Get SOC 2 certified as an indie hacker
All the details about the process and the cost of getting SOC 2
Hi everyone! It’s Tony again with another update.
Recently, I just got the SOC 2 certified! This is a huge milestone for my products, especially TypingMind.
In this newsletter issue, I’d like to share everything about getting SOC 2 certified as an indie hacker (or a very small team).
SOC 2 is not that hard
Just a few months ago, this is how I imagined SOC 2 would be like: it’s something so big and “enterprisey” and completely out of reach for indie hackers because it’s either very expensive or very complicated.
However, after getting my SOC 2 Type I certification, my view on SOC 2 completely changed. Let’s get into the details.
What is SOC 2
For those who don’t know, SOC 2 is a certificate that shows that your company has good policies and processes regarding data security and privacy.
SOC 2 certificates are issued by credited auditors. You would hire one of these auditors to examine your company policies/processes/setup to determine whether your company follows best industry practices regarding security.
There is SOC 2 Type I and Type II. Type I certify that your company meets the standards at a specific point in time. Type II means that your company meets the standards continuously over a long period of time (usually 6 - 12 months).
Currently, TypingMind is SOC 2 Type I certified, I’m in progress to get Type II certified too.
Why I want SOC 2
Companies often ask if you have this certificate before making a purchase, and if you don’t, they’ll ask you to fill in a list of 50+ security questionnaires.
I’ve been through this security questionnaire process a few times with my previous products, DevUtils.com and Black Magic. It’s boring.
When I started offering the Enterprise version of TypingMind, these questionnaires started to pop up much more frequently.
Plus, I’m now targeting a lot more enterprise customers, which means they care a lot more about SOC 2 and security in general, so getting SOC 2 certified would help me increase trust and close more deals.
The cost
I thought it would cost me at least $30K/year to get certified and was mentally prepared for this cost, but in the end, it only cost me less than $10K.
Half of the cost is paid to a consulting service so they help me prepare all the documents and guide me how to get certified. The other half is paid to the auditor as a fee.
Other than the cost of money, there is also time. It took me, in total, about 10 days of work to get everything in place for compliance.
I’m a team of 5 people, with only 2 fulltime employees, so a lot of the steps are pretty easy. For a team with more people, it will probably cost more time/money.
The overall process
I started looking into getting SOC 2 by asking on Twitter and from founder friends who have done it before.
Thanks to them, I’ve learned that getting SOC 2 certified used to be a complicated and time consuming process with a lot of back and forth, but now with consulting and automation services, it has become very manageable.
One can get certified even with a team of only 2 people and less than $10K.
The whole process can be summarized into the following steps:
Learn about the SOC 2 requirements
Implement policies and changes in your company’s system to satisfy the SOC 2 requirements. Things like “your database must have a backup”, “your employees’ computer must have encryption enabled”, etc.
Preparing documents to prove that your company has implemented the changes and followed the policies.
Involve an auditor and represent the documents to the auditor.
Once the auditor has reviewed and approved the documents, you’ll get the SOC 2 Type I certificate.
Continue to monitor your system and policies to make sure your company satisfies all of the requirements for a long period, and make sure that at no point in time do you fail any requirement. After 3 or 6 months, you’ll get SOC 2 Type II certified.
Here are the costs:
Your time: you’ll need to set up the system and policies. Depends on how good you are and your current situation, this can be months or weeks or days.
Fee: you’ll need to pay for the auditor every time they are involved. If you just need to get Type I, you’ll pay them once. If you need Type II and continuously keep that Type II certified status, you’ll need to pay them every time they perform an audit, so this can be a recurring fee.
Using a consulting and automation service
I imagined getting SOC 2 would involve spending a lot of time getting back and forth with the auditor, having to write a lot of documents, and implementing so may changes to my current infra and process.
But no, it’s not that bad.
These days, people use consulting and automation services to get SOC 2 certified. Or at least that’s what friends and people on Twitter told me.
I was recommended two services that would help me understand and get SOC 2 certified. They are:
Vanta: a company from the US, quite expensive but reputable.
Sprinto: a company from India, cheaper, but a new player in the market.
What they do is that they’ll help you:
Understand what is needed to get SOC 2 certified for your specific situation via video calls.
They have a system to connect to your services and automatically detect if something does not satisfy the SOC 2 requirements. For example, you can connect your AWS/GitHub account to their system, then they’ll notify you if your database doesn’t have a backup or your main branch isn’t protected, etc. Also they’ll provide a nice dashboard with detailed report of every config and tasks you should do to sastify SOC 2 requirements.
They help you collect the data and create all the documents, policies, and prepare the final documents in a nice way that will be represented to the auditors.
They will also connect you to auditors who will perform the audit (introduce via email).
They provide a separate dashboard for the auditor so that it takes less time for the auditor to go through the documents and the evidences.
