by codegeek 39 days ago
I will add a few more things to this:

- Document your data and security and share that with customers instead. You can say "We don't have SOC2 at the moment but here is all our security and data policy". It works 99% of the time for me.

- Very few companies truly have policy to reject a vendor if they don't have SOC2. Those are usually large enterprise or companies in sensitive areas such as Finance/Healthcare etc. Even then, SOC2 can be waived if you can demonstrate everything else.

Disclaimer: I run a bootstrapped SaaS with low 7 figures in ARR and even though we have ISO27001, we don't have SOC2 yet. However, we take our security/data etc. very seriously and have tons of documentation and best practices that we always share with a customer who asks. Honestly, we will get SOC2 at some point just for the checklist, as I don't really care too much about them otherwise.


Fully agree, the only downside is without a SOC2 you will be asked to fill out an insane 200+ questionnaire. Good news is you have all these great LLM tools that can do this work for you, and you just check it over.
In my industry they still ask for the questionnaire even if you have a SOC2 report!
Yeah, I get this even with SOC2 Type 2 & ISO 27001 ... the requests never stop.
Just say no. Serious.
That all depends on the balance of power ...
I run a low 7 figures SaaS as well. This is the blurb I answer with when asked about SOC2 (yes, yes, AI generated):

"While we follow industry best practices that align closely with the requirements of SOC2 and similar frameworks, we have chosen not to pursue formal certification at this time. Maintaining multiple certifications and undergoing recurring audits across the various regions in which we operate would significantly increase our operational costs and, consequently, the price of our service."

An extra comment, from someone in an organisation that faced this recently, on dealing with this:

- Be outside the US. "SOC2 is an AICPA certification that is unavailable in this country".

Not sure whether that's actually 100% accurate but they stopped asking after this.

> It works 99% of the time

I would add the caveat "...as long as you have no competition." If you're in a market where alternatives exist, and they have the certification, you're definitely transparently losing sales.

From the enterprise side, I can tell you vendor certification takes an order of magnitude more time/money/effort when the vendor says "we don't have cert X but here's a mountain of drivel you can paw through to try to assess risk." And not just once, but every single year during vendor reviews. It's just not worth it unless you're legitimately bringing something irreplaceable to the table -- to the point where even our executives know to google "companyname SOC2" before even engaging in a conversation.

It depends on your target market. If you only sell to enterprise/large companies, you may need SOC2 sooner than later. If you sell to SMBs or startups, this advice works (I sell in this space mostly).
> I would add the caveat "...as long as you have no competition." If you're in a market where alternatives exist, and they have the certification, you're definitely transparently losing sales.

I wouldn't say that it's definitive, but it creates a big challenge. And they 100% will use it against you.