You’ve found a big market gap and are rapidly building the next SaaS unicorn. You’ve convinced big name investors of your smarts, and raised a sizeable seed round. Now, your engineers are cracking away at it and you’re pitching to your first marquee customers. It’s full steam ahead, and things look bullish.
Then, you hit a speed bump.
Your first big prospect drops you a mail saying, “we’re really excited about trying out your product. But by the way, are you guys SOC II compliant?“
As it turns out, you’re not. 😮
If you find yourself in a situation like this, this guide is for you. Here’s how to achieve SOC 2 Type II compliance fast, like we did, by following these 5 steps.
Step 1: Decide on Scope and Observation Time
SOC 2 covers 5 trust service criteria: security, availability, processing integrity, confidentiality, and privacy. The current maturity of your startup and the demands of your specific software category should inform which you want to pursue compliance for. Besides security (which is a must-have), you get to choose which other criteria you want to include in your assessment.
Security is the most important criteria to fulfil, as it serves as the foundation for everything else. Early-stage startups should prioritise this. In addition, you should ask your potential customers if they require any other trust service criteria that may be critical in your category. For example, processing integrity will be crucial if you are building a SaaS product in Fintech.
Availability may be an important criteria your customers have concerns about uptime, including Service Level Agreements (SLAs). This might be especially important for infrastructural products such as databases.
Confidentiality is usually important if you find yourself storing customer data that is covered by a Non-Disclosure Agreement (NDA). This might be especially true for startups touching on government data.
Similarly, Privacy is usually important for companies storing personal identifiable information (e.g., employment, health care data). If data privacy is an important trust standard for your startup, you might also be working towards GDPR compliance. While there are some similarities between GDPR and SOC II, there are also key differences. It’s important to understand the full scope of GDPR compliance and what’s needed to fulfill those.
After deciding on the criteria that you want to prioritize, the next step is to decide on an observational period. There are two layers to the SOC 2 process: Type I, which evaluates your security systems at a single point in time, and the more stringent Type II, which checks for compliance continuously over a longer period.
How long this timeframe should be is a matter to align with your auditors, but we strongly suggest 6 months — enough time to be confident that your security measures are robust and reliable, but not too long as to delay roll out. Remember, SOC 2 Type II compliance need to be renewed every 12 months, and your monitoring continues even after initial audit, so there’s no reason to prolong your first audit period unnecessarily.
Step 2: Pick a compliance platform
Compliance platforms help you project manage and automate the range of processes required to achieve SOC 2, and picking one that best fits your needs is important in making sure everything goes smoothly downstream.
You should know that any of these tools will technically work in helping you achieve SOC 2 compliance, but some will make it easier than others to do so. While the usual range of considerations such as pricing, quality of support and ease of use are factors you should have in mind, probably the most important criteria to evaluate these platforms against is how extensive their automation capabilities are.
Automating the security monitoring and reporting process is especially important when pursuing SOC 2 Type II compliance because manually gathering and uploading the evidence of security compliance SOC 2 requires can be extremely time consuming over a 6 month period. A good compliance platform plugs-in seamlessly into your security tech stack to automatically and continuously gather monitoring information so you and your auditors can effortlessly see the security status of your data systems.
For this reason, you want to choose a compliance platform which has the appropriate integrations into the tools in your current security tech stack. We’ll cover considerations around selecting security tools in Step 3. But the best compliance platforms should integrate into a wide range of tools so your automated SOC 2 monitoring and reporting continues, even if you change the specific security tools you use.
We spent some time comparing different platforms, and decided on Drata. Here are some reasons why we thought they worked best for us, and would for most early-stage startups:
- Comprehensive and actionable support — it was our first time doing SOC 2, and getting help understanding its different requirements, how they pertained to our situation, and what to do to satisfy them was important to us. Drata not only provided good guidance within their app, but also had a team that was highly responsive, allowing us to clarify questions we had with humans when we needed.
- Deep integrations into a wide range of security tools, allowing us to automate almost all monitoring and reporting processes
- An intuitive interface that our employees could easily figure out and use, so that they could get trained on SOC 2 security policies without much friction.
- Past experience working with our auditors
- Competitive pricing
Some thoughts on other alternatives we were considering:
- Tugboat did not support integration into Heroku, which hosts our web app. But, as a non-SOC 2 point, their GDPR and CCPA frameworks did help us work towards those data privacy standards.
