[jaspanglia]

Most early-stage founders don’t start with full SOC2 immediately. You can begin with strong security practices, transparent documentation, privacy policy, backups, access controls, and third-party audits before going for certification.

[sochix]

What kind of documents should I show customers to make them trust me that I follow best security practices? They trust Soc2 Type2, what else could work?

[zrobotics]

If they don't have a strict requirement on SOC2, then either PCI compliance or NSA CISA are more easily done without needing tons of money.

Edit: PCI would only apply if you are processing customer funds Iirc, it's been a few years since I went through one but thereay be some caveats for that to apply.