Episode 735 | The 8 Levels of SaaS Platform Risk (A Rob Solo Adventure)

Rob Walling:
Welcome back to another episode of Startups For, the Rest, Of Us. I’m your host, Rob Walling. In this episode, I’m going to talk about the eight levels of platform risk as well as the three factors that contribute to platform risk. And I’m not just going to talk about the traditional, I have a Shopify app, or heaven forbid, your WordPress web host this week, but I’m going to look at platform risk from a sense of any type of reliance on an external platform. So if you use SendGrid to send email, how does that factor in? If you use AWS for your hosting or you use an open source package like WordPress, and honestly, this is a framework I came up with a few months ago and I jotted it down in a Trello board. I keep for a podcast episode topics, and I was just going to pull it out at some point, probably put it in a book, I’m sure talk about it on the podcast. 

And then the WordPress WP Engine kerfuffle flared up by now, that’s a couple weeks old, but it did remind me that I had this and had never really done a full refinement on it. And so this podcast episode is a way for me to kind of bring that out and talk through my thoughts of platform risk as I see it, especially it’s probably any startup, but realistically, there’s a little bit of a B2B SaaS bent to it, right? Because that’s the 191 investments I’ve made. And so I’ve seen different forms of platform risk blindside companies in different ways, and that is the basis for today’s episode. Before I dive into that, tickets for MicroConf New Orleans are on sale. You can go to MicroConf dot com slash us if you’d like to grab your ticket. The event is being held next March of 2025. Speakers are yet to be announced, and of course, I will be there in New Orleans. And if you want to get together with about 250 of your favorite bootstrapped founder friends, head to MicroConf dot com slash us. The tickets right now are the least expensive they will ever be, and they will go up in price, I don’t know, in a few weeks or a month or whatever. In addition, we are going to sell out. We sold out our Europe event, I believe we sold out at Atlanta last April. So if you want to get a ticket, there is no reason to wait. microcomp.com/us. 

Let’s dive into platform risk. So I’m going to start with these three factors that contribute or define platform risk. And each of these you might think of on a scale, whether it’s one to 10 or one to a hundred, there can be a small amount of risk for a specific factor or a large amount. So the first one I think of is a replacement. So if you are on a platform, whether that is using SendGrid to send email, whether it is hosting on AWS, whether you built a no-code app in Airtable or Bubble, whether you are a Heroku app or Shopify app, is a replacement available for this platform? And how hard is it to switch? And is the pricing approximately the same? So there are more questions than that, but those are kind of the high level, so it’s replacement. So we might think of, well, what is an easy replacement where it’s available? 

It’s not that hard to switch and it’s a commodity, so the pricing is the same. Well, that is something like I would say SendGrid postmark, mandrel mail gun. The switching cost is real. It is a thing, but it’s connecting to a new PI. And it depends on how deeply you’re integrated, obviously, but that switching cost is not catastrophic. And pricing in that space of sending email or even SMS, I think of Twilio and the cajillion, SMS APIs out there are a lot of replacements available, so that’s going to be a much easier spot. But what if you are built on Shopify’s API and you’re in the Shopify app store? Is a replacement available? How hard is it to switch? And is it priced the same? Well, the pricing doesn’t necessarily make sense in that context, but is a replacement available? How hard is it to switch? 

It’s kind of like, no, there really isn’t a replacement. And switching is basically impossible, right? Because if you were just a Shopify app and you’re like, well, they kicked me out of the app store, or they took my API access away, it’s like, well, we can go build a BigCommerce, a Magento, a WooCommerce version, but it’s not the same. It’s not a replacement, and that’s not really switching costs, that’s just building spinning up a whole new product. So the hard to switch is just astronomical. So when we think about replacement from one to 10 or one to a hundred, that takes you from easy to hard, at least in my mind. So the first factor was replacement, second one is customer concentration. And the question here is, are the majority of your customers on this platform, meaning that if you were kicked out or the API access were shut off, or somehow the platform suddenly said, you’re on Twitter’s API, and they say, we need you to pay us $12,000 a month. 

