by Nelkins
27 days ago
Even though I agree SOC2 in practice is of dubious security value, I do think you can lose out on sales if you don't have it. I recently had to choose among a bevy of headless CRM options for a client, and they were adamant that whatever platform we used _had_ to be SOC2 compliant. This narrowed the field significantly and ultimately we went with Strapi solely because of this requirement. I see this come up all the time. Tools like Vanta (and I'm sure others, Drata maybe, I haven't used them) make SOC2 compliance pretty "easy" in the sense that it's often a mechanical process that doesn't require too much thought. At least for me, it usually involves being in a Slack channel with an auditor, and they're advising you on all the things to do (they want you to "win"/pass, although there is no real pass/fail), and then you just need to check the boxes in Vanta.