Tarsnap is the world’s best secure online backup service. It’s run by Colin Percival, Security Officer Emeritus at FreeBSD, a truly gifted cryptographer and programmer. I use it extensively in my company, recommend it to clients doing Serious Business (TM) all the time, and love seeing it successful.
It’s because I am such a fan of Tarsnap and Colin that it frustrates me to death. Colin is not a great engineer who is bad at business and thus compromising the financial rewards he could get from running his software company. No, Colin is in fact a great engineer who is so bad at business that it actively is compromising his engineering objectives. (About which, more later.) He’s got a gleeful masochistic streak about it, too, so much so that Thomas Ptacek and I have been promising for years to do an intervention. That sentiment boiled over for me recently (why?), so I took a day off of working on my business and spent it on Colin’s instead.
After getting Colin’s permission and blessing for giving him no-longer-unsolicited advice, I did a workup of my Fantasy Tarsnap. It uses no non-public information about Tarsnap. (Ordinarily if I were consulting I wouldn’t be black boxing the business, but Tarsnap has unique privacy concerns and, honestly, one doesn’t need to see Colin’s P&L to identify some of the problems.) This post is going to step through what I’d do with Tarsnap’s positioning, product, pricing, messaging, and marketing site. It’s modestly deferential to my mental model of Colin — like any good consultant, I recommend improvements that I think the client will accept rather than potential improvements the client will immediately circular file because they compromise core principles.
Let me restate again, before we get started, that I am going to criticize Tarsnap repeatedly, in the good-faith effort to improve it, at Colin’s explicit behest. I normally wouldn’t be nearly as vocally critical about anything created by a fellow small entrepreneur, but I know Colin, I want Tarsnap to win, and he wanted my honest opinions.
What’s Wrong With Tarsnap Currently?
Tarsnap (the software) is a very serious backup product which is designed to be used by serious people who are seriously concerned about the security and availability of their data. It has OSS peer-reviewed software written by a world-renowned expert in the problem domain. You think your backup software is written by a genius? Did they win a Putnam? Colin won the Putnam. Tarsnap is used at places like Stripe to store wildly sensitive financial information.
Tarsnap (the business) is run with less seriousness than a 6 year old’s first lemonade stand.
That’s a pretty robust accusation. I could point to numerous pieces of evidence — the fact that it is priced in picodollars (“What?” Oh, don’t worry, we will come back to the picodollars), or the fact that for years it required you to check a box certifying that you were not a Canadian because Colin (who lives in Canada) thought sales taxes were too burdensome to file (thankfully fixed these days), but let me give you one FAQ item which is the problem in a nutshell.
Q: What happens when my account runs out of money?
A: You will be sent an email when your account balance falls below 7 days worth of storage costs warning you that you should probably add more money to your account soon. If your account balance falls below zero, you will lose access to Tarsnap, an email will be sent to inform you of this, and a 7 day countdown will start; if your account balance is still below zero after 7 days, it will be deleted along with the data you have stored.
Yes folks, Tarsnap — “backups for the truly paranoid” — will in fact rm -rf your backups if you fail to respond to two emails.
Guess how I found out about this?
I use Tarsnap to back up the databases for Appointment Reminder. Appointment Reminder has hundreds of clients, including hospitals, who pay it an awful lot of money to not lose their data. I aspire to manage Appointment Reminder like it is an actual business. It has all the accoutrements of real businesses, like contracts which obligate me not to lose data, regulations which expose me to hundreds of thousands of dollars of liability if I lose data, insurance policies which cost me thousands of dollars a year to insure the data, and multiple technical mechanisms to avoid losing data.
One of those mechanisms was Tarsnap. Tarsnap is a pre-paid service (about which, more later), so I had pre-paid for my expected usage for a year. I tested my backups routinely, found they worked, and everything was going well.
Fast forward to two weeks ago, when idle curiosity prompted by an HN thread caused my to check my Tarsnap balance. I assumed I had roughly six months remaining of Tarsnap. In fact, I had 9 days. (Why the discrepancy? We’ll talk about it later, I am not good at forecasting how many bytes of storage I’ll need after compression 12 months from now, a flaw I share with all humans.) I was two days away from receiving an email from Tarsnap “Your account is running a little low” warning. Seven days after that my account would have run down to zero and Tarsnap would have started a 7 day shot clock. If I didn’t deposit more money prior to that shot clock running out, all my backups would have been unrecoverably deleted.
I am, in fact, days away from going on a business trip internationally, which previous experience suggests is a great way for me to miss lots of emails. This is pretty routine for me. Not routine? Getting all of my backups deleted.
Getting all of my backups deleted (forgive me for belaboring that but it is a fairly serious problem in a backup service) would be suboptimal, so I figured there must be a way to put a credit card on file so that Colin can just charge me however many picodollars it costs to not delete all the backups that I’d get sued for losing, right?
But if you’re saying I should have a mechanism for automatically re-billing credit cards when a Tarsnap account balance gets low — yes, that’s on my to-do list.
Lemonade stands which have been in business for 5 years have the take-money-for-lemonade problem pretty much licked, and when they have occasional lemonade-for-money transactional issues, the lemonade does not retroactively turn into poison. But Tarsnap has been running for 5 years, and that’s where it’s at.
The darkly comic thing about this is I might even be wrong. It’s possible Colin is, in fact, not accurately stating his own policies. It is possible that, as a statement about engineering reality, the backups are actually retained after the shot clock expires e.g. until Colin personally authorizes their deletion after receiving customer authorization to do so. But even if this were true, the fact that I — the customer — am suddenly wondering whether Tarsnap — the robust built-for-paranoids backup provider — will periodically shoot all my backups in the head just to keep things interesting makes choosing Tarsnap a more difficult decision than it needed to be. (If Colin does, in fact, exercise discretion about shooting backups in the head, that should be post-haste added to the site. If he doesn’t and there is in fact a heartless cronjob deleting people’s backups if they miss two emails that should be fixed immediately.)
Positioning Tarsnap Away From “Paranoia” And Towards “Seriousness”
Let’s talk positioning.
You may have heard of the terms B2B and B2C. Tarsnap communicates as if it were a G2G product — geek 2 geek.
