Oneleet’s Post


Attention all startup founders. Don't Google or ChatGPT your security questions - Ask Bryan Onel. Even if you're not ready to move on compliance or using another vendor. He just cares about security and making sure you understand it.


CEO @ Oneleet | Penetration Tester (OSCP) | Destroyer of compliance security theater

I'm getting quite a few questions from founders about whether to do SOC 2 type 1 or type 2. This is what I tell them:

Type 1
- If you are in a hurry and a potential customer demands SOC 2 compliance (type 1 only), you should be able to get it done with 40-60 hours of work and close that deal asap.
- Easier lift because it doesn't require an observation period.

Type 2
- Most companies prefer a type 2 report as it demonstrates a more robust compliance program.
- If you primarily target enterprise customers or companies operating in more regulated industries, such as fintech or healthtech (HIPAA should also be considered for healthtech).
- If your customers have larger security teams, they will often require type 2 because they want to ensure that what you've implemented is consistently adhered to over time.

If you're unsure, don't hesitate to reach out. We're happy to help you figure out which is most suitable. A safe option might be to opt for a type 2 and, if a customer requires a type 1, just have an audit performed within your observation period (all controls should already be passing), and achieving type 1 compliance should be no problem.
