Tips on Getting SOC2 Type 2 Compliance

SOC2 Type 2 compliance is becoming an increasingly important signal for SaaS companies that they follow best practices in protecting user data. SOC2 is an auditing process that evaluates a wide range of security and privacy-related controls, and Type 2 certification is especially rigorous, requiring a company to demonstrate that it has maintained those controls over a period of time. This certification assures clients that their data is being handled securely and that the company takes security and data protection seriously.

We recently received our SOC2 Type 2 compliance at Unthread, and we wanted to provide some tips to other SaaS companies who are in a similar position.

Why is SOC2 Important?

According to a recent survey, nearly 80% of enterprise companies require their vendors to be SOC2 certified. This is in part because data breaches have become more common and companies are now assuming a stricter approach to evaluating potential business partners.

If you're a SaaS company selling to the enterprise, SOC2 can save you countless hours of filling out vendor security questionnaire forms, and can be seen as a competitive advantage over a non-compliant competitor.

How Much Time and Money Should I Expect?

This depends on the platform and the auditor that you choose, but in general:

  • Cost: Between $6k and $20k total
  • Time: Between 3 and 6 months

Step 1: Choose a Platform

Assuming that you don't already have the 17 policies and dozens of security controls in place and monitored, a software platform can help to generate these for you. There are dozens of platforms out there that offer this.

💡 Tip: prices for these services are all negotiable, and you should plan to leverage your quotes from one service against another to get a better deal.

Step 2: Choose an Auditor

While the platform can generate policies and help you monitor your compliance, an auditor will verify that your policies are correct and that your systems stay compliant throughout an observation window.

The platform that you pick will likely have preferred auditors to choose from, with varying cost and reputation associated with each.

We recommend going with a more established auditor that will make the process smooth and work closely with you from start to finish. At Unthread, we worked with Prescient Assurance, an industry-leading auditor, and we found them to be extremely helpful throughout the process. Prescient later became a happy Unthread customer as well :)

💡 Tip: auditing is typically a separate cost from the platform. We recommend negotiating an "all-in" price with your platform vendor that includes auditing so you're not surprised by additional costs down the road.

Step 3: Generate Documentation

The platform you choose will help you generate the documentation and policies required by the SOC2 framework. It will provide templates that you fill in with the information that matches your company. Plan for about 20 to 40 hours of work to complete these.

Step 4: Start the Observation Window

SOC2 Type 2 compliance requires at least 3 months of monitoring by an auditor to ensure not only that you are compliant at a single point in time, but that you maintain compliance with your policies throughout this period.

💡 Tip: work with your auditor to get this observation window started as early as possible. Once it begins, there is no way to speed it up.

Step 5: Brag About Your Compliance!

Once you have completed the audit and achieved compliance, now is the time to broadcast this to your customers. We recommend featuring this on a dedicated security-focused page on your website (here's an example), adding the SOC2 logo to your footer, and sending an announcement email to your existing and prospective customers.

As an additional step, you can write up a blog post like this walking through your experience and providing tips to other SaaS companies looking to get their own compliance!

If you'd like to hear more about Unthread's experience achieving SOC2 Type 2 compliance, reach out to us at [email protected]!