For the first SOC2, I don't hold this against a startup (I appreciate they are going through the efforts this early). Would want to see it become 6 month/1 year as the program matures. A vendor like this is low risk (aggregator of "public" information, limited data sharing, etc).

I have all sorts of issues with Vanta/Drata "compliance as a service" tools, but adequate for something like this, at this point in time.