How does Tarsnap communicate that its G2G? Let me quickly screengrab the UI for Tarsnap:
15 6 * * * /usr/local/bin/tarsnap -c -f database_backups_`date +\%Y-\%m-\%d` /backups/ /var/lib/redis && curl https://nosnch.in/redacted-for-mild-sensitivity &> /dev/null
I’m not exaggerating in the slightest. That’s literally pulled out of my crontab, and it is far and away the core use case for the product.
Other things you could point to in describing Tarsnap’s current positioning are its web design (please understand that when I say “It looks like it was designed by a programmer in a text editor” that is not intended as an insult it is instead intended as a literal description of its primary design influence), the picodollar pricing, and numerous places where the product drips with “If you aren’t a crusty Unix sysadmin then GTFO.”
Example: Suppose you’re using Tarsnap for the first time and want to know how to do a core activity like, say, making a daily backup of your database. That’s the need which motivated that command line soup above. What does the Tarsnap Getting Started guide tell you to do?
If you’ve ever used the UNIX tar utility, you’ll probably be able to go from here on your own…
If you actually aren’t a master of the UNIX tar utility, don’t worry, there’s a man page available. (It won’t actually help you accomplish your goal, because you are not a crusty UNIX sysadmin.)
This positioning has the benefit of being pretty clear — you will, indeed, quickly get the point and not use Tarsnap if you are not a crusty UNIX sysadmin — but it is actively harmful for Tarsnap. Many people who would benefit most from Tarsnap cannot use it in its current state, and many people who could use it will not be allowed to because Tarsnap actively discourages other stakeholders from taking it seriously.
How would I position Tarsnap?
Current strap line: Online backups for the truly paranoid
Revised strap line: Online backups for servers of serious professionals
What does Tarsnap uniquely offer as a backup product? Why would you use it instead of using Dropbox, SpiderOak, Backblaze, a USB key, or a custom-rolled set of shell scripts coded by your local UNIX sysadmin?
Tarsnap is currently defined by what it doesn’t have: no Windows client. No UI. Essentially no guidance about how to use it to successfully implement backups in your organization.
Tarsnap should instead focus on its strengths:
Tarsnap is for backing up servers, not for backing up personal machines. It is a pure B2B product. We’ll keep prosumer entry points around mainly because I think Colin will go nuclear if I suggest otherwise, but we’re going to start talking about business, catering to the needs of businesses, and optimizing the pieces of the service “around” the product for the needs of businesses. We’ll still be pretty darn geeky, but treat the geek as our interface to the business which signs their paychecks and pays for Tarsnap, rather than as the sole customer.
Why should Tarsnap focus on backing up servers rather than even attempting to keep regular consumers in scope?
- The average consumer is increasingly multi-device, and Tarsnap absolutely sucks for their core use case currently. They want photos from their iPhone to work on their Windows PC. They have an Android and a Macbook. They have multiple computers at use simultaneously in their family. Tarsnap is absolutely unusable for all of these needs. These needs are also increasingly well-served by companies which have B2C written into their DNA and hundreds of millions of dollars to spend on UXes which meet the needs of the average consumer. Colin has neither the resources nor the temperament to start creating compelling mobile apps, which are both six figures and table stakes for the consumer market right now.
- Tarsnap’s CLI is built on the UNIX philosophy of teeny-tiny-program-that-composes-well. It’s very well suited to backing up infrastructure, where e.g. lack of a GUI would cripple it for backing up data on workstations. (We’ll ignore the lack of a Windows client, on the theory that UNIX has either won the server war or come close enough such that durably committing to the UNIX ecosystem leaves Tarsnap with plenty of customers and challenges to work on.)
- Data on servers is disproportionately valuable and valuable data is disproportionately on servers. Consumers like to say that their baby photos are priceless. Horsepuckey. Nobody rushes into burning houses for their baby photos. Empirically, customers are not willing to spend more than $5 to $10 a month on backup, and that number is trending to zero as a result of rabid competition from people who are trying to create ecosystemic lock-in. Businesses, on the other hand, are capable of rationally valuing data and routinely take actions which suggest they are actually doing this. For example, they pay actual money to insure data, just like they buy insurance on other valuable business assets. (Appointment Reminder, a fairly small business, spends thousands of dollars a year on insurance.) They hire professionals to look after their data, and they pay those professionals professional wages. They have policies about data, and while geeks might treat those policies as a joke, they are routinely enforced and improved upon.
An immediate consequence of focusing Tarsnap on servers is that its customers are now presumably businesses. (There exist geeks who run servers with hobby projects, but they don’t have serious backup needs. Have they taken minimum sane steps with regards to their hobby projects like spending hours to investigate backup strategies, incorporating to limit their liability, purchasing insurance, hiring professionals to advise them on their backup strategies, etc? No? Then their revealed preference is that they don’t care all that much if they lose all their hobby data.)
How do we talk to the professionals at businesses? First, we can keep our secret geek handshakes, but we also start recognizing that most businesses which are serious about their data security will have more than one person in the loop on any decision about backup software. Why? Because having something as important as the security of their data come down to just one person is, in itself, a sign that you are not serious. No sophisticated business lets any single person control all the finances for the company, for example, because that is an invitation to disaster. We also recognize that these additional parties may not be geeks like the person who will be physically operating Tarsnap, so we’re going to optimize for their preferences as well as the geeks’.
What does this mean?
We decide to look the part of “a serious business that you can rely on.” Tarsnap.com is getting a new coat of paint (see below) such that, if you fire your boss an email and say “Hey boss, I think I want to entrust all of our careers to these guys”, your boss doesn’t nix that idea before Malcom Gladwell can say blink.
We start arming our would-be-customer geeks to convince potentially non-technical stakeholders that Tarsnap is the correct decision for their business’ backup needs. This means that, in addition to the geek-focused FAQ pages, we create a page which will informally be labeled Convince Your Boss. Many conventions which geeks would be interested in, for example, let their would-be attendees print letters to their bosses justifying the trip in boss-speak (ROI, skills gained as a result of a training expenditure, etc). I sort of like Opticon’s take on this. Tarsnap will similarly create a single URL where we’ll quickly hit the concerns non-technical stakeholders would have about a backup solution: reliability, security, compliance, cost, etc. This page would literally be 1/5th the size of this blog post or less and take less than an hour to write, and would probably double Tarsnap’s sales by itself. The page will not mention command line interfaces, tar flags, crontabs, or picodollars.
