Tips on Getting SOC2 Type 2 Compliance
SOC2 Type 2 compliance is becoming an increasingly important signal that a SaaS company follows best practices in protecting user data. SOC2 is an auditing framework that evaluates a wide range of security- and privacy-related controls; the output is an attestation report issued by an independent auditor rather than a certificate. A Type 2 report is especially rigorous because it requires a company to demonstrate that it has operated those controls effectively over a period of time, not just at a single point in time. The report assures clients that their data is being handled securely and that the company takes security and data protection seriously.
We recently completed our SOC2 Type 2 audit at Unthread, and we wanted to share some tips with other SaaS companies who are in a similar position.
Why is SOC2 Important?
According to a recent survey, nearly 80% of enterprise companies require their vendors to be SOC2 compliant. This is in part because data breaches have become more common, and companies are now taking a stricter approach to evaluating potential business partners.
If you're a SaaS company selling to the enterprise, SOC2 can save you countless hours of filling out vendor security questionnaire forms, and can be seen as a competitive advantage over a non-compliant competitor.
How Much Time and Money Should I Expect?
This depends on the platform and the auditor that you choose, but in general:
- Cost: Between $6k and $20k total
- Time: Between 3 and 6 months
Step 1: Choose a Platform
Assuming that you don't already have the 17 policies and dozens of security controls in place and monitored, a software platform can help to generate these for you. There are dozens of platforms out there that will offer this:
- Vanta
- SecureFrame
- Drata
- Thoropass
- Dozens and dozens of others
Step 2: Choose an Auditor
While the platform can generate policies and help you monitor your compliance, an auditor will verify that your policies are sound and that your systems have stayed compliant throughout an observation window.
The platform that you pick will likely have preferred auditors to choose from, with varying cost and reputation associated with each.
We recommend going with a more established auditor that will make the process smooth and work closely with you from start to finish. At Unthread, we worked with Prescient Assurance, an industry-leading auditor, and we found them to be extremely helpful throughout. Prescient later became a happy Unthread customer as well :)
Step 3: Generate Documentation
The platform of choice will help you generate the necessary documentation and policies required by the SOC2 framework. They will generate templates that you can fill in with the information that matches your company. Plan for about 20 to 40 hours of work to complete these.
Step 4: Start the Observation Window
SOC2 Type 2 compliance requires an observation window, typically at least 3 months, during which your controls must operate as written. The auditor then reviews evidence from that window to confirm that you were not only compliant at a point in time, but that you maintained compliance with your policies throughout the period.
Step 5: Brag About Your Compliance!
Once you have completed the audit and achieved compliance, now is the time to broadcast this to your customers. We recommend featuring this on a dedicated security-focused page on your website (here's an example), adding the SOC2 logo to your footer, and sending an announcement email to your existing and prospective customers.
As an additional step, you can write up a blog post like this walking through your experience and providing tips to other SaaS companies looking to get their own compliance!
If you'd like to hear more about Unthread's experience achieving SOC2 type 2 compliance, reach out to us at [email protected]!