by bootstrpppin 583 days ago
This'll be unpopular, but if you want to keep it super lean and avoid being asked for compliance certs like SOC2/ISO, you could consider building it as an installable app on top of a platform your customers already trust

i.e. a Salesforce App.

That way, they already use/trust the environment where the storage/processing of their sensitive data is taking place, akin to an old school 'on prem' solution (but without as much headache for you)

Worth thinking about

2 comments

IMO just get ISO 27001 to demonstrate that you are managing the sensitive information properly, and you will also improve your client confidence.

I work as an ISO 27001 auditor, and help companies get ISO 27001 certified in no time (1-2 months), with a budget from 5k - 8k in total (external support and certification included). The goal is to keep it simple, save costs, and in the end get the company certified.

"Oh, wow, I had no idea it was that affordable, we should talk..." is the response you are hoping for, correct? Self-promotion is not prohibited, but it goes better if you engage with the discussions here beyond just your own marketing.

Anyhoo, I don't think thousands of dollars for certification makes sense for a solo dev who is kicking an idea around.

This helps only if your extendee is providing a PaaS for you and makes guarantees. Last time I made a Slack extension, for example, I had to egress and ingress client data.