We speak our customers’ language(s). This doesn’t mean that we have to suppress Colin’s/Tarsnap’s nature as a product created by technologists and for technologists. It just means that we explicitly recognize that there are times to talk tar flags and there are times to talk in a high-level overview about legitimate security concerns, and we try not to codeshift so rapidly as to confuse people.
We burn the picodollar pricing model. With fire. It’s fundamentally unserious. (Ditto Bitcoin, the availability of which is currently Tarsnap’s view of the #1 most important they could be telling customers, rather than boring news like “Tarsnap is used by Stripe” or “Tarsnap hasn’t lost a byte of customers’ data in history.”)
Pricing Tarsnap Such That People Who Would Benefit From It Can Actually Buy It
Tarsnap’s current pricing model is:
Tarsnap works on a prepaid model based on actual usage.
| Storage: |
250 picodollars / byte-month ($0.25 / GB-month) |
|---|---|
| Bandwidth: |
250 picodollars / byte ($0.25 / GB) |
These prices are based on the actual number of bytes stored and the actual number of bytes of bandwidth used — after compression and data deduplication. This makes Tarsnap ideal for daily backups — many users have hundreds of archives adding up to several terabytes, but pay less than $10/month.
Colin, like many technologists, is of the opinion that metered pricing is predictable, transparent, and fair. Metered pricing is none of predictable, transparent, or fair.
Quick question for you, dear reader: What would you pay for using Tarsnap to back up your most important data?
You don’t know. That’s not a question, it’s a bloody fact. It is flatly impossible for any human being to mentally predict compression and data duplication. Even without compression and data duplication, very few people have a good understanding of how much data they have at any given time, because machines measure data in bytes but people measure data in abstractions.
My abstraction for how much data I have is “One MySQL database and one Redis database containing records on tens of thousands of people on behalf of hundreds of customers. That data is worth hundreds of thousands of dollars to me.” I have no bloody clue how large it is in bytes, and — accordingly — had to both measure that and then do Excel modeling (factoring in expected rate of growth, compression ratios, deduplication, etc etc) to guess what Tarsnap would cost me in the first year. (Why not just say “It’s a lot less than $1,000 so I’ll give Colin $1,000 and revisit later?” Because I have two countries’ tax agencies to deal with and my life gets really complicated if I pre-pay for services for more than a year.)
I screwed up the Excel modeling because, while I correctly modeled the effect of increasing data requirements due to the growth of my service in the year, I overestimated how much data compressed/deduplication would happen because I was storing both plain text files and also their compressed formats and compressed files do not re-compress anywhere near as efficiently as non-compressed files. Whoopsie! Simple error in assumptions in my Excel modeling, Tarsnap actually cost 4X what I thought it would.
By which I mean that instead of costing me $0.60 a month it actually costs me $2.40 a month.
This error is symptomatic of what Tarsnap forces every single customer to go through when looking at their pricing. It is virtually impossible to know what it actually costs. That’s a showstopper for many customers. For example, at many businesses, you need to get pre-approval for recurring costs. The form/software/business process requires that you know the exact cost in advance. “I don’t know but we’ll get billed later. It probably won’t be a lot of money.” can result in those requests not getting approved, even if the actual expense would be far, far under the business’ floor where it cared about expenses. It is far easier for many businesses to pay $100 every month (or even better, $1,500 a year — that saves them valuable brain-sweat having to type things into their computer 11 times, which might cost more than $300) than to pay a number chosen from a normal distribution with mean $5 and a standard deviation of $2.
So the pricing isn’t clear/transparent, but is it fair? “Fair” is a seriously deep issue and there are all sorts of takes on it. As happy as I would be to discuss the intersection of Catholic teaching on social justice and SaaS pricing grids, let’s boil it down to a simple intuition: people getting more value out of Tarsnap should pay more for it. That quickly aligns Tarsnap’s success with the customer’s success. Everybody should be happy at that arrangement.
So why price it based on bytes? Metering on the byte destroys any but the most tenuous connection of value, because different bytes have sharply different values associated with them, depending on what the bytes represent, who owns the bytes, and various assorted trivialities like file format.
Here’s a concrete example: I run two SaaS products, Bingo Card Creator and Appointment Reminder. Bingo Card Creator makes bingo cards, sells to $29.95 to elementary schoolteachers, is deeply non-critical, and is worth tens of thousands of dollars to me. Appointment Reminder is core infrastructure for customers’ businesses, sells for hundreds to tens of thousands per year per customer, is deeply critical, and is worth substantially more than tens of thousands of dollars.
So the fair result would be that BCC pays substantially less than Tarsnap for AR, right? But that doesn’t actually happen. My best guesstimate based on Excel modeling (because BCC never bothered implementing Tarsnap, because I’m not mortally terrified that I could wake up one morning and Mrs. Martin’s 8th grade science bingo cards created in 2007 could have vanished if my backups failed) is that BCC would pay at least five times as much as Appointment Reminder.
What other intuitions might we have about fairness? Well, let’s see, my company is engaged in arms length dealings with Tarsnap and with many other vendors. I think it sounds fair if my company pays relatively less money for non-critical things, like say the cup of coffee I am currently drinking ($5), and relatively more money for critical things, like say not having all of my customer data vanish (Tarsnap).
I recently did my taxes, so I know with a fair degree of certainty that I spend more than $10,000 a year on various SaaS products. (Geeks just gasped. No, that’s not a lot of money. I run a business, for heaven’s sake. By the standards of many businesses I have never even seen a lot of money, to say nothing of having spent it.)
This includes, most relevantly to Tarsnap, $19 a month for Dead Man’s Snitch. What does DMS do for me? Well, scroll back up to the entry from my crontab: it sends me an email if my daily tarsnap backup fails. That’s it. Why? Because “the backup did not happen” is a failure mode for backups. Tarsnap does not natively support this pretty core element of the backup experience, so I reach to an external tool to fill that gap… and then pay them 10X as much for doing 1/1000th the work. What?
(Let me preempt the Hacker News comment from somebody who doesn’t run a business: Why would you use DMS when you could just as easily run your own mail server and send the mail directly? Answer: because that introduces new and fragile dependencies whose failure would only be detected after they had failed during a business catastrophe and, incidentally, be designed to avoid spending an amount of money which is freaking pigeon poop.)
So how do we charge for Tarsnap that accomplishes our goals of being predictable, transparent, and fair?
