
What are the real risks of AI-generated code and “vibe coding”?
In this episode, Rob Walling is joined once again by fan-favorite Derrick Reimer to answer a fresh batch of listener questions. They dig into solo vs. co-founder trade-offs, managing scope creep, and how integrations can shape early traction.
Want to get your questions answered? Drop them here.
Topics we cover:
- (2:33) – Do you need a co-founder to succeed in SaaS?
- (5:18) – The Risks of AI-Generated Code and “Vibe Coding”
- (13:50) – How to manage scope creep as a solo founder
- (23:32) – Finding and retaining great contractors
- (39:43) – How to build a startup culture with a bias for action
Links from the Show:
- MicroConf Europe | Istanbul, Sep 28-30, 2025
- TinySeed Tales Podcast
- MicroConf Connect
- TinySeed Fund
- SavvyCal
- Derrick Reimer | LinkedIn
- Derrick Reimer (@derrickreimer) | X
If you have questions about starting or scaling a software business that you’d like for us to cover, please submit your question for an upcoming episode. We’d love to hear from you!
Subscribe & Review: iTunes | Spotify
You’re listening to another episode of Startups For the Rest of Us. I’m Rob Walling, and today I’m joined by fan favorite Derrick Reimer. As we dive into listener questions, this episode runs a little long, and I let it run long because we dove really deep into a couple of these questions, and I felt like the deeper we went, the more kind of knowledge we unlocked. So I really appreciated Derrick spending the time with me today and going over our allotted time, and I hope you’ll stick around to the end even though it’s longer than a typical episode, because I really do think some of the things we dug into today are far beyond the surface level of what we could have dug into by only spending five or six minutes answering each question. Before we dive into our conversation: MicroConf Europe is only six weeks away.
It’s in Istanbul, Turkey from September 28th through the 30th. We already have an amazing docket of speakers, including Michelle Hanson, Mark Thomas, James Mooring, and myself. We’re going to have more than 170 attendees, and last year we had folks from across 30 countries, and something like 25, almost 30% had at least a hundred K of MRR, not ARR. So it’s a really amazing group of bootstrapped founders to be in a room with. This event will sell out, and in fact, we are 89% sold out at this point. We’ve sold out all of our in-person events for the past few years, so if you want a ticket, you’re going to want to head to MicroConf dot com slash Europe. In addition, I want to tease that we are going to be releasing the first episode of season five of TinySeed Tales on Thursday, so keep your eye out for that in this feed. I hope you enjoy the new season. And with that, let’s dive into my conversation with Derrick. Derrick Reimer, welcome back to the show. It’s
Derrick Reimer:
Great to be
Rob Walling:
Back. It’s great to have you, man. We are digging into listener questions today. We have some across some great topics, like how crucial is a co-founder, how can I balance security with producing products, and many more. And our first comes to us from Thomas Parker. I’m hoping I’m pronouncing his name right, but he’s asking how crucial it is to have a co-founder.
Speaker 3:
My name’s Thomas. Thanks for all the value you create and share. A friend told me about TinySeed when I was starting my project Prism, which you can find at Prism Guide, last fall, and I’ve gotten a lot from the podcast since then. I’m wondering how crucial you think it is to have a co-founder, especially in terms of general success, but also in terms of being a company that TinySeed would potentially fund. I have a 15-year career in the niche world of self-directed education, where I co-founded an education model and nonprofit network called Agile Learning Centers. I’ve worked on tech projects on the side as a product or project manager, but I’m not a developer. This past fall I realized I had enough technical knowledge that, with some AI coding tools, I could probably build an application that could solve some pain points that the school my wife and I run has had for over 10 years as it relates to documenting and communicating the value of emergent self-directed learning.
I was in a cave for 10 weeks with Claude. I had a friend who’s an experienced engineer give me advice and check my work along the way. Fast forward seven months and I’ve got a dozen micro schools using the application and a bunch more planning to use it this fall, along with verbal commitments to pay for it starting in September. It’s currently July 4th. I thought that after getting this first version up and running, I would definitely need a technical co-founder to depend on, but now, after building a lot of new stuff, especially with Claude Code, and having another friend check the work, I’m starting to wonder if maybe I don’t. Of course, I’ve tried to poach friends from their high-paying jobs, but no dice. I don’t want to work with the wrong person, but I also love the idea of having someone that I can really depend on and think deeply about the product with. So should I keep sailing or hit the brakes and find a technical
Rob Walling:
Partner? And I want to say one thing before I pass it to you, Derrick. I actually think this is maybe two questions. One, there’s this idea of just having a co-founder, period. The other is having a technical co-founder if I’m not, and I’m building SaaS specifically. So maybe we can separate those two and you can answer one or both. I’ll just kick it to you, and then I obviously have some thoughts of my own.
Derrick Reimer:
Yeah, this is an interesting one, I think, because even you and I, in listener questions before, have talked about co-founder dynamics and having ’em, but I think the interesting piece here is sort of that line of thinking around, okay, but we’re kind of entering a brave new world here of AI tooling that allows non-technical people to get really far with building software products, whether you call it a prototype or an MVP or even pass it as a full-blown production-grade application, doing this without necessarily having the rigorous oversight of someone technical on the team. And I think that’s really the interesting of-the-moment bit here, and I don’t want this to come off as disrespectful at all to tenacious founders who are doing this and building products without having someone technical on the team. But in general, I find this a bit alarming.
I feel like I always have to put a timestamp on this. We’re talking mid-summer 2025; things might be different in three months, six months, a year, who knows where tooling’s going to go. But at least in this moment, I’ve worked a lot with LLMs helping me write code in my various products, and I would say I would have a hard time trusting an LLM to produce code that is necessarily up to snuff on security and just maintainability in general. I think there have been a lot of memes passed around over the last few weeks and months about apps that are vibe coded that then people are hacking really easily. So especially if you’re not prompting an LLM with the knowledge that a developer would have, you don’t necessarily know what to ask it to do in terms of making sure that authorization and access are locked down on all endpoints, and just all the different things you would think about as a web developer.