Now to maintain it are 80%, 90%, even 70, 60% of your customers on this platform in a way that essentially will decimate a huge amount of your revenue. Now, what’s interesting is this is separate from the third factor, which is I’m saying lead flow or customer flow. That’s on an ongoing basis receiving new customers, say from an app store listing or a marketplace listing. And that’s different, it’s related, but it’s different than customer concentration because in theory, I could go build a Twitter client, I could be getting zero lead flow from Twitter, but a hundred percent of my customers could be concentrated on Twitter or on Facebook’s API. Again, if I’m an app that postponed, for example, that helps you post to Reddit, Instagram, Facebook, Twitter, and all those Grant, he’s a TinySeed founder, started Postpone and it was just for Reddit. And so when we funded him, we said, your customer concentration is basically a hundred percent Reddit. 

We think you should diversify into other platforms. And he was already on board with that. So now he has a little more diversity across the different platforms. Now, great example with Postpone. Does postpone receive any lead flow from being in a Reddit app marketplace? No. So you can have concentration and you can have the risk of that concentration without the lead flow, and you can have the lead flow. I guess in theory, you could have, let’s say I was on four platforms. I was like Shopify, BigCommerce, WooCommerce, and Magento, and I had 90% of my customers on Shopify and only 10% across the other three. But let’s say the other three were sending me a lot of leads, I just branched into ’em, and usually this is not the case. Usually actually branching into other platforms is a lot harder than you think. We’ve seen Tiny, I’ve seen TinySeed companies and non TinySeed companies try to do it and it can work, but in the majority of cases I’ve seen it hasn’t worked. 

So the example there though was to say you could have lead flow in those three smaller non Shopify apps, but not very much customer concentration kind of still early. So these three of is there a replacement, customer concentration and lead flow are the three factors that I think of when I try to rank order these levels of platform risk. So now that I’ve defined these three factors, the contributing factors of platform risk, I want to walk through the eight levels of platform risk, and I will talk through the contributing factors and how they relate to each of them. Interesting data point. As of a week or two ago, I had seven levels of platform risk, and the WordPress WP Engine kerfuffle basically begged the question of, well, let’s say you are built on WordPress, what’s the platform risk of that? And there’s different things. WP Engine uses WordPress and they’re a web host, but what if you had a B2B SaaS company that was built on WordPress as the core, so it was kind of a no-code thing hacked together with plugins. 

That’s almost a related, but a different question. And so I added that as another layer. The answer of course is always, well, it depends on a lot on the specifics of how you rank these. All of these are valid levels. It’s just comparing being built on WordPress versus being hosted on AWS. I have ordered those in a certain way, and I think in different situations they could be swapped a little bit, but to me, this list is directionally correct and it takes those three factors and applies it to a bunch of different scenarios that I’ll give examples of. So moving from least amount of platform risk, what I consider the least amount up to the most amount of platform risk, basically where you have the most exposure and the most risk of your business being killed. And so I’m going to go one through eight again, where one is the lowest, eight is the highest, the most dangerous level one is almost no platform risk. 

It is where you own your own server in a cage with redundant power, you run your own SMTP servers to send emails. The platform risk here is any development language you use, right? Plus your internet service. I mean, basically you are not reliant on a host, you’re not reliant on anything to send email. You’re not built in no code. I guess your oh, and your risk there is where are you getting leads from and do you have customer concentration and where are you’re getting leads from? And in this case, I’m assuming there’s just almost none, right? You have this great variety of leads coming from all over the place, and there’s no customer concentration in terms of them being reliant on an external API. So this ones, it’s so unrealistic, I just kind of want to skip by it. None of us are going to do that, right? 

The second level of platform risk, I think of it as you being reliant on a platform that is a relative commodity and it’s easy to switch away from. Again, relatively easy. I know we could make an argument, I’m going to say SendGrid and Twilio, an SMS provider, email provider, those are commoditized and they are relatively easy to switch. There’s no lead flow, there’s no customer concentration. It truly is just a replacement decision. And one might say, well, SendGrid integration will take you months to migrate away from. Usually that’s not the case. Usually it’s a couple of weeks. I believe we did this with Drip because we went from, we had three or four different email providers that we were using that were APIs that sent emails, and it would take us a matter of weeks to switch, and we were sending hundreds of millions of emails a month. 

