by jwr 38 days ago
I am a solo entrepreneur. Don't.

I learned that my business is unable to pass pretty much ANY certification or corporate IT security audit. Many of the questions simply do not apply to my business ("do you have documented procedures for revoking employee access") and the default answer is NO. Get even a single NO and you're done.

I gave up and these days actively discourage enterprises from even trying to sign up — these kinds of discussions can take a lot of your time and the expected value is negative, because sooner or later those kinds of questionnaires will be required (quite often the engineer talking to you doesn't even know this).

SOC2 falls into that category: you are unlikely to pass, and even if you do, enterprise customers will pull their own questionnaires out of, well, let's just call it their store backrooms, and you will fail those. Waste of time.

6 comments

Same. For my business, the enterprises that want to use my software wouldn't actually be worth the hassle as their usage is not more than my normal business customers (SMB). Just more work and costs on my end.

Early on, I had a potential enterprise account (well known online store) that wanted everything that enterprises wanted in addition to multiple meetings (with all the stakeholders) for a $50/month account (my mistake for not getting that information upfront).

Another time, a large Canadian media company wanted me to agree to an uncapped liability provision. Respectfully turned them down.

All in all, I lost some prestige business but if I took them on, it wouldn't move my profit levels much.

You're getting that interest because it looks like a steal. Ultimately those businesses couldn't care less about $50/m (except to chance it) but they want - or even need - the enterprise terms.

They will pay $50 for your product... And probably $950 for the terms.

(Not saying that would have been the right thing for you but my advice to folks who find themselves in this position is always 20x or 40x the price - if that is enough to make it worth your bother, then go for it. Good chance they'll pay)

My plans start at $50. Top out at $10k a month.

Obviously I know nothing about your product, so completely uninformed!

But as an enterprise buyer $50/m and $10K/m is the same bucket in terms of cost. No one will blink until around 100K, depending on what it is.

(The point I am making is; as an enterprise buyer I absolutely know how annoying it is for me to turn up and go "this random regulation, we're interpreting it in this highly specific and unique way, and we want it asap". Hence willingness to pay down that inconvenience)

If you are a solo entrepreneur, I second that - no enterprise will rely on an application built by a single person.

I don't know how people are approached, but at the company I work for we basically were laughed out of the room when we had 10 employees with our SaaS solution.

Something like passing 20 employees and 5 years on the market, and no one is laughing at us.

> do you have documented procedures for revoking employee access

The answer should be "yes". And here you just drafted one.

That's the point of going through SOC2. You make policies that you don't have and execute the policies for some amount of time to pass SOC2.

> Get even a single NO and you're done.

Why do you think that's true? SOC2 isn't pass/fail, you receive a report on your business. You can have gaping security holes and be SOC2 "certified." It's just that your SOC2 audit will reflect that.

It won't even be that. You're not going to have any gaps in your Type I if your auditor is at all competent; your Type I documents what you were doing, aspirationally, at the time of your audit.

You can have an offboarding doc even if you don't have employees. It will apply in the future once/if you do. It will be silly and useless now, but you can check it off as a YES.

I know a solo founder who got SOC2 certified. He is literally the only person running the product/company and is SOC2 certified. I found that hilarious to be honest. But he is trying to play the "win enterprise deals" game but not sure how that helps when you are literally 1 person.