- We’re going to introduce the classic 3 tier SaaS pricing grid. This will give the overwhelming majority of our customers a simple, consistent, predictable, fair price to pay every month.
- We’ll keep metered pricing available, but demote it (both visually and emphasis-wise) to a secondary way to consume Tarsnap. It will now be called Tarsnap Basic. Tarsnap Basic customers are immediately grandfathered in and nothing about their Tarsnap experience changes, aside from (perhaps) being shocked that the website suddenly looks better (see below).
- We honor Colin’s ill-considered price decrease which he awarded customers with following the recent AWS/Google/Microsoft/etc platform bidding war.
We’re going to use our pricing/packaging of Tarsnap to accomplish price discrimination between customer types. Our primary segmentation axis will not be bytes but will instead be “level of sophistication”, on the theory that quantum leaps in organizational sophistication/complexity roughly correspond with equal or higher leaps in both value gotten out of Tarsnap and also ability to pay.
Here’s some potential packaging options as a starter point. These don’t have to be frozen in time for all eternity — we could always introduce them in April 2014, keep them around for 6 months, and then offer a new series of plans at that point in response to customer comments, our observations about usage, the degree to which they accomplish Tarnsap business goals, and the like.
The questions of what the pricing/packaging is and how we present it to customers are related but distinct. This is the version for internal consumption — actual design of the pricing grid took more than 15 minutes so I decided to nix it in favor of shipping this post today.
| Tarsnap Professional | Tarsnap Small Business | Tarsnap Enterprise |
|---|---|---|
| $50 / month | $100 / month | $500 / month |
| All of Tarsnap Basic | All of Tarsnap Basic | All of Tarsnap Basic |
| 10 GB | Unlimited storage, up to 500 GB of media | Unlimited storage, up to 1 TB of media |
| Priority support | Priority support | |
| Onboarding consultation | Onboarding consultation | |
| Custom legal / compliance documentation | ||
| POs & etc |
That’s the offering at a glance. What changed?
We’re de-emphasizing “count your bytes” as a segmentation engine. I picked 10 GB for Tarsnap Professional because it feels like it is suitably generous for most backup needs but could plausibly be exceeded for larger “we want our entire infrastructure to be Tarsnapped” deployments. Importantly, I’m *not* segmenting by e.g. number of machines, because I think the market is moving in a multi-machine direction and Tarsnap is so effective and elegant at supporting that sort of incredibly valuable and sticky use case that I don’t want to impede it. (Tarsnap also must implement multi-user accounts and permissions for larger businesses, because that is a hard requirement for many of them. They literally cannot adopt Tarsnap unless it exists. That’s a natural addition at the Small Business or Enterprise level, but since that feature does not currently exist I’m punting from including it in the current packaging offering. Once it’s available I say put it on Enterprise and then grandfather it onto all existing customers to say “Thanks for being early adopters!”, and consider adding it to Small Business if you get lots of genuinely small businesses who both need it but balk at $500 per month.)
We’ve added “effectively unlimited” storage to Tarsnap. I think Colin just blew approximately as many gaskets at this change as I blew when I heard he was lowering his prices. Revenge is sweet. See, Colin has always priced Tarsnap at cost-plus, anchoring tightly to his underlying AWS costs. Tarsnap is not AWS plus a little sauce on top. AWS is a wee little implementation detail on the backend for most customers. Most Tarsnap customers don’t know that AWS underlies it and frankly don’t care. If you assert the existence of strangely technically savvy pixies who have achieved redundant storage by means of writing very tiny letters on coins guarded by a jealous dragon, and Tarsnap used that instead, Tarsnap would be the same service.
Tarsnap isn’t competing with AWS: the backups being safely encrypted is a hard requirement for the best customers’ use of Tarsnap. I can’t put my backups on AWS: instant HIPAA violation. Stripe can’t put their customers’ credit cards on AWS: instant PCI-DSS violation. We both have strong security concerns which would suggest not using unencrypted backups, too, but — like many good customers for Tarnsap — we never entertained unencrypted backups for even a picosecond.
So we’re breaking entirely from the cost-plus model, in favor of value-oriented pricing? What does this mean for customers?
They don’t have to have a to-the-byte accurate understanding of their current or future backup needs to guesstimate their pricing for Tarsnap anymore. You could ask people interviewing for position of office manager, without any knowledge of the company’s technical infrastructure at all, and they would probably correctly identify a plan which fits your needs. Stripe is on Enterprise, bam. Appointment Reminder is on Small Business, bam. Run a design consultancy? Professional, bam. Easy, predictable, fair pricing.
Why have the media limit in there? Because the only realistic way you can count to terabytes is by storing media (pictures, music, movies, etc). Colin is in no danger of selling Tarsnap to people with multiple terabyte databases — there’s only a few dozen of those organizations in the world and they would not even bring up Tarsnap to joke about it. (That’s, again, said with love. AT&T will not be using Tarsnap to store their backed up call records.) You won’t hit a terabyte on e.g. source code. If someone does, ask for their logo for the home page and treat their COGS as a marketing expense.
How does Colin justify the “media” bit to customers? Simple: “Tarsnap is optimized for protecting our customers’ most sensitive data, rather than backing up high volumes of media files. If you happen to run a film studio or need backups for terabytes of renders, drop us a line and we’ll either custom build you a proposal or introduce you to a more appropriate backup provider.”
Colin probably blew his stack about Tarsnap no longer being content neutral, because this requires us knowing what files his customers are storing in Tarsnap. No, it doesn’t. You know how every ToS ever has the “You are not allowed to use $SERVICE for illegal purposes” despite there being no convenient way to enforce that in computer code? We simply tell customers “Don’t use this plan if you have more than 1 TB of media. We trust you. We have to, since the only information our servers know about your use is $TECHNICAL_FACT_GOES_HERE.” If this trust is ever abused in the future Colin can code up a wee lil’ daemon which checks customers accounts and flags them for review and discussion if they hit 30 TB of post-compression post-deduplication usage, but it’s overwhelmingly likely that nobody will attempt to abuse Colin in this fashion because serious businesses take stuff that you put into contracts seriously. That’s 99.54% of why contracts exist. (Most contracts will never be litigated. If anyone ever abuses Colin and does not correct their use when told to, he’ll simply point to the “We can terminate you at any time for any reason” line in his ToS written there by any serious lawyer.)