So again, this is why it’s probably the most realistic one that a lot of us are exposed to, and this is where it always bothers me. I’ll be on X Twitter and someone will say, oh, man, you build on Airtable or Bubble and there’s platform risk. And some smart outlet comes in and says, oh, yeah, well, you host on AWS and that’s a platform, and you send emails through SendGrid, and so that’s also a platform, and you have risk too. And it’s like, but they’re not the same. And that’s the point of this list is to have them in order of increasing risk or exposure. And I think being reliant on a commodity, whether it’s hosting or whether it is an API of some sort, I think at the same level as imagine if you have a VPS or you have a Docker container and you’re on commodity hosting somewhere, and you can basically just pull that and spin it up in, I don’t know, half a day, a day, two days, whatever. 

It’s that relatively low switch in cost and it is commoditized. I think that fits in this category as well. So the third level of platform risk, which is just a little riskier than the one I just is when you’re using these large cloud providers, Amazon Web Services, Google Cloud, Azure, this is where you still don’t have customer concentration or lead flow, that’s irrelevant. Obviously those are more dangerous. And so those are in the higher levels of platform risk, but moving away from A-W-S-G-C-P, Azure, whoever else, it’s not just spinning up a Docker thing and moving the VPS or whatever. I think the switching costs is significantly more than moving away from an API, like a SendGrid or an SMS because this is the infrastructure where your entire app is, and you start to get reliant on a lot of services. And so this one also has a varying degree. 

It’s a slider of like, well, if I’m only using an EC2 instance and everything’s there, then maybe low-ish switching costs. But by the time I have auto scaling and I have six different types of servers, I have the front end and the API and I have a database and I have Redis servers and I have sidekick workers, and I am using Amazon’s not proprietary, but they’re more like the Redshift thing, and I’m using a bunch of stuff in Amazon. Switching away from that at that point becomes very, very painful and migrating to another platform. You just, again, that’s why it’s the third level I think a platform is. Now, if it’s such a pain to switch, why do I think the risk is relatively low? Because at least to date, A-W-S-G-C-P and Azure are not, they’re not in the business of being aggressive. They have no motivation to, their business model is selling you stuff for a certain amount of money, and so they want you to be happy. 

They keep rolling out new stuff, they keep dropping prices. It’s the opposite of, I’ll get to it in a second, but the no-code providers where they keep raising prices and where any of those could go out of business any day, and they’re not profitable. For most part, I think most of the no-code providers have raised a bunch of money and are still not profitable. And that’s where Judgment McCall like A-W-S-G-C-P and Azure, I don’t think are going to be aggressive and make people want to migrate off, unlike other startups that are still in that early, say, monetization or growth phase. So that was the third level, which was medium to higher switching costs. There are replacements available, again, A-W-S-G-C-P, Azure and others, but there’s no lead flow or customer concentration. 

Hiring senior developers can really move the needle in your business, but if you bring on the wrong person, you can quickly burn through your runway. If you need help finding a vetted senior results oriented developer, you should reach out to today’s sponsor lemon.io. For years, they’ve been helping our audience find high quality global talent at competitive rates, and they can help you too. Don’t just take my word for it, listener. Dylan Pierce had this to say about working with lemon.io. The machine learning engineer, they helped me hire was very professional and even learned a new tech stack to set up an environment to train and deploy machine learning models. He documented his work clearly so I could train it in the future with additional data. I’m super happy with the results. And longtime listener, Chaz Yun hired a senior developer from lemon.io and said his hire quote, definitely knew his stuff, provided appropriate feedback and pushback and had great communication, including very fluent English. He really exceeded my expectations. Chaz said he definitely used lemon.io again, when he’s looking for a senior level engineer to learn more and get a 15% discount on your first four weeks of working with a developer head to lemon.io/startups. That’s lemon.io/startups. 

The fourth level of platform risk is the one that I added for the WordPress kerfuffle. And here’s an interesting thing. I have an open source software like WordPress, and so that’s kind of vague as the fourth level. Here’s the thing, there’s no customer concentration, there’s no lead flow. The question is, is there a replacement? Is it easy to switch and is it priced the same? Well, open source software doesn’t have to be free as in price, free as in beer, but most of it is, I think the majority of it is. So price is probably less relevant. The question is how hard is it to switch and is a replacement available? And the further question that begs is, well, how deeply are you integrated? If we look at WP Engine, that is obviously reliant on WordPress. Couldn’t WP Engine just fork the WordPress code? I believe it’s GPL, right? 

