Tony Dinh - Get SOC 2 certified as an indie hacker
Get SOC 2 certified as an indie hacker
All the details about the process and the cost of getting SOC 2

Hi everyone! It’s Tony again with another update. Recently, I got SOC 2 certified! This is a huge milestone for my products, especially TypingMind. In this newsletter issue, I’d like to share everything about getting SOC 2 certified as an indie hacker (or a very small team).

SOC 2 is not that hard
Just a few months ago, this is how I imagined SOC 2 would be: something so big and “enterprisey” and completely out of reach for indie hackers, because it’s either very expensive or very complicated. However, after getting my SOC 2 Type I certification, my view on SOC 2 completely changed. Let’s get into the details.

What is SOC 2
For those who don’t know, SOC 2 is a certificate that shows that your company has good policies and processes regarding data security and privacy. SOC 2 certificates are issued by accredited auditors. You hire one of these auditors to examine your company’s policies, processes and setup to determine whether your company follows industry best practices regarding security. There are SOC 2 Type I and Type II. Type I certifies that your company meets the standards at a specific point in time. Type II means that your company meets the standards continuously over a long period of time (usually 6 - 12 months). Currently, TypingMind is SOC 2 Type I certified, and I’m in the process of getting Type II certified too.

Why I want SOC 2
Companies often ask if you have this certificate before making a purchase, and if you don’t, they’ll ask you to fill in a security questionnaire with 50+ questions. I’ve been through this security questionnaire process a few times with my previous products, DevUtils.com and Black Magic. It’s boring. When I started offering the Enterprise version of TypingMind, these questionnaires started to pop up much more frequently.
Plus, I’m now targeting a lot more enterprise customers, who care a lot more about SOC 2 and security in general, so getting SOC 2 certified would help me increase trust and close more deals.

The cost
I thought it would cost me at least $30K/year to get certified and was mentally prepared for that cost, but in the end, it cost me less than $10K. Half of the cost went to a consulting service that helped me prepare all the documents and guided me on how to get certified. The other half went to the auditor as a fee. Other than the money, there is also time. It took me, in total, about 10 days of work to get everything in place for compliance. I’m a team of 5 people, with only 2 full-time employees, so a lot of the steps are pretty easy. For a team with more people, it will probably cost more time and money.

The overall process
I started looking into getting SOC 2 by asking on Twitter and asking founder friends who have done it before. Thanks to them, I learned that getting SOC 2 certified used to be a complicated and time-consuming process with a lot of back and forth, but now, with consulting and automation services, it has become very manageable. One can get certified even with a team of only 2 people and less than $10K. The whole process can be summarized into the following steps:
Here are the costs:

Using a consulting and automation service
I imagined getting SOC 2 would involve spending a lot of time going back and forth with the auditor, having to write a lot of documents, and implementing so many changes to my current infra and processes. But no, it’s not that bad. These days, people use consulting and automation services to get SOC 2 certified. Or at least that’s what friends and people on Twitter told me. I was recommended two services that would help me understand and get SOC 2 certified. They are:
What they do is help you:
Basically, they help a lot, at a reasonable price. Like I shared earlier, my total cost was less than $10K including the auditor’s fee.

How it’s actually done
So I connected with one of the two services above. We got on a call to understand my current team and infra setup. The actual requirements of SOC 2 are quite boring. I’m sure if you are a decent developer with a decent workflow, you’ve already satisfied most of them. Things like:
Some of the requirements are a bit too much for a usual small team, but introducing them is not a big deal, and I was totally cool with it. For example:
I didn’t have much difficulty setting up my infra and processes to meet all the requirements of SOC 2. It took me around 10 days on and off to get everything checked. Every time I hit a roadblock, I contacted the consulting service, and they would help me via email or video call. Very helpful. In total, it took about 2 months from the day I started contacting the consulting service to the day I got my certificate.

Things that are easier than I thought
I thought that in order to get SOC 2 certified, I had to implement SSO for all of my employees. I used Okta when I was an employee; it was good and secure and everything, but it’s very expensive (very very expensive!). I later learned that getting everyone on SSO is not a requirement, as long as we have a way to control people’s access to critical resources and have a documented process for how to deal with cases when, for example, an employee’s device is hacked. So I didn’t have to ask everyone to use SSO everywhere. It was a huge saving! The second thing I found easier than I thought is the requirement to install a “spyware” on your employees’ devices. I later learned that as long as you can provide sufficient evidence that the employees’ devices are secured, you don’t need to ask them to install that “spyware”. The “spyware” is a piece of software that runs in the background of your OS and constantly checks if your device is secure as per SOC 2 standards (things like: hard drive encryption is enabled, lock screen is enabled, some sort of antivirus/antimalware software is installed, etc.). What I did was give my employees two options: 1 – install the software and let it collect the required data, or 2 – collect the data yourself with screenshots; it would be about 6-10 screenshots showing various configs and settings of the device to prove to the auditor that it’s secured as per the standard. And with that, I didn’t have to force my employees to install anything.
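As an added example (not from Tony’s post or from any compliance vendor), here is a small macOS shell script that gathers the same device-security evidence an endpoint agent checks, as plain text an employee can drop into the evidence folder instead of screenshots. It assumes the macOS tools fdesetup, socketfilterfw and softwareupdate; the lock-screen and antivirus checks differ by macOS version and vendor, so they are left out.

```shell
#!/bin/sh
# Constructed example: device-security evidence for a SOC 2 audit on macOS.
# Each check takes the raw command output as its argument, so the parsing
# logic can be exercised on any machine; live collection only runs on a Mac.

# FileVault (full-disk encryption): `fdesetup status` prints "FileVault is On."
fv_ok()  { case "$1" in *"FileVault is On"*) return 0 ;; esac; return 1; }

# Application firewall: socketfilterfw prints "Firewall is enabled. (State = 1)"
fw_ok()  { case "$1" in *"Firewall is enabled"*) return 0 ;; esac; return 1; }

# Automatic update checks: `softwareupdate --schedule` prints
# "Automatic checking for updates is turned on"
upd_ok() { case "$1" in *"turned on"*) return 0 ;; esac; return 1; }

# One finding line per control: "PASS name" or "FAIL name".
verdict() {  # $1 = check function, $2 = control name, $3 = raw output
  if "$1" "$3"; then printf 'PASS %s\n' "$2"; else printf 'FAIL %s\n' "$2"; fi
}

# Print the full report for three raw outputs; returns 1 if any control failed.
report() {
  fails=0
  verdict fv_ok  "disk-encryption" "$1"; fv_ok  "$1" || fails=$((fails + 1))
  verdict fw_ok  "firewall"        "$2"; fw_ok  "$2" || fails=$((fails + 1))
  verdict upd_ok "auto-updates"    "$3"; upd_ok "$3" || fails=$((fails + 1))
  [ "$fails" -eq 0 ]
}

# Live evidence collection: `sh device-evidence.sh --live` on the employee's Mac
# (the file name is an assumption). Save the output next to the date it was run.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--live" ]; then
  report "$(fdesetup status)" \
         "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)" \
         "$(softwareupdate --schedule)"
fi
```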
Things that are harder than I thought
There is a requirement to make sure that your system can be recovered in case of a disaster (disaster recovery), which is not that hard, but very time-consuming. They basically ask you to rebuild your entire infra in another data center (or another AWS region), verify that everything works normally, then provide the evidence (screenshots) to them. I’d never done this before. I always thought that since I built and set up everything from scratch, I wouldn’t have a problem doing it again. But actually spending the time doing it is still very beneficial. I found some unnecessary environment variables and some unused components that I later removed. TypingMind has two data centers (US and EU), which means I had to do it twice, once for each region (did I mention time-consuming?).

Do I actually benefit from getting SOC 2?
Yes. The first thing is that I’m working with some resellers who help me sell TypingMind in other markets. Some of them are selling to clients who are very strict about security, so I’ve been dealing with security questionnaires for quite a while. Having a SOC 2 certificate simplifies things a lot for my resellers and me. Second, I’m in the sales process with some enterprise customers, and most of them want to see my SOC 2. Now I can show them, so I hope this helps me close more deals. And lastly, the SOC 2 certificate is given at the company level. It means that every product I build from now on will automatically have the SOC 2 label on it, as long as I continue to satisfy all the SOC 2 requirements. This includes my previous products like DevUtils. This is peace of mind. So overall, I think I’ve already benefited from it. Is it worth the ~$10K/year? Not sure yet, but I hope it will be in the long run.

Do you need SOC 2?
So now you know what I know about SOC 2. Do you need it? Maybe. I think you can consider getting it if:

That’s all
Before getting SOC 2, I struggled a lot to understand the big picture of the process and spent a lot of time reading so many random articles addressing different aspects of the process, but I couldn’t find a good overview article. So that’s why I decided to write this. I hope this post has been helpful. I’ll see you again in next month’s issue, where I’ll share my regular indie hacking updates! Until next time!