I will briefly observe, with regards to cost control, that if every customer used 100 GB of data then this would cost Colin single-digit dollars per customer per month, that 100 GB of (de-duplicated, compressed) data is actually incredibly rare. Since the happy use case for Tarsnap involves virtually never downloading from the service (because backups are inherently write-seldomly-read-very-very-very-infrequently) AWS’ “bandwidth free incoming, bandwidth cheap outgoing” will not meaningfully affect costs-of-goods (i.e. Colin’s marginal expenditure to have the Nth marginal client on Tarsnap).
I will also briefly observe that Colin does not currently have a terminate-your-account option in his ToS. Why? Probably because no lawyer was involved in creating it, a decision which should be revised in keeping with positioning Tarsnap as a serious business which transacts with other serious businesses. Lawyers will occasionally ask technologists for silly contractual terms which have no relation to technical reality. Reserving the right to terminate accounts is not that kind of term. If any clients strongly object to it, they can have their own lawyer draw up a contract and pay Enterprise pricing after Colin’s lawyers have reviewed and negotiated the contract. You want to hear why SaaS businesses should always keep a no-fault-terminate option available? Get any group of SaaS owners together and ask for horror stories. A surprising number of them involve literal insanity, involvement of law enforcement, threats, and other headaches you just don’t need to deal with for $29/$50/whatever a month.
What does priority support mean?
It means that Colin will answer emails to prioritysupport@ before he answers emails to support@. That’s it.
I know, I know, this blows geeks’ minds. Is it OK to charge for that? Of course it is. You advertised what they were getting, they accepted, and you delivered exactly what you promised. That’s what every legitimate transaction in history consists of.
Why would customers buy this? Perhaps because they have company rules such that they always purchase the highest level of support, and the difference between $50 and $100 a month is so far below their care floor that that avoiding requesting an exception is worth the marginal cost to them. Perhaps because when their backups have a problem a difference of a few minutes is actually an issue for them. Perhaps because it isn’t really an issue for them (if it is, Tarsnap’s SLA is a nonstarter, seeing as Tarsnap has no SLA) but they like to see themselves as important enough that it is. Perhaps because they’re worth billions of dollars and run credit card transactions for hundreds of thousands of people and why are we even having this discussion of course they want priority support for our backups. (That’s called “price insensitivity” and every B2B SaaS ever should take advantage of it.)
What is an onboarding consultation?
Nobody buys Tarsnap because they want to use Tarsnap. They buy Tarsnap because they have a burning need in their life for encrypted reliable backups (or a need for not losing their data in event of a breach or a fire or a hard drive failure or all the other ways you can lose data). Tarsnap is a piece of the puzzle for meeting that need, but it isn’t all of it.
Can I confess ineptitude with UNIX system administration? I founded a company, but I’m not a sysadmin. My first several days of using Tarsnap were marred because the cronjob entry which I thought was supposed to do a timestamped backup every day was failing because of improper use of backticks in bash or some nonsense like that. Whatever. Now that it works it doesn’t matter what the problem was, but back when I implemented Tarsnap, that was a problem for me. I guarantee you that Colin could have dealt with that problem in seconds. I would love to have had him available to do that. Now in actual fact I could probably have just sent Colin an email and he would have gladly helped me, but I didn’t do that because I’m a geek and I hate imposing on people, so why not make that offer explicit?
There’s many other ways to fail at backups other than screwing up your crontab. Did you want to backup your MySQL database? Did you backup the actual data files rather than a mysqldump? Sucks to be you, but you won’t know that until the most critical possible moment, likely several years from now. Did you forget to print a hard copy of your Tarsnap private key? Sucks to be you, but you won’t know that until your hard drive fails. etc, etc
Colin is a very smart guy and he has more experience at backups than many of his customers, so why not offer to make sure they get up and running on the right foot? He does consulting anyhow (or did, back when Tarsnap was not paying the bills), so just do it in the service of the product: ask customers about their businesses, make sure they’re backing up the right information on a sensible schedule, and offer to assist with the non-Tarsnap parts of the puzzle like monitoring, auditing, compliance, etc etc. (That would, incidentally, expose Colin to real-life justifications for features which should absolutely be in-scope for Tarsnap, like monitoring.) It makes it easier for clients to justify using Tarsnap, easier for them to succeed with using Tarsnap, and easier for them to justify to other stakeholders why they went for the Enterprise plan rather than the Professional plan. Businesses are quite used to paying for experts’ time.
(From Colin’s perspective, by the way, the effective hourly rate on these free consultations will eventually absolutely ROFLstomp his highest hourly rate. I charged $30k a week back when I was a consultant, and onboarding Appointment Reminder customers is still monetarily a better use of my time. “Hundreds of dollars a month” multiplied by “many customers” multiplied by “years on the service” eventually approaches very interesting numbers.)
What does custom legal / compliance documentation mean?
Many larger businesses require certain contractual terms to buy software, even SaaS which those contractual terms do not contemplate. (e.g. “You should provide us with media containing the newest version of the software on request, delivered via courier within 7 business days.” <– an actual term I’ve been asked to sign for SaaS). Instead of saying “We have a ToS which is a take-it-or-leave-it proposition”, say “We’re willing to have our lawyers look over any terms you have, and will either counteroffer or accept them depending on whether they’re reasonable. This is available at our Enterprise pricing level.”
If your organization is sophisticated enough such that it can afford counsel and layers of scar tissue that generate custom language required to use software, it can afford Enterprise pricing. If it’s not, you can use the easy, affordable options in the other columns. (And while we won’t say this in so many words to clients, if you think you get custom legal work done for you at the lowest price, you are irrational and we do not desire your custom. I’ve had clients ask me to sign their handwritten-and-scanned contracts which all but obligate me to give them my firstborn if Microsoft eats their Googles… and could I get the $29 a month pricing, please. I’m not even going to waste my lawyer’s time with looking at it for less than $500 a month.)
In addition to improving Colin’s ability to get people up to Enterprise pricing, this opens new markets up for him. For example, an IT company working with US healthcare clients might ask Colin to sign a BAA. (I think, as a founder of a company which has to care about that, that Tarsnap is likely out of BAA scope, but somebody might ask him to sign that anyhow. Better safe than sorry, etc.) Rather than saying “No.”, Colin should say “Let me one that run by the lawyer.”, who will advise him that while it’s a paperwork hassle the first time it exposes him to zero legal risk. So Colin would gladly cash that $500 a month check while mentioning explicitly on the website “Do you need HIPAA compliance for your backups? We can accommodate that!”
