Question 1

What is SOC 2?

Accepted Answer

SOC 2 is an audit report (not a certification) issued by a licensed CPA firm validating your security controls. It's widely adopted in North America, particularly within the SaaS industry, and helps build trust with enterprise customers by demonstrating your commitment to data security and privacy.

Question 2

How long does SOC 2 take?

Accepted Answer

SOC 2 Type 2 takes 4.5-6 months total from kickoff to final report. This includes 6-8 weeks for implementation and a mandatory 3-month observation period set by AICPA standards that cannot be compressed. Your time investment is approximately 15-20 hours total.

Question 3

How much does SOC 2 cost?

Accepted Answer

SOC 2 costs approximately €10,000-15,000 all-in for Year 1, including the compliance platform, audit fees, penetration testing, and security tools. This investment typically pays for itself with one enterprise deal worth €50,000-200,000+ ARR.

Question 4

What's the difference between SOC 2 Type 1 and Type 2?

Accepted Answer

Type 1 is a single-day audit that only proves controls exist, while Type 2 requires a 3-month observation period that validates controls work consistently over time. Enterprise customers expect Type 2 - Type 1 is rarely accepted as real compliance. We recommend skipping Type 1 and going straight to Type 2.

Question 5

What are the SOC 2 Trust Services Criteria?

Accepted Answer

SOC 2 evaluates organizations against five Trust Services Criteria: Security (required), Availability (for SLAs), Privacy (for PII), Processing Integrity (for financial transactions), and Confidentiality (for trade secrets). Most SaaS companies need Security + Availability.

Question 6

Who needs SOC 2?

Accepted Answer

SaaS companies selling to enterprises, especially those with 500+ employees, typically need SOC 2. Start now if enterprise customers are requesting it, you're losing deals to compliant competitors, or security questionnaires consume 5+ hours per prospect.

Question 7

Can I speed up the SOC 2 timeline?

Accepted Answer

You can accelerate the implementation phase from 8 weeks to 6 weeks, but the 3-month observation period is mandated by AICPA standards and cannot be shortened. Plan to start 5 months before you need the report.

Question 8

Does SOC 2 eliminate security questionnaires?

Accepted Answer

No, you'll still receive security questionnaires, but your report proves your answers aren't just marketing claims. Expect a 50-70% reduction in effort, not 100% elimination. A third-party auditor has validated your security controls.

Question 9

Does my cloud provider's SOC 2 cover my company?

Accepted Answer

No. AWS, GCP, or Azure SOC 2 reports cover their infrastructure, not your application. You still need your own SOC 2 report that demonstrates your security controls on top of their infrastructure.

Question 10

How long is a SOC 2 report valid?

Accepted Answer

Technically forever, but practically 12 months. Customers expect an annual report, and after 12 months your report is considered stale. You'll need to renew annually to maintain credibility.

Question 11

What is ISO 27001?

Accepted Answer

ISO 27001 is an international certification for information security management (ISMS), issued by accredited certification bodies. Unlike SOC 2 (which is a report), ISO 27001 gives you an actual certificate you can display. It's more documentation-focused and generic than SOC 2.

Question 12

How long does ISO 27001 certification take?

Accepted Answer

ISO 27001 takes 3-4 months, faster than SOC 2 because there's no mandatory observation period. This includes 4-6 weeks for implementation, 1 week for internal audit, and 2-3 weeks for Stage 1 and Stage 2 audits.

Question 13

How much does ISO 27001 cost?

Accepted Answer

ISO 27001 costs €10,000-12,000 all-in for Year 1, including the compliance platform, 30-35 policies, internal audit, external certification audit, and dedicated support. Note: penetration testing is not required for ISO 27001.

Question 14

What's the difference between ISO 27001 and SOC 2?

Accepted Answer

ISO 27001 is designed for any organization and focuses on processes and documentation, while SOC 2 is designed for SaaS/cloud services and focuses on technical controls. ISO 27001 produces a certificate valid for 3 years; SOC 2 produces an annual audit report.

Question 15

When should I choose ISO 27001 over SOC 2?

Accepted Answer

Choose ISO 27001 when you have public sector clients (government often requires it), French/EU enterprises where ISO has marketing value, highly regulated industries like banks or insurance, or HDS requirements. SOC 2 is generally better for SaaS companies with tech-savvy buyers.

Question 16

How long is ISO 27001 certification valid?

