It’s a disadvantage for sure but not usually a blocker.
They often have security questionnaires you can complete instead. Or, as part of signing with them, you can promise to get SOC2 by x date (which will hopefully be easier with the funds from an enterprise contract).
I’d recommend looking online at some example security questionnaires or the types of things soc2 covers and writing an internal security doc for yourself so you know your position on everything and don’t have to scramble when it comes to it.
You can. It just means that the customer has to do the proper analyses and risk evaluation for their own SOC2 (or ISO 27001 or whatever) certification.
Just focus on providing a good value application and be frank about what you do, why you can't get certification for something like that, but that you can answer any questions they might have for their own certification process.
If the potential customer makes 'has SOC2' a requirement, than that is not a customer for you, in the same way that 'has more than 20 employees' rules you out.
Like it or not, having a bus factor of 1 is a pretty big risk. You are a giant single-point-of-failure, which means that operations-wise you are a far riskier option to your customers than a significantly larger competitor.
It’s a disadvantage for sure but not usually a blocker.
They often have security questionnaires you can complete instead. Or, as part of signing with them, you can promise to get SOC2 by x date (which will hopefully be easier with the funds from an enterprise contract).
I’d recommend looking online at some example security questionnaires or the types of things soc2 covers and writing an internal security doc for yourself so you know your position on everything and don’t have to scramble when it comes to it.
Thank you for your comment!
You can. It just means that the customer has to do the proper analyses and risk evaluation for their own SOC2 (or ISO 27001 or whatever) certification.
Just focus on providing a good value application and be frank about what you do, why you can't get certification for something like that, but that you can answer any questions they might have for their own certification process.
If the potential customer makes 'has SOC2' a requirement, than that is not a customer for you, in the same way that 'has more than 20 employees' rules you out.
Like it or not, having a bus factor of 1 is a pretty big risk. You are a giant single-point-of-failure, which means that operations-wise you are a far riskier option to your customers than a significantly larger competitor.
It isn’t fair, but few rackets are.