The LLM may not know if that’s a priority for you, and if you don’t ask it to do it, there’s a chance it won’t. These types of things don’t often get caught until someone pops open the developer tools and looks at the API requests it’s making in the background and discovers, oh, you have this unsecured endpoint where I can query all your users or whatever. So I think there are a lot of reasons to be concerned about trying to go deep into production with a code base that hasn’t been at least kind of curated by a developer. I know you mentioned he has a friend who’s a developer who’s kind of spot-checking his code, and good on him for doing that, but I think if you’re going to build a SaaS, it’s worthwhile to try to have someone on your team as soon as possible who is kind of in charge of the technical side.
I think there’s also the piece that most of these tools today that help you build a V1 of a product are kind of effective because they’re able to hold most of the product in the context window of the LLM. So in the early days, it kind of knows everything all the time and it can keep building stuff, but as soon as your code base gets sufficiently large that it doesn’t all fit in the context window, that’s when figuring out how to basically manage the context gets more and more difficult, and it starts producing things without necessarily knowing about this other area of the code base that’s not in context. And so you start getting spaghetti code, duplicate code, things that are not well factored, and I think that’s kind of a hard cliff that a lot of people are bumping up against these days. Now maybe we’ll get to the point where there’s nearly infinite context and this is not a concern anymore, but at least for now, this could be something unforeseen that will catch you out when suddenly the AI is not really able to produce features like it has been in the past because you reached this hard limit.
Rob Walling:
Yep, a hundred percent on the same page. And what strikes me is the conversation you and I had two, three months ago. Well, it was the whole D&D group, and you specifically were talking about your process with how you use AI to help augment and make you faster at writing code. I haven’t done it, right? I haven’t used AI to write code, and you basically said, yeah, tell it what to do, and then I look through it and I’m like, oh, it did all this wrong, and then I tell it to fix these things, and then I make sure that it’s fixed. You as the super senior dev are spot-checking and making sure of its security, its maintainability, its ness, its whatever else, and you’re sanity-checking that. It’s the same way where if I ask ChatGPT to help me outline a YouTube video or to help me brainstorm blah, blah, blah, or I have a tweet I want to say on this thing, like write the tweet, I then look at that and say, man, it really messed up by my, I have a taste, I have an editorial eye.
I never copy and paste straight out of ChatGPT into anything. It’s never a hundred percent there. It might get 90%, and in most cases it’s more like 75%, and I have to then tweak it and transform it to make it, to me, make it good, make it great. And so without that step, that’s where, as a non-technical or as an entry-level dev using ChatGPT, it’s kind of two entry-level devs working together is what it feels like. And here’s the thing, that can work. I’m going to do a metaphor here with construction, like constructing a building. You and I, as not, I mean, are handy enough to use a screwdriver and nail boards in the thing with a place. You and I could go out back on my property and we could build an outhouse. I would feel confident that you and I could figure that out.
We could watch YouTube, we could go to Home Depot, and we could even maybe build a tool shed from scratch. Now maybe it wouldn’t all be right angles, but we would figure it out. The moment that I said, dude, I want to build a two-car garage, will you come help me? That’s when I start thinking, exactly, it was like, no, this is not a good idea. Well, what if I was like, dude, I want to build a one-story house, come help me, a two-story house. I want to build a commercial building that’s three stories. I want to build a skyscraper. You can build, if you’re going to build a tiny little utility that converts PDFs to MP3s, which isn’t really a thing, but you know what I mean, cool, vibe code that thing. It does one thing. That’s your outhouse.
The moment you’re building SavvyCal, the moment you’re building Drip, you’re talking commercial buildings, you’re talking maybe not skyscrapers, but it’s a totally different thing. And so that’s where, as a non-technical founder, you just got to be really careful with this stuff. It can often work in the short term. You can get something into production that’ll work in the next, it’ll work for a month, it’ll work for five months, it’ll work for six months, and then until it doesn’t, bugs all over the place, until you change any line of code and it breaks six other places. AI doesn’t fix that. It’s the same thing we see with TinySeed companies. Across 204 companies we’ve funded and, I think, 300-something founders, 85 to 90% of the companies have at least one technical founder, and for the ones that don’t, the 10 to 15% that don’t, code maintainability, code velocity, security, just all this stuff is always their number one issue, inevitably. And so it’s not that we don’t fund teams with non-technical founders, but this will be your biggest headwind.
Derrick Reimer:
Yeah. Do you feel like, this is always the question, so you’re a founder, solo founder, at least like he is for the moment, and he’s considering, should I stop and try to find a co-founder? Or, I guess the alternative would be, maybe you find someone, a dev contractor who’s within a budget range that he could afford, and have that person start to take over the vibe-coded code base. Or how important do you think having someone with an equity stake is at this stage versus hiring contractors? Yeah, I can think of some folks that are good friends of mine that are in this seat of solo founder, and I’m sure they’ve struggled here and there to even know how to hire developers. So that’s something that’s tricky, right? So yeah, how do you think about this?
Rob Walling:
That’s always a hard part, and that’s usually the issue with folks who, let’s say pre-AI and pre-no-code, well, not pre-no-code, but before no-code got really good at building stuff. Even three, four years ago, a non-technical founder would hire a freelancer, a contractor, because again, alright, so I’m going to build a one-story house or a two-story house. I’m not going to ask Derrick to come over, but I am going to hire a single carpenter off of Craigslist and say, come build that house. Do they know how to architect a house? Do they know structure? They don’t. They know how to write some code, is the analogy. And so a carpenter can nail boards together and will know some stuff, but that house is not going to be what it should be. You really do need expertise in a team of people, and that’s product and all the other stuff.
