Hacker News new | past | comments | ask | show | jobs | submit login

SOC2 is also waaaay less expensive on the development side if you do just a little upfront development in dev tooling: logging, backups, encryption in transit and at rest, tagging data with sensitivity levels, IAM policies, and CI. I've seen a few founders who invested a few weekends pre-funding into this sort of tooling get to SOC2 and have almost no development costs (still have to document those processes though).



You don't even need to bother with the encryption and sensitivity levels (your data classification policy can be just that, a policy). The ace move is to roll a set of SOC2 policies that just captures what modern dev teams do anyways; that was the idea behind https://latacora.micro.blog/2020/03/12/the-soc-starting.html.

The right way to think about SOC2 is that it's a ~$15k outlay that will come up when a major customer proposes a P.O. that justifies it, and little else.


SOC2’s cost is primarily just the branding and audit.

Most of the controls are easy ti meet if you follow any sort of best practices.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: