Tony Dinh - Get SOC 2 certified as an indie hacker
Get SOC 2 certified as an indie hackerAll the details about the process and the cost of getting SOC 2Hi everyone! It’s Tony again with another update. Recently, I just got the SOC 2 certified! This is a huge milestone for my products, especially TypingMind. In this newsletter issue, I’d like to share everything about getting SOC 2 certified as an indie hacker (or a very small team). SOC 2 is not that hardJust a few months ago, this is how I imagined SOC 2 would be like: it’s something so big and “enterprisey” and completely out of reach for indie hackers because it’s either very expensive or very complicated. However, after getting my SOC 2 Type I certification, my view on SOC 2 completely changed. Let’s get into the details. What is SOC 2For those who don’t know, SOC 2 is a certificate that shows that your company has good policies and processes regarding data security and privacy. SOC 2 certificates are issued by credited auditors. You would hire one of these auditors to examine your company policies/processes/setup to determine whether your company follows best industry practices regarding security. There is SOC 2 Type I and Type II. Type I certify that your company meets the standards at a specific point in time. Type II means that your company meets the standards continuously over a long period of time (usually 6 - 12 months). Currently, TypingMind is SOC 2 Type I certified, I’m in progress to get Type II certified too. Why I want SOC 2Companies often ask if you have this certificate before making a purchase, and if you don’t, they’ll ask you to fill in a list of 50+ security questionnaires. I’ve been through this security questionnaire process a few times with my previous products, DevUtils.com and Black Magic. It’s boring. When I started offering the Enterprise version of TypingMind, these questionnaires started to pop up much more frequently. Plus, I’m now targeting a lot more enterprise customers, which means they care a lot more about SOC 2 and security in general, so getting SOC 2 certified would help me increase trust and close more deals. The costI thought it would cost me at least $30K/year to get certified and was mentally prepared for this cost, but in the end, it only cost me less than $10K. Half of the cost is paid to a consulting service so they help me prepare all the documents and guide me how to get certified. The other half is paid to the auditor as a fee. Other than the cost of money, there is also time. It took me, in total, about 10 days of work to get everything in place for compliance. I’m a team of 5 people, with only 2 fulltime employees, so a lot of the steps are pretty easy. For a team with more people, it will probably cost more time/money. The overall processI started looking into getting SOC 2 by asking on Twitter and from founder friends who have done it before. Thanks to them, I’ve learned that getting SOC 2 certified used to be a complicated and time consuming process with a lot of back and forth, but now with consulting and automation services, it has become very manageable. One can get certified even with a team of only 2 people and less than $10K. The whole process can be summarized into the following steps:
Here are the costs:
Using a consulting and automation serviceI imagined getting SOC 2 would involve spending a lot of time getting back and forth with the auditor, having to write a lot of documents, and implementing so may changes to my current infra and process. But no, it’s not that bad. These days, people use consulting and automation services to get SOC 2 certified. Or at least that’s what friends and people on Twitter told me. I was recommended two services that would help me understand and get SOC 2 certified. They are:
What they do is that they’ll help you:
Basically, they help a lot, with a reasonable price. Like I shared earlier, my total cost was less than $10K including the auditor’s fee. How it’s actually doneSo I connected with one of the two service above. We got on a call to understand my current team and infra setup. The actual requirements of SOC 2 are quite boring. I’m sure if you are a decent developer with a decent workflow, you’ve already satisfied most of it. Things like:
Some of the requirements are a bit too much for a usual small team, but introducing them is not a big deal, and I was totally cool with it. For example:
I didn’t have much difficulty setting up my infra and processes to meet all the requirements of SOC 2. It took me around 10 days on and off to get everything checked. Everytime I hit a road block, I contacted the consulting service, they would help me via email or video call. Very helpful. In total, it took me about 2 months since I started contacting the consulting service to the day I got my certificate. Things that are easier than I thoughtI thought in order to get SOC 2 certified, I must implement SSO for all of my employees. I used Okta when I was an employee, it was good and secure and everything, but it’s very expensive (very very expensive!). I later learned that getting everyone on SSO is not a requirement, as long as we have a way to control people’s access to critical resources and have a documented process on how to deal with cases when, for example, an employee’s device is hacked. So I didn’t have to ask everyone to use SSO everywhere. It was a huge save! The second thing I found easier than I thought is the requirement to install a “spyware” on your employee devices. I later learned that as long as you can provide a sufficient evident that the employee’s devices are secured, you don’t need to ask them to install that “spyware”. The “spyware” is a piece of software that runs in the background of your OS and constantly checks if your device is