As we mentioned just a few days ago, data security is increasingly top of mind for every business, but especially B2B SaaS companies. Data breaches are becoming more common and present an existential threat: losing control over sensitive personal information can result in lost reputation, churn, class action lawsuits, fines from regulators, or literally closing up shop.
I’m very happy to announce that Aptible has achieved HITRUST CSF Certification for Enclave and Gridiron. This post shares a bit more about what this means and how you can think about your own path to certification.
What is the HITRUST CSF?
In healthcare, HIPAA is the dominant regulatory framework, but it has two basic shortcomings:
Lack of standardization: Because HIPAA regulates a large and extremely diverse set of businesses (perhaps close to 1M covered entities and business associates nationwide), it necessarily leaves a lot of room for interpretation. As just one example of many, HIPAA doesn’t address multi-factor authentication at all, except through general requirements to appropriately safeguard data. As a result, SaaS companies are routinely asked to show that they go beyond HIPAA and implement recognized industry standards and best practices for security and privacy management.
Lack of independent assurance: SaaS companies are often asked for independent validation that they meet HIPAA requirements, but there is no official HIPAA certification or validation. HHS has an auditing program, but you cannot self-select into it.
Enter the HITRUST Alliance and the HITRUST Services Corp. HITRUST Alliance is a non-profit that develops a Common Security Framework (CSF) based on ISO/IEC 27001 that integrates HIPAA, HITECH, and a variety of other state, local, and industry frameworks and best practices. HITRUST Services Corporation is a for-profit that works with independent CSF assessors to validate implementation and efficacy of the CSF.
HITRUST offers three levels of assurance for the CSF, each of which corresponds to a report:
Self-Assessment is what it sounds like: HITRUST will QA the report, but all of the attestations are supplied by you.
Validated Assessment is where you work with an authorized CSF Assessor following the CSF Assessment Methodology.
Validated Assessment with Certification is available when you demonstrate certain levels of maturity for each in-scope control.
What does HITRUST CSF Certification mean?
To earn certification, you have to demonstrate to your assessor’s satisfaction that all of your required controls have met certain maturity levels. HITRUST implements this through a scoring system. The full HITRUST CSF Control Maturity Model is described starting on page 9 of HITRUST’s “Risk Analysis Guide for HITRUST Organizations”. In particular, see the scoring example starting on page 16.
I’ll summarize and provide another example here.
First, you work with your assessor to determine which controls are in scope, based on certain risk factors that HITRUST deems relevant, such as how much HIPAA PHI you process, your organization size, etc. (see “Assessment Scoping” in CSF Assessment Methodology). Controls are organized across domains such as access control, asset management, and risk management.
Each in-scope control has five maturity levels, organized progressively. For each maturity level you receive a score from 0 (non-compliant) to 100 (fully compliant), in 25-point steps, based on how well you meet the control’s requirements at that level. Each level carries a weight, and your overall maturity score for the control is the sum of the weighted level scores.
I’ll use the same category of example as the HITRUST Risk Analysis Guide, device encryption, adapted slightly for startups.
| Maturity level | Summary | Weight | Scoring example |
|---|---|---|---|
| Policy | Policies for the control are in place, managed, and communicated to those affected or responsible. | 25% | You have an official policy that says you will encrypt all laptop and workstation filesystems with strong crypto, and enforce it with mobile device management. The policy is signed by management and has been distributed to the specific individuals you have assigned responsibility for managing security, and laptops/workstations in particular. Score: Fully Compliant, 100 |
| Procedures | Procedures for the control are in place, current, and communicated to those affected or responsible. | 25% | You have internal procedures documenting how to configure JAMF Now, your MDM provider. JAMF only works with Mac devices though, and you have one old Windows server running some ancient on-prem software you really need for processing PHI. It can’t be enrolled in JAMF. Score: Mostly Compliant, 75 |
| Implemented | The control is actually in place and operating as the policy and procedures describe. | 25% | Your Macs are enrolled in JAMF and encrypted, but the Windows server is not, so the control is implemented for most, but not all, in-scope devices. Score: Mostly Compliant, 75 |
| Measured | Control tests, self-assessments and audits are performed; metrics are collected. | 15% | You check MDM enrollment status sometimes, but not on a regular basis. Score: Somewhat Compliant, 25 |
| Managed | Controls are adjusted and matured over time. | 10% | Windows MDM is just something you haven’t gotten around to yet. You don’t really use any metrics from JAMF to make decisions or improve security. Score: Not Compliant, 0 |
In this example, you’d score:
(100 for policy)(.25)
+ (75 for procedures)(.25)
+ (75 for implementation)(.25)
+ (25 for measurement)(.15)
+ (0 for management)(.10)
= 25 + 18.75 + 18.75 + 3.75 + 0 = 66.25
You’d then convert that maturity score to a rating scale for CSF certification (see p. 21 of the HITRUST Risk Analysis Guide). In this example, a maturity score of 66.25 would convert to a Level 3+ maturity rating.
To obtain certification, you must attain a Level 3+ rating, or a Level 3 rating with a corrective action plan, for each required CSF control.
How can you get HITRUST CSF Certified?
First things first, you need to have some kind of formal security management function in place, or a plan for developing one. You are going to need to designate security responsibilities, establish formal policies and do formal risk analysis, train your workforce on various security and compliance issues relevant to their roles, conduct regular security management tasks and checks, such as scanning, pen testing, etc.
Note that the rating scale is weighted so that if you are fully compliant (100) for policies, procedures, and implementation on a control, you will score 3+ even with no measurement or management in place. In other words, if you nail policies, procedures, and implementation across the board, you have a path to certification and give yourself a strong foundation for improving your security posture over time by layering in more monitoring and management.
A standard certification strategy usually starts with a CSF Self-Assessment. Given that we dogfood our own Gridiron platform for HIPAA, GDPR, ISO 27001, and SOC 2 compliance, we had a major head start on the HITRUST CSF requirements.
Things to be aware of as you budget and assess whether certification is feasible:
Each HITRUST report has a fee ($3750-7500 each depending on your organization)
You must purchase a HITRUST MyCSF subscription (starts at $10k/year)
Your assessor will have their own fee schedule (likely the bulk of your cash costs - shop around as prices vary widely)
A standard assessment strategy would be to start with a facilitated self-assessment, to use as a gap analysis. You’d hire your assessor or another facilitator, purchase a subscription to MyCSF, and purchase a self-assessment report. When you are ready to proceed to a validated assessment with certification, you’d purchase another validated assessment report and work with your assessor as described in the section above.
How does the Enclave + Gridiron HITRUST CSF Certification help you?
This whole Internet/cloud/software-eating-the-world thing doesn’t work without trust. Our mission at Aptible is to help developer teams protect sensitive data. Adding HITRUST CSF Certification to our assurance programs for ISO 27001 certification, SOC 2 Type 2 auditing, HIPAA and GDPR/Privacy Shield makes Aptible Enclave one of the most heavily audited container platforms anywhere. Compliance is not security, and confusing the two is dangerous, but independent verification of security management in the form of certifications and audits does help build trust, and is increasingly a critical requirement for B2B buyers.
If you are a B2B SaaS company, using Enclave is the fastest way to fly through vendor security assessment, risk questionnaires, and other steps in the B2B sales process. Your customers will accept our certifications as evidence that your Enclave architecture is managed according to the most stringent security best practices.
If you are interested in HITRUST Inheritance for Enclave, please let us know.
Gridiron is a SaaS platform for security management. Customers use it to build and manage security programs that meet and exceed protocols like HIPAA, GDPR, SOC 2, and ISO 27001. The HITRUST CSF is separately licensed by HITRUST and is not available in Gridiron by default. Please contact us if you would like to use the HITRUST CSF in Gridiron.
How can I get a copy of the Enclave + Gridiron CSF Validated Assessment Report?
You can view Aptible’s standalone HITRUST CSF certification letter for Enclave and Gridiron here.
Because the full Validated Assessment Report contains sensitive information, we cannot share it publicly. We are however excited to share it with customers and partners. If you’d like to get a copy of our report, or if you’d like to learn more about the HITRUST CSF, please let us know.
Data security is increasingly top of mind for every business, but especially B2B SaaS companies. Data breaches are becoming more common and present an existential threat: losing control over sensitive personal information can result in lost reputation, churn, class action lawsuits, fines from regulators, or literally closing up shop.
Your customers and partners demand assurances that the data you process on their behalf is protected. This is why standards like the American Institute of Certified Public Accountants (AICPA) System and Organization Controls (“SOC” for short) reports for service organizations have become popular in the last few years. A SOC report is completed by an independent third-party CPA auditor and provides insight into how a service organization (such as a cloud vendor) achieves key security and compliance objectives.
Aptible has achieved SOC 2 Type 2 compliance for the security and availability Trust Service Principles. This post shares a bit more about what this means and why this type of compliance is so valuable to B2B SaaS companies in specific. We’ll also share how you can start building a security program that meets SOC 2 requirements and is audit-ready.
(If you’re a customer or partner, and you want to get a copy of Aptible’s SOC 2 Type 2 report, skip ahead.)
What is SOC 2?
SOC 2 is a widely-used framework for building trust between vendors (called “service organizations”) and customers (called “user entities”).
CPAs have been doing audits of controls at service organizations that are relevant to user entities’ internal control over financial reporting for decades, all the way back to a standard called SAP No. 29 in the 1950s. In 1992, a standard called SAS 70 introduced the concept of service organizations; it was used for years and gained importance post-Enron and post-Sarbanes-Oxley. These standards still focused on internal control over financial reporting, however, not security. With the rise of cloud computing, the AICPA saw the need for a security-specific framework, and in 2010 introduced its new Statement on Standards for Attestation Engagements No. 16 (SSAE 16). SSAE 16 introduced SOC 1, SOC 2 and SOC 3, with SOC 1 replacing SAS 70 [1].
Today, SOC 2 Type 2 reports are one of the most requested forms of assurance from large B2B customers. Why is that?
SOC 2 defines five Trust Service Principles (security, availability, confidentiality, processing integrity, and privacy) and criteria (called the Trust Services Criteria) for meeting them. As an organization, you select controls to ensure you meet the criteria.
Do you remember the Choose Your Own Adventure Series?
SOC 2 is Choose Your Own Trust Service Principles [2] and controls. You pick which TSPs you want to be audited on, and which controls you select.
Why are security and availability the most popular TSPs? Why not privacy?
In a nutshell, the security TSP is the big lift. The criteria for the Trust Services Principles are broken into two categories: a set of criteria common to all five of the trust service categories (called the “common criteria”); and additional criteria specific to the availability, processing integrity, confidentiality, and privacy TSPs.
The common criteria cover the concepts that underlie all of the TSPs, like establishing a control environment, communication, risk assessment, and monitoring. So if you only do the security TSP, you do the common criteria and are done. If you only do availability, you still have to do all of the common criteria, plus three additional availability criteria. If you do security and availability, the work is the same: all of the common criteria plus the three availability criteria. With the new 2017 Trust Services Criteria, most of what used to be the eight confidentiality criteria in the 2016 version has been folded into the common criteria, leaving only two additional confidentiality criteria.
So security is the most popular TSP because everyone has to do it and it gets at the heart of your security management program. Availability and confidentiality are extra work, but not that much more [3]. Processing integrity is six additional criteria (five in the new 2017 TSCs) and may become more popular in the future, although at Aptible we don’t see much demand for it yet. Privacy is 20 extra criteria (18 in the new 2017 TSCs), and entities often have HIPAA or GDPR efforts that cover the same ground, so customers rarely demand it.
We highly recommend buying the Trust Services Criteria [3] and the SOC 2 Guide. Note that the SOC 2 Guide is the new 2018 edition (written for the upcoming 2017 TSCs), while the TSCs currently in effect are the 2016 version, which expires at the end of March. You can download a mapping of the extant (still in effect) 2016 TSCs to the new 2017 ones from the AICPA.
That explains SOC 2, but what is a Type 2 report and why is it so popular?
SOC 2 (and SOC 1) reports come in two flavors, Type 1 and Type 2. (These are also sometimes called Type I and Type II, but the AICPA SOC 2 Guide uses Arabic numerals, so I will here. I don’t think it matters.)
A Type 1 report is a point-in-time snapshot where a CPA looks at management’s description of the service organization’s system (e.g. your security management program) and renders an opinion on 1) whether that description is fairly presented, and 2) whether the controls you have in place are suitably designed to meet your control objectives. Type 1 reports are useful if you want to get your auditor familiar with your chosen controls, or if your system or control scheme has changed significantly.
A Type 2 report is the good stuff your customers want: it includes the Type 1 subject matter plus an opinion on the operating effectiveness of the controls in place over a specific period (called the “review period”, usually 6 or 12 months). The Type 2 report also describes how the auditor examined each control and what they tested. This level of granularity, along with SOC 2’s applicability to any vertical, is why the framework is so popular.
By way of contrast, an ISO 27001 certification (Aptible’s is here) represents adherence to a specific set of controls, but doesn’t provide any granularity as to how specific control objectives are achieved, or whether those controls are operating effectively. Many B2B buyers will accept either one in lieu of a security assessment questionnaire, but some prefer SOC 2.
The AICPA’s new SOC for Cybersecurity framework will have both a static set of controls (like ISO 27001) and the SOC 2 auditing methodology, and will probably be popular as well when the SOC for Cybersecurity Guide is released later this year.
How can you complete your own SOC 2 report?
If you run architecture on Enclave, our AWS-based Docker container orchestration platform, you can inherit our SOC 2 report through what the AICPA calls the carve-out method.
We also offer Gridiron, a security management SaaS platform for helping you stand up and run a security management program that meets stringent criteria. You can use Gridiron with several protocols, including HIPAA, ISO 27001, SOC 2, and GDPR.
For SOC 2 specifically, Gridiron onboarding replaces much of the gap and readiness work that you would do with consultants, in spreadsheets and word processing documents, and leaves you with a source of truth for security management data that makes auditing easy.
How can I get a copy of Aptible’s SOC 2 Type 2 report?
Under AICPA rules, SOC 2 reports are only for management, customers, and other key stakeholders. As a result we cannot post our SOC 2 Type 2 report publicly. We are however excited to share it with customers and partners.
If you’d like to get a copy of our report, or if you’d like to learn more about SOC 2 and how you might begin preparing to create a security management program that will help you complete your own report, get in touch now.
[1] These changes continue: SSAE 16 has been replaced with SSAE 18 and a new “SOC for Cybersecurity” framework is coming this year.
[2] The AICPA is renaming the Trust Service Principles to Trust Service Categories, but is still using the acronym “TSP.”
[3] The AICPA is updating the Trust Services Criteria to a 2017 version (effective in December 2018), but there are still only 3 additional availability criteria.
I am happy to announce that Aptible has earned ISO 27001 certification for our Enclave and Gridiron products! This is the result of a lot of hard work by the Aptible team, and is good news for you if you’re an Aptible customer: You can use Aptible’s ISO 27001 certification to show your customers that your cloud computing stack meets an international standard for security.
What is ISO 27001?
ISO is an organization. In English, the name of the organization is the “International Organization for Standardization,” but usually people just call it ISO, like International Business Machines Corporation is just IBM.
ISO produces “standards:” documents that outline requirements, specifications, and guidelines.
Requirements, specifications, and guidelines for what? Lots of things. There are over 20,000 standards, and they can be very specific.
You can play around and search the ISO site. This can be strangely fascinating: pick a random noun and search for it.
“Avocado?” Boom: ISO 2295 is a guide for the storage and transport of avocados. ISO 3659 has instructions on how to ripen avocados after cold storage. And so on.
ISO standards also cover more abstract concepts. One of the best-known standards is ISO 9001, which sets out criteria for a quality management “system”, or set of principles and business processes.
ISO 27001 is also a “system” standard. It defines requirements for information security management systems. The main body of the standard outlines a governance structure that you have to adopt: requirements for determining what counts as in-scope or out-of-scope for your “system,” assigning security roles and responsibilities, security planning activities, risk management activities, monitoring/metrics, and improving the system itself.
ISO 27001 also has an annex of reference controls relating to areas like cryptography, operations security, asset management, incident management, and more. The reference controls are normative, in the sense that if you don’t implement a given control, you need to be able to convince your auditor that your decision was reasonable, or otherwise explain yourself.
What does ISO 27001 mean for software development teams?
Think of ISO 27001 as a baseline for good security management processes. “We take security seriously” is a cliche. Many developer teams know they would benefit from an organized approach to security, but don’t know where to start. Hiring someone full-time for security is a stretch for small teams, and managing security just gets more complex as you scale.
Teams seeking ISO 27001 certification need to be organized. Like most of the major information security protocols (SOC 2, HIPAA, PCI, etc.), ISO 27001 requires:
Proactive risk management, instead of just reacting to bad things as they happen
Planning ahead for security and setting appropriate security improvement goals
Writing down the rules for how security is supposed to work for your system (in policies and procedures)
Training your workforce on those rules, with advanced training for those with more security responsibilities
Training for and responding to security and availability incidents, including breaches
Most teams will end up investing in secure software development practices, such as test coverage, continuous integration/continuous deployment, code review, vulnerability scanning, penetration testing. On a practical level, you’ll probably get serious about MFA, require everyone to use a password manager, start using mobile device management to secure laptops and phones, do criminal background screenings, stuff like that.
What does ISO 27001 “certification” mean?
ISO standards are voluntary. Unlike HIPAA, which the Department of Health and Human Services enforces, or PCI DSS, which the card brands enforce through their acquiring banks, ISO standards have no enforcement body: ISO itself has no ability to compel anyone to follow them. In fact, anyone can claim they “comply” or are “consistent” with any of the ISO standards.
The gold standard is a certification performed by an “accredited” certification body, or auditor. Being “accredited” means the auditors have themselves been audited against an ISO standard for how they conduct audits and certifications.
Aptible has been certified by Coalfire ISO, an ISO/IEC 27001 Certification Body accredited by the ANSI-ASQ National Accreditation Board (ANAB).
How does Aptible’s ISO 27001 certification benefit you?
Getting organized about security helps us protect your data. ISO 27001 lays out clear best practices for security management. With developer teams, huge problems can come from seemingly little things like not sanitizing inputs, not patching vulns, accidentally pushing sensitive data to the wrong system. ISO 27001 certification means we’ve spent time thinking systematically about risk, and have strong controls in place to manage it.
In turn, you can use Aptible’s ISO 27001 certification to show your customers that your cloud computing stack meets an international standard for security.
How can you get your own ISO 27001 certification?
The traditional way is prepare is to use consultants or full-time hires. This usually involves a lot of Word documents and Excel spreadsheets, takes a long time, is extremely expensive, and makes you feel slightly let down, like you just spent all that time and money and not much really changed. You may have this nagging feeling that you’re not actually that much more secure, but at least you have antivirus on everyone’s laptops.
I think there’s a better way. At Aptible, we make Gridiron, a set of tools for managing security, designed specifically for software development teams. Let us know if you want to get ready for ISO 27001, HIPAA, SOC 2, PCI, NIST 800-53, 21 CFR Part 11, or any other security framework.
Are Aptible customers affected by Cloudbleed?
No, not by virtue of using Aptible. Aptible does not use Cloudflare, and as such, our services and customer environments were not affected by the Cloudbleed vulnerability disclosed yesterday.
That said, if you use or used Cloudflare, you may be affected. You can read Cloudflare’s official description of Cloudbleed here.
If I used Cloudflare to cache PHI, what should I do?
Activate your incident response plan and talk to your lawyer immediately, unfortunately. You may be required to conduct mitigation, and breach and/or security incident notifications, by HIPAA or your business associate contracts.
Cloudbleed is one issue. Another is that if you were using Cloudflare to cache PHI through their CDN without a BAA, you may have been in breach of the HIPAA rules before this.
Some have suggested that Cloudflare might not be a HIPAA business associate because of an exception to the definition of business associate known as the “conduit” exception. Cloudflare is almost certainly not a conduit. HHS’s recent guidance on cloud computing takes a very narrow view:
The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.
OCR hasn’t clarified what “temporary” means or whether a CDN would qualify, but again, almost certainly not, as data storage is a critical, non-incidental component of CDN functionality.
What if I used Cloudflare to cache PII?
Again, activate your incident response plan and talk to your lawyer. HIPAA is just one of many data privacy regulations. Many states require companies to report breaches of personally identifiable information belonging to residents of that state.
What if I used Cloudflare for data aside from PHI or PII?
We encourage you to be safe and rotate all credentials that might have passed through Cloudflare from your app, such as session cookies, API keys, and user passwords.
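Forcing session invalidation, as an added example that is not part of the original post: the snippet below assumes stateless HMAC-signed session cookies (a hypothetical SessionSigner helper, not Aptible’s code) and shows the two levers that make every outstanding cookie worthless at once, rotating the signing key and setting an issued-before watermark. A cookie that leaked through an intermediary then fails verification no matter who presents it. API keys and passwords need the same treatment, but through whatever store holds them.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64encode(raw: bytes) -> str:
    # URL-safe base64 without padding: the usual cookie-friendly encoding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionSigner:
    """HMAC-SHA256 signed session tokens with two revocation levers.

    Hypothetical helper written for this example; a real app would also carry
    expiry, CSRF state and so on. Only the rotation logic matters here.
    """

    def __init__(self, key: bytes, not_before: float = 0.0) -> None:
        if len(key) < 32:
            raise ValueError("use at least 256 bits of key material")
        self.key = key
        # Tokens issued before this timestamp are rejected even when the
        # signature is valid: a cheap "log everyone out" watermark.
        self.not_before = not_before

    def issue(self, user_id: str, issued_at: Optional[float] = None) -> str:
        iat = time.time() if issued_at is None else issued_at
        payload = json.dumps(
            {"uid": user_id, "iat": iat}, separators=(",", ":"), sort_keys=True
        ).encode("utf-8")
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return f"{_b64encode(payload)}.{_b64encode(mac)}"

    def verify(self, token: str) -> Optional[str]:
        """Return the user id for a valid token, or None if it must be rejected."""
        try:
            payload_b64, mac_b64 = token.split(".", 1)
            payload = _b64decode(payload_b64)
            mac = _b64decode(mac_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak the MAC byte by byte.
        if not hmac.compare_digest(expected, mac):
            return None
        try:
            data = json.loads(payload)
        except ValueError:
            return None
        if not isinstance(data, dict) or data.get("iat", 0) < self.not_before:
            return None
        return data.get("uid")

    def rotate_key(self) -> None:
        # Lever 1: a fresh signing key. Every token signed under the old key now
        # fails verification, including copies that leaked through a proxy or CDN.
        self.key = secrets.token_bytes(32)

    def invalidate_issued_before(self, timestamp: float) -> None:
        # Lever 2: keep the key, but refuse anything issued before the cut-off.
        # Useful when only a window of time is suspect.
        self.not_before = timestamp


def demo() -> dict:
    """Walk through both levers on constructed timestamps and return the outcomes."""
    signer = SessionSigner(secrets.token_bytes(32))
    leaked = signer.issue("alice", issued_at=1000)
    results = {"before": signer.verify(leaked)}           # "alice"
    signer.rotate_key()
    results["after_rotation"] = signer.verify(leaked)     # None: old key is gone
    stale = signer.issue("alice", issued_at=1500)
    fresh = signer.issue("alice", issued_at=3000)
    signer.invalidate_issued_before(2000)
    results["stale"] = signer.verify(stale)               # None: issued before the watermark
    results["fresh"] = signer.verify(fresh)               # "alice"
    return results


if __name__ == "__main__":
    print(demo())
```

Rotating the key logs every user out and is the right response when you cannot tell which sessions were exposed; the watermark is the gentler option when you can bound the exposure window. Either way, new sessions must only be minted after users re-authenticate, otherwise an attacker holding a leaked password simply gets a fresh cookie.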
What else should I do?
We encourage you to rotate your passwords for any service that used Cloudflare between September 22, 2016, and February 18, 2017. Cloudflare has not released a list of services affected. You can find one security researcher’s list of Cloudflare DNS customers (which is likely overinclusive) here.
The Aptible Update Webinar Series is a new quarterly presentation that covers recent features and changes to the Enclave deployment platform and Gridiron security management products.
We hosted the first Update Webinar on October 25. In it, we covered:
- Deploying from Private Docker Registries: How to configure a private container deployment pipeline
- Advanced Memory Management: How to plan for and easily manage container memory issues
- New ALB Endpoints: More resilient zero-downtime deployments
- HTTP Health Checks: Smart, safe app container routing
- Platform Events: How to get more from the Enclave API and your logging
- Container Metrics: Live telemetry and dashboards for monitoring
- Working with Database Backups: On-demand backups and restoration
- Two-factor Authentication: Securing your Aptible accounts
The next Aptible Update Webinar will be on January 25, 2017, at 11am PST/2pm EST.
Webinars are recorded and made available for viewing if you cannot attend the live session.
How does a major open-source framework approach upgrades? Find out in Robert’s talk at the Ember.js NYC meetup last month.
If you find this interesting, join us!
Frank spoke at AWS re:Invent last week, in a session about architecting for HIPAA compliance. The entire panel is worth watching.
Having just come through Y Combinator, we frequently get asked whether it was worth it. The answer is absolutely yes, no hesitation. While the experience is still fresh, I want to encourage you to apply for the next cycle and give some advice for getting in.
You have an early-stage startup, or at least an idea for one. You know Y Combinator is fantastic: the network is legendary, the terms are fair, the other founders are incredible, and it provides an amazing lift for customer acquisition, fundraising, and recruiting.
The catch is that acceptance rates are brutal. Somewhere below 3% of applicants get an offer.
Should you skip this application cycle and apply later, when your company is more mature?
You should apply now, even if you don’t think you are ready.
There are two main reasons for this:
The application process itself is valuable. Preparing the application requires you to think carefully about your idea, your company, your market, your team, and the obstacles in your way. Forcing yourself to reflect honestly is painful, but extremely beneficial. Seize the opportunity to do it now.
You have a better chance than you think. The traits YC looks for in companies and founders are well-known and addressable. By “well-known,” I mean go read PG and Sam’s essays. By “addressable,” I mean you can improve your chances with focused work and practice. If your company doesn’t have the ideal characteristics, you can acquire the important ones. If you have the right ingredients, you can learn to convey that clearly and concisely.
That’s why you should apply now.
Here’s how to get in:
Step 0: Make something people want.
I’m kidding but not really.
“Make something people want” is YC’s motto. It’s also what they look for in companies. It’s not always sufficient, but it is necessary. If you do it, the rest can fall into place. If you don’t do it, you’re toast. Or Clinkle.
Others have written about how to find something to make that people want. I won’t get into that here, but I will add that most of the YC application process reduces to proving you’ve made something people want.
How do you prove it? Having paying customers is convincing. Having a lot of users is also convincing.
Showing that people want something similar to what you made or that you could make something people want are not convincing.
Sign contracts, take preorders, get LOIs, fill a waitlist, collect emails from customers saying how they can’t wait to pay you. Stop reading this and go do whatever you can to prove people want what you make. Now!
Step 1: Apply
Now, armed with proof that you make something people want, you are ready to apply.
Spend time thinking carefully about the questions. Don’t spend any time trying to game the application.
- Be honest with yourself. You know what your weaknesses are. Don’t shy away from them, but don’t waste too much time worrying if you can’t change them. For example, when we submitted our application, Aptible had no paying customers. We work in a regulated industry (healthcare) where getting security and stability right is critical, and we were confident that waiting was the right choice.
- Use every question to show that people want what you make. We made sure to explain what our waitlist looked like and how many customers had signed contracts to pay soon.
- One or two sentences is fine for most answers. Be clear and direct, then move on.
- Don’t overthink the video. Introduce yourselves, briefly explain what you’re working on, and spend the rest of your time explaining how you know people want what you make. Follow the instructions. Here’s our video.
Step 2: Interview
The application questions are a subset of the questions you may be asked at an interview.
Before our interview, Frank and I:
- Collected all of the known Y Combinator interview questions we could find
- Wrote out 1-2 sentence answers
- Agreed on which founder would lead on the answer, and
- Practiced with flash cards until we could answer every question fluently
Writing your answers out will help you formulate concise, consistent responses.
To test our fluency, we did mock interviews with each other, with our startup/tech friends, and with YC alums.
Mock interviews are the best way to practice. You will be shocked and disappointed by how incompetent you sound at first. Don’t worry, you’ll improve dramatically with repetition.
As one of our investors puts it, “You’re going to be telling people what you do eight times a day for the rest of the company’s life. Get good at it.”
Below are the questions we used to prepare. I don’t remember where we found each one, so apologies to the original sources. I’ve grouped them into categories by how important I think they are. The groups are my own and do not reflect YC’s views.
Remember: One or two sentences each. If you prepare longer answers, you’ll be flustered when the YC partners cut you off to ask another question. James Cunningham and Colin Hayhurst (GoScale, S12) built a fun app with a timer to help you practice concise answers.
These are the most important questions. They are all different ways of determining if you make something people want. You need to have a good answer, or an excellent reason for not having an answer. Many of these are in the application itself.
- What are you working on?
- Who would use your product?
- How do you know customers need what you’re making? How do you know people want this?
- How will you make money?
- How much money could you make per year?
- Why isn’t someone already doing this?
- Why will you succeed over others? What do you understand that others don’t?
- What have you learned so far from working on your product?
- How much does customer acquisition cost?
- How many users do you have?
- Where do new users come from? How do users find out about you?
- How are you meeting customers?
- What is your distribution strategy? How will you grow?
- What makes new users try you?
- Why do the reluctant users hold back?
- What is your growth like?
- What is your user growth rate?
- What’s the conversion rate?
- How many users are paying?
- Who is going to be your first paying customer?
- What resistance will users have to trying you and how will you overcome it?
- How are you understanding customer needs?
- What are the top things your users want?
- What has surprised you about user behavior?
- What’s new about what you make?
- What problems and hurdles are you anticipating? How will you overcome them?
- Six months from now, what’s going to be your biggest problem?
These questions concern narrative, team, and tactics. They are important, but only if you make something people want first.
- Why did you choose this idea? Why did you pick this idea to work on?
- Where is the rocket science here?
- How does your product work in more detail?
- What do you understand about your users? What domain expertise do you have?
- What are the key things about your field that outsiders don’t understand?
- What’s an impressive thing you have done?
- How did your team meet?
- Why did your team get together?
- Who in your team does what?
- Who would you hire or how would you add to your team? Who would be your next hire?
- What part of your project are you going to build first? What are you going to do next? What is the next step with the product evolution?
- If your startup succeeds, what additional areas might you be able to expand into?
- Who are your competitors?
- Who might become competitors?
- What competition do you fear most?
- What is your burn rate?
- How long can you go before funding?
- Have you raised funding?
These are questions that have a correct answer.
- What will you do if we don’t fund you? Keep working on this, because it’s a good idea that we can execute.
- Would you relocate to Silicon Valley during YC? Yes.
- Who is “the boss”? (Agree on one founder.)
If you get asked these in an interview, either you’re not doing well or you’re being tested. Try to preempt them with good answers to the more critical questions.
- How do we know your team will stick together? Will your team stick at this?
- What else have you created together?
- Are you open to changing your idea?
- Someone just showed us an idea like this right before you guys. I don’t like it. What else do you have?
Have answers, but don’t stress about these questions.
- What systems have you hacked?
- Tell us about a tough problem you solved.
- In what ways are you resourceful?
- What is something surprising you have done?
- What’s the funniest thing that has happened to you?
- What’s the worst thing that has happened? What’s the biggest mistake you have made?
Step 3: Start Now
Step 3 might be “Accept”, but if you interview, you should have already decided. You give up ~7% of the company for $120k in funding. YC will increase the value of your company by much more than 7%, without question. You will not get a better deal from fairer, more transparent partners anywhere.
You will only have about 100 days between getting accepted and Demo Day to make the most convincing case possible to investors. If you don’t get in, you have about 200 days to prove you can make something people want before you can apply again. Start now.
Good job on making it to the end! Feel free to ping me on Twitter or with the contact link above if you have questions. After interview invitations go out, I’ll volunteer a limited number of mock interview spots on Twitter.
You can find the Hacker News discussion for this post here.
Update - October 29, 2016: Formatting edits.
YES! Finally! The Aptible team and I are very happy to announce our public launch.
Frank and I started Aptible because we saw how difficult it was for technology companies to navigate the regulatory environment in healthcare. We believe that many of the most intractable problems in healthcare can be addressed with great technology, and we are working to empower smart, dedicated people to tackle them.
For the last few months, we have been working closely with a group of companies that represent the future of digital health. We are looking forward to telling you their stories in the coming weeks.
We are also excited to announce our relationships with three fantastic organizations:
Aptible is proud to be part of Y Combinator’s S14 batch. All of the partners have been amazing - YC is one of those rare organizations that is every bit as great on the inside as you hope it would be from the outside. Thanks especially to Justin, Garry, Kat, Jon, and Aaron for helping us prepare for this launch.
Today is the beginning of something very special. With an incredible team and the support of our customers and partners, we are going to rapidly accelerate the adoption of technology in healthcare, and help a lot of people on the way. If you want to be part of this, let us know, or email me at firstname.lastname@example.org.