Hacker News

jwr, yesterday at 6:20 PM (2 replies)

I am a solo entrepreneur. Don't.

I learned that my business is unable to pass pretty much ANY certification or corporate IT security audit. Many of the questions simply do not apply to my business ("do you have documented procedures for revoking employee access") and the default answer is NO. Get even a single NO and you're done.

I gave up and these days actively discourage enterprises from even trying to sign up — these kinds of discussions can take a lot of your time and the expected value is negative, because sooner or later those kinds of questionnaires will be required (quite often the engineer talking to you doesn't even know this).

SOC2 falls into that category: you are unlikely to pass, and even if you do, enterprise customers will pull their own questionnaires out of, well, let's just call it their store backrooms, and you will fail those. Waste of time.


Replies

Nelkins, yesterday at 8:08 PM

> Get even a single NO and you're done.

Why do you think that's true? SOC2 isn't pass/fail, you receive a report on your business. You can have gaping security holes and be SOC2 "certified." It's just that your SOC2 audit will reflect that.

tortilla, yesterday at 6:50 PM

Same. For my business, the enterprises that want to use my software wouldn't actually be worth the hassle, as their usage is not more than that of my normal business customers (SMB). Just more work and costs on my end.

Early on, I had a potential enterprise account (well known online store) that wanted everything that enterprises wanted in addition to multiple meetings (with all the stakeholders) for a $50/month account (my mistake for not getting that information upfront).

Another time, a large Canadian media company wanted me to agree to an uncapped liability provision. Respectfully turned them down.

All in all, I lost some prestige business but if I took them on, it wouldn't move my profit levels much.