Basically, they help a lot, with a reasonable price. Like I shared earlier, my total cost was less than $10K including the auditor’s fee.
How it’s actually done
So I connected with one of the two service above. We got on a call to understand my current team and infra setup.
The actual requirements of SOC 2 are quite boring. I’m sure if you are a decent developer with a decent workflow, you’ve already satisfied most of it. Things like:
You must use a source control system like Git.
Don’t commit directly to “main” but use a branch/PR.
Have a database backup and verify that the backup is actually working.
Verify and don’t install shady npm packages.
Assess the risk of all the vendors you are using (like AWS, Vercel, Mailgun, Slack…)
Have access control to critical resources (don’t give root access to your employee if not necessary)
…
Some of the requirements are a bit too much for a usual small team, but introducing them is not a big deal, and I was totally cool with it. For example:
All your employees must go through security & privacy training (it’s like an online course) every 6 or 12 months.
Must conduct a background check for every new employee.
Conduct a pen-testing for your system using a trusted pen testing service (cost money)
…
I didn’t have much difficulty setting up my infra and processes to meet all the requirements of SOC 2. It took me around 10 days on and off to get everything checked.
Everytime I hit a road block, I contacted the consulting service, they would help me via email or video call. Very helpful.
In total, it took me about 2 months since I started contacting the consulting service to the day I got my certificate.
Things that are easier than I thought
I thought in order to get SOC 2 certified, I must implement SSO for all of my employees. I used Okta when I was an employee, it was good and secure and everything, but it’s very expensive (very very expensive!).
I later learned that getting everyone on SSO is not a requirement, as long as we have a way to control people’s access to critical resources and have a documented process on how to deal with cases when, for example, an employee’s device is hacked.
So I didn’t have to ask everyone to use SSO everywhere. It was a huge save!
The second thing I found easier than I thought is the requirement to install a “spyware” on your employee devices.
I later learned that as long as you can provide a sufficient evident that the employee’s devices are secured, you don’t need to ask them to install that “spyware”.
The “spyware” is a piece of software that runs in the background of your OS and constantly checks if your device is secure as per SOC 2 standards (things like: harddrive encrypting is enabled, lock screen is enabled, installed some sort of antivirus/antimalware software, etc.)
What I did was to give my employees two options: 1 – to install the software and let it collect the required data, or 2 – collect the data by yourself with screenshots, it would be about 6-10 screenshots showing various config and settings of the device to prove to the auditor that it’s secured as per standard.
And with that, I didn’t have to force my employees to install anything.
Things that are harder than I thought
There is a requirement to make sure that your system can be recovered in case of a disaster (disaster recovery), which is not quite hard, but very time consuming.
They basically ask you to rebuild your entire infra in another data center (or another AWS region) and verify everything works normally, then provide the evidences (screenshots) to them.
I’ve never done this before. I’ve always think that I built and setup everything from scratch, I won’t have a problem doing it again. But actually spending the time doing it is still very beneficial. I found some unnecessary environment variables and some unused components that I later removed.
So in TypingMind I have two data center (US and EU), which means I had to do it twice, each time for a region (did I mentioned time consuming?).
Do I actually benefit from getting SOC 2?
Yes.
The first thing is that I’m working with some resellers who help me sell TypingMind to other markets.
Some of them are selling to clients who are very strict about security. So I’ve been dealing with security questionnaire for quite a while.
Having a SOC 2 certificate simplifies things a lot for my resellers and me.
Second, I’m in the sales process with some enterprise customers, and most of them want to see my SOC 2. Now I can show them, so I hope this helps me close more deals.
And the last thing, SOC 2 certificate is given at the company level. It means that every product that I build from now on will automatically have the SOC 2 label on it as long as I continue to sastify all the SOC 2 requirements. This includes my previous products like DevUtils. This is a peace of mind.
So overall, I think I’ve already benefited from it. Is it worth the ~$10K/year? Not sure yet, but I hope it will in the long run.
Do you need SOC 2?
So now you know what I know about SOC 2.
Do you need it? Maybe.
I think you can consider getting it if:
You frequently have enterprise customers asking for it.
Your product is in the B2B market, and you want to make the deal-closing process smoother.
~$10K/year + 2 weeks of work for you is an acceptable cost. (it is probably higher if your company is bigger)
That’s all
Before getting SOC 2, I struggled a lot to understand the big picture of the process and spent a lot of time reading so many random articles addressing different aspects of the process, but I couldn’t find a good overview article.
So that’s why I decided to write this. I hope this post has been helpful.
I’ll see you again in next month’s issue, where I’ll share my regular indie hacking updates!
Until next time!
Do you mind to share which CPA firm you worked with?
@Tony would you be open to publishing the documents you’ve put together?
I realize there might be some sensitive info in there, but if it’s not too much effort to black out, myself (and I’m sure others) would really appreciate it!