That is the tough thing: how do you know how to hire a developer who really knows what they’re doing when you don’t know what you’re doing? Now you can get a friend, or you can hire a super senior dev to help you interview, and it might work out. In most cases, that person stays with you for six to 12 months, then they leave. Then the next person you hire says, we need to rewrite this entire code base from scratch, it’s completely, I mean, I see this over and over and over, which is always like, oh boy, this is the headwind, right? So this is one of those tough things. If I were to say, I want to, me, Rob Walling, I want to get into manufacturing, I’m going to design and manufacture tabletop board games, or I want to design and manufacture hardware of some kind, I have no experience doing that.
So it’s like, should I learn it? I’m not a designer. Should I learn design, or should I go hire a designer? I guess design’s a tough one. That’s one you can just identify. This is where some of the analogies break down: there’s no long-term maintainability of design. If the design is good and I see that the pieces look good and the board looks amazing, great, ship it, it’s a game. Code, much like a building, has this under, what is it? It’s like the iceberg. There’s stuff under the water that you don’t see that will get you a year down the line or two years down the line once you’ve had success. So we’re pretty doom and gloom on this, and it’s not always the case, but it is the majority of the cases where not having a technical co-founder really can come back to bite you.
Derrick Reimer:
Yeah, I mean, I think about how hard, even being a developer, how hard it is to keep a code base maintainable. And I would argue most developers don’t have a code base as maintainable as they would want it to be, because you make decisions, and then you learn some things, and a year goes by and you learn more about what features you maybe should have built from the beginning, and now they’re bolted on in a way where you’re not quite happy. But you’re constantly making these practical decisions of like, I’m not going to go back and rewrite this entire subsystem, it’s not worth the effort. So instead we’ll bolt the thing on, but it’s not as pristine and perfect as it could have been. And then you just layer those decisions on again and again and again over the life cycle of a product, and before you know it, you’re always contending with a certain amount of technical debt that you don’t want to have around, but you can’t justify pumping the brakes on the entire business to go and pay down that technical debt. So yeah, it’s just a lot to think about even as a developer, and if you don’t have a developer on the team, the AI is not going to be, the AI is just, it’s just fancy autocomplete, really, for thinking about it. So it’s not necessarily, yeah, it’s not thinking about these things.
Rob Walling:
And that’s the thing. Back to your earlier question, which I didn’t answer, which was, could you hire a developer, and how important is it that they have equity? In my opinion, this is one of these things where this is not an always-absolute thing. You just hear there’s a leaning; I’m like 90%, 95% on these opinions. There is a little wiggle room. I have seen some work; I’ve just seen so many not work. For me, if I was starting a SaaS tomorrow, I would want to be working with a developer who had ownership of that code base and who had equity in the company, and I would find that person, is what I would do, especially if I’m not going to write the code. I can’t imagine doing it any other way and having it work long-term. It’s the thing, it can work in the short term, get the MVP as you said, or get just enough to prove it out.
But it’s likely, if they don’t have equity and want to be in it for the long term, that you are going to have to rewrite it. And we see this; we’ve funded a handful, and I don’t know the exact numbers, but it’s five or less, of no-code bases, no-code apps I guess I would call them. They’re built in Airtable, Bubble, that kind of stuff. And all of them have been rewritten or will need to be rewritten. It just doesn’t work when it’s a pure SaaS play. If you’re a service on top of SaaS, it’s one thing, you can manage it, but I think it’s just too core to the business to not have someone have ownership of that. It’s kind of like saying, I’m going to hire my first salesperson right now and have them do all the selling, and it’s like they don’t even know what you have. As a founder, you kind of have to do that.
Derrick Reimer:
I will say, on the non-doom-and-gloom side of this, I feel like five years ago we would’ve said, try to prove out your idea by building something, cobbling something together with spreadsheets and a Google Doc and a Google Form or whatever, naming the tools du jour from that era. And I would say now it’s a lot easier to build something that looks a lot closer to a full-blown production app as your prototype for proving something out. And so I think that’s still a good thing, and that will help you do your validation efforts better. And then I think the big thing is having the restraint to not keep a prototype in production if it’s not actually up to par on what you want to maintain, but you should probably try to make that decision as early on as possible. I think it’d be pretty painful if you take your prototype and then you end up bringing it into production and you go a year, two years in where you have all these customers using this thing, and then you have to stop the world and rewrite.
That’s going to be pretty painful. I’ve always been a fan of the product you build from the start: try to keep that code base and not have to scrap it and start over if at all possible, because you build up so much knowledge, and you pay down, you find bugs and you fix them, and all of that gets lost if you scrap the code base. So yeah, I think that’s the tricky thing, and maybe this code base that has been built by the non-technical founder is still usable and moldable into something else. It’s possible you might be able to hand that off to a developer and they can sort of continue maintenance of the same code base, but I don’t know. I would be thinking about trying to do this as early on in the life cycle as possible, once you’re sure, like, yep, we’re going to go forward with this as a business.
Rob Walling:
And I like what you’ve said about the plus side, that the tools today are so much better than they were five years ago, whether it’s AI or no-code. They are; you can build full-blown line-of-business apps now. We have several within MicroConf and TinySeed that were built by non-technical people who just kind of figured it out, and we use ’em, and we didn’t have to pay a bunch of money to have ’em built, and we certainly are not paying a third party. And that’s the thing: not only for validation, but if you get to 3K, 5K MRR with something that’s clunky, but it’s a tool shed or a garage that you’ve built with AI, that’s a lot of validation there. Now, standing still for six months to rebuild it, which is usually about what it takes from what I’ve seen.
Again, this is not a tiny little utility that does PDF to MP3 conversion. This is a real app that actually has logic and such. Standing still for that time can be painful, but what other option do you have? You’re a non-technical person starting a SaaS. There is a headwind there, for better or worse. So thanks for that question, Thomas. I hope it was helpful. And I think the second thing we never, this is the longest answer ever to a question, but the second thing we didn’t address was just having a co-founder in general, and he asked specifically around TinySeed funding. So we have funded gobs of single-founder companies, and I don’t remember the exact number, but it’s probably 50%, if I’m guessing, are single founder and another 35% are two founder, if I were to just ballpark it. So that puts us to 85, maybe even more.
