Yes, that is good advice. We are reviewing all our processes about domain registries right now. Major lesson learned, and I would encourage other companies to think this through and learn from our experience today.
I learned this the hard way just a few months ago with Namecheap. Those guys dumped all of my personal information to some people (my name, address, phone number, etc.). I have kids in my home and all they offered me was $100 in Namecheap credit, which I didn't accept out of principle. I spoke with a lawyer and the privacy laws in the U.S. seem to make it not even worth going after them. Registrars basically can do what they want and it's hard to hold them accountable.
I almost had a domain frozen with Namecheap after one warning.
If I missed the warning email or checked my email after 24 hours they would have completely suspended my domain. I'm talking about a site with MILLIONS of visitors per month and tens of thousands of posts per day, not some small blog.
I did some work for a client in 2017 who was starting a cryptocurrency business. This involved buying a domain name for him to transfer to him later.
Well, in 2018 there was some internal strife in his business that ended with a lawsuit being started. The opposing party started sending subpoenas to Namecheap asking for all information from 2018 onwards in relation to his account. What ended up happening was they released all of my information about my purchases, domains, personal information (anonymized credit card info, my actual physical address, information about my other unrelated clients' domains, etc.)... going back to the start of my account... several years' worth of data prior to 2018. All clearly out of scope of the subpoena they were served.
Not only that, Namecheap never notified me of this... in violation of their own privacy policy. They're supposed to notify their customers of the release of their information in relation to subpoenas by email or certified mail. Instead I found out much later from my previous client when he was given a copy of all of my information. And presumably his opposing parties in the crypto space were also given all of my information.
Seems kind of messed up to release all of that erroneously, without warning... especially to shady people in the crypto space.. you know, with people getting kidnapped over this stuff.
TL;DR: Namecheap will drop your info, even if you paid to protect it, as soon as they're given a single demand letter. And they won't stop at just giving up the info that's asked for (with 0 fight and 0 notification to you); there's a chance they'll release ALL of your account information.
Cloudflare Secure Registrar - I know you guys probably in some ways compete with Cloudflare, but maybe give them a call. Or for that matter become your own registrar and get into the corporate registrar business. With this experience under your belt, no doubt you'll crush it!
FWIW, CF's registrar is nice, but also represents an extreme form of lock-in on the part of Cloudflare -- the registrar subscription is specifically tied to your enterprise plan and will be terminated if you are not using other CF products.
Oh, fantastic! I'll let my former colleagues know, assuming no one else has reached out to them (this was a pretty specific piece of feedback we had re registrar, so great to hear that it's changed).