
Ask HN: What should I do when asked for SOC2? - groundthrower
I have a SaaS that is doing quite well, with some very large companies as customers. I do everything myself (have been able to do it by myself until now I guess).

I have now been asked for a SOC2 Type 2 report by a potential customer. I have a vague idea of what it is. Reading about the auditing process feels quite strange when I am the only one in the company. Do you have any ideas on how to proceed? I do not even know where to start.

Thanks
======
brudgers
It might mean that they are not a qualified lead because a SOC2 (whatever
that is) is not part of your ordinary service. That means the prospect is not
in your existing market segment, and pursuing the company as a client means
entering a new market segment.

Sometimes that makes sense. Other times it doesn't. If you're a one person
shop and the new market segment is generally served by multi-employee firms,
then it is probable that your business structure is unsuitable for the new
market segment, if for no other reason than that preparing a SOC2 is an
additional _marketing_ expense for you and not baked into your previous cost
structure.

On the other hand, maybe it is a market segment that you want to enter.
However, odds are that the market is relatively efficient and there is a
reasonable alignment between market size and the number of people providing
services to meet its unique requirements. It is also probable that the
customers in that market have existing business relationships with existing
providers.

Or to put it another way, entering an established market segment is typically
a long term process and requires a meaningful commitment of resources before
profits are likely. Often, small shops are used for price comparison and
beating down the company that was always going to get the contract. It's worth
being cautious when a prospect educates you about your own business because it
means the prospect might not have a high opinion of your KSAs in regard to
their needs. Good luck.

------
davismwfl
Do they know you are a small company? An assembled and audited SOC2 report is
not inexpensive and is a lot to ask of a small firm to have already. What is
reasonable is if they are asking you to produce your processes/procedures of
how you feel you meet the requirements of SOC2. Also if you are using
something like AWS, that can help you satisfy some of the compliance side too.

I have been in your shoes where I ran a small company and got an opportunity
(eventual deal) with a large Fortune 500 firm and they were asking me for SOC
and ISO type reports early on. I was up front with them and said I was happy
to share all the details why I felt we were meeting those requirements but I
couldn't justify the tens of thousands of dollars to assemble and have
audited these standards and reports at the time. Essentially they had their
typical vendor checklist they were looking at and just asked because it was on
the checklist. Once I went through the details, they were pretty understanding
and helped me get them the information they needed to demonstrate compliance
without us having to go through the insanity for a small company that some of
these standards require.

------
codegladiator
If you are hosted on cloud, you can probably ask your cloud provider for it.
For instance, DigitalOcean provides it (I was recently asked for the same for
one of my services, and you can say no to banks).

[https://www.digitalocean.com/community/questions/is-digitalocean-hipaa-or-pci-compliant](https://www.digitalocean.com/community/questions/is-digitalocean-hipaa-or-pci-compliant)

> Our NYC2 facility is SSAE16 SOC-2 Type II certified.
> Our NYC3 facility is SSAE16 SOC-2 and SOC-3 compliant.

------
codingdave
Honestly, say no. You are going to spend a large amount of time, energy, and
possibly money, on what amounts to a sales lead.

Instead, tell them that if the SOC2 is required to sign a deal with them, you
want to resolve all other due diligence first, and sign a preliminary contract
stating that if you then perform a successful audit, they will become a
customer. At that point, you aren't putting the money into a sales lead, you
are taking on a large step to on-board a new large customer.

~~~
slovette
This here is a great example of what you think would work. It’s diplomatic
and reasonable. However, in my experience it reads well, but falls super short
in practice.

It’s usually a request because someone is following a policy checklist. Either
that someone is the same person you’re selling to (you’re lucky) or it’s a
paralegal going through due diligence (you’re unlucky). In either case, none
of what’s said here works because if they can’t check that box you’re dropped
off the attention list as they know they can’t get it past upper approvals.

So, if it’s the person you’re selling to and you’ve built a product they love,
then you _might_ have what a lot of enterprise sales people strive for: “an
internal ambassador or cheerleader”. But more often I think, that’s not the
case as it’s the paralegal that has 0 connection to your product value at all
or what you’ve built just isn’t necessary enough for the contact to work super
hard around policy for.

In the likelihood of these scenarios, it just doesn’t end with a sale that
keeps food on the table for early founder driven startups. It’s better to know
your target audience and spend time where you need to that results in revenue.
If that’s a SOC2 cert, go get it done.

 _edit_ apologies for typos. Mobile app isn’t the greatest. :/

~~~
codingdave
Doing everything needed for every sale can kill a SaaS. There is such a thing
as a bad customer, and customers who put burdens on your business that you
cannot sustain are bad customers, even if they look tempting because of their
size.

