I intend to create a software service that would involve processing large amounts of biochemical data. Often this data could be a digital representation of samples from patient tissues – so it is potentially sensitive data. My service itself will be closed source and served through a web-based interface. This data will only be used for analysis and interpretation for which I want to charge users who derive value from it.
However, the users of such services are known to be paranoid about concerns around the privacy and misuse of this type of data, and rightly so. I fear that a simple declaration may not be enough for them to take me seriously. In that case, how and what measures can I take to convince or at least be able to signal that their data is safe on my servers? That I will not be using it for anything fishy.
I have never run a SaaS business before, but I cannot be the first person to have a concern like this. If possible, it would be nice to hear of solutions that single developers like me can take care of, instead of expensive audits as I imagine large organizations typically go through for this sort of stuff.
In case it is relevant, I plan to use AWS for the whole backend and serve users in many different jurisdictions.