Hacker News

codegeek, yesterday at 5:10 PM (3 replies)

I will add a few more things to this:

- Document your data and security and share that with customers instead. You can say "We don't have SOC2 at the moment but here is all our security and data policy". It works 99% of the time for me.

- Very few companies truly have policy to reject a vendor if they don't have SOC2. Those are usually large enterprise or companies in sensitive areas such as Finance/Healthcare etc. Even then, SOC2 can be waived if you can demonstrate everything else.

Disclaimer: I run a bootstrapped SAAS with low 7 figures in ARR and even though we have ISO27001, we don't have SOC2 yet. However, we take our security/data etc very seriously and have tons of documentation and best practices that we always share with a customer who asks. Honestly, we will get SOC2 at some point just for the checklist as I don't really care too much about them otherwise.


Replies

spydum, yesterday at 7:03 PM

Fully agree, the only downside is without a SOC2 you will be asked to fill out an insane 200+ questionnaire. Good news is you have all these great LLM tools that can do this work for you, and you just check it over.

speleding, yesterday at 8:54 PM

I run a low 7 figures SaaS as well. This is the blurb I answer with when asked about SOC2 (yes, yes, AI generated):

"While we follow industry best practices that align closely with the requirements of SOC2 and similar frameworks, we have chosen not to pursue formal certification at this time. Maintaining multiple certifications and undergoing recurring audits across the various regions in which we operate would significantly increase our operational costs and, consequently, the price of our service."

parliament32, yesterday at 6:00 PM

> It works 99% of the time

I would add the caveat "...as long as you have no competition." If you're in a market where alternatives exist, and they have the certification, you're definitely transparently losing sales.

From the enterprise side, I can tell you vendor certification takes an order of magnitude more time/money/effort when the vendor says "we don't have cert X but here's a mountain of drivel you can paw through to try to assess risk." And not just once, but every single year during vendor reviews. It's just not worth it unless you're legitimately bringing something irreplaceable to the table -- to the point where even our executives know to google "companyname SOC2" before even engaging in a conversation.