Accepted Answer

ISO 27001 follows a 3-year cycle: Initial certification in Year 1, surveillance audits in Years 2-3, and full recertification in Year 4. Years 2-3 are lighter (3-5 hours vs 15 hours initial effort).

Question 17

Does ISO 27001 require penetration testing?

Accepted Answer

No, ISO 27001 doesn't require penetration testing - it only requires an internal audit. However, 70-80% of security questionnaires ask for pen tests regardless of certification. Most customers will ask for a pen test anyway.

Question 18

What happens if I drop ISO 27001 certification?

Accepted Answer

Unlike SOC 2 reports which simply expire, ISO certifications are tracked in public registries. If you drop ISO, it appears as 'lost certification' and clients can see you dropped it. Only start ISO 27001 if you're committed to maintaining it long-term.

Question 19

What is GDPR?

Accepted Answer

GDPR (General Data Protection Regulation) is the EU's comprehensive data protection law effective since May 25, 2018. It governs how organizations process personal data of EU residents, regardless of where the company is located. Maximum fines are €20 million or 4% of global annual revenue.

Question 20

Does GDPR apply to my company if I'm not in Europe?

Accepted Answer

Yes, if you collect data from EU residents (even through a website), GDPR applies regardless of your company location. GDPR has global reach - it's based on whose data you process, not where your company is headquartered.

Question 21

What is personal data under GDPR?

Accepted Answer

Personal data is any information that can identify a living individual, directly or indirectly. This includes names, email addresses, IP addresses, cookie IDs, location data, financial data, behavioral data, and biometric data. Even pseudonymized data qualifies if it can be traced back to an individual.

Question 22

What's the difference between a data controller and processor?

Accepted Answer

A Data Controller determines why and how data is processed (that's you if you collect customer data). A Data Processor processes data on behalf of a controller (like your CRM provider). Controllers are responsible for compliance; processors must follow controller instructions and have a DPA.

Question 23

What are data subject rights under GDPR?

Accepted Answer

GDPR grants 8 rights: Right to be Informed, Right of Access (DSAR), Right to Rectification, Right to Erasure ('right to be forgotten'), Right to Restrict Processing, Right to Data Portability, Right to Object, and Rights Related to Automated Decision-Making.

Question 24

How long do I have to respond to a data subject request?

Accepted Answer

You must respond within 30 days for standard requests. Complex requests can be extended to 90 days, but you must notify the requester within the first 30 days. The first request must be free; you can charge for excessive or repetitive requests.

Question 25

Is consent always required under GDPR?

Accepted Answer

No, consent is one of six legal bases for processing data. Others include contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Legitimate interests or contractual necessity may be more appropriate than consent for many business uses.

Question 26

What are GDPR penalties?

Accepted Answer

Maximum penalties are €20 million or 4% of global annual revenue, whichever is higher. Penalties can cripple early-stage companies. Beyond fines, GDPR compliance affects customer trust, investor expectations, and enterprise sales opportunities.

Question 27

Should I start with SOC 2 or ISO 27001?

Accepted Answer

For most SaaS companies, start with SOC 2 if you're not sure - it has stronger technical controls, includes pen testing, and is more relevant for SaaS. Add ISO 27001 when specific customers require it (70% of work is already done from SOC 2). Start with ISO 27001 only if customers specifically mandate it.

Question 28

How much overlap is there between SOC 2 and ISO 27001?

Accepted Answer

There's approximately 70% overlap between SOC 2 and ISO 27001, covering Access Control, Change Management, Incident Response, Risk Management, Vendor Management, Encryption, and Monitoring. If you complete SOC 2 first, ISO 27001 mainly requires additional documentation.

Question 29

We're a small startup - are we too small for compliance?

Accepted Answer

No. Startups with 5-10 employees regularly achieve SOC 2 and ISO 27001. Starting early is actually easier because you build security practices from day one rather than retrofitting them later. GDPR applies based on whose data you process, not your company size.

Question 30

Can I do compliance certification while fundraising?

Accepted Answer

Yes, many Series A/B companies certify while fundraising. The work is distributed (~15 hours over 6-8 weeks), not concentrated. You just need one person as point of contact who can coordinate. Some providers offer flexible payment options tied to fundraising close.

Bastion Platform

AI Compliance

All-in-One Security

Security Engineers

Tackle more frameworks without more effort.

Wall of Trust

Case Studies

By Company Size

By Industry

Blog

Learn Compliance

Developer

Company

Frequently Asked Questions

Want to dive deeper?

SOC 2

ISO 27001

GDPR

Other platforms check the box

We secure the box