A founder's guide to SOC 2 without a dedicated team

You just got off a call with a prospect. The contract is real. The check is bigger than your last round. They want a SOC 2 report before procurement signs. You have six months and no Head of Security.

This guide is the path through it.

Step 1 — pick the right scope

You do not need every Trust Services criterion. Most SaaS companies start with Security only. Add Availability if you have an SLA. Add Confidentiality if your customers store sensitive data with you. Skip Processing Integrity and Privacy until you have a real reason.

Cost difference: a full five-criteria audit runs roughly 2–3x the price of a Security-only audit.

Step 2 — pick a Type I before a Type II

A Type I report attests that your controls exist on a single date. A Type II attests they have operated effectively over a 3–12 month window.

Most prospects want Type II. But Type I is faster (4–6 weeks), cheaper, and gets you a draft document you can hand to procurement while the Type II audit window runs in the background. Type II then comes 6 months later as a no-drama upgrade.

Step 3 — pick a compliance platform

Drata, Vanta, Secureframe, Sprinto, Tugboat Logic — they all do roughly the same thing: connect to your AWS / GCP / Azure / GitHub / Okta / Google Workspace / Slack and continuously check that your controls are in place. Pick one. The differentiator is the auditor relationship and the price, not the product.

This is worth the $7,000–$25,000/year. Doing the evidence collection manually will burn 200–400 hours of founder time you do not have.

Step 4 — pick an auditor

Your compliance platform will recommend two or three. Some independent ones are also good (Insight Assurance, Prescient Assurance, A-LIGN). Decide based on:

  • Industry experience. SaaS, fintech, healthtech each have peculiarities.
  • Auditor responsiveness. Ask current customers. A slow auditor blocks deals for months.
  • Cost. Type I: $7,000–$15,000. Type II: $15,000–$30,000.

Step 5 — the controls you must implement

Most of what SOC 2 asks for, you probably already do informally. The audit forces you to document it. The most important controls:

People

  • Background checks at hire.
  • Security training at hire and annually thereafter (a 30-minute video + quiz is fine).
  • Documented access reviews quarterly (who has access to what — your compliance platform automates this).
  • Documented offboarding (revoke laptop, SSO, GitHub, Slack within 24 hours of termination).

Access

  • SSO for all critical systems (Okta, Google Workspace, JumpCloud).
  • MFA enforced everywhere SSO touches.
  • Least-privilege IAM in cloud accounts.
  • Documented role definitions.
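What the quarterly access review and the offboarding check actually compute, as a worked example added here; it is not code from the original post or from any of the compliance platforms named above. The HR roster, the role definitions and the per-system account exports are constructed sample data with field names of my own choosing; in practice the roster comes from HR and each account list from the system's own admin API (SSO provider, GitHub, cloud IAM, Slack).

```python
"""Quarterly access review and offboarding check over constructed sample data.

Added example for the People and Access controls; not code from the original
post or from any compliance platform. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed HR roster. terminated_at is None for current staff.
ROSTER = {
    "alice@example.com": {"role": "engineer", "terminated_at": None},
    "bob@example.com": {"role": "engineer", "terminated_at": "2024-03-01T17:00:00+00:00"},
    "carol@example.com": {"role": "sales", "terminated_at": None},
}

# Constructed role definitions: the privilege levels each role may hold per system.
# This is the "documented role definitions" control in machine-readable form.
ROLE_ENTITLEMENTS = {
    "engineer": {"github": {"member", "admin"}, "aws": {"ReadOnly", "PowerUser"}, "slack": {"member"}},
    "sales": {"slack": {"member"}, "crm": {"user"}},
}

# Constructed account exports: (email, privilege, last_login) per connected system.
SYSTEM_ACCOUNTS = {
    "github": [
        ("alice@example.com", "admin", "2024-03-10T09:00:00+00:00"),
        ("bob@example.com", "member", "2024-02-28T12:00:00+00:00"),
        ("dave@example.com", "member", "2023-09-01T12:00:00+00:00"),
    ],
    "aws": [
        ("alice@example.com", "AdministratorAccess", "2024-03-09T08:00:00+00:00"),
        ("carol@example.com", "ReadOnly", "2023-10-01T08:00:00+00:00"),
    ],
    "slack": [
        ("alice@example.com", "member", "2024-03-14T10:00:00+00:00"),
        ("bob@example.com", "member", "2024-03-01T09:00:00+00:00"),
        ("carol@example.com", "member", "2024-03-13T10:00:00+00:00"),
    ],
}


@dataclass(frozen=True)
class Finding:
    system: str
    email: str
    kind: str  # orphan | offboarding_overdue | excess_privilege | dormant
    detail: str


def review_access(roster, entitlements, accounts, now,
                  offboard_sla=timedelta(hours=24), dormant_after=timedelta(days=90)):
    """Reconcile every account in every system against the roster and role model.

    Returns one Finding per gap an auditor would ask about: accounts with no
    owner, leavers still holding access past the offboarding SLA, privileges
    outside the owner's role, and accounts unused for longer than dormant_after.
    """
    findings = []
    for system, rows in accounts.items():
        for email, privilege, last_login in rows:
            person = roster.get(email)
            if person is None:
                findings.append(Finding(system, email, "orphan",
                                        "no matching roster entry; nobody owns this account"))
                continue
            if person["terminated_at"] is not None:
                since_term = now - datetime.fromisoformat(person["terminated_at"])
                if since_term > offboard_sla:
                    findings.append(Finding(system, email, "offboarding_overdue",
                                            f"access still present {since_term - offboard_sla} past the SLA"))
                continue  # within the SLA window: offboarding may still be in progress
            allowed = entitlements.get(person["role"], {}).get(system)
            if allowed is None or privilege not in allowed:
                findings.append(Finding(system, email, "excess_privilege",
                                        f"'{privilege}' is outside the '{person['role']}' role"))
            if now - datetime.fromisoformat(last_login) > dormant_after:
                findings.append(Finding(system, email, "dormant",
                                        f"last login {last_login}; candidate for removal"))
    return findings


def summarize(findings):
    """Count findings per kind; these numbers go into the quarterly review record."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def run_review(review_date_iso="2024-03-15T00:00:00+00:00"):
    """Run the review over the constructed data as of the given ISO 8601 date."""
    return review_access(ROSTER, ROLE_ENTITLEMENTS, SYSTEM_ACCOUNTS,
                         datetime.fromisoformat(review_date_iso))


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.system:7} {f.email:20} {f.kind:20} {f.detail}")
    print(summarize(run_review()))
```

Run on the constructed data it surfaces six findings: a leaver still in GitHub and Slack two weeks after termination, an account nobody on the roster owns, an engineer holding cloud admin outside her role, and a dormant read-only cloud account held by someone whose role grants no cloud access at all. A review run within 24 hours of the termination raises no offboarding finding, which is the SLA the checklist asks for.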

Code & change

  • Pull-request review required before merge.
  • Branch protection on main (no direct pushes).
  • Automated tests run on every PR.
  • Audit log of who deployed what to production.
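The first three items in that list are one branch-protection setting, and they can be checked rather than attested. This is an added example, not code from the original post or from GitHub: the two dicts are constructed to follow the shape of GitHub's `GET /repos/{owner}/{repo}/branches/{branch}/protection` response as I know it (`required_status_checks`, `enforce_admins`, `required_pull_request_reviews`, `allow_force_pushes`); fetching the real JSON from the API is left to the reader, and the check itself is mine.

```python
"""Branch-protection check for the "Code & change" controls.

Added example; not code from the original post or from GitHub. The dicts are
constructed in the shape of the GitHub branch-protection API response.
"""
import json

# Constructed: a main branch configured the way the checklist asks for.
PROTECTED = {
    "required_status_checks": {"strict": True, "contexts": ["ci/test", "ci/lint"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": False,
        "required_approving_review_count": 1,
    },
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

# Constructed: protection switched on, but with every hole an auditor walkthrough would flag.
WEAK = {
    "required_status_checks": {"strict": False, "contexts": []},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}


def check_branch_protection(protection, min_approvals=1):
    """Return the checklist items the branch fails; an empty list means compliant."""
    failures = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        failures.append("pull-request review not required before merge")
    elif reviews.get("required_approving_review_count", 0) < min_approvals:
        failures.append(f"fewer than {min_approvals} approving review(s) required")
    checks = protection.get("required_status_checks") or {}
    if not checks.get("contexts"):
        failures.append("no required status checks: tests are not enforced on PRs")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        failures.append("admins can bypass protection, so direct pushes remain possible")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        failures.append("force pushes allowed: history can be rewritten after review")
    return failures


def check_branch_protection_json(text, min_approvals=1):
    """Same check over the raw JSON text an API call would return."""
    return check_branch_protection(json.loads(text), min_approvals)


def evaluate_repos(repos, min_approvals=1):
    """Map repo name -> failures: the fleet-wide version of the same evidence check."""
    return {name: check_branch_protection(prot, min_approvals) for name, prot in repos.items()}


if __name__ == "__main__":
    for name, failures in evaluate_repos({"api": PROTECTED, "legacy": WEAK}).items():
        print(name, "OK" if not failures else failures)
```

The `enforce_admins` item is the one founders most often miss: with it off, "branch protection on main" is true for everyone except the two people who can do the most damage. Run this over every repository that deploys to production and keep the output; it is exactly the evidence the walkthrough asks for.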

Data

  • Encryption at rest (your cloud provider does this — confirm it).
  • Encryption in transit (TLS 1.2+ everywhere).
  • Documented backup procedure with at least one quarterly restore test.
  • Documented data retention policy.

Vendors

  • A list of every third party that touches customer data.
  • A copy of each one's SOC 2 (or SIG, or DPA).
  • Annual review.

Incident response

  • A documented procedure for what happens when something breaks (who calls whom, what the timeline is, where the runbooks live).
  • A test of the procedure at least once a year (a tabletop exercise is fine).

Step 6 — the first 90 days

| Week | Action |
|------|--------|
| 1 | Pick scope, platform, auditor. Sign contracts. |
| 2 | Connect cloud + identity + GitHub to the compliance platform. |
| 3 | Write the policies. Most platforms have templates — edit them, do not copy verbatim. |
| 4 | Roll out training. Push everyone through it. |
| 5–8 | Remediate findings the platform surfaces. Most are MFA gaps, missing docs, stale users. |
| 9–12 | Type I audit. |

Step 7 — what you can defer

You do not need:

  • A separate Head of Security. The CTO can own this.
  • A 24/7 SOC. Most SMEs use a managed-detection-and-response (MDR) provider — or none, and document the risk.
  • A bug-bounty program. You can run one later.
  • ISO 27001 simultaneously. Get SOC 2 first; if a customer asks for ISO, the gap is small.

Where NoDowntimeShield fits

Your compliance platform answers the question "are the controls in place?" NoDowntimeShield answers "are they working right now?" — daily monitoring of the production-side controls auditors flag in their walkthroughs (TLS, secret hygiene, exposed surfaces, dependency vulnerabilities). The two work together.

Start at /check — the SOC 2-relevant findings are tagged in the report so you can map them straight into your compliance platform.