Maybe it’s like 60/35 or something, probably not, but you get the idea: it’s half or more are single founders, and that’s fine, especially if you are a technical founder. The biggest challenge of being a single founder is it’s kind of lonely. You don’t have as much of a sounding board. Now, you can have advisors, investors, a mastermind, a partner, just friends, a network of smart people that you can reach out to, especially if you’re in, obviously if you’re in a network like TinySeed, you have a ton of smart people you can reach out to, but even in the broader MicroConf space or whatever. But the loneliness and the I’m-all-on-my-own thing, it can get old. Some people love it, and most people eventually find that it’s a little bit of a drain to not be able to celebrate the wins with someone and to also go through the hard times with someone. You and I have both done both. You’ve been a single founder, as you are right now. You and I were together on Drip. I’ve had both single founder and co-founders on my stuff, but what’s your reflection on just that difference?
Derrick Reimer:
Yeah, I see the pros and cons of both, and obviously I’ve done both in different seasons. For me, I love working autonomously because I can move so fast and I can kind of stretch my abilities in a bunch of different areas, and I find some joy in that for sure. But I also think, on the flip side, the really hard part about it is it takes so much activation energy all the time from the founders of a company. I don’t think the same thing comes from employees. It has to come from the founders or founder to just keep the energy going behind a company, and you’re usually going to have one bias in one direction. Mine is definitely, I’m biased towards building, and the business and marketing side is a necessary thing because I’m building a business and I’m not just building a product with no customers.
So what that means is I’m constantly having to fight against my desire to just build more, and to focus on the other areas. And if I had a co-founder who was the kind of classic split of one person in charge mainly of product and dev and the other person in charge of sales and marketing, then you can both kind of default to your zone of genius, and that’s where you spend most of your time, and you both deploy your founder activation energy in that direction, and it’s a great thing. So I think, yeah, it’s a challenging road to be a solo founder, especially if you find yourself kind of in the midpoint cycle of a business where it’s like, we just kind of have to muscle through this and keep going and keep mustering that activation energy, and balancing the zone-of-genius thing and being willing to devote a good chunk of your time towards an area where maybe you don’t feel like that’s your passion, but it’s necessary for the business.
Rob Walling:
That’s a good summary. So thanks for that question. Hope it was helpful. We’re going to bounce to our next one. This is from Kelly about how to balance security with producing products.
Speaker 4:
Hi Rob. I’m a software engineer, and I would love to start my SaaS journey through contracting. I have a family member who is in an underserved industry that could use a lot of help when it comes to automating mundane tasks and creating workflows. I know how to automate tasks for myself, but how could I possibly make and package something for someone else in a secure manner? I feel like I need a degree in cybersecurity before ever feeling qualified to produce something for a customer. Will I ever reach a point of, okay, this code is safe? It feels like code needs to be absolutely perfect before shipping, so I become too scared to even start. I fear I will spin my wheels and never ship anything because it will never feel secure enough. Love the podcast. Thanks so much for all your help and
Rob Walling:
Insights. I liked her phrase about getting a degree in cybersecurity or something like that. So as always, this is that balance of risk versus reward and what you’re willing to take on. But Derrick Reimer, you have shipped many, many applications, including very complex ones, into the wild with real live customers, and you do not have a degree in cybersecurity, nor do I. How do you think about
Derrick Reimer:
This? Yeah, I find this funny too, that this follows the previous question where we’re kind of talking about vibe-coded code bases and how they’re a little lax on security. And then here we have the other side of it, where I think Kelly identifies herself as a software developer. I don’t know what her exact experience is, but she has the technical background and yet is still nervous about the security risk of shipping code into production with real customer data. And I can definitely empathize with that. I mean, I feel like I’ve had to fight malicious actors in all the businesses I’ve had, whether it’s spammers trying to abuse our systems; that’s usually how it plays out. To my knowledge, I’ve never had someone try to hack a database and successfully get into any systems, but just knowing that at all times there are bad actors out there scanning the internet, trying to break into web applications, can be a bit unnerving.
So I have a couple of thoughts on this. I think you’re probably, again, I don’t know your background exactly, but you’re probably more qualified than you think you are. I think these days, as we’re learning about web development, a lot of these things are just sort of baked into the frameworks that we’re already learning. So if you’re using Rails or Laravel or Phoenix or any of these modern frameworks, they come with a ton of best practices baked into them, because there are just so many developers using them all the time, and most of us don’t have that degree in cybersecurity. So we’re having to lean on the tooling that the open source community has kind of collectively pulled together. And these days, all of these major frameworks have so much built in to save you. I remember back in maybe the 2000s or something, people were dealing with SQL injection attacks all the time, where people try to paste in a string to hack an SQL query.
And these days I would say 99% of web developers are just using ORMs, the object-relational mappers built into the framework, and that handles all of the escaping and sanitizing of user input. So the odds that you’ll run into an SQL injection attack are very slim if you’re using the baked-in tooling that has been heavily tested and just kind of patches over a lot of those problems. The other thing I think about is kind of leaning hard on platform as a service whenever possible for actually deploying stuff, and kind of keeping your infrastructure as simple as possible. So these days I don’t stand up my own EC2 instances and make myself be responsible for patching the firewall and making sure that there are no open ports and all that kind of stuff. Like, yes, you can do that, but it’s extra time, and there is that fear that you’re going to miss something, or there’s some kind of operating system patch that you didn’t apply in time.
So rather than worry about that, these days I like to lean on platforms as a service that I trust that will manage all those aspects for me, and it just keeps things simple. Now it’s their liability to make sure that the OS is patched and that the firewalls are in place. And of course, if you’re choosing a reputable one, they should have all that stuff documented about their process for it. And there’s a handful of these that are very well established at this point. So that’s the approach I choose. Same for the database. I don’t stand up my own servers to run my own databases. I use a managed database host that has all of their firewalls locked down, and really what you want to be concerned with is where data lives and where it flows. So if you’re using managed providers for your servers and your databases, and you can kind of easily map how the data flows between them, you’re going to be in pretty good shape.
