Hi Dave,

What we've realized in creating our products is that one of the most important things is buy-in from the people who are supposed to use the system. If the person setting up the software can't get the rest of the organization to use it, it falls flat. So we try very hard to make sure that all users of the software feel comfortable with it. This, in our minds, include respecting the privacy settings of everyone using the system.

If Highrise didn't do this, people who desired to keep things private would just do it outside of Highrise. They'd keep in their own personal file on their own computer and would use Highrise even less. I don't think anyone would win from that.

I certainly can't tell you what's right for your business. I absolutely respect that Highrise is not a good fit for you. I will note, though, that Highrise is the fastest growing product we've ever had and that small businesses are by far the dominant customer group. Again, that doesn't mean it's right for you just because it's right for others. Just sharing that to put this in context.

Also, I think the main point here is that if an employee wants to hide an interaction or a contact or an email or anything else, they're just not going to use systems with corporate surveillance. So if you want to send a private email, you can use your personal gmail account instead. If you want to store a price file, you can use your personal dropbox or whatever.

The point being that no controls in any software package can stop employees from willfully hiding things from their employer. That's a game you're never going to win. Instead, I think it'd be better to simply rely on policy. Your policy can be that "do not store private notes that I don't have access to in the system". If people violate that policy, they can get reprimanded or even fired.

In any case, I do appreciate the feedback on this. We're certainly not right all the time. And we're definitely not right for all the people all the time.

Well, this is nothing new of 37signals. They do have some very loyal customers, but quite a few are put off by the kind of arrogance and know-all attitude they exhibit (like on the forums). There are plenty of instances. Yet, at the end of the day, their products sell well, and I guess it will remain that way for some time to come.

Having used Highrise for a month now I must agree with the author's security points. This morning I thought through the process of using an outside contractor to perform telemarketing. No can do with Highrise; too risky. I'll be moving on shortly and it's too bad because the sales people love it. Salesforce has done a great job of making a once understandable tool into a house of mirrors. I went with Highrise because I don't have the time to learn to Salesforce even though it's pricing is small business acceptable.

One measure of protection for Highrise's data insecurity is to export it every day. The Admin can see all contacts. A sales person could keep a tandem database of contacts no matter what CRM tool the company uses. Highrise just makes it ridiculously easy to do.

DHH is completely missing the point and on multiple levels.

1. A corporate CRM system is not intended to store personal information. Contacts and all other data stored in the system is owned by the company, not the individual. Most employment agreements make this point explicitly.

2. The issue is not whether or not users have a right to privacy. It is whether the system provides a comprehensive security architecture or not. And Dave is right, High Rise does not. Even very small businesses who have only 2 or 3 sales people require the ability to prevent individual sales people from accessing other sales people's leads, customers, and deals, while at the same time providing the sales manager, usually the owner of the company, with complete visibility of all the sales activity of all the sales people.

3. In High Rise data access control is placed in the hands of the individual user and is managed on a record by record basis. Not only is this a risky and inefficient method of access control, there is no method provided by High Rise to identify who has access to what records. This is a gaping security loop hole.

4. A comprehensive security architecture with access control rules that can be applied efficiently and consistently across all users and all records in the data base is something completely different from a "corporate surveillance" system. The issue is not whether big brother is watching. It is that you cannot manage your sales team, sales processes and customer support procedures effectively without a security architecture.

In addition to the points Dave makes, I would argue the single biggest drawback to High Rise from a sales management perspective is the lack of ability to manage the sales pipeline and sales process.

In High Rise revenue is tracked with the Deal record. A Deal can be of one of three types, Pending, Won or Lost. You can filter Deals by any of these three criteria. This is probably sufficient if your sales cycle is comprised of only two possible stages, 'Pending then Won' or 'Pending then Lost'. But most sales processes are far more complex. Furthermore, there is no way to sort Deal records by the dollar amount or any other value. Nor is there a way to project a future date that a deal is expected to be closed. And since users can determine whether or not a Deal is visible to other users, such as the sales manager, it is not possible for the sales manager to get a reliable answer to even the most basic queries such as; "How much revenue is Joe going to bring in next quarter?" Or, "How many of our deals are in the final negotiation stage and need to be closed this month?" Or, "What is the total value of our pipeline for this year?" To be fair, you can filter Deals in High Rise by historic time frames, but not future time frames.

Other major drawbacks: no way to distinguish leads, suspects, prospects, etc. from customers, no ability to capture leads from web sites, no outbound email, no reporting capabilities of any kind, no ability to assign and track performance against quotas, no customization capabilities of any kind, no ability to sort records in any way other than alphabetic order

I think High Rise is OK as a contact manager, especially for individuals or small companies who do not have a requirement to track the sales pipeline or manage sales people. But, I don't see it as a viable CRM or SFA solution for the reasons listed above.

I have been using Highrise for almost a year now and although I continue to use it, it's not because I like it. It's because it is entirely cheap and easy to use. At my corporate day job, the org uses Microsoft CRM and I have to say I like it much better. Of course, we're comparing peanuts to caviar here in pricing. In a start-up environment Highrise CRM does a good job at what it's mean to do. I agree with Dave and some of the other commenters. It would only take a little bit to make this product better. Security and better role permissions would definitely help. The interface is also cumbersome without any flexibility. Overall, Highrise's strength is it's simplicity and it does well in the low-end CRM segment. If my company grew, I wouldn't hesitate to move onto another product.