I think the most interesting part about OP’s story is the question about how did self-hosted solution notify Mattermost server about potential Russian/Belarus connection? Even if the compliance automation was faulty, it’s still interesting how Mattermost found out of a Russian connection at all. (I am assuming this compliance email wasn’t sent out to everyone/larger group of people by mistake, and the OP happened to have a Russian user)
Mattermost CEO here,
Thanks for the question. Like many companies we use a 3rd party service to check if someone we’re doing business with a company that has been flagged on export compliance.
HN has a lot of people building SaaS and open core companies, so hopefully this thread is a good way to learn about export compliance, which is something we've been doing for many years, though it's gotten extra important in 2022 due to so many new sanctions showing up.
Think of it this way (in a simplified, high level view that doesn't capture all the detail, but intended to share the aesthetic):
1. When you're an early stage company based in the U.S. starting to sell open core licenses or SaaS you typically hire a lawyer to do the legal agreements and help negotiate contracts.
2. If it's a good lawyer, they might talk about "export compliance" and how your company might need to think about doing an assessment on how your product is classified in the context of U.S. export compliance restrictions.
3. If they're a really good lawyer, they may even recommend an export compliance consultant for you to use.
4. After you get your export compliance classification, you're going to need a way to implement the right checks to ensure you're not violating U.S. export compliance laws based on your classification and your customers.
5. You quickly realize you need to buy a tool to do this--not only to check at the time of transaction, but also to alert you if the status of a customer changes (for example, if a customer is added to a list of organizations flagged by public sector organizations).
6. You look at different options, and end up purchasing one and integrating it with your other systems, including Salesforce (sales automation) and Marketo (email automation). In this case, we purchased a subscription to Descartes.
Hopefully that helps share context. Please feel free to ask other questions here.
Ian, you might want to clarify that the only thing submitted to the 3rd party service is the company name of the customer and there was no submission of any customer logs.
Some other commenters in this thread think that you log their ip and submit their ip.
It's a pretty reasonable conclusion when the vendor claims to know where you're using the software, and the evidence is that the vendor claims to know where you're using the software.
My impression from the OP is that the company does not claim to operate out of Russia or Belarus. Presumably, neither would the website. Clearly there's some other method by which that third party makes that determination, and clearly that method produces false positives.