Rob Walling:
That’s a great summary, but Derrick, isn’t everyone moving to rolling your own hardware? You want to go bare metal hard. You see this online, and it’s like, dude, if you have a hundred million dollars in ARR and you’re bored, you should go roll your own hardware. You know what I mean? Have I already talked about this on the podcast, or has it just been private, where it’s like, come on, man, it’s not a good use case for 99% of bootstrappers?
Derrick Reimer:
Yeah, ultimately, I think the only justification you can really make for it is, one, if you just want the technical exercise of doing it, but two, if you want to try to save cost, and at the scale that I would say 99% of listeners of this podcast are at, it’s not worth trying to save the cost. Just lean on these companies that are building this tooling and assuming all the liability for it. There’s a huge incentive for these platform-as-a-service companies to not have vulnerabilities, and I like to rely on that
Rob Walling:
Big time. And you and Al, even with thousands of customers paying you, you’re still able to afford, like, a PaaS is not a blocker for you. With Drip, we started on Heroku, and Drip was very big and very complicated, and we did have to migrate off within the first year, I think, which was a pain. I remember that being a big hassle, but I’m glad we started where we started. It got us there quick. We didn’t have to roll our own stuff. And frankly, maintaining the DevOps effort from then on to maintain our servers was necessary. It was a pain in the ass.
Derrick Reimer :
Yeah,
Rob Walling:
It was a pain in the ass. If we could have stayed on Heroku, even paid Heroku quite a bit of money, we would’ve done it. So it’s another reason I appreciate Kelly’s question, and I think you’ve covered it quite well.
Derrick Reimer:
I would say it’s the kind of thing where if you have to ask the question, then that means you’re probably in a pretty good position to build something that’s quite secure. It’s when you’re not thinking about security at all that you’re going to run into problems. So just the fact that you’re asking is a good sign, and if you feel like there’s some fundamentals that maybe you’re missing, I’m sure this is not a great answer, but I’m sure if you just Google for a basics-of-web-security kind of course or something like that, there’s got to be some things out there that outline these are the top things to be thinking about when you’re trying to secure a system, just to give you that primer.
Rob Walling:
Yeah, so I hope you appreciate that answer, Kelly. Obviously we’re not security experts, nor are we lawyers or anything. A lot of it is around risk tolerance. And frankly, when I was a contractor consultant writing code for dollars per hour, we had the gold-plated version of the software, which is like, oh, we’re going to spend, this was back in the early two thousands, so it’s like an extra 20% to write some tests and an extra 20% to do a ton of security, this and that. And the quote got bigger and bigger and bigger, and it’s like it’ll be relatively secure, it’s .NET, and we follow best practices. So even without that extra 20%, it’s generally secure enough, but if we spent that extra 20 grand or 40 grand or whatever, we can really lock it down. And that’s kind of what you’re balancing here is, how much effort do you put in? Do you have an LLC right now versus just being a sole proprietorship?
Do you have insurance? I forget what all the insurances are around a business. We have an operations person that handles that, but there’s two or three types of insurance. Do you have those from day one with zero customers? Most people don’t. Not to say you shouldn’t. I’m not giving you advice not to, but that’s kind of where we are, thinking about how far we go to fix problems that may or may not happen at this point. So thanks for that question, Kelly. Our next question is another question about security. This one’s about security and compliance objections when bootstrapping enterprise SaaS. Steven says, I’m building an app and the ideal customer I’m targeting works in sales at enterprise companies. I’m trying to bootstrap, but one objection I’m encountering is that these enterprises have high bars for security and compliance. For example, they expect any new vendors to have SOC 2 Type 2, ISO 27001, I dunno if I’m pronouncing that right, and/or GDPR compliance. ISO 27001. I don’t know how you would say that. 27001. How have you seen bootstrapped startups tackle these requests? Even though they’re not my ICP, would you just sell to SMB and mid-market until you had enough revenue to invest in these kinds of security audits? I’ve seen all manner of approaches to this, but how have you thought about this?
Derrick Reimer:
Yeah, I think so. Some of this is from my own stuff. Some of this is just from talking to other TinySeed founders who have been dealing with this lately. But I think one, I would try to assess how vital is having these formal certifications, how much do they actually care? Could you potentially get by with a really robust set of security documentation and policies, showing that you have an incident response plan and yada, yada, yada, all the different things, the policies that these formal frameworks want you to have in place? Could you get by with having some of this stuff without investing in the full audit? Maybe that’ll still get you into your ICP, but you’ll probably still deal with some objections. But is that enough to get started and maybe get your first couple of customers? And assuming you are charging a high enough price point, which this sounds like true enterprise, so this should hopefully be a decently high price point, then you could maybe use that to parlay into a more formal security audit to get formal certification.
The thing that I’ve learned from other founders who have, at a relatively small scale, actually gotten SOC 2 certification is that it’s not as bad as we make it out to be. Yes, it’s a lot of paperwork, it’s annoying, especially for us impatient founder types who have a real hard time slogging through a lot of paperwork that feels like security theater, but in reality, it’s not unattainable. There’s platforms that have all of these documents that you’re going to need for the audit cataloged, you pay them for it, and then you get these checklists and you can go through one by one and set all your policies and wire up all of your hosting platform for making sure that you have all the controls in place in your systems. So there’s a lot of automated tooling around it. And then it’s just the expense of paying for the audit, and you generally get your own auditor for these things.
So you don’t want to go too cheap to where people won’t trust the audit that you have, but you also don’t want to spend hundreds of thousands of dollars on an audit that’s way too expensive. So you need to try to find an auditor that’s within a budget range that you can accept. But basically I think this is more of a speed bump than a roadblock, to use Rob Walling parlance. And if you’re truly selling to the enterprise where the price point supports it, then I wouldn’t be too afraid of trying to get some of these certifications.