Speaking of which: there should, eventually, be a Tarsnap in $INDUSTRY pages on the website for all of the top use cases. On the healthcare page you could brag about HIPAA compliance, on the payment processing page about “Stripe uses us!” and DCI-PSS compliance, etc etc.
What is the transition strategy from metered pricing?
Simple. Metered pricing is now called Tarsnap Basic and is available from one weeeeee little text link somewhere on the pricing page, or alternately by contacting Colin directly. It has everything Tarsnap has as of the writing of this article. Nobody who has ever used Tarsnap Basic has anything taken away.
Colin will be shocked and amazed at this, but very few customers are going to actually search out and find that link, he will not experience significant decreases in the number of new accounts he gets per month, and — I will bet pennies to picodollars — he discovers that, amazingly, the people who prefer Tarsnap Basic are, in fact, his worst customers in every possible way. They’re going to take more time, use the service less, and in general be more of a hassle to deal with.
We grandfather in existing Tarsnap Basic clients. If there is anybody paying Colin more than $100 or $500 a month for Tarsnap currently, Colin can either a) advise them that they should upgrade to one of the new plans (if they’re not using media files), b) immediately upgrade them to the new plan himself, or c) tell them “You’re now on a special variant of the new plans, such that you have no limit on your media files. Otherwise it just purely saves you money. Have a nice day.” I feel that all of these are the right thing to do, and they might be the only recommendations in this post which Colin actually won’t object to. Yay.
Why grandfather in clients? It will cost us a bit of money in opportunity costs, but a) keeping commitments is the right thing to do, b) we can justify it as being a marketing expenditure to reward the loyalty of our early adopters, and c) the portion of customers receiving deeply discounted Tarsnap services will quickly approach zero because Tarsnap has yet to even scratch the surface of its total addressable market.
Why keep Tarsnap Basic at all? Honestly, if this were a paid consulting gig, I would be pulling out my This Is Why You Brought Me In card here and going to the mattress on this issue: Tarsnap’s metered pricing is a mistake and should be killed, not rehabilitated. You pick your battles with clients, but this one is worth fighting for. Unfortunately, I believe that years of ragging Colin about picodollar pricing has caused him to dig in his heels about it, such that he feels it would be a rejection of the core of Tarsnap if he were to go to better pricing options. Since I hope that Tarsnap actually improves as a result of this post, I’d be more than happy with an incremental improvement on the pricing.
What is a PO?
A PO is a Purchase Order. It is a particular document enshrined as part of the purchasing ritual at many businesses, which often require a bit more ceremony to buy things than “Give us your credit card and we’ll Stripe it.” Colin can now respond to any requirement for heightened purchasing ceremony with my magical phrase “I can do that with a one year commitment to the Enterprise plan.”
Can we pay with a PO? **“I can do that with a one year commitment to the Enterprise plan.”
Do we get a discount for pre-paying? “I can do that with a one year commitment to the Enterprise plan.” (Let’s be generous: $500 a month or $5k for the year. Cheaper than a week of a sysadmin’s time!)
Can you help us work up an ROI calculation for our boss? “I can do that with a one year commitment to the Enterprise plan.”
Do you accept payment in yen? “I can do that with a one year commitment to the Enterprise plan.”
Can we pay you with a check? “I can do that with a one year commitment to the Enterprise plan.”
Tarsnap’s clients and Tarsnap will both benefit from Tarsnap charging more money
More money in the business will underwrite customer-visible improvements to the business, such as e.g. buying actual insurance for data which is in his care. It will allow him to prioritize features that core customers really need, like e.g. the recurring billing thing which has been on the back burner for several years now. It will let him not have to worry about cash flow as much as he is presumably doing currently, allowing him to take customer-favorable actions like not deleting all of your backups within days of a transient credit card failure.
It will allow Colin to buy his way around the bus number question. (“What happens if you get hit by a bus?” Currently: Nothing immediately, but eventually the service might fail. We hope we fail at a time convenient for you to not have any of your backups? Later: Don’t worry, we have systems and processes in place to cover business continuity issues. Our lawyers have a copy of our credentials in escrow and we have a well-regarded technical firm on retainer. In the event of my death or incapacitation, contracts activate and the business is wound down in an orderly fashion, such that your data is never lost. You’d have several months to decide whether to keep your backups with a successor organization or migrate them to other providers, and our successor organization would assist with the migration, free of charge. We have this described in a written Business Continuity Plan if you’d like to take a look at it.)
It also, frankly, compensates Colin better for the enormous risk he took in founding Tarsnap (as opposed to e.g. working in-house at any of his clients). I know Colin is pretty happy with the living Tarsnap currently affords him. Bully for him. I hate attempting to change anyone’s mind about core philosophical beliefs, but on this particular one, Joel Spolsky did me an enormous favor back in the day and I’d like to pay that forward to someone else in the community. (Particulars elided because it was a private conversation, but Joel convinced me not to just get BCC to the point of self-sufficiency and then retire, and part of the rationale is relevant to Colin.)
What we’re fundamentally concerned with here is an allocation of the customer surplus — the difference between what customers would pay and what they actually pay — between the customers and Colin, in his capacity as Chief Allocator For Life Of All Tarsnap-related Surpluses. Colin is currently deciding that his customers are the most deserving people in the entire world for those marginal dollars.
Is that really true? Appointment Reminder, LLC is a force for good in the world, I hope, but it certainly doesn’t match my intuitions as the highest and best use of marginal funds, and it really doesn’t care about the difference between the $2.40 it currently pays and the $100 it would happily pay. That won’t even cause a blip in business. As the founder, the LLC’s bank account is very much not my own pocket, but I’m probably the best informed person in the world about it’s balance, and I’d literally not be able to notice the difference after a month.
Can I tell you a story about Anne and Bob? They’re trying to divide a carrot cake fairly between the two of them. Carrot cake, if you’re not familiar with it, has delicious carrot-y goodness and is topped with very sugary white frosting. In the discussion of the fair division of the cake, Bob mentions “By the way, I’m severely diabetic. I can’t eat sugary white frosting. If you give me any of it, I’ll scape it off.”