- Vanta had a user interface that was not as intuitive as we would have liked, and was more expensive than Drata. However, they do have strong credibility, having helped well-known SaaS companies achieve compliance, and they have been around the longest.
- Secureframe is another provider in the space that might be worth considering. We did not have a chance to do an in-depth review, however.
For a more in-depth coverage of SOC 2 providers and their pros and cons, check out this post by our friends from Nira.
Once you’ve picked your compliance platform, simply follow the guidance provided within its app to implement all the necessary data security policies and protocols required for SOC 2 compliance.
Step 3: Pick an auditor
The next step in your SOC 2 process is to select an auditor. Any licensed CPA firm that specializes in information security can do the job, and you’ll probably get a few recommendations by asking around or from your compliance platform provider. We had a great, seamless experience working with the Johanson Group.
If you have a shortlist of auditors and are wondering how to choose between them, note that most will have similar accreditations e.g. registered with the Public Company Accounting Oversight Board. Such labels should be seen as standard must-haves, rather than a compelling reason to choose one over another.
Instead, the more important question you should be asking potential auditors is: have they audited software companies at a similar stage and in a similar industry to you? This is critical because an auditor who already understands your situation will be able to provide specific guidance, and save you time spent explaining technical details about your product and category.
Step 4: Build out your Security Stack
As your compliance platform will tell you, you may be missing some key security tools that you need to achieve SOC 2 compliance. While the types of tools and features you will need will differ depending on the maturity of your company and your specific industry, we will cover the general must-haves here, and explain how we chose between options.
Note that for each type of tool, most options will do the job as far as SOC 2 compliance is concerned. You should choose based on:
- Which option integrates with your existing tech stack
- What pricing works best given your current stage of maturity
- What facilitates ease-of-use for your employees
Additionally, cloud providers like AWS or Heroku typically have built-in native security tools which you may want to consider. We rarely chose to go with these because 3rd party apps were generally more cost-efficient for our early-stage needs — but they might work well for you if your product is more mature.
Here are the tools we went with, and why:
- Web App Firewall: Sqreen — as it works well with Heroku which hosts our app
- Background Checker: Certn — as it performs background checks internationally; our employees are based in 3 different continents
- Vulnerability Scanner: Intruder.io — which comes with Penetration Testing in addition to vulnerability scanning. They had a free tier we could try out, and we really appreciated their attentive, detailed customer support.
- Password Manager: Dashlane — we just picked one randomly, but we are also considering a few other providers. Dashlane has lots of interesting features like a built-in VPN, and was price-competitive. However, it did cause some bugs with other tools we are using (e.g., Grain), so it might be worth trialling a few password managers to see how they fit with your stack.
Step 5: Write your SOC 2 security system description
After you’ve followed the detailed guidance on your compliance platform, and filled out the missing layers of your security tech stack, your final task is to write a security system description that you will be required to submit to your auditors.
Unfortunately, there isn’t a generic template for this, given how much this differs by the specific nature of your product category.
However, that doesn’t mean that you need to figure out how to write this up from scratch. Instead, we suggest referring to what companies similar to yours have done. For example, we looked at two other companies — Segment and Census, as reference when writing our own, because of some architectural similarities we saw between their products and ours.
How do you get security system descriptions from other companies to refer to? Many companies (including ours) will provide their SOC 2 compliance reports upon request, under relevant NDAs, and if you are not a direct competitor. These reports can be extremely helpful in helping you figure out your own approach to specific security protocols for your own product. Additionally, they provide useful examples of how you should craft the structure and language of your own report.
All done! Let the auditors do their work
With that, you’re basically done. Submit your security system description to your auditors, give them access to your compliance platform, and leave things running for the observational period you’ve decided on. If you’ve done all the above, you’ll achieve SOC 2 Type I compliance immediately and Type II compliance in 6 months time.
You can now confidently reply your prospective customer: “Yup, we’re SOC 2 Type II compliant. Let us know if you’d like to see the report,” and close out that big deal.
Who knew SOC 2 compliance could be that easy? 😎
Eager for more tips on how to get complicated things done fast at your SaaS startup? Be sure to sign up to below to receive the latest guides and inspiration from our Product-Led Sales blog. We’ll also be sending to subscribers additional SOC 2 content in the future, such as comparisons between providers and our recommended security stack.