Rob Walling:
Yeah, I’ve seen a mix. I’ll be honest. We have some TinySeed companies that get it pretty quickly. Some TinySeed companies take the money, our money, and put it towards SOC 2, because I believe the initial cost is what, 20 to 30 grand maybe? And that’s a lot for a bootstrapper out of pocket. But if you take TinySeed money, it can help you get it. And if it really is an issue, it gets you a long way to the second part of his question, where he’s like, would you sell to SMBs and mid-market even if it’s not in the ICP, in order to get enough revenue and prove it out? I might. Yeah, I would have to make that decision if truly the enterprise is my end customer and, as you said, truly they are going to want SOC 2 or something, especially from a little no-name startup. There’s a reason, because everyone’s scared of data breaches, and they want to know you have it.
It’s just hard. It is difficult to bootstrap a business when you need that. And so most of the companies that I see, most of the TinySeed companies that I see thinking about SOC 2 who have not gotten it yet, it is because they have a non-enterprise ICP that is building their MRR in the meantime until they can justify getting SOC 2 Type 2. If you never sell to enterprise and you don’t need SOC 2, don’t get it. It’s a pain. This is just my advice, I should say. I wouldn’t get it if I didn’t really, really need it. As you and I both know, we hate heavy process and security theater. It’s not that bad, but it really is just stuff. I didn’t get into startups, I didn’t get into building my own company, to do that. But with all that said, generally it’s probably a good thing for the industry.
It ensures that folks aren’t just going willy-nilly and building AI prototypes and pushing them. I don’t think you can get away with that, talking back to our first question. So yeah, it’s a tough balance and it is kind of a bootstrapping conundrum. If you raised funding, whether from TinySeed or angels or whatever, and you’re going into the enterprise, it would just be a no-brainer. You just get it. You just do it. You spend the few months and you pay the money and you just do it, because it will win you more deals if you’re selling to the enterprise. The balance is, what if I’m not sure yet? How do I know when to justify it? And I think that’s what we’re talking about. Yeah, I’d probably try to figure out if there was an ICP that can also use the product that’s not in the enterprise, or you just got to go all in and make that decision.
Derrick Reimer:
Yeah, I’ve been doing the HIPAA compliance framework for my new product line that’s doing appointment scheduling for medical, which is one type of customer where they value that. So I think it has quite a bit of overlap actually with SOC 2. But the nice thing about HIPAA is it’s self-attesting, so you don’t pay for an external audit, or it’s not required to claim HIPAA compliance, but there’s a bunch of controls that you want to have in place in the event that something happens, and so that you can demonstrate to your end customers that we have all these controls in place to support our claim of HIPAA compliance. But in general, I found a lot of these things seem like overkill. They are overkill for the size company that we are. Most of the default policies have eight different roles in them by default.
So these are the responsibilities of the CEO. These are the responsibilities of the IT manager, the VP of global sales, the VP of global HR, the dah, dah, dah. And these are the default roles enumerated in a lot of these things. And in most cases, I collapse all of them down into these are the responsibilities of the CEO. So clearly these things are designed by default for larger companies. But that being said, a lot of the practices that they’re asking for are actually good things to have in place. Good from a legal perspective and from a liability perspective. So there are kernels of good in there, even though it’s well known that having SOC 2 compliance doesn’t actually mean that your product is secure. It just means you’ve gotten the check mark, but there’s still good in there to infuse into the way you handle data, the way employees engage with it, and all that.
Rob Walling:
So thanks for that question. Hope it was helpful. Our last question for the day comes to us from Misha on building a lasting culture with a bias toward action.
Speaker 5:
Hi Rob, this is Mike, frequent listener, occasional question asker. I have another question for you. Building out a startup, it’s growing well, getting friends to help us, looking to hire some engineers soon. As we’re doing that, one conversation we’ve had a few times is about building a culture with a bias towards action, bit of a corporate speak there. It’s a conversation that I’ve been part of throughout my career. It’s rare to find that in my experience, whether it’s a large company or a five-person startup, there’s no guarantee that that’ll be the case. So how do you think about that as a conscious decision? So instead of focusing just on, we’re going to hire people who deliver or ship frequently, or interview for people who ship, but really thinking about the culture of the organization from the start, where we can focus on go build stuff, go ship things. You don’t need permission, don’t go breaking stuff, don’t go break the law, however, go experiment. What are your thoughts on that? What have you seen work, again, as a conscious decision by the founders and by the leadership of the startups, the companies that you’ve invested in or been part of?
Speaker 6:
Thank you.
Rob Walling:
Alright, Derrick, what are your thoughts here, as someone who has a bias towards action? It’s interesting because oftentimes when I have a trait, or when I have the urgency that a lot of founders do, it can sometimes be hard to get other people to do that because it’s so intrinsic to you. You’re not even sure how to motivate them to do this. So I’ve given a ton of thought to this concept and idea over the years, but I’m curious to hear your thoughts first.
Derrick Reimer:
Yeah, in my mind it comes down to two pieces, I think. How do you get this instilled into your company? Well, I think it comes down to who you hire, what’s the personality traits of those people and their past experience, and also what are the ways that you operate? It’s one thing to say in a mission statement, we bias towards action, but do the ways you operate actually align with that? So on the who piece, I think the big thing is, I’ve found in talking to developers who have worked for larger companies almost exclusively, they tend to have this slow, methodical way of operating. They err on the side of caution. It’s create something, but then wait for full consensus and everyone to check off on it. And it’s the way you need to operate in a lot of larger companies, because maybe they’re more risk averse and that’s just how they do it.
And I think that can be really difficult to work out of somebody, to pull it out of their mind. I’m not saying it’s impossible. Maybe you’re talking to someone who’s like, I’ve worked in these environments and I hate it and I just want to be able to take initiative and move faster, so maybe you find someone who’s been in large company environments and is reacting against it and seeing your company as a breath of fresh air where they can actually stretch their legs and do their craft without all that ceremony and stuff. But yeah, I think that’s something really important to suss out, and just what are they motivated by, what are they comfortable with? I think there’s a lot of people who maybe are just more comfortable in that larger corporate environment where there’s a lot of safeguards and there’s a lot of cross-checking.
