u/TurnoverEmergency352

Picked a KYC vendor twice in three years, the questions I ask now are completely different from the first time

First time I picked KYC I checked SOC 2, asked sales about the API, shipped it. In hindsight that was insane but it felt thorough at the time.

Second round was different. Where does the document recognition tech come from, in-house or licensed. Where does engineering sit now and five years ago. Who owns the company and in what jurisdiction.

The Sumsub coverage this month is basically a live case study for why those questions matter. Russian-born founders, Russian OCR in the stack until 2021, Cyprus holding company, currently verifying voters in the Belarusian opposition election. Each piece has an explanation, the stack of them is what makes compliance nervous.

Shortlist that survived was Persona smoothest to integrate, Onfido the safe middle, Au10tix strongest on supply chain and jurisdiction.

▲ 9 r/FinOps

Best ways to clean up messy cloud architecture without rebuilding everything in 2026?

Inherited this cloud setup that's a mess across aws and some azure. multiple accounts with overlapping resources, stuff spun up over the years, no real tagging, and costs creeping up because no one really knows what owns what.

trying to clean it up incrementally without tearing everything down. full rebuild isn't realistic right now.

main things i am focusing on:

  1. finding unused or duplicate resources

  2. standardizing naming and tagging

  3. consolidating where it makes sense without breaking stuff

  4. cutting cost on things nobody actually needs

Tried a few inventory tools but they mostly just dump everything without telling you what to actually do next.

What worked for you in situations like this, any scripts or just process that helped move things forward without causing downtime?

u/TurnoverEmergency352 — 7 days ago

How do you handle those last-minute 'Let's do something' client requests?

I swear, every time I book a trip for a client, they get that sudden urge to explore something new at the last minute. One minute, they're fine with just the regular sightseeing, and the next they're saying “hey, let's do a city tour, but like, right now, in 3 hours”.

Does anyone else get those requests? It's always a struggle to find something available that won't just be a generic touristy thing. And sometimes by the time I get to book it, I find out that everything is either sold out or just completely overbooked.

How do you all manage these spontaneous requests without pulling your hair out, especially when you're dealing with tight timelines and limited options?

u/TurnoverEmergency352 — 9 days ago

How are you managing 100+ tour bookings a month without losing your mind?

I'm handling over 100 tour bookings every month and it's getting out of control. Confirmations, cancellations, last minute changes... everything is scattered across emails, spreadsheets, and different platforms. How do you keep everything organized without going crazy?

u/TurnoverEmergency352 — 11 days ago

We have been working on a few cloud setups lately and keep second guessing architecture choices right before deploy. Things like scaling patterns, load balancing, and failover look fine on paper, but it’s hard to know how they will behave under real traffic.

We have tried dry runs and simulations, but they don’t reflect actual usage patterns. By the time something is validated, it’s usually already in production.

How are you validating architecture decisions before rollout? Is this mostly load testing and chaos engineering, or is there something more reliable?

u/TurnoverEmergency352 — 16 days ago

Running a small attraction place and people keep telling me I should get on these big booking sites but no clue how this works in practice, I don't get who sets what or when.

Do you pay them up front or only after a booking actually happens?

Some reps make it sound like it's zero risk and you just turn it on and money shows up but that feels too easy.

Anyone here who started as a total beginner with OTAs and managed to set it up in a simple way, how did you approach it and what would you do differently now?

u/TurnoverEmergency352 — 16 days ago

We moved our prod environment privileged access to a JIT model about 14 months ago. Engineers request elevated access through a workflow, it gets approved, they get a time limited role, it expires after 2 hours. Thought we had done everything right. Least privilege, approval trail, automatic expiration.

SOC2 Type II audit started last quarter. Auditor pulled our JIT access logs and said great, I can see who requested access, who approved it, and when it expired. Now show me what they did with it.

We did not have that. We have CloudTrail in AWS so some API calls are logged, but for database access, for SSH sessions into instances, for any interactive work that happened inside the network boundary, we had call logs with no context and in some cases nothing at all. The JIT system told us a person had access for 2 hours. It did not tell us whether they read one file or exported a table.

The auditor's position was that the approval controls are the front door, and session activity is the actual evidence that the access was appropriate. Having the door log but not the room log is half a control.

We are now evaluating session recording. BeyondTrust, Teleport, StrongDM are all on the list. The problem we keep running into is that session recording either covers SSH and RDP well but misses database query traffic, or covers databases but requires routing everything through a proxy which our engineering team views as a latency and reliability concern for prod operations.

Has anyone found a session recording setup that gives auditors what they need across SSH, RDP, and database protocols without creating enough friction that engineers route around it or it becomes a single point of failure for prod access?

u/TurnoverEmergency352 — 22 days ago
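
The "door log versus room log" gap from the post above, as an added example that is not part of the original post: it joins JIT grants to CloudTrail records by role session and time window, then labels each grant by the evidence that exists for it. The grant export format, account ID, role name and session names are constructed, and the code assumes the JIT tool sets the role session name to the requester.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
# API calls that open an interactive channel: CloudTrail logs the call, not what happened inside it.
OPAQUE = {("ssm.amazonaws.com", "StartSession"),
          ("ec2-instance-connect.amazonaws.com", "SendSSHPublicKey")}
ROLE = "arn:aws:iam::111122223333:role/jit-prod-admin"  # constructed
GRANTS = [  # constructed JIT workflow export; field names are hypothetical
    {"id": "g-1", "role_arn": ROLE, "session": "alice", "start": "2024-05-01T10:00:00Z", "hours": 2},
    {"id": "g-2", "role_arn": ROLE, "session": "bob", "start": "2024-05-01T13:00:00Z", "hours": 2},
    {"id": "g-3", "role_arn": ROLE, "session": "carol", "start": "2024-05-02T09:00:00Z", "hours": 2},
]

def _rec(who, when, source, name):
    """Build a constructed CloudTrail-shaped record for an assumed-role session."""
    return {"eventTime": when, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole",
                             "arn": f"arn:aws:sts::111122223333:assumed-role/jit-prod-admin/{who}",
                             "sessionContext": {"sessionIssuer": {"arn": ROLE}}}}

RECORDS = [
    _rec("alice", "2024-05-01T10:05:00Z", "s3.amazonaws.com", "GetObject"),
    _rec("alice", "2024-05-01T12:30:00Z", "s3.amazonaws.com", "GetObject"),  # outside g-1's window
    _rec("bob", "2024-05-01T13:10:00Z", "ssm.amazonaws.com", "StartSession"),
]

def evidence_for_grants(grants, records):
    """Map each grant id to the API calls seen in its window and an evidence status."""
    report = {}
    for g in grants:
        start = datetime.strptime(g["start"], FMT)
        end = start + timedelta(hours=g["hours"])
        hits = []
        for r in records:
            uid = r.get("userIdentity", {})
            issuer = uid.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
            when = datetime.strptime(r["eventTime"], FMT)
            if (issuer == g["role_arn"] and uid.get("arn", "").endswith("/" + g["session"])
                    and start <= when < end):
                hits.append((r["eventSource"], r["eventName"]))
        # no-evidence: nothing logged; opaque-session: a shell was opened, contents unknown.
        status = ("no-evidence" if not hits else
                  "opaque-session" if any(h in OPAQUE for h in hits) else "api-only")
        report[g["id"]] = {"events": hits, "status": status}
    return report

if __name__ == "__main__":
    for gid, row in evidence_for_grants(GRANTS, RECORDS).items():
        print(gid, row["status"], row["events"])
```

Grants that come back as `opaque-session` or `no-evidence` are the ones where the approval trail exists but the activity record does not.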

I work in ops for a small tours company and right now I feel like I've completely destroyed our business in one morning. We run high end food and cultural experiences in Paris, and today I was updating one of our premium gourmet walking tours. It's one of our best selling experiences, a 4 hour food tour with wine pairings, private chef tastings, and small group access, normally priced at 150 euros per person with a strict limit of 12 guests.

We use a few different booking platforms to manage sales, and I was rushing while testing a new integration between our listings. Somehow, instead of updating the test version, the live listing went public on a huge marketplace with the price showing as 0 euros instead of 100.

I didn't notice until it was way too late. It went live around 10am Paris time, and by 10:20 there were already 150 confirmed bookings. 100 people now think they've secured free spots on a premium tour that we absolutely cannot run for free and definitely not for that many people.

The platform auto confirmed everything because of the zero price, and now the app is full of excited messages asking about pickup times, dietary restrictions, and special requests. Some booked as guests, so we can't even contact all of them directly. I took the listing down as fast as I could, but the damage is already done.

Our real paying customers on the correct booking channel are now confused and angry because they're seeing free spots floating around online. Support tickets are piling up, emails are nonstop, and the owner is currently on calls trying to figure out refunds, penalties, and whether we're about to lose a huge amount of money.

Between lost revenue, platform fees, and possible cancellations, we could be looking at over 20k gone because of one stupid mistake. One of the platforms we use for overflow has stricter policies around pricing errors, which might help a little, but overall this is still a complete nightmare. I genuinely don't know how we fix this without destroying our ratings across every site we use.

Has anyone here dealt with a massive oversell or a free listing disaster like this before and please how did you recover from it?

u/TurnoverEmergency352 — 23 days ago

We have been on aws for about four years and somewhere along the way we started using more and more managed services that don't have a clean equivalent anywhere else. lambda, step functions, eventbridge, aurora: it made everything faster to build but now i'm not sure we could move even 30% of the stack without a full rewrite.

i had a conversation with the team last week about disaster recovery options and the honest answer was that everything assumes aws is available. no real fallback, no portability.

not saying we need to move, but the idea that we have zero options is uncomfortable. how do you design for portability without making everything twice as complicated to build and maintain?

u/TurnoverEmergency352 — 28 days ago