There’s many fair ways to cut that carrot cake, but (assuming that Anne likes sugary goodness and would happily have all of it if she could), any proposed allocation of cake that gives Bob one iota of frosting can be immediately improved upon by transferring that frosting to Anne’s piece instead. This is true regardless of your philosophy about fairness or cake cutting, or whatever Anne and Bob might contemplate regarding the delicious carrot-y portions. Even stevens? That works. Give Bob extra cake because Anne isn’t particularly hungry? That works. Anne has a lethal allergy to carrots and so wants none of the cake? That works, too. Anne and Bob belong to an obscure religion founded by cryptographers which dictates that in case of conflict over resources ties go to the person whose name has the lexicographically lower MD5 hash when salted with the name of the resource at issue? That works too! Just don’t give Bob the frosting because that’s just not the best way to cut the cake.
This stylized example uses absolutes, but in the real world, Colin and his customers are cutting a cake composed of encrypted-backup-so-your-business-doesn’t-fail goodness iced with whole-tens-of-dollars-a-month. The customers mostly don’t care about the frosting. Colin should take all of it that is available to him. Aggregated over hundreds or thousands of customers it is absolutely lifechanging for Colin, Tarsnap, or whatever people or organizations are implicated by Colin’s terminal values.
Even if Colin desires to subsidize people whose use of Tarsnap is economically suboptimal when compared to Appointment Reminder’s (and thus who can’t afford the $50 a month), Colin should not cut prices on Appointment Reminder to do it. He should instead charge AR (and hundreds/thousands of similarly situated organizations) $100 a month and then use the $100 to buy, hmm, “a shedload” of AWS storage, allowing him to charge nothing to whatever people/schools/charities/etc he wants to benefit. You could call even put that on the pricing page if you wanted to. Tarsnap Dogooder: it’s free if you’re doing good, email us to apply.
Colin has twice proposed that there should be a special optional surcharge if customers feel like they’re not paying enough. Let’s run that one by the 6 year old with the lemonade stand: “Why don’t you do this?” “Because few people would pay for it, and it would complicate the discussion about buying lemonade, and it would make them feel really weird, and if they wanted to be charitable they’d probably have a markedly different #1 priority for their charity right now than middle class kids with entrepreneurial ambitions.” All true, 6 year old!
I might also add, as someone who was dragged kicking and screaming into being a responsible grownup running a serious business, that while I personally can choose to donate money the business can’t. If it isn’t necessary it isn’t a business expense (that’s phrased 必要経費 — quite literally “necessary business expense” — by my good buddies at the National Tax Agency — and yes, for the 43rd time, I really can read Japanese).
Memo to OSS developers: I can pay money for software licenses, even if the license is just “MIT, but we invoice you”, but I cannot just put business funds in your tip jar.
Tarsnap Needs A Fresh Coat Of Paint
I have abominable design skills. That said, I still wouldn’t ship Tarsnap’s design, because it is the special flavor of poorly designed which could actually cost sales. (Many non-beautiful sites do not cost sales. Example: look at every bank or enterprise software company ever. Very few would win design awards. They just have to waltz over the very low does-not-scare-the-customer-bar. Tarsnap trips.)
Here’s what I’d tell a contract designer hired to re-do the Tarsnap CSS and HTML: “Competitors to Tarsnap include Backblaze, SpiderOak, Mozy, and the like. People who could make the decision to use Tarsnap might be familiar with and generally appreciate Twilio, Sendgrid, and Stripe. Steal liberally from their designs and keep nothing of the current design. Heck, you can even copy their mistakes, like using carousels. No mistake you copy from those folks will be anywhere near as bad as it looks right now. Lorem ipsum out the text. If you have any question about a visual element rather than asking Colin or I you should ask any Project Manager or Team Lead you know ‘Would this cause you to run away from the screen in revulsion?’ and you can keep absolutely anything where the answer is ‘No.’”)
A visual redesign will probably cost Colin four to low five figures. That’s cheap at the price of the business it will bring in within even the first month, but hey, let’s hypothetically assume it isn’t in the budget. In that case, we go to Themeforest and buy any SaaS template which isn’t totally hideous. Here’s one.
Pardon me for ten minutes while I pay $20 and deliver a quantum leap in visual experience…
And done.
Old: 
New:
Seriously, I have live HTML for that, and it probably took a whole 20 minutes. Rewriting the entire Tarsnap website from scratch would be roughly one day of work.
That testimonial from Patrick Collison is, by the way, legit. It could easily be accompanied by a logo wall of customers in a redesign.
I’m really ambivalent on what could go in the large image that I placeholder’d out, by the way. Literally anything. A stock icon enterprise shot would work, a skewed listing of arbitrarily database backups could work, a photo of some model exuding “I feel the thing that can only be felt by people who did not just lose all of their backups”, anything. Even “This space intentionally left blank” is more professional than the existing Tarsnap site. That could be fixed after fixing re-occuring billing or the cronjob which goes around deleting people’s backups.
Ordinarily I would suggest A/B testing designed changes, but Colin won’t ever actually run an A/B test and this is a clear improvement, so in this case I’d settle for shipping over certainty.
Getting Started With Tarsnap — Slightly Improved
Get Started Now is probably not my most innovative call to action button copy ever, but it’s an improvement over the existing call to action button… principally because the current site has no call to action button. If you’re good at scanning blocks of text, you might find the link to [get started with Tarsnap]. Go ahead and load that in a new window, then come back.
Can you tell me what you need to do to get started with Tarsnap? Feels like an awful lot of work, right? That’s partially because it actually is a lot of work, and partially because it’s communicated poorly.
The Getting Started guide for software which assumes the user knows what a man page is includes the actual text “Go to the Tarsnap registration page, enter your email address, pick a password and enter it twice, and agree to the Tarsnap terms and conditions. Hit Submit.” Is there any crusty Unix admin in the entire world who needs this level of detail in instructions to get through a form? All this does is make the process feel more painful than it already is. Also, why is that button called Submit? I lack any information that customers for Tarsnap are masochists and accordingly Submit-ting is probably not what they came here to do, so how about we re-use that CTA “Get Started Now” or something similar.
We then go to the client download page. Wait, scratch that, the instructions-for-building-from-a-tarball page.
“Hey kid, if instead of lemonade, you were selling a paper cup, a sugar cube, and a lemon, how much of that would you sell?” “Mister, you ask really dumb questions.”
