You've found a big market gap and are rapidly building the next SaaS unicorn. You've convinced big name investors of your smarts, and raised a sizeable seed round. Now, your engineers are cracking away at it and you're pitching to your first marquee customers. It's full steam ahead, and things look bullish.
Then, you hit a speed bump.
Your first big prospect drops you a mail saying, "we're really excited about trying out your product. But by the way, are you guys SOC II compliant?"
As it turns out, you're not. 😮
If you find yourself in a situation like this, this guide is for you. Here's how to achieve SOC 2 Type II compliance fast, like we did, by following these 5 steps.
SOC 2 covers 5 trust service criteria: security, availability, processing integrity, confidentiality, and privacy. The current maturity of your startup and the demands of your specific software category should inform which you want to pursue compliance for. Besides security (which is a must-have), you get to choose which other criteria you want to include in your assessment.
Security is the most important criterion to fulfil, as it serves as the foundation for everything else, and early-stage startups should prioritise it. In addition, ask your potential customers whether they require any other trust service criteria that may be critical in your category. For example, processing integrity will be crucial if you are building a SaaS product in Fintech.
Availability may be an important criterion if your customers have concerns about uptime, including Service Level Agreements (SLAs). This is especially likely for infrastructure products such as databases.
Confidentiality is usually important if you find yourself storing customer data that is covered by a Non-Disclosure Agreement (NDA). This might be especially true for startups touching on government data.
Similarly, Privacy is usually important for companies storing personally identifiable information (e.g., employment or health care data). If data privacy is an important trust standard for your startup, you might also be working towards GDPR compliance. While there are some similarities between GDPR and SOC 2, there are also key differences, so it is important to understand the full scope of GDPR compliance and what is needed to fulfil it.
After deciding on the criteria that you want to prioritize, the next step is to decide on an observational period. There are two layers to the SOC 2 process: Type I, which evaluates your security systems at a single point in time, and the more stringent Type II, which checks for compliance continuously over a longer period.
How long this timeframe should be is a matter to align with your auditors, but we strongly suggest 6 months: enough time to be confident that your security measures are robust and reliable, but not so long as to delay rollout. Remember, SOC 2 Type II compliance needs to be renewed every 12 months, and your monitoring continues even after the initial audit, so there is no reason to prolong your first audit period unnecessarily.
Compliance platforms help you project manage and automate the range of processes required to achieve SOC 2, and picking one that best fits your needs is important in making sure everything goes smoothly downstream.
You should know that any of these tools will technically work in helping you achieve SOC 2 compliance, but some will make it easier than others. While the usual considerations such as pricing, quality of support and ease of use should be on your mind, probably the most important criterion to evaluate these platforms against is how extensive their automation capabilities are.
Automating the security monitoring and reporting process is especially important when pursuing SOC 2 Type II compliance, because manually gathering and uploading the evidence SOC 2 requires can be extremely time consuming over a 6-month period. A good compliance platform plugs in seamlessly to your security tech stack to automatically and continuously gather monitoring information, so you and your auditors can effortlessly see the security status of your data systems.
For this reason, you want to choose a compliance platform which has the appropriate integrations into the tools in your current security tech stack. We'll cover considerations around selecting security tools in Step 3. But the best compliance platforms should integrate into a wide range of tools so your automated SOC 2 monitoring and reporting continues, even if you change the specific security tools you use.
We spent some time comparing different platforms, and decided on Drata. Here are some reasons why we thought they worked best for us, and would for most early-stage startups:
Some thoughts on other alternatives we were considering:
For more in-depth coverage of SOC 2 providers and their pros and cons, check out this post by our friends from Nira.
Once you've picked your compliance platform, simply follow the guidance provided within its app to implement all the necessary data security policies and protocols required for SOC 2 compliance.
The next step in your SOC 2 process is to select an auditor. Any licensed CPA firm that specializes in information security can do the job, and you'll probably get a few recommendations by asking around or from your compliance platform provider. We had a great, seamless experience working with the Johanson Group.
If you have a shortlist of auditors and are wondering how to choose between them, note that most will have similar accreditations, e.g. registration with the Public Company Accounting Oversight Board (PCAOB). Such labels should be seen as standard must-haves, rather than a compelling reason to choose one over another.
Instead, the more important question you should be asking potential auditors is: have they audited software companies at a similar stage and in a similar industry to you? This is critical because an auditor who already understands your situation will be able to provide specific guidance, and save you time spent explaining technical details about your product and category.
As your compliance platform will tell you, you may be missing some key security tools that you need to achieve SOC 2 compliance. While the types of tools and features you will need will differ depending on the maturity of your company and your specific industry, we will cover the general must-haves here, and explain how we chose between options.
Note that for each type of tool, most options will do the job as far as SOC 2 compliance is concerned. You should choose based on:
Additionally, cloud providers like AWS or Heroku typically have built-in native security tools which you may want to consider. We rarely chose to go with these because 3rd party apps were generally more cost-efficient for our early-stage needs — but they might work well for you if your product is more mature.
Here are the tools we went with, and why:
After you've followed the detailed guidance on your compliance platform, and filled out the missing layers of your security tech stack, your final task is to write a security system description that you will be required to submit to your auditors.
Unfortunately, there isn't a generic template for this, given how much this differs by the specific nature of your product category.
However, that doesn't mean that you need to figure out how to write this up from scratch. Instead, we suggest referring to what companies similar to yours have done. For example, we looked at two other companies, Segment and Census, as references when writing our own, because of some architectural similarities we saw between their products and ours.
How do you get security system descriptions from other companies to refer to? Many companies (including ours) will provide their SOC 2 compliance reports upon request, under relevant NDAs, and if you are not a direct competitor. These reports can be extremely helpful in figuring out your own approach to specific security protocols for your own product. Additionally, they provide useful examples of how to structure and word your own report.
With that, you're basically done. Submit your security system description to your auditors, give them access to your compliance platform, and leave things running for the observational period you've decided on. If you've done all the above, you'll achieve SOC 2 Type I compliance immediately and Type II compliance in 6 months' time.
You can now confidently reply to your prospective customer: "Yup, we're SOC 2 Type II compliant. Let us know if you'd like to see the report," and close out that big deal.
Who knew SOC 2 compliance could be that easy? 😎
Eager for more tips on how to get complicated things done fast at your SaaS startup? Be sure to sign up below to receive the latest guides and inspiration from our Product-Led Sales blog. We'll also send subscribers additional SOC 2 content in the future, such as comparisons between providers and our recommended security stack.