This'll be unpopular, but if you want to keep it super lean and avoid being asked for compliance certs like SOC2/ISO, you could consider building it as an installable app on top of a platform your customers already trust,
i.e. a Salesforce App.
That way, they already use/trust the environment where the storage/processing of their sensitive data is taking place, akin to an old school 'on prem' solution (but without as much headache for you).
IMO just get ISO 27001 to demonstrate that you are managing the sensitive information properly, and you will also improve your client confidence.
I work as an ISO 27001 auditor, and help companies get ISO 27001 certified in no time (1-2 months), with a budget from 5k - 8k in total (external support and certification included). The goal is to keep it simple, save costs, and in the end get the company certified.
"Oh, wow, I had no idea it was that affordable, we should talk..." is the response you are hoping for, correct? Self-promotion is not prohibited, but it goes better if you engage with the discussions here beyond just your own marketing.
Anyhoo, I don't think thousands of dollars for certification makes sense for a solo dev who is kicking an idea around.
This helps only if your extendee is providing a PaaS for you and makes guarantees. Last time I made a Slack extension, for example, I had to egress and ingress client data.
Worth thinking about