Can SaaS owners legally read your data?

Michael (BuSo Pro), joined Sep 4, 2016. Messages: 312, Likes: 205, Degree: 1
I've currently been testing out a particular web app and required some support. So I emailed them my issue and received a very helpful reply, but this person knew all the projects/tasks/users etc. that my account is using. He even gave me examples using my project's names and the tasks inside them, which made me cringe like hell.

Is this legal? I guess if they mentioned it in their ToS (that I obviously didn't read), it would be fine.

But surely this is not good practice anyway. What if an admin account at the SaaS is compromised, is my data at risk also? Even their support team was able to see this information?

I had the brand name of the project I'm working on as the project title in this app. Now obviously I'm no bigshot (yet :wink:), so it doesn't matter too much, but like I said it still made me cringe / question their service.
 
Having built quite a few Desktop and Internet Apps over the years, this kind of thing is normally protected by a Role Based Access Control (RBAC) system, which means there are access levels. In most cases, a support person would not have full access to a system, but they WOULD have enough access to assist people when they call without having to get managers/devs/etc. involved. Otherwise you get a poor customer experience, because now you'd have to wait since the tech you're communicating with "can't do the thing you need to have done".

Another thing to consider is that in some cases you are receiving support from the developers or owners of said SaaS, and yes, they have every right to look at the data on their system, unless there is some law I am unaware of.

At any rate, I understand your concern; however, it's not generally a good idea to lock support personnel out of tools that are needed to better serve the customer. I wouldn't hire a support person I didn't trust with my customers' data.
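As an added illustration of the RBAC idea in the reply above (this is example code written for this thread, not the code of any SaaS mentioned here), the block below sketches one way a support role can be useful without seeing customer content by default: support sees account metadata (plan, project count), content such as project titles and task names is only returned while the customer has issued a short-lived grant to a named agent, and every decision is written to an audit log. All role names, permission strings and sample data are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Coarse permissions. Names are illustrative, not any real product's.
VIEW_ACCOUNT_META = "account:view_meta"   # plan, seat count, project count
VIEW_PROJECT_DATA = "project:view_data"   # project titles and task contents
EDIT_PROJECT_DATA = "project:edit_data"
MANAGE_ROLES = "rbac:manage_roles"

# Static role -> permission mapping. Support gets metadata only by default.
ROLES = {
    "owner": {VIEW_ACCOUNT_META, VIEW_PROJECT_DATA, EDIT_PROJECT_DATA, MANAGE_ROLES},
    "support": {VIEW_ACCOUNT_META},
}

DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the scenario


@dataclass
class Account:
    account_id: str
    plan: str
    projects: dict                        # title -> list of task titles (customer content)
    support_grants: dict = field(default_factory=dict)  # staff user_id -> expiry


@dataclass
class Staff:
    user_id: str
    role: str


AUDIT_LOG = []  # every access decision, allowed or denied, lands here


def _audit(actor, account_id, action, allowed, reason, now):
    AUDIT_LOG.append({
        "ts": now.isoformat(), "actor": actor, "account": account_id,
        "action": action, "allowed": allowed, "reason": reason,
    })


def effective_permissions(staff, account, now):
    """Role permissions plus a temporary content grant the customer issued."""
    perms = set(ROLES.get(staff.role, set()))
    expiry = account.support_grants.get(staff.user_id)
    if expiry is not None and now < expiry:
        perms.add(VIEW_PROJECT_DATA)
    return perms


def grant_support_access(account, staff_user_id, now, minutes=60):
    """Customer-side action: let one named staff member see content for a window."""
    account.support_grants[staff_user_id] = now + timedelta(minutes=minutes)


def view_account(staff, account, now):
    """Return the subset of the account this staff member is allowed to see."""
    perms = effective_permissions(staff, account, now)
    if VIEW_ACCOUNT_META not in perms:
        _audit(staff.user_id, account.account_id, "view", False, "no role permission", now)
        raise PermissionError(f"{staff.user_id} may not view {account.account_id}")

    view = {
        "account_id": account.account_id,
        "plan": account.plan,
        "project_count": len(account.projects),
    }
    if VIEW_PROJECT_DATA in perms:
        # Content is returned only when the role or an active grant allows it.
        view["projects"] = {t: list(tasks) for t, tasks in account.projects.items()}
        via_role = VIEW_PROJECT_DATA in ROLES.get(staff.role, set())
        _audit(staff.user_id, account.account_id, "view_content", True,
               "role" if via_role else "customer grant", now)
    else:
        _audit(staff.user_id, account.account_id, "view_meta", True, "metadata only", now)
    return view


def make_demo():
    """Constructed sample data: one account with two projects, one agent, one owner."""
    account = Account("acct-42", "pro", {
        "Acme Launch": ["write landing page", "set up analytics"],
        "Internal Wiki": ["migrate old docs"],
    })
    return account, Staff("support-1", "support"), Staff("owner-1", "owner")


def run_scenario():
    """Walk through: metadata-only view, customer grant, grant expiry."""
    account, support, _owner = make_demo()
    before = view_account(support, account, DEMO_NOW)                       # metadata only
    grant_support_access(account, support.user_id, DEMO_NOW, minutes=30)
    during = view_account(support, account, DEMO_NOW + timedelta(minutes=10))  # content visible
    after = view_account(support, account, DEMO_NOW + timedelta(hours=1))      # grant expired
    return before, during, after


if __name__ == "__main__":
    for label, v in zip(("before", "during", "after"), run_scenario()):
        print(label, v)
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the grant is that the agent can still help without a manager in the loop, but the customer decides when content is visible, the window closes on its own, and the audit log shows who looked and why, which is also what limits the blast radius if a staff account is compromised.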
 