And so trying to put someone who has that in their DNA into your company, it’s probably going to be tough to get them to bias to action. And then I think just the way you operate, I think it requires you to trust people a lot to take ownership of things. And that’s something I think you have to evaluate in yourself, because a lot of times people who are biased to action can also be control freaks. So I think that’s something you have to be careful about. Are you hamstringing the people that you want to have trust in? You want to give them a lot of leash to do things and move fast, but are you trying to micromanage stuff? Because that can counter this narrative of, we want to bias towards action, but I also want to maintain strict control over everything. You’re going to hamstring yourself. So I think that’s the other piece, and that one’s more about you as the founder or as the person leading the company. Are you actually allowing people to ship code? Do you require multiple code reviews on every single feature? If you do, you might be working against your desire to have a bias to action. So those are just a few thoughts.
Rob Walling:
I had all of those written down. Derrick and I do not compare notes before we do these. And oftentimes I make notes as you talk, because thinking out loud, or thinking in my head I guess in this case, but especially the last piece you said. You can say you want to bias towards action, but are you ready for people to make mistakes? Are you ready for people to do things that you don’t agree with, or that they took the action and you’re like, why did you waste eight hours doing that? And it’s like, well, I was acting in the way I thought I should. You know what I mean? And so are you ready for there to be miscommunications, or for you to lose control of things? And then a lot comes back to who you hire, because of judgment. If they’re going to have a bias towards action, you want their judgment to be good.
There are some folks we know whose judgment, just in general or on certain areas, is just not good, and they can’t get out of their own way. And I wouldn’t want them to have a bias towards action at my company. I think the things that they’re going to work on are not going to move the needle or are going to be misdirected. So similarly, I broke it down in my head into three parts, two of which you said. You said it’s who you hire, and that was one of mine. And then you said it’s how you operate. I have who you hire, and specifically, just like you said, small companies, I have in parentheses, meaning if I run a five-person team, almost without exception, I will not hire someone from a 500-person team. Just won’t do it, because retraining that culture, that thinking that there is no process, you have to do your stuff, is so very hard.
And so again, I say almost without exception, I want people from other small teams who have worked on teams of five to 20, period, end of story. And that helps limit that. You talked about how you operate, which came to this phrase that I wrote down, which was you can’t punish people for making mistakes. If you want everybody to have a bias towards action, mistakes are not bad on their own, because they show that people are moving in a direction. Now if someone makes either the same mistake over and over, or they’re just constantly, again, this comes back to their judgment, they’re just always not doing things really well, well then you’ve made a bad hire or you’re not communicating well. The other couple things that I thought about were communicating this on a frequent basis, and you touched on this when you said if it’s in a mission statement or a vision statement or whatever, bias towards action, or I guess it would be values, but it’s like no one cares.
It’s every week or every day or whatever. Are you communicating that there is an urgency to what you’re doing? And actually John Esco did a pretty good job of this. He was the CEO who took over Drip, I guess after me and Clay Collins. And he would say in the weekly meetings, every, we’re in a startup. Every month is like a quarter. Every week is like a month. We got to get stuff done. That’s how he communicated it. I communicate it differently. The TinySeed MicroConf team feels a sense of urgency. They all do. And I don’t use that same metaphor that John did, but we all know we got to get stuff done. The team is small and we’re super, how do I say? We punch above our weight. We’re very efficient. We do the work of a team that’s twice our size. There’s an urgency because we’re just getting it done.
And there’s a constant communication of, here’s the other thing, what we’re doing matters. If you are a mid-level developer manager at Target or Best Buy or General Mills or whatever, I’m not trying to throw shit at any individual company, but just some big company of 5,000 people, you’re often working on stuff that just kind of doesn’t matter. And how much bias towards action do you want to have when you just don’t give a shit about what you’re building? One of the luxuries we have as small companies is any individual person, engineer, whatever, can have a huge impact and ship stuff to production and interact with customers. And these days with MicroConf and TinySeed, I say we’re trying to multiply the world’s population of independent, self-sustaining startups. That’s cool. If you’re on board with that, it’s really fun. That’s the urgency. And we communicate that often.
There’s a vision there. There’s an interesting problem and there’s urgency to get stuff done. So there’s a bias towards action. But even with Drip, we were building email marketing software, marketing automation software. Is that that interesting? You know what, the team, the 10 of us when we got acquired, people were really into it. We were into it because there was something really interesting about being close to the metal. We all believed in this scrappy team. We were number 12 on VentureBeat’s list of the best marketing automation platforms. And we were like seven people in a closet in Fresno. And all the 11 ahead of us had raised tens of millions, if not hundreds of millions, of dollars. That was cool. We were the underdog. And there was something about the bias towards action that was part of who we hired. You think of everybody on the team at that time.
And also we just felt it. We felt like we were doing something interesting and each of us was making a difference. And collectively we were making a dent somehow in the broader market, that people were paying attention. There was a feedback loop of, you did something this week and next week customers are raving or ranting about it, as the case may be, but at least we did something interesting. So that’s a long way of saying it. And I almost want to put all of the stuff I just said into ChatGPT and say, give me four bullets, but you know what I mean, really summarize that.
But I think you touched on hiring and operationally, and I think both of those are valid, but I also would put forth that there’s that vision and that interesting problem. And SavvyCal has the same thing. It’s like, I’m building scheduling links and scheduling software, and one could say, well, you could do that in a very boring way and be like, oh, cool, come work for us and build stuff. But the people who work with you are like, let’s do this. Why is that? Because it’s cool, because they’re making an impact, because it’s fun, and because they see the customers using it, and there’s this virtuous feedback loop.
Derrick Reimer:
Yeah, I think the people who are working with you should also be enamored with this notion of being able to have an impact on your corner of the industry. I think most companies out there would say that they’re trying to have an impact. The 5,000-person company, the 10,000-person company, it’s moving in a direction and it’s making some kind of impact as it continues to chug along. But when you’re one of 5,000, one of 10,000, your ability to move the needle is very low versus being in a smaller environment. And so I think that should probably be top of the list on the reason why someone would join your team. Do they care about that? Because if they don’t, then they’re not going to be motivated by that, and you need a lot of that motivation to move at the pace that’s required in a really small company.