They fork it now, I guess then there’s a whole plugin ecosystem. I don’t know what happened with there. So that’s an, I don’t know. It feels like there’s risk there, but they have options. If you were a SaaS company and you had built your entire SaaS or your, I guess no low-code SaaS or your entire productized service, say around WordPress, and suddenly WordPress changed their licensing or they, I don’t know, broke all the plugins that you use and they just broke your business, what would be the replacement for that? Well, you’d have to go and build it somewhere else, right? You’d have to go build it in no code, have code written, do it manually. I don’t think a replacement in this case, it’s the job to be done. I know Ghost is similar to WordPress, but the job to be done of what you’ve built in WordPress, I don’t know that it translates so well to just another CMS. 

And so this one’s interesting in that longer term, I have this at four right now, meaning it’s higher risk than say your A-W-S-G-C-P or cloud provider. This would’ve been probably down around two or three before the WP Engine, WordPress kerfuffle, and this is how weird these things are, is that given that WordPress has shown that they are going to be aggressive, not making themselves out to be a friendly platform right now. And so I think that is why for sure I kicked them up in terms of the actual risk, the big question is if you had a business built on WordPress, how hard would it really be to switch? And if oh, in a week or two we could build it in bubble, then this really should probably be down more around SendGrid. The number two right SendGrid SMS providers are where it’s a commodity and it’s easy to switch. 

That’s more of how I would feel about it. But if your business is a 2 billion business that completely relies on the plugin ecosystem and you’re at the mercy of WordPress than I do think that there is a significant level of platform risk. So level five is high switching cost, but there are replacements and there’s no lead flow or customer concentration. The best examples I can think of here are no code. It’s building on Airtable Bubble. I was putting Stripe in there. I don’t know that Stripe fits or doesn’t. I guess switching from stripe’s kind of a pain. And I guess it depends on are you in their subscription ecosystem as to whether it’s like a medium or a high switch in cost. But in any case, this is where in order to switch, you kind of have to rebuild everything from scratch, right? There is no export your code from any no-code platform I’ve heard of. 

And if you could, how do you import it into a different platform where it’s all just proprietary tech, right? And this again, is where the argument that some no coders make or just some people make is like everything has platform risk. And it’s like, yeah, but they’re not all the same. It gets worse if you’re a Shopify app, there’s a super aggressive platform that’s worse than all the ones that mentioned so far, and we’ll get to that one in a minute. And so the idea here is that if you’ve built a million dollar business and it’s a bubble app, how long would it take you to completely rebuild that in another platform if bubble 10 x their pricing if bubble went out of business, if Bubble had two weeks of outages and one might say, well, couldn’t AWS 10 X their pricing? Yeah, highly, highly unlikely. 

I just don’t see it. That’s not been the pattern. But what about AWS going out of business? Highly, highly unlikely. And that’s why I put ’em down at the two level and is AWS going to have a two week outage? Again, highly, highly unlikely. A small no-code startup is more likely to have any of those black swan ish events happen. And that’s why I have them at number five. Coming in at number six, I have all your leads coming from a single marketing channel such as Google. So basically it’s 100% lead flow risk. Now, I’m not including app stores in this like app marketplaces I will get to those are seven and eight, but in this case, I’m thinking of being solely reliant on a single flow of leads. And I think is that a platform risk? I do think there is risk there. There is no replacement usually, right? 

There’s no direct replacement. If you rank in Google and you get amazing organic search trying to replace that with something else, switching costs is irrelevant. You can’t do it, right? Customer concentration is irrelevant because they’re not reliant on Google once they come through SEO, but your lead flow and your plateauing feasibly, it could kill the business. And here’s what’s interesting is you’ll notice in these eight levels, the lower end ones are all kind of technology and it’s the business factors, it’s the growth and new customers and customer concentration that I’ve put at the six, seven, and eight spot. Those are the ones that are so hard to replace. And I’ve seen several businesses killed. You talk about Google changing their algorithm every what, 3, 6, 9 months and entire affiliate businesses that were doing millions of dollars basically go to zero overnight. So the reason I have this as number six is that if bubble 10 x their pricing or had a big outage, you could rebuild that. 

