
5 reasons to do your SOC 2 early as a fintech startup


At Alloy, we had a decision to make relatively early on, when we were just 5 people on a very tight budget: whether or not to invest in a SOC2 process. A SOC2 report is an independent auditor's attestation of a company's non-financial controls as they relate to the security, availability, processing integrity, confidentiality and privacy of a system: a Type I report covers the design of those controls at a point in time, and a Type II report also covers their operating effectiveness over a review period. (For more information, see the AICPA's material on SSAE 16.)

We knew it would cost a ton of money and eat up valuable engineering resources. Our CTO had to be willing to live and breathe compliance standards for a few months. We bit the bullet and learned a lot in the process about why doing it early makes sense:

1. Banks (and other compliance-heavy institutions) will work with you.

When you’re a young company (with young founders and employees, to boot), credibility is everything. For fintech startups, credibility can come in many forms. Client logos, investors or board members, and founder experience all play a part, but trust and credibility around your product is king. Banks are notoriously difficult for startups to work with. Culturally, they’re worlds apart. They operate slowly and with layers of hierarchy and committees, and they go to sleep at night riddled with regulator-induced anxiety. So when banks engage with early-stage startups, there’s often a clash of people, technology stacks, processes, timelines, and cultures (suits vs. hoodies!). Think of working with banks as a process of trying to remove (or mitigate) barriers. You can assuage those concerns in a variety of ways, but having your SOC2 done is key. You will stand out relative to other startups they meet, and you’ll be knowledgeable about all the seemingly nit-picky things they’ll ask you about.

2. You’ll invest in some worthwhile policies and procedures.

Once you’ve done your SOC2, you’ll also have all sorts of policies and procedures ready to go. These may feel silly to you when you’re small and nimble, but these are the sorts of things that risk and compliance departments spend their time thinking about. (And rightly so — too many hacks and data breaches to name here, but you get the idea!) With a SOC2, you’ll have policies and procedures for things you wouldn’t have thought about otherwise but are actually helpful. For us at Alloy, that included things like putting together a performance review system and a smooth process around contracting with clients.

3. The sales cycle shortens.

You won’t get stuck in long back-and-forths over your security. Instead, the focus can be on the value you’ll bring them. Many of the policies and procedures you built for the SOC2 will be in one neat little packet, and you’ve saved yourselves days of emails, phone calls, and document creation as a result. In other words, you can focus your sale on the value proposition you’re delivering.

4. It’s easier when you’re earlier/smaller.

You’re all in the same room, without the pesky burden of different offices and departments. When you need questions answered or changes made, it can happen quickly and easily (at that beloved startup pace!). And you don’t have to change entrenched systems or ways of doing things. There’s no undoing, just building from scratch.

5. The tools available now make it simpler & less expensive.

Tools like AWS and SSO make it easier. Adhering to data security standards is easier when your data center controls are standardized by a cloud provider that publishes its own SOC reports: the physical and hosting-layer controls are inherited from the provider, and your audit scope narrows to how you configure and operate what runs on top (access control, encryption, logging, change management). There’s no need to reinvent the wheel. Ten years ago, building compliant infrastructure yourselves would have been a huge headache. And shoutout to services like VGS, StrongDM, and Vanta, which make data security/compliance and related audits simpler for startups.

Oh, and there’s one more bonus: By the end of the SOC2 process, you’ll get to have your very own paper shredder up and running!
