things through and plan properly/accordingly.


----------



## blergh (Dec 8, 2013)

If no responsibility is going to be taken on your behalf due to it being free, why not just release it so that we may host it ourselves? This would make far more sense, as the only ones to blame would be ourselves instead of having to rely on a third party that doesn't give two shits about it.


----------



## jhadley (Dec 8, 2013)

@Aldryic - I'm actually much more developer than marketer (although I'm not the main developer at Loading Deck); however, I'm used to explaining in terms that most people can understand. You're absolutely right that there are no solid guarantees at this early stage. Solid guarantees of security are rare and often broken anyway. I'll make sure that the research will begin by looking at the liability issues and finding a clear path through them.



blergh said:


> If no responsibility is going to be taken on your behalf due to it being free, why not just release it so that we may host it ourselves? This would make far more sense, as the only ones to blame would be ourselves instead of having to rely on a third party that doesn't give two shits about it.


I find this a little offensive. I do care about the software and its users, and I am actively maintaining it despite 'opening it up'. The reason that's possible is (once again) because research is being done. For this research to work, I need to maintain full control over the system. There are also a number of other advantages of SaaS over self-hosted for me including a lower support load.

TL;DR I'm getting something out of this in a different way.

There will however be parts that are open-sourced in the near future, but open source isn't the aim here.


----------



## Aldryic C'boas (Dec 8, 2013)

I would wish you the best of luck... but given that multiple times now you've completely ignored what I actually said and only answered what you wanted to hear, I would rather wish the poor folks trusting you and using an ill-thought-out platform luck - they'll need it.

Word of parting advice - work on your honesty.  Attempting to deflect direct, specific inquiries with marketing jargon you don't fully understand has done little more than alienate you to everyone here that actually knows what they're doing when it comes to security and implementation.


----------



## concerto49 (Dec 8, 2013)

Is this free for a limited time? It was called something before billr and was tried to be sold on Code Canyon or somewhere too. Didn't sell, I guess? How do we trust this will be around?


----------



## HalfEatenPie (Dec 9, 2013)

*cough*

http://i.imgur.com/9AoeKHh.png

It's no longer available on Code Canyon.

In his defense though, he did state that Code Canyon was taking 50% of the sales and that's why it was pulled (not sure though).


----------



## concerto49 (Dec 9, 2013)

HalfEatenPie said:


> *cough*
> 
> http://i.imgur.com/9AoeKHh.png
> 
> ...


Wouldn't 50% be better than free?


----------



## Echelon (Dec 15, 2013)

jhadley said:


> @Aldryic - I'm actually much more developer than marketer (although I'm not the main developer at Loading Deck); however, I'm used to explaining in terms that most people can understand. You're absolutely right that there are no solid guarantees at this early stage. Solid guarantees of security are rare and often broken anyway. I'll make sure that the research will begin by looking at the liability issues and finding a clear path through them.
> 
> I find this a little offensive. I do care about the software and its users, and I am actively maintaining it despite 'opening it up'. The reason that's possible is (once again) because research is being done. For this research to work, I need to maintain full control over the system. There are also a number of other advantages of SaaS over self-hosted for me including a lower support load.
> 
> ...


My concern here is for those who decide to go the route of using your service for billing. What pricing would one expect to be presented with in October of 2014 when you plan to remove the service being offered for free?


----------



## jhadley (Dec 17, 2013)

Echelon said:


> My concern here is for those who decide to go the route of using your service for billing. What pricing would one expect to be presented with in October of 2014 when you plan to remove the service being offered for free?


Sorry for the delay. At the moment I'm expecting to go down the freemium route so as not to leave free clients behind. There will likely be a few extras that will cost money, like SSL on your own domain and PCI gateways via Spreedly.


----------