You need to know the lifetime value of this sale, and determine whether the
cost to land the deal and support them is greater than that value. Saying "No"
to a burdensome request covers that - if that kills the sale, that may be the
right answer for your business. If not, that also may be the right answer. But
you push that effort farther down the calendar, until you know which answer is
correct.

------
slovette
Ok, so I’ve read the comments here and from a business perspective, none of
them really hit the right answer.

I noticed in your post you mention that your clients are really big companies.
Which leads me to wonder how you haven’t seen a SOC2 request yet as it’s
fairly prevalent among larger clientele.

The real answer here lies in what you’re offering and who your target client is.
If they’re large clients, going through a SOC2 audit and compliance cert is
more than worthwhile as you’ve likely been lucky so far in not needing it.
You’re going to need it once you’ve hit that stage where you aren’t just
selling demos to team leads anymore and actually negotiating contracts with
legal departments.

I have 2 buddies that have built SAAS type solutions for enterprise (both ex
enterprise engineers building solutions for the same jobs they left) that are
solo and have gone through SOC2 because the clients they’re selling to require
it.

The real answer to this is more about who you’re building for and selling to.

At the end of the day, it’ll be an annoying process, but not overly
complicated for a 1-person company to go through. It’s largely documentation
based, which most of that is easily c/p from a template all the overpriced
consultants use. I don’t mean to downplay the integrity of the cert, it’s that
the experience for just you isn’t going to be the compliance nightmare that it
is for large teams of people that need to worry about door access control or
group policy defaults.

As long as all of the underlying tools and platforms you use are also
compliant, your audit will be easier. Just plan to have to spend a TON of
time in MS Word.

------
softwarefounder
Yes. We're undergoing this now, and it's a very involved process that should
not be undermined.

We've looked into companies that help with this stuff, and usually it's around
50k to get setup, and a minimum of 20-30k annually to get "re-certified" with
a SOC2 report.

There's a newer SaaS company that claims to help with this sort of stuff
called Vanta. Haven't looked into them, but I've been meaning to.
[https://www.vanta.com/](https://www.vanta.com/)

Please understand that it's almost irrelevant on if your cloud provider has a
SOC2 report. SOC2 reports are centered around your internal processes, your
organizational procedures, how you store and protect data, etc.

------
Jugurtha
- If it is a client you absolutely want to land, say to enter a sector, and
if the certification is something you decide you really need because
organizations in that sector require that too, could that client pay for the
certification out of the amount you'd charge them for your software? Or you
could offer N months of premium support so you don't disturb your cash
flow.

- Take a look at replicated.com, enterpriseready.io and
[https://github.com/enterpriseready/enterpriseready](https://github.com/enterpriseready/enterpriseready).

------
mtmail
You'll need to hire an auditor who will do an assessment. Usually pages and
pages of questionnaires and high fees, the auditor will do everything remote.
I've only dealt with PCI-DSS but I assume it's similar. Questions like who has
physical access to your servers, how often you change your wifi password, if
you have antivirus software installed on your production servers. It's a huge
time sink. I'd wait for at least the second or third request. Having the
report is no guarantee that more companies will approach you.

------
rman666
I’ve participated in a number of SOC 2 Type 2 audits. I’ve been in
cybersecurity and IT audit for a long time. You might want to reach out to
Vanta.Com. The first SOC report is always a bear. You’ll likely have to do one
every year. But, they get easier by the second one. If you are going to sell
to enterprise customers, it’s table stakes. Also see EnterpriseReady.IO for a
lot of other interesting requirements!