And if you’re hosted on AWS or using SendGrid or using WordPress, you can rebuild it. The risks are there, but they’re lower than if you lose Google where there is no replacement and you lose all your organic rankings, it can be existential to the business. The seventh level of platform risk, I’ve put a friendly app ecosystem. So an example of this is Heroku, like Heroku apps in general, thrive. Heroku has not, at least to date, and this could change, but they have not screwed their developers unlike number eight level of platform risk or aggressive platforms. But Heroku is one example. I’m sure there are many, many others. In fact, we have a list of I think 80 SaaS marketplaces and it’s microcomp.com/latest/ SaaS dash marketplaces. We link it up in the show notes, but there’s Salesforce app exchange, Zoho Marketplace, HubSpot app, marketplace, Pipedrive, less Knowing, CRM, Microsoft App Source, slack app directory, on and on and on. 

There are 80 of ’em. I won’t read them here. And look, here’s the thing, can I name all of the ones that are friendly and all the ones that are aggressive? No, I don’t know enough about them. I would guess that big companies like Salesforce and now Slack because it’s owned by Salesforce are kind of a pain in the ass. And if they’re not yet that they will become that. And I would guess that smaller companies and those that have not yet been acquired by a bigger player, a public company or private equity are going to be likely more friendly. But those are just guidelines. If you think about this, it’s theoretical in a way of like, well, a friendly platform is friendly until it’s not, and that’s really what platform risk is. When we think about the aggressive platforms that I’ll name in level eight, they all were friendly at one point. 

And so that really is the scary part of being built on in that marketplace and why being in a marketplace holds the seventh and eighth spot in terms of platform risk. And the eighth and final level of platform risk is of course an aggressive platform. This is where there is no replacement. You basically have a hundred percent customer concentration. You have a hundred percent of your lead flow from this platform, and the platform is not developer friendly. So this is Shopify, Twitter, Facebook, I’m sure there are more that I could pontificate about. I’m naming these because they have completely decimated companies that we’ve heard about or that I’ve invested in. You hear Jordan Gaal talk about Shopify coming after Cart Hook, and that’s not the first nor the last time that Shopify will do that. We heard Twitter jerk around anyone using their API once Elon Musk bought it, and I think they did this. 

Didn’t they do this about eight or 10 years ago with Twitter clients? I actually don’t remember, but they did something big back then. Facebook, do you remember? I think it was Zynga, right? It was doing tens of millions of dollars on the Facebook app marketplace, and Facebook just pulled the rug out from under room because they don’t give a shit about their developers. I mean, they’ve been pretty obvious about that. They care about Facebook and no one else. And so there are other aggressive platforms. Again, I do not have an exhaustive list. I just don’t have experience with all of the 80 platforms that we’ve listed at that MicroConf link I said earlier. And so this is where there’s just an existential risk if that you have a Shopify app that’s doing millions of dollars a year and they come and knocking, you’re getting all your leads from them, your customers are concentrated on their platform, and there just literally is no replacement. 

There’s nowhere to switch. Again, we can say, oh, we could go to BigCommerce, WooCommerce, and these other things, but it’s not the same. That’s starting a brand new business. And that risk that we’ve seen play out many times, and that’s why these app marketplaces are number eight in my list of eight levels of platform risk. Hope you enjoyed this episode. I think the list is directionally correct, and I could see either there being another one added if someone were to email in question that started For the Rest Of Us dot com, or you hit me up on X Twitter at Rob Walling, I think there might be another one that I’ve maybe not thinking about, or I could see them gently reordering. There is a little bit of an, it depends, right? I said it’s like if you’re built completely under WordPress and completely in it, it depends on is your switching costs low, medium, or high to rebuild it somewhere else? 

That could move that one up or down by one, but it’s not going to move it to three slots. It’s not going to suddenly become as bad as having a Shopify app where they are just known to be really aggressive with it. So that’s what I mean when I say I think the factors are in line, and I think the list is pretty tight. And again, directional correctness such that next time someone on X Twitter says everyone has platform risk, you can chime in with, well, there’s different levels of it, and here are eight of them. This podcast episode, they’ll obviously be listed out in the show notes, and I’m certainly going to be referring back to this in the future, probably included in a book or course at some point. I do think it’s helpful for us all to have a paradigm in a framework around it. So thanks so much for listening this week and every week. It’s great to have you here. This is Rob Walling signing off from episode 735.