(1) SOC2 is somewhere between $10,000 and $20,000 if you do it cheap.
(2) That's a dollar amount that most bootstrappers can swing.
(3) Critically, you don't do SOC2 until you have a critical mass of purchases requiring it.
(4) Many (most?) of your customers, especially your early customers, won't require it, and/or will have alternate paths for companies without a SOC2 attestation.
(5) When you finally do hit the big deal that absolutely demands an attestation, you can often cut a contingent PO: you sign the deal, deliver the stuff, but you don't get paid (or you don't get the last tranche) until you get the SOC2 attestation.
(6) You can get a SOC2 attestation real, real quick.
There may be other things keeping people from bootstrapping SaaS businesses, but this isn't one of them.
SOC2 is also waaaay less expensive on the development side if you do just a little upfront development in dev tooling: logging, backups, encryption in transit and at rest, tagging data with sensitivity levels, IAM policies, and CI. I've seen a few founders who invested a few weekends pre-funding into this sort of tooling get to SOC2 and have almost no development costs (still have to document those processes though).
You don't even need to bother with the encryption and sensitivity levels (your data classification policy can be just that, a policy). The ace move is to roll a set of SOC2 policies that just captures what modern dev teams do anyways; that was the idea behind https://latacora.micro.blog/2020/03/12/the-soc-starting.html.
The right way to think about SOC2 is that it's a ~$15k outlay that will come up when a major customer proposes a P.O. that justifies it, and little else.