We are building a Sales and Marketing startup. We need to connect to CRM and other data sources. So we need SOC2 compliance. But it looks like SOC2 is very expensive, like $10K to 25K for Type-1. Are there any cheaper ways to get this done?
https://fly.io/blog/soc2-the-screenshots-will-continue-until-security-improves/ is probably what I'd recommend as the best reference for your situation.

That said, I'd suggest that ~20k isn't nuts for an auditor to walk you through the process bits, and is likely the cheap part. You're almost certainly going to lose more money in IC hours that your staff spend dealing with your first round of evidence collection than the 20k.
Do you really need SOC2 compliance? If a customer problem is big enough and underserved, could you start serving customers without it? Or is it a way of potential customers telling you "no" while being nice about it?
SOC2 is a process, i.e. become compliant, then get an audit.

So become compliant and put the label on your website. Don't get an audit.

With any customers, when asked, always mention that you have followed all the procedures and are waiting for an audit.
Great question. I'd be also interested in good auditor firms. That's really what SOC is - sign off by auditors on criteria. SOC-1 is for an initial snapshot, SOC-2 for a 1 year interval or so, proving the controls work.
I worked at a sales and marketing startup where we connected to many CRM instances. We never bothered getting a SOC2. The CEO was always able to talk around it.
There are quite a few services that will do the glue between CRM systems and your systems. This will probably let you work around this requirement. But I would question as others have if this is really a hard requirement.
How does "Get your engineering SOC2 compliant early" jibe with "Do things that don't scale"? Isn't cleaning up your engineering act an act of premature optimization?