------
borplk
Trust me just say no and move on. It's a huge and expensive headache that only
makes sense for companies that are already large and complicated. The red
tape, bullshit, bureaucracy, and processes that you will have to add and
adhere to ruins any small fast-moving company.

------
groundthrower
I just wanted to say thanks a lot for great answers and perspectives. I would
like to clarify that it is more than a potential customer, I am now in the
reviewing process and it seems there are no other contenders. That said I
just told them that we can ride along with AWS SOC2 and they seem to be fine
with it, at least for now.

------
codegeek
Depends on the nature of your SAAS. If you are not dealing with very sensitive
data, you could try to negotiate that with them and instead, prepare a "Self
Assessed Security Questionnaire" and send to their IT/CIO team.

We do this for our SAAS business whenever we are asked by larger prospects but
we don't deal with very sensitive data.

------
dyeje
You probably should just pass unless you have other prospects asking for this.
It's going to be quite a bit of time, effort, and money. You could also
explain your situation and hope for the best.

------
e1g
SOC2 is an industry signal that you are committed to security, and it is table
stakes for an enterprise SaaS vendor (deals >$100k). It is not relevant if you
are actually committed - it's the signaling that counts. The fact that you got
large customers without it means you are either lucky, sold based on prior
warm relationships, or the client was negligent bordering on incompetent.
Either way, congratulations - it's a good problem to have as long as you
charge accordingly.

First, some wrong answers:

1. "Here is the AWS SOC2 report". Your cloud provider is just a vendor, and
sending your vendors' boilerplate is unrelated to your security posture.
Saying this will signal that you don't know what SOC2 is, or what they are
asking for, and everything you say after this will fall on deaf ears.

2. "We don't have this as we focus on innovation and speed". For infosec
people, this is the same as an aspiring F1 racer saying they never got a
driving license for those reasons.

3. "We are small, and we don't need this for our operations". This is also a
signal: there is no documented knowledge, repeatable processes, backups,
worker redundancy, risk management, or any operational planning. "Now, can we
have your data?"

If you accept SOC2 as a necessary evil in your new life, you'll need to set
aside ~$30k and 100 hours over the next six months to get a Type 2 (there is
no "certificate" for SOC2, that's not a thing). The absolute minimum would be
four months, and for first-timers, it might take 8-10 months.

But we're talking about a signal here - to show that you take security
seriously. One right answer could be something like this - "At StartupCo, we
are deeply committed to information security. Our customers trust us with
sensitive data because we designed our ISMS based on the industry's best
practices and recommendations from CIS and NIST. Our infrastructure is
designed around the principle of least privilege at every level -
firewall rules, network permissions, server configuration (based on CIS Level
2 benchmarks), IT user accounts, and even our internal Wi-Fi routers. We
encrypt all data at rest with AES-128, and in motion with TLS. All data
access, including admin access, is logged off-site, and our IDS/IPS systems
automatically report any unexpected activity. Next on our ISMS priority list
is to engage external auditors to obtain 3rd party attestations, starting with
SOC2. In our current schedule, we plan to receive the Type1 report in Q1,
followed by Type2 in Q3".

Assuming your operations are sound and everything you claim is true, this will
give the big company a clear signal that you understand security. You are
committed to this. You have a clear pathway to external validation, and they
have plausible deniability.

As much as startups boast about scaling, Enterprises do things "at scale" by
default. The only way that works is if you have clear rules, and your people
follow those rules. "Require SOC2" is one of those rules. It's not a bug; it's a
feature that discloses which players understand the game. Play by their rules,
get paid.

~~~
groundthrower
Good points. Being a European company I guess this still entitles us?

Here we are talking more about iso 27001 but maybe these are more orthogonal
than I first thought?

~~~
e1g
SOC2 is for the US as ISO27001 is for EU. The two overlap somewhat, so there
are some efficiencies for doing them at the same time when you get into the
audit mode. When I ran both for our startup, I found ISO27001 to be easier to
get.

------
mtmail
[https://www.founderquestpodcast.com/episodes/what-is-penetration-testing-and-how-does-it-work](https://www.founderquestpodcast.com/episodes/what-is-penetration-testing-and-how-does-it-work)
talks about how they (SaaS) went through the process.

