by _fat_santa 1427 days ago
Reading about SOC2 compliance, as a solo founder it would be impossible for me to get SOC2 compliance because there is just one of me, right? Every time I read the requirements it's always: this person for X, this person for Y, this person for Z, which makes it seem like if you don't have a full team working on a project, it's impossible to get SOC2 compliance because there aren't enough people.
4 comments

Yes, it's not practical, and by design. In effect, this is simply acknowledging the reality that if they want to ensure a certain process, then someone has to bear the overhead of monitoring and control; so if a company wants to buy some sensitive service from a solo founder or a smallish company, then they have to take responsibility themselves, and they can delegate this duty to vendors only if the vendor actually has certified capability to do this high-overhead process.

It has some parallels to earlier initiatives like PCI DSS for payment cards, which effectively said "If you can't do this list of requirements, then you'll have to delegate the sensitive stuff to someone who can", ensuring that every mom&pop pizza shop doesn't have a full list of their customers' credit card numbers unencrypted on a publicly exposed database. It doesn't prevent all breaches, of course, but it did make them fewer.

It depends on the risk tolerance of your customer, but you would likely fail.

The reason being: What happens if you get struck by a bus? Your business dies overnight (or until the hosting bill doesn't get paid) and now your customers are screwed.

Many of the controls are about what happens when staff depart, both planned and unplanned. What is the power structure in the org? How do you prevent employees from damaging your business operations?

Resilience is important to any enterprise, and many audits now evaluate how hardened your business is.

Maybe a morbid startup idea of "I'll ensure business continuity if you die so you can pass SOC2" lol

This is, unfortunately, a legitimate reason not to make solo suppliers a part of your supply chain. Inability to implement things like mandatory vacations and separation of duties does mean only you need to be compromised to become a threat vector, and that is easier than compromising multiple people. It doesn't mean you can't run a solo business, but you should focus on selling to organizations that are not likely to become the target of a supply chain attack.

I wonder if you can hire a law firm or a consultancy to help with this. They would have people on staff who can be legally designated as your point-of-contact for a given role?