SSAE 16 and SOC 2 certification for bootstrapped company

Hey all!

Have any of you with a (small) bootstrapped company gone through an SSAE 16 or SOC 2 certification process?

One of our customers requires us to be certified annually as part of their vendor process.

I would like to understand what the process is like for a small company like ours. And how much I’ll need to charge my client to remain profitable :slight_smile:

Thanks!


I wouldn’t do it. You’re looking at at least US$12k/year (and potentially a whooooooole lot more, especially in the first year) going to the auditors, plus the “operational drag” of having to have all the policies, and then prove you followed the policies, and then prove that you can prove that you followed the policies… and so on. That US$12k is for absolute bargain-basement, useless-as-wheels-on-a-tree auditor, that’ll do more harm than good. I hate to think what an actually useful auditor would charge.

If your product is actually valuable, I’ll bet that your client will be able to make an exception for you in their procurement process. It’s been my experience that when big companies say, “oh you need to have SOC2/ISO27001/WunderCert2.0”, and you reply, “well, we don’t, and we’re not going to get it”, whatever senior executive lusts for your product will overrule procurement or IT Security or whoever is pushing for it, and you’ll get in without needing it. “No” is a very powerful word.

Also, don’t believe anyone who says that if you’ve got SOC2, you’ll be able to avoid filling out those dire and useless security questionnaires, either. That was one of the touted benefits of getting SOC2 for a place I know of. Before SOC2, the conversation went:

“Are you SOC2 compliant?”
“No.”
“OK, well fill out our security questionnaire then.”
(Sound of head banging on desk for several hours)

After we got SOC2, the conversation now goes:

“Are you SOC2 compliant?”
“Yes! Here is our paperwork about that.”
“Great, now fill out our security questionnaire.”
(Sound of head banging on desk for several hours)

Another touted benefit of SOC2 is that it would encourage the company to tighten up their security, get important policies in place, etc etc. It didn’t. All the actually useful security stuff was already being done, and in a couple of places the auditors had to be educated about how what was being done was better than what they were telling the company they had to do. The rest was just pointless busy work to tick a box.

You have far, far better things to be doing with your time and money, as a small company, than to chase SOC2 compliance. If the customer walks away as a result, consider yourself lucky. Strictly mandating SOC2 compliance from vendors is highly correlated with the mandating organisation being a complete waste of oxygen. The customer that convinced the company I mentioned above to get SOC2 compliant was a massive pain to work with, and then eventually cancelled the contract before the project even went live. I’d say “bullet dodged”, but management decided to stick with maintaining SOC2, in a spectacular demonstration of the power of the sunk cost fallacy. So I guess it’s half a bullet dodged?


Hi @mpalmer,

Many thanks for taking the time to tell your experience and write such a detailed answer.

I’ve replied to my client with a price range that is consistent with your assessment (a bit higher actually).

But I’d totally agree with your general point of view that the best strategy might actually be to find a way around not being certified. It just doesn’t make sense for small companies :slight_smile:

I’ll keep you & the forum posted about the outcome!


Thought I would provide some update after my original message.

It’s been a long process with procurement, but after 3 months the client (procurement team and business unit alike) agreed to waive the SSAE 16 and SOC2 certification requirements.

I think it helped that we showed good faith and gave them a free subscription while we were negotiating the custom T&Cs.
