If you sell to enterprise customers, SOC 2 Type 2 isn’t optional. At some point, every deal stalls on the same question:
“Are you SOC 2 Type 2 compliant?”
Unfortunately, SOC 2 has a reputation for being slow, expensive, and full of busywork that doesn’t actually make your company more secure.
We recently finished our SOC 2 Type 2 certification, and it wasn't nearly as painful as we expected. Here's what we learned.
You're probably more ready than you think
Before we started, we already had the fundamentals in place: secure development processes, sensible access controls, and tools like AccessOwl, 1Password, and Kolide managing device security. We trusted our team completely.
The gap wasn't in what we were doing; it was documentation. The real work of SOC 2 is writing down what you already do in a way an auditor can verify.
Write policies for your company, not someone else's
The biggest mistake we see other startups make is trying to retrofit their company into a template that was written for a much bigger organisation. You end up with bloated policies full of controls that don't match how you actually work.
We flipped this approach. We documented what we were already doing, clearly and in plain language.
Our rule was simple: if a policy didn't help someone do their job or improve security, we cut it. The result was policies that actually reflect how we operate, not some idealised version of a company we're not.
Treat your auditor like a partner, not a checkbox
When we started talking with our audit partner Oneleet, we spent time understanding what evidence they actually needed and why. What was flexible? What was non-negotiable? What was the intent behind each control?
This turned the audit from a paperwork marathon into a conversation. By understanding why requirements existed, we avoided building unnecessary processes.
Instead, we only implemented controls that were sensible, sustainable, and aligned with how we already worked. If you don’t understand the intent behind a control, ask. Clarity up front prevents months of unnecessary work.
Don't invent busywork for compliance
SOC 2 quietly tempts you into inventing work.
Our golden rule was no new processes unless they clearly improved security or solved a real operational gap.
SOC 2 should