[rozumbrada]

Not possible in case your clients are not stupid. Any company with SOC2 and <5 people is a red flag.

You might find auditors that would go along but any reasonable client will check your SOC2 report and quality of your auditors.

SOC2 requires tons of paperwork and management and separation of duties with also mandatory roles in your company - never feasible in a one man show.

[panflute]

I've seen a small company do a SOC2 where the "CEO" seems to be the only actual employee..

Its a lot of paperwork but it is supposed to scale for company size so you could dismiss with a lot of the separation if the CEO accepts risks and perhaps relies on a fair amount of external systems that are already certified and has some contractors for specific tasks etc.

[sochix]

So that means that solo-entrepreneurs can't sell apps to big enterprises due to SOC2 limitation? I think that it is not fair

[jaccola]

It’s a disadvantage for sure but not usually a blocker.

They often have security questionnaires you can complete instead. Or, as part of signing with them, you can promise to get SOC2 by x date (which will hopefully be easier with the funds from an enterprise contract).

I’d recommend looking online at some example security questionnaires or the types of things soc2 covers and writing an internal security doc for yourself so you know your position on everything and don’t have to scramble when it comes to it.

[sochix]

Thank you for your comment!

[Freak_NL]

You can. It just means that the customer has to do the proper analyses and risk evaluation for their own SOC2 (or ISO 27001 or whatever) certification.

Just focus on providing a good value application and be frank about what you do, why you can't get certification for something like that, but that you can answer any questions they might have for their own certification process.

If the potential customer makes 'has SOC2' a requirement, than that is not a customer for you, in the same way that 'has more than 20 employees' rules you out.

[crote]

Like it or not, having a bus factor of 1 is a pretty big risk. You are a giant single-point-of-failure, which means that operations-wise you are a far riskier option to your customers than a significantly larger competitor.

[tptacek]

Big enterprise SOC2 gates are generally not real. In the limit, if you have a real deal with a real economic buyer who is actually sold on your product, you can do a conditional PO on your Type I (your Type I is automatic and can issue in a matter of weeks), but that really feels like more of a 2018 concern at this point; it's been awhile since I talked to anyone who truly had to SOC2 to close a sale.

It's important to really understand how unserious SOC2 is.

[pseudohadamard]

As the other respondent says, it's tricky but not impossible. We're a small custom shop, too small to have all the roles required, all of our software is open-source (Github/Codeberg), and we neither store nor process any customer data or PII. Almost every single item that SOC2 and similar are supposed to cover are a bad miss - https://www.youtube.com/watch?v=Utxu7pI8CeU. Not only do most things not apply to us but some are completely nonsensical, such as what physical and IT security measures we apply to keep our code confidential.

At the moment things look a bit uncertain, we're both going to run into more and more situations like this but also hopefully lawmakers will eventually realise that this stuff just doesn't work for OSS code and orgs.

[badgersnake]

It isn’t fair, but few rackets are.