What SOC 2 actually is
SOC 2 (Service Organization Control 2) is an audit framework developed by the American Institute of Certified Public Accountants (AICPA). A SOC 2 report is the output of an independent CPA firm examining whether your service organisation has designed and operated controls that meet the AICPA's Trust Service Criteria (TSC).
It is not a regulation. It is not a law. It is not a one-off certificate that lasts forever. It's a CPA-issued attestation report that your buyers' procurement and security teams use to decide whether to trust you with their data.
For B2B SaaS, SOC 2 has effectively become the entry ticket to enterprise sales. If you're chasing deals with banks, healthcare companies, or any Fortune 1000, expect SOC 2 to come up on the first security questionnaire.
The five Trust Service Criteria (TSC)
- Security — the only mandatory criterion. Sometimes called the "common criteria". Covers protection against unauthorised access (logical and physical), system monitoring, and incident handling.
- Availability — system uptime and operational performance per SLAs. Relevant if customers have uptime expectations beyond best-effort.
- Confidentiality — protection of information designated as confidential (NDAs, customer data, business secrets). Almost always included for B2B SaaS.
- Processing Integrity — system processing is complete, valid, accurate, timely, and authorised. Relevant for fintech, healthtech, and anything where output correctness is the product.
- Privacy — collection, use, retention, disclosure, and disposal of personal information per the entity's privacy notice. Often skipped because GDPR/CCPA already cover similar ground; include if you have a strong privacy story to tell.
For most early-stage SaaS, the right scope is Security + Availability + Confidentiality. Add Processing Integrity if customers' regulators demand it. Skip Privacy unless you're selling into healthcare or government.
SOC 2 Type I vs Type II
Two flavours, and they are very different products.
- Type I — a point-in-time audit. The auditor checks that your controls are designed appropriately as of a specific date. Faster to obtain (often 4–6 weeks once controls are in place), cheaper, and useful as a stepping stone. But: most enterprise buyers don't accept Type I. They want Type II.
- Type II — the real thing. The auditor checks that your controls operated effectively over a period of time — typically 6 to 12 months. This is what enterprise buyers actually want to see.
Strategy: get a Type I to unblock immediate deals if you absolutely need something on paper today, then immediately start the Type II observation window. Or, if you have 6–9 months of runway and patience, skip Type I and go straight to Type II.
When you actually need SOC 2
Practical thresholds:
- You're losing or stalling deals worth more than ~$10k ACV because procurement asks for a SOC 2 report.
- You're selling into regulated industries — fintech, healthtech, govtech, ed-tech in the US, defence, insurance — where SOC 2 Type II is often a hard requirement.
- Your buyer is enterprise (1,000+ employees) and has a third-party risk management (TPRM) program.
- You're raising a Series A or later and security maturity becomes a board-level question.
If you're a $5k ACV SaaS selling to small businesses, SOC 2 is overkill. A clear security page, a vendor security questionnaire response template, and a privacy policy will get you most of the way.
What auditors actually look for
SOC 2 doesn't prescribe specific technologies or vendors. It assesses whether your controls satisfy the TSC. In practice, that means two big buckets of evidence:
Written policies (you author these)
- Information Security Policy
- Access Control Policy
- Incident Response Plan
- Change Management Policy
- Vendor / Third-Party Risk Management Policy
- Risk Assessment Policy
- Data Classification and Handling Policy
- Acceptable Use Policy (yes, the AUP)
- Business Continuity / Disaster Recovery Plan
- Backup Policy
- Encryption Policy
Operational evidence (you produce these continuously)
- Access logs and quarterly access reviews
- Onboarding / offboarding records (with revocation evidence)
- Security awareness training completion records (everyone, annually)
- Vulnerability scan reports (monthly or quarterly)
- Penetration test results (annually)
- Incident tickets and post-mortems
- Change tickets with reviewer approvals
- Backup test results
- Vendor reviews / sub-processor SOC 2 reports
- Risk register with mitigations
For Type II, every one of these needs to exist and be operational over the entire observation window. Auditors sample — they pick X random employees, Y random changes, Z random incidents — and check the evidence.
The five policies you need before you start
If you're at week zero and want to look serious, start by writing these five — even just one-pagers:
- Information Security Policy — the master document. State your security principles, scope, roles, and that you align to a recognised framework (CIS Controls v8 is a great anchor).
- Access Control Policy — least privilege, MFA everywhere, SSO for team access, quarterly access reviews, joiner/leaver process.
- Incident Response Plan — what counts as an incident, severity levels, who's on call, communication plan, post-mortem template.
- Change Management Policy — PR review requirement, deployment process, who can deploy to production, rollback procedure.
- Vendor Management Policy — how you assess sub-processors, what evidence you require (SOC 2, ISO 27001, security questionnaire), review cadence.
These five satisfy a surprising number of customer security questionnaires on their own.
Realistic timeline
Honest timeline for a small SaaS team:
- Month 0–1: Pick a compliance platform (Vanta, Drata, Secureframe, Sprinto, Tugboat Logic). Scope your audit. Choose your auditor.
- Month 1–3: Implement controls. Write policies, deploy MFA across all systems, set up SSO, configure logging, start vulnerability scanning, run a pen test.
- Month 3–4: Type I audit (optional). 4–6 weeks fieldwork. Report issued.
- Month 4–12: Type II observation window (3 to 12 months — 6 months is a good first target).
- Month 12–13: Type II audit fieldwork. Report issued 4–8 weeks after fieldwork ends.
So: expect a SOC 2 Type II report in hand about a year from a cold start, or 6–7 months if you go for the shortest possible observation window (90 days, sometimes accepted as a "bridge" period).
Realistic cost
- Compliance platform (Vanta, Drata, etc.): $7k–$25k/year. Almost mandatory for a small team — manual evidence collection burns weeks.
- Auditor (CPA firm): $15k–$50k for a Type II audit. Boutique firms (Prescient Assurance, Johanson Group, Insight Assurance, A-LIGN, Schellman) are cheaper than Big Four.
- Penetration test: $5k–$20k annually.
- Readiness consultant (optional): $5k–$20k if you want hand-holding through implementation.
- Internal time: budget for 0.25–0.5 FTE during implementation, then ~0.1 FTE ongoing.
All-in for the first year: somewhere between $25k and $80k for a small team. Renewals are cheaper because the controls are already in place.
SOC 2 vs ISO 27001 vs GDPR
These are complementary, not substitutes:
- SOC 2 — US-flavoured, audit-driven, customer-facing. Strong with US enterprise buyers.
- ISO 27001 — international standard. Strong with European and Asian enterprise buyers. Certification rather than attestation.
- GDPR — EU privacy regulation. Mandatory if you handle EU personal data. Different scope (privacy of individuals vs. customer security promises).
Many fast-growing SaaS go SOC 2 first (US market), then add ISO 27001 (European expansion), with GDPR running underneath both.
Quick wins that move the needle
If you can only do five things this quarter:
- MFA on everything — admin consoles, code repos, cloud providers, business apps. No exceptions, no "trusted IPs only".
- SSO for the team — Google Workspace, Okta, or similar, federated to every business app.
- Encrypted backups — daily, off-site, tested restore at least once per quarter.
- Quarterly access reviews — a manager confirms each team member's access list, and the review itself is documented as evidence.
- Annual penetration test — use a known boutique (Cure53, Trail of Bits, NCC Group, Bishop Fox, smaller specialists). The report itself is reusable evidence.
You can be "SOC 2-ready" in a quarter with these five plus the five core policies above.
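Access reviews and offboarding only produce auditable evidence if someone reconciles who should have access against who actually does. As an added example (not ComplyKit's code or any compliance platform's tooling), here is a minimal Python reconciliation that flags leavers still provisioned and accounts with no HR roster entry, then builds the dated review record an auditor would sample; the roster, system exports and all names are constructed sample data.

```python
# Constructed sample HR roster: username -> (status, termination date as ISO string or None)
ROSTER = {
    "alice": ("active", None),
    "bob": ("terminated", "2024-02-14"),
    "carol": ("active", None),
}

# Constructed sample account exports from three systems in audit scope
SYSTEM_ACCOUNTS = {
    "github": ["alice", "bob", "carol", "deploy-bot"],
    "aws-console": ["alice", "carol"],
    "crm": ["bob", "carol", "temp-contractor"],
}

# Service accounts are reviewed separately, so they are not flagged as unknown humans
KNOWN_SERVICE_ACCOUNTS = {"deploy-bot"}


def find_exceptions(roster, system_accounts, service_accounts):
    """Return (system, account, reason) for every account that should not exist:
    leavers still provisioned (offboarding gap) and accounts with no roster entry."""
    exceptions = []
    for system, accounts in sorted(system_accounts.items()):
        for account in accounts:
            if account in service_accounts:
                continue
            if account not in roster:
                exceptions.append((system, account, "not on HR roster"))
            elif roster[account][0] == "terminated":
                exceptions.append((system, account, f"terminated {roster[account][1]}"))
    return exceptions


def review_record(roster, system_accounts, service_accounts, reviewer, review_date):
    """Build the dated evidence record an auditor would sample: reviewer, scope,
    count of accounts checked, exceptions found, and the overall outcome."""
    exceptions = find_exceptions(roster, system_accounts, service_accounts)
    return {
        "review_date": review_date,
        "reviewer": reviewer,
        "systems_in_scope": sorted(system_accounts),
        "accounts_reviewed": sum(len(a) for a in system_accounts.values()),
        "exceptions": exceptions,
        "result": "pass" if not exceptions else "remediation required",
    }


if __name__ == "__main__":
    record = review_record(ROSTER, SYSTEM_ACCOUNTS, KNOWN_SERVICE_ACCOUNTS, "jane.manager", "2024-03-31")
    for system, account, reason in record["exceptions"]:
        print(f"{system}: revoke '{account}' ({reason})")
```

Keeping the returned record (with the reviewer's name and date) for each quarter is what turns the control into the sampled evidence described under "Operational evidence" above.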
Bottom line
SOC 2 is not a magic certificate. It is a structured way to prove to enterprise customers that your security program is real and operating. The frameworks and platforms exist; the audit market is mature; the price is meaningful but predictable. Most early-stage SaaS that take security seriously can get a Type II in 9–12 months with one part-time security owner and a compliance platform.
The riskier move is shipping enterprise contracts without it and discovering, six months in, that your largest deal is blocked on a security review you can't pass.
Action steps: shore up the foundation now — generate or refresh your Privacy Policy, Terms of Service, and Acceptable Use Policy. They're three of the lightest-weight "policies" SOC 2 auditors will look for, and they double as customer-facing documents.
ComplyKit's SOC 2 policy template generator is on the roadmap.