Colin should pick any five distributions and have the packages ready to go for them. Heck, you can give people copy/paste command lines for getting them up and running, too, if you’re feeling really generous.
You can demote the build-from-tarball UX for advanced users or people using obscure distributions. This will substantially ease the user experience here. Even folks who are quite comfortable with reading pages of instructions to compile software don’t do it for fun.
After successfully getting the client installed, we then have to configure our server’s key pair. That can (probably?) be integrated into the get-the-right-package described earlier. (If you wanted to be really clever, you could come up with something such that the user never has to e.g. plug in their username and password because you already know it since they just gave you their username and password prior to navigating to the instruction page, but hey, that will actually take a few hours/days of programming. We can do it a few months from now.)
There is a really important instruction in the Getting Started guide which is easy to overlook, even with being bolded:
STORE [THE KEY FILE] SOMEWHERE SAFE! Copy it to a different system, put it onto a USB disk, give it to a friend, print it out (it is printable text) and store it in a bank vault — there are lots of ways to keep it safe, but pick one and do it. If you lose the Tarsnap key file, you will not be able to access your archived data.
Tarsnap will appear to work if you ignore that instruction. Ignoring it will, almost certainly, mean that actually using Tarsnap was for naught, because if your machine dies your ability to access your backups dies as well.
1) At the very least, Colin should email everyone who signs up a new machine 1 hour later asking them to confirm that they have, in fact, moved their key file somewhere safe. I guarantee you that this mail will catch many people who didn’t. (I only noticed that instruction two weeks into my use of Tarsnap because, like many people, I don’t read on the Internet.)
2) I know Colin currently conceptualizes Tarsnaps as “backups for the paranoid” and this resonates with some of his users, but as long as we’re moving to Serious Business, let’s give serious businesses their choice of levels of paranoia to embrace. You can default to the current “You manage your key and, if you screw it up, well I guess then you’re totally hosed” but supplement that with “Optional: We can hold a copy of your keys in escrow for you. [What does that mean?]” This gives people who prefer Tarsnap to be absolutely 150% unable to decrypt their information to be able to get that, but also lets folks trade modest security for reliability. Many businesses care about reliability more than the modest security tradeoff.
For example, where do you think my Tarsnap keys are? Storage on my person is out of the question, and storing in a physical location is difficult when I split my time between two continents, so they’re somewhere in The Cloud. I’m taking a gamble that that cloud provider and I are at least as good at securing that key file as Colin would be. I trust us, but I trust Colin more, so I wish there was a simple “In case of emergency, get Colin on the phone and have him securely transfer a copy of the key files backed to me” option in case disaster strikes. (And again, that sort of thing is historically something people are happy to pay for. If I were to hypothetically use the “print out a copy of the key and put it in a safe deposit box” option that actually costs more than Tarsnap does currently.)
What Happens After We Install Tarsnap?
Currently, absolutely nothing happens after you install Tarsnap. It just leaves you to your own devices. There’s a very lackluster getting started guide which barely reads you the command line options.
Does the user want to read command line options? No. Probably 90% of users need one of, hmm, five things?
1) I want to back up my database. How do I do that?
2) I want to back up my source code. How do I do that?
3) I want to back up this entire freaking server. How do I do that?
4) I want to back up my website. How do I do that?
5) Somebody told me to get the important stuff backed up. I’m not sure what is important. Any help?
It doesn’t hurt the experience of Crusty UNIX Sysadmins (TM) an iota to write a decision tree into the website which would give handy, detailed instructions for people encountering these very common needs. They’d be more likely to get Tarsnap into a place where it is useful, more likely to spend more money (on Tarsnap Basic), and more likely to ultimately achieve success with having restorable, usable backups via adopting Tarsnap, as opposed to muddling their way through backing up MySQL and accidentally getting files which can’t actually be restored.
What Else Could We Change About Tarsnap?
Lots.
- The marketing site includes no testimonials or case studies. Solicit and add them. Stripe seems to be an easy layup here, since they’re already on the record as loving Tarsnap.
- There’s no reason to go to Tarsnap or cite Tarsnap except if you want to use the tool or you personally like Colin. Colin’s a likeable guy, but he could also be a likeable guy building the Internet’s best set of instructions for backing up arbitrary systems. How to back up a Rails app! A WordPress site! A Postgres database! etc, etc . They’d get him highly qualified traffic from people who are very motivated to learn about robust, secure ways to back up their systems. Too knackered to write these pages, Colin? I sympathize, what with all the exhausting work lifting money off the table and into your pockets, but now that you have lots of money you can pay people to write these pages for you.
- There’s an entire Internet out there of companies whose businesses implicate backups but which do not want to be in the backup business. Let’s see: Heroku, WPEngine, substantially every SaaS with critical data in it, etc. Colin could approach them serially and offer easy integration options if they are willing to trade exposure to their customer bases. It’s a win-win: target company gets the world’s best answer to the “Is my data safe with you?” question, Colin gets scalable customer acquisition, target company’s customers get our-data-does-not-vanish.
- Tarsnap assumes as single-user-with-godmode privileges, which doesn’t map to the understanding of many businesses. Accounts should have multiple users and access controls. Audit logs and whatnot are also options. All of this will help people justify Enterprise pricing and also help people justify using Tarsnap in the Enterprise at all, since — at present — Tarsnap fails a lot of company’s lists of hard requirements. (You don’t need every company in the world to be able to use you, but there’s plenty of features which unlock hugely disproportionate value for customers and for Colin relative to the amount of time they take to make. Multiuser accounts doesn’t double the complexity of Tarsnap but it probably singlehandedly doubles Tarsnap’s exposure to dollars-spent-on-backup, for example.)
- Tarsnap doesn’t currently do the whole backup puzzle. It doesn’t have monitoring, it doesn’t have convenient ways to restore, etc. Tarsnap could easily create more value for users by filling those sub-needs within backups and could potentially even consider branching out some day.
Ten thousand words, crikey. OK, I’ve said my piece. If you’d like me to do something similar for your business, I’m not actively consulting anymore, but you’d probably be well-served by getting on my email list. I periodically go into pretty deep coverage of particular areas of interest to software companies, and — occasionally — there’s an announcement of commercial availability of this sort of advice. Speaking of which, I should get back to building the stuff that people pay for, in anticipation of fun new ways to give Tarsnap more money.