secure as per SOC 2 standards (things like: harddrive encrypting is enabled, lock screen is enabled, installed some sort of antivirus/antimalware software, etc.) What I did was to give my employees two options: 1 – to install the software and let it collect the required data, or 2 – collect the data by yourself with screenshots, it would be about 6-10 screenshots showing various config and settings of the device to prove to the auditor that it’s secured as per standard. And with that, I didn’t have to force my employees to install anything. Things that are harder than I thoughtThere is a requirement to make sure that your system can be recovered in case of a disaster (disaster recovery), which is not quite hard, but very time consuming. They basically ask you to rebuild your entire infra in another data center (or another AWS region) and verify everything works normally, then provide the evidences (screenshots) to them. I’ve never done this before. I’ve always think that I built and setup everything from scratch, I won’t have a problem doing it again. But actually spending the time doing it is still very beneficial. I found some unnecessary environment variables and some unused components that I later removed. So in TypingMind I have two data center (US and EU), which means I had to do it twice, each time for a region (did I mentioned time consuming?). Do I actually benefit from getting SOC 2?Yes. The first thing is that I’m working with some resellers who help me sell TypingMind to other markets. Some of them are selling to clients who are very strict about security. So I’ve been dealing with security questionnaire for quite a while. Having a SOC 2 certificate simplifies things a lot for my resellers and me. Second, I’m in the sales process with some enterprise customers, and most of them want to see my SOC 2. Now I can show them, so I hope this helps me close more deals. And the last thing, SOC 2 certificate is given at the company level. It means that every product that I build from now on will automatically have the SOC 2 label on it as long as I continue to sastify all the SOC 2 requirements. This includes my previous products like DevUtils. This is a peace of mind. So overall, I think I’ve already benefited from it. Is it worth the ~$10K/year? Not sure yet, but I hope it will in the long run. Do you need SOC 2?So now you know what I know about SOC 2. Do you need it? Maybe. I think you can consider getting it if:
That’s allBefore getting SOC 2, I struggled a lot to understand the big picture of the process and spent a lot of time reading so many random articles addressing different aspects of the process, but I couldn’t find a good overview article. So that’s why I decided to write this. I hope this post has been helpful. I’ll see you again in next month’s issue, where I’ll share my regular indie hacking updates! Until next time! |
Older messages
April 2024 updates, new product!
Monday, May 20, 2024
Traveled to Bali and Sydney, some updates on Typing Mind, and a new product. ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏
Another 6-figure exit, and the future
Tuesday, March 19, 2024
I sold Xnapper, here is a quick update about the acquisition details ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏
$500K milestone – my reflections after 1 year of building Typing Mind
Monday, February 26, 2024
Also in this issue: one-off purchase vs. subscription, selling Xnapper, and other updates from me in Feb 2024 ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏
2023 Recap
Tuesday, December 26, 2023
I turn 30, built a new app, and other updates in December 2023
Why I run Black Friday deals (things I learned)
Tuesday, November 21, 2023
I also curated 300+ Black Friday deals for you
You Might Also Like
[VIDEO] How Adam Schwab Turned Challenges into a $450M Travel Brand
Wednesday, October 30, 2024
The incredible story of Luxury Escapes. From crushing setbacks to massive success! design-2-header-newsletter Hi there, We're excited to share the latest episode of the Foundr Podcast featuring
🗞 What's New: Finally, a definition for open source AI
Wednesday, October 30, 2024
Also: Analysis shows which cold emails work best ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏
You're invited.
Wednesday, October 30, 2024
Ends tonight. ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏
Marco, The Next AI Tool, Taskblaze, matty.games, Pimosa, and more
Wednesday, October 30, 2024
Gather ideas into winning features BetaList BetaList Weekly Marco All your emails, One place The Next AI Tool The best new AI tools, every day Pimosa Your all in one media toolkit FeatureFlow Gather
How to Grow and Monetize Your Email List 🚀
Wednesday, October 30, 2024
Building an engaged email list can be a game-changer, but growing it and monetizing it? ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏
Founder Weekly - Issue 660
Wednesday, October 30, 2024
View this email in your browser Founder Weekly Welcome to issue 660 of Founder Weekly. Let's get straight to the links this week. General What Do You Do With an Idea? How to turn ideas into
kill those f*cking bugs
Wednesday, October 30, 2024
Read time: 45 sec. This story is wild. There's this guy named Isaac—an OG in the Starter Story Academy community. He joined a few months back to work on a side project. I hadn't heard from him,
AI Open Call Is Starting Soon
Wednesday, October 30, 2024
There is Still Time to Join!
Do you qualify for this SaaS mastermind Rob?
Wednesday, October 30, 2024
[You're invited]
When you’re pigeonholed as “great at project management”
Wednesday, October 30, 2024
Being good at project management is important. But ONLY being known for project management can limit your career. ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