Don't. You are exactly the wrong kind of firm to be pursuing SOC2.
SOC2 is like the corporate GPL of security. It's an infectious secret handshake company security teams swap in lieu of filling out security questionnaires. Nobody savvy takes it seriously.
There will come a time when your business will grow to the point where it makes sense to pay for the secret handshake. The overwhelmingly most likely scenario in which that happens is a purchase order made contingent on your SOC2 Type I attestation, where the revenue from that purchase order more than pays for the attestation.
Do not ever do a SOC2 speculatively, in the hopes that it will improve your sales prospects. Plenty of successful firms don't have SOC2s. If you're losing sales where SOC2 is a factor, you didn't have those sales to begin with.
*Plenty of successful firms don't have SOC2s. If you're losing sales where SOC2 is a factor, you didn't have those sales to begin with.*
We do have ISO27k1, and we had a "customer/prospect for more" who has a person that requires us to be "DORA compliant". It is just an excuse, I know, because we don't fall under DORA (they might be clueless about how it works; that's the other explanation). They do fall under DORA, so they need to make sure they check that their suppliers basically have ISO27k1 and are following what we wrote in our ISO27k1 documentation.
We got away with not having ISO27k1 for years (filling in forms and proving to people who care that we are doing good; I did have to go and talk with CISOs so they trust that I care about this stuff), but not since 2025 in Europe. I firmly believe that if we hadn't done ISO27k1 last year, people would have just stopped talking to us, based on feedback I got from business people (excluding the pure "let's make an excuse" cases I wrote about above).
That said, I am not arguing against what tptacek wrote, as he is way more experienced than I am; I am just stating my experience, which is also a decade in SaaS. I am working for a company that has between 20 and 30 employees, so it also makes sense to be ISO27k certified. We deliver b2b to big companies.
Plus, even when you have SOC2 (+pen test, +ISO 27001), you'll still have to fill out questionnaires!
Even though I agree SOC2 in practice is of dubious security value, I do think you can lose out on sales if you don't have it. I recently had to choose among a bevy of headless CRM options for a client, and they were adamant that whatever platform we used _had_ to be SOC2 compliant. This narrowed the field significantly and ultimately we went with Strapi solely because of this requirement. I see this come up all the time.
Tools like Vanta (and I'm sure others, Drata maybe, I haven't used them) make SOC2 compliance pretty "easy" in the sense that it's often a mechanical process that doesn't require too much thought. At least for me, it usually involves being in a Slack channel with an auditor, and they're advising you on all the things to do (they want you to "win"/pass, although there is no real pass/fail), and then you just need to check the boxes in Vanta.
> in lieu of filling out security questionnaires.
Isn't that no longer an issue in AI era?
Superwhisper got SOC2 around the same month they hired their first employee.
I would guess they did it for due diligence compliance, not to enhance their security practices. It’s a b2b checkbox.
As someone who had to cobble together a SOC2 program: this is mostly true. At a large enough firm, SOC2 is useful as a base level of operations integrity which lots of small firms lack.
If you have not reached that level as a firm, a good and recent pen test does the trick.
+1, and to add to that… this is the correct answer for basically any kind of "enterprise" requirement from a customer as a solo founder.
Don't make anything harder on yourself before you have to, and then, at the point that you have to (like needing an authority-to-operate certificate for a classified network), you'll have the resources to be able to get what you need.
I will add a few more things to this:
- Document your data and security policies and share them with customers instead. You can say "We don't have SOC2 at the moment, but here is all of our security and data policy." It works 99% of the time for me.
- Very few companies truly have a policy to reject a vendor if they don't have SOC2. Those are usually large enterprises or companies in sensitive areas such as finance/healthcare, etc. Even then, SOC2 can be waived if you can demonstrate everything else.
Disclaimer: I run a bootstrapped SaaS with low 7 figures in ARR, and even though we have ISO27001, we don't have SOC2 yet. However, we take our security/data etc. very seriously and have tons of documentation and best practices that we always share with a customer who asks. Honestly, we will get SOC2 at some point just for the checklist, as I don't really care too much about them otherwise.