by Nelkins 30 days ago
> Get even a single NO and you're done.

Why do you think that's true? SOC2 isn't pass/fail, you receive a report on your business. You can have gaping security holes and be SOC2 "certified." It's just that your SOC2 audit will reflect that.

1 comment

It won't even be that. You're not going to have any gaps in your Type I if your auditor is at all competent; your Type I documents what you were doing, aspirationally, at the time of your audit.