SOC 2 Plan
A two-founder B2B SaaS path to a Type II report. About 10 months, about $50k cash. Two tracks: set up the company, build the product.
~10 mo to first Type II
~$50k cash, year 1
~5 h/wk ongoing eng tax
The short version
- Pick a compliance platform (Oneleet, Drata, or Secureframe).
- Pick an auditor (Prescient or Johanson) — book 3 months ahead.
- Adopt the platform’s ~17 policy templates. Edit for ~15 min each.
- Close the technical gaps the platform flags.
- Run a 6-month Type II observation window.
- Auditor fieldwork → signed report. Refresh annually.
Set up the company
Do once
- Name one founder the security owner (document it).
- Both sign NDAs, run background checks, enroll laptops in MDM.
- Adopt the platform’s policy templates (~4 hours total).
- Complete onboarding security training (~90 min each).
- Write the incident-response runbook (edit the template).
- List your SaaS vendors, collect their SOC 2 reports + DPAs.
Do recurring
- Quarterly — access review, vendor check, policy exceptions.
- Annually — risk assessment, fraud risk assessment (the criteria call it out separately, CC3.3), policy re-acknowledgement, training refresh, DR tabletop, external pen test.
With two founders you don't need a board, an HR department, a security committee or a dedicated compliance hire. Document separation of duties as a compensating control: every PR is reviewed by the other founder (the author never approves their own change), and CI enforces everything else (tests, scans, deploy identity).
Build the product
- SSO + hardware MFA for both founders (Google Workspace + YubiKey; set 2-Step Verification to security keys only so no SMS or TOTP fallback remains).
- RBAC, no standing production write access, JIT elevation.
- Secrets in a vault (1Password / Doppler). Never in source.
- Audit log every action: actor, target, UTC time, outcome, correlation id (the same id across a login, an elevation and the export it led to, so they can be tied together). WORM retention: 1 year hot, 7 years cold.
- Alert on auth failures, privilege escalation, bulk export, IAM changes.
- Encrypt everything: TLS 1.2+ in transit, AES-256 at rest, cloud KMS with annual key rotation. KMS rotation adds new key material for new encryptions; existing ciphertext stays decryptable under the old material and is not re-encrypted, so don't describe rotation as re-encryption in the policy.
- Branch protection + PR review: the other founder approves (author ≠ approver; GitHub refuses self-approval, so one required review in a two-person org means the other founder). CI blocking on tests, SAST, SCA, secret scan; require branches to be up to date and dismiss stale approvals on new pushes.
- Separate accounts for dev / staging / prod. 100% infra in Terraform. Deploy via CI identity, not humans.
- Backups: daily + continuous WAL, cross-region. Quarterly restore test (evidenced). Annual DR failover.
- Patch SLA: critical 7 d · high 30 d · medium 90 d.
- MDM on laptops: disk encryption, 5-min screen lock, EDR, critical OS patches ≤ 7 d.
- Data tiers: Public / Internal / Confidential / Restricted. Secure deletion via cryptographic erasure: each tenant's data is encrypted under its own key, and deleting the tenant means destroying that key, which also covers copies in backups and cold storage.
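Added example, not from the page or from any of the vendors it names: a Go program that defines the audit record the list asks for (actor, target, UTC time, outcome, correlation id) and runs the four alert rules over constructed sample events. The action names (auth.login, role.elevate, data.export, iam.*), the 5-failures-in-5-minutes and 10,000-row thresholds, and the sample log are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuditEvent is the record shape the plan asks for: actor, target, UTC time,
// outcome and a correlation id that ties related events together.
type AuditEvent struct {
	Time          time.Time `json:"time"` // RFC 3339, always UTC
	Actor         string    `json:"actor"`
	Action        string    `json:"action"`
	Target        string    `json:"target"`
	Outcome       string    `json:"outcome"` // "success" or "failure"
	CorrelationID string    `json:"correlation_id"`
	Rows          int       `json:"rows,omitempty"` // set on data.export only
}

type Alert struct{ Rule, Actor, Note string } // emitted by a detection rule

// Thresholds and action names are assumptions for this example, not from the plan.
const (
	failWindow     = 5 * time.Minute
	failThreshold  = 5
	bulkExportRows = 10000
)

// ParseLog reads newline-delimited JSON events; a malformed line is an error, not skipped.
func ParseLog(raw string) ([]AuditEvent, error) {
	var out []AuditEvent
	for n, line := range strings.Split(raw, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		var e AuditEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		out = append(out, e)
	}
	return out, nil
}

// Detect runs the plan's four rules over a batch: repeated auth failures,
// privilege escalation, bulk export and IAM changes.
func Detect(events []AuditEvent) []Alert {
	evs := append([]AuditEvent(nil), events...) // sort a copy, not the caller's slice
	sort.SliceStable(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
	var alerts []Alert
	fails := map[string][]time.Time{} // actor -> failure times still inside the window
	for _, e := range evs {
		switch {
		case e.Action == "auth.login" && e.Outcome == "failure":
			w := append(fails[e.Actor], e.Time)
			for len(w) > 0 && e.Time.Sub(w[0]) > failWindow { // age out old failures
				w = w[1:]
			}
			if len(w) >= failThreshold {
				alerts = append(alerts, Alert{"auth_failures", e.Actor, fmt.Sprintf("%d failures within %s", len(w), failWindow)})
				w = nil // reset so the next burst alerts again rather than on every failure
			}
			fails[e.Actor] = w
		case e.Action == "role.elevate": // JIT elevation is expected, but every instance is reviewed
			alerts = append(alerts, Alert{"privilege_escalation", e.Actor, fmt.Sprintf("%s -> %s corr=%s", e.Outcome, e.Target, e.CorrelationID)})
		case e.Action == "data.export" && e.Outcome == "success" && e.Rows >= bulkExportRows:
			alerts = append(alerts, Alert{"bulk_export", e.Actor, fmt.Sprintf("%d rows from %s corr=%s", e.Rows, e.Target, e.CorrelationID)})
		case strings.HasPrefix(e.Action, "iam."):
			alerts = append(alerts, Alert{"iam_change", e.Actor, e.Action + " on " + e.Target})
		}
	}
	return alerts
}

// sampleLog is constructed data for this example, not output from any real system.
const sampleLog = `
{"time":"2025-03-01T09:00:00Z","actor":"alice","action":"auth.login","target":"console","outcome":"failure","correlation_id":"c1"}
{"time":"2025-03-01T09:02:00Z","actor":"mallory","action":"auth.login","target":"console","outcome":"failure","correlation_id":"c3"}
{"time":"2025-03-01T09:02:10Z","actor":"mallory","action":"auth.login","target":"console","outcome":"failure","correlation_id":"c3"}
{"time":"2025-03-01T09:02:20Z","actor":"mallory","action":"auth.login","target":"console","outcome":"failure","correlation_id":"c3"}
{"time":"2025-03-01T09:02:30Z","actor":"mallory","action":"auth.login","target":"console","outcome":"failure","correlation_id":"c3"}
{"time":"2025-03-01T09:02:40Z","actor":"mallory","action":"auth.login","target":"console","outcome":"failure","correlation_id":"c3"}
{"time":"2025-03-01T09:10:00Z","actor":"bob","action":"role.elevate","target":"prod-admin","outcome":"success","correlation_id":"c7"}
{"time":"2025-03-01T09:12:00Z","actor":"bob","action":"data.export","target":"customers","outcome":"success","correlation_id":"c7","rows":250000}
{"time":"2025-03-01T09:15:00Z","actor":"ci-deployer","action":"iam.policy.attach","target":"role/deploy","outcome":"success","correlation_id":"c8"}
`

func main() {
	evs, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(evs) {
		fmt.Println(a.Rule, a.Actor, a.Note)
	}
}
```

Note how the elevation and the export share correlation id c7: that is what the correlation id is for, and it is what lets whoever triages the privilege_escalation alert see what the elevated session actually did. Alice's single failure stays below the threshold and produces nothing. The parser rejects a malformed line rather than skipping it, because a gap in the audit trail is itself something to investigate.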
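Added example, not from the page: per-tenant envelope encryption in Go, with an in-process KeyStore standing in for the cloud KMS (in production the KEK never leaves the KMS and the app calls its decrypt API on the wrapped DEK). It shows the two properties the encryption and deletion items above depend on: rotating the KEK rewraps the DEKs without touching stored ciphertext, and erasing a tenant is dropping its DEK, after which every copy of its data, backups and cold storage included, is unreadable. KeyStore and its method names are hypothetical; the cipher is AES-256-GCM from Go's standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore is a stand-in for the cloud KMS: a key-encryption key (KEK) plus one
// data-encryption key (DEK) per tenant, stored only in wrapped form.
type KeyStore struct {
	kek     []byte
	wrapped map[string][]byte // tenant -> DEK sealed under the current KEK
}

func newKey() []byte {
	k := make([]byte, 32) // AES-256
	if _, err := rand.Read(k); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return k
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a bad key length
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal returns nonce || AES-256-GCM ciphertext || tag under key.
func seal(key, pt []byte) []byte {
	g := mustGCM(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; a truncated or tampered blob fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	g := mustGCM(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

func NewKeyStore() *KeyStore {
	return &KeyStore{kek: newKey(), wrapped: map[string][]byte{}}
}

// Provision generates a tenant's DEK and stores it wrapped under the KEK.
func (ks *KeyStore) Provision(tenant string) {
	ks.wrapped[tenant] = seal(ks.kek, newKey())
}

// DEK unwraps a tenant's key, as the KMS decrypt call would for the app.
func (ks *KeyStore) DEK(tenant string) ([]byte, error) {
	w, ok := ks.wrapped[tenant]
	if !ok {
		return nil, fmt.Errorf("tenant %q: no DEK (erased or never provisioned)", tenant)
	}
	return open(ks.kek, w)
}

// RotateKEK is what annual KMS key rotation amounts to here: every DEK is
// rewrapped under a fresh KEK; the stored ciphertext is never touched.
func (ks *KeyStore) RotateKEK() error {
	next := newKey()
	for tenant, w := range ks.wrapped {
		dek, err := open(ks.kek, w)
		if err != nil {
			return err
		}
		ks.wrapped[tenant] = seal(next, dek)
	}
	ks.kek = next
	return nil
}

// Erase is cryptographic erasure: drop the wrapped DEK and every copy of the
// tenant's ciphertext becomes unreadable, wherever it lives.
func (ks *KeyStore) Erase(tenant string) {
	delete(ks.wrapped, tenant)
}

func main() {
	ks := NewKeyStore()
	ks.Provision("acme")
	dek, _ := ks.DEK("acme")
	ct := seal(dek, []byte("restricted: 123-45-6789")) // constructed sample record
	_ = ks.RotateKEK()
	dek, _ = ks.DEK("acme") // same DEK, now unwrapped under the new KEK
	pt, err := open(dek, ct)
	fmt.Printf("after KEK rotation: %q err=%v\n", pt, err)
	ks.Erase("acme")
	_, err = ks.DEK("acme")
	fmt.Println("after erasure:", err)
}
```

The caveat to record alongside this control: erasure by key destruction only holds if no plaintext copies exist outside the envelope (application logs, search indexes, caches, exports), and the deletion evidence for the auditor is the key-destruction record plus the list of places the wrapped DEK was stored.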
What to buy
| Item | Options | Cost |
|---|---|---|
| Compliance platform | Oneleet / Drata / Secureframe | $5–15k/yr |
| Auditor (Type II) | Prescient / Johanson | $18–35k |
| Pen test (annual) | Small-scope web + API | $8–15k |
| MDM + EDR + password manager | Kandji + SentinelOne + 1Password | $0.5–1.5k |
| Legal review | DPA + SCCs | $2–5k |
Year 1 budget
| Line | Cost |
|---|---|
| Platform | $5–15k |
| Auditor | $18–35k |
| Pen test | $8–15k |
| Tooling + legal + checks | $3–7k |
| Cash total | $34–72k |
SOC 2 is an AICPA attestation (SSAE 18 / AT-C 205); criteria per TSP 100 (2017, rev. 2022). 2025–2026 market pricing.