Rob Walling:
Good stuff, man. So thanks for that question, Michelle. I hope that was helpful. Derrick Reimer, folks want to keep up with you. You of course are Derrick Reimer on X, Twitter, and the best scheduling link on the internet is savvycal.com. But give us an elevator pitch for the new functionality, because you teased it in the episode, and it’s about appointment booking. And that’s different than scheduling. Who should reach out to you, or at a minimum should sign up, if they’re interested in revamping their stuff?
Derrick Reimer:
Yeah. Something that we’ve heard over the years is from people who are building something scheduling related in their business that requires them to take appointments from people, but they need to build all these custom flows around it. And so they’re not necessarily looking for an off-the-shelf SavvyCal meeting-booking type of thing. They’re looking for more of a scheduling infrastructure that they can weave into their platform. And so we finally decided to tackle that problem. In addition to our meeting scheduling software that everyone knows and loves, hopefully, we have this new appointment scheduling software, and in this initial rollout phase we’re trying to talk specifically to agencies that are building these types of custom flows that involve scheduling. We’ve already onboarded our first customer, and they’re a fertility clinic that needs to take initial consultations from their website, and they had this very manual process that involved calling the office and putting something on the schedule in the medical record system. And so we worked with our first agency partner to build this custom intake flow that includes the SavvyCal appointments booking widget, embedded right into it, and it’s gone well. So we’re looking for basically more people who are building these types of projects. Could be medical, could be for law firms. There’s a bunch of different types of service-based industries that might be able to make use of this.
Rob Walling:
Amazing. And if they want to reach out to you, what’s the best way for them to get ahold of you?
Derrick Reimer:
Yeah, hit me up over email. It’s derrick@savvycal.com, and I’d love to chat.
Rob Walling:
Amazing. That’s D-E-R-R-I-C-K at savvycal.com. Yes. Thanks again, Derrick. Thank you. Thanks again to Derrick for coming back on the show, and thank you for sending in all those amazing listener questions. If you have a question you’d like to hear us answer on the show, you can head to Startups For the Rest of Us dot com and click Ask a Question in the top nav. Video and voicemail questions go to the top of the stack, as well as more intermediate and advanced questions, but we do get to all the questions at some point. So thanks again for listening this week and every week. This is Rob Walling signing off from episode 788. Listener, you have found the hidden track of this podcast episode. I’m springing this on Derrick. He has no idea that he’s going to be answering espresso trivia, from frothy to hardcore. It’s going to be good.
Derrick Reimer:
Okay.
Rob Walling:
All right. Let’s do a few of these, courtesy of ChatGPT. So here’s the best part: if it hallucinated any of the answers, you get to tell me, oh no, that’s actually wrong. But I asked it, for folks who don’t know, you are my go-to. If I’m going to ask someone about espresso, about what is the perfect temperature, how many PSI should I tamp. You have a manual espresso machine? Am I saying this right? Am I using the right terms?
Derrick Reimer:
Yeah, yeah. Like a miniature version of an espresso machine you’d see at a coffee shop.
Rob Walling:
Got it. So super legit, and you make the best lattes I’ve had at someone’s house. Alright, first question. These go from easy to hard. What is the name of the creamy, caramel-colored foam that forms on top of a properly pulled espresso shot?
Derrick Reimer:
What is crema?
Rob Walling:
Yeah, Alex. Alex, what is crema? Yes indeed, sir. Ding, that gives us one correct answer. What’s the ideal brew temperature range for extracting espresso? You can answer in Fahrenheit or Celsius. I have both, or Kelvin, and I can do the conversion.
Derrick Reimer:
Add 50,000 to exactly
Rob Walling:
273, I believe.
Derrick Reimer:
Yeah. Okay. I’m trying not to cheat right now, because if I look across my office, there’s a little readout that’s blinking the temperature. It’s the PID unit that constantly keeps a constant temperature in the boiler. And this is stalling now because I’m trying to
Rob Walling:
Think. This has a range of 10 degrees, but if you name the exact middle of the range or something in
Derrick Reimer:
Ballpark, I think we could do it. This is somewhere around the high 190s to 205, something like that. Oh,
Rob Walling:
There you go. Perfect. It says between 195 and 205 degrees Fahrenheit. For those of you anywhere in the world but the US, that’s between 90.5 Celsius and 96 degrees Celsius, in case you were curious. Very good. Dude, that’s two out of two so far. What’s the generally accepted pressure in bars, it says, but you can do PSI if you want. What’s the generally accepted pressure used for extracting espresso?
Derrick Reimer:
I want to say it’s around 15 bars.
Rob Walling:
I have nine.
Derrick Reimer:
Nine. Nine bars?
Rob Walling:
Yep.
Derrick Reimer:
Yeah. Okay.
Rob Walling:
Alright. Maybe we’ll do one more. I mean, is this even fair? Do you know espresso history? Which Italian company is often credited with inventing the modern espresso machine?
Derrick Reimer:
Take a guess. La Marzocco.
Rob Walling:
La Pavoni.
Derrick Reimer:
Okay.
Rob Walling:
Yeah, let’s count that one. That one feels like, I, what’s the recommended weight range in pounds or kilograms for tamping espresso to ensure even extraction?
Derrick Reimer:
30 pounds of pressure.
Rob Walling:
There it is. Ladies and gentlemen, this is why Derrick Reimer has a permanent guest spot on Startups For the Rest of Us. It’s not,
Derrick Reimer:
But I was going to make you lose my espresso cred. I was a little,
Rob Walling:
Little nervous, really sweating it. I just throw things at you without even telling you. All the startup knowledge that we’ve just shared in this episode doesn’t compare to what you’ve just dropped on all the listeners. Thanks for
Derrick Reimer:
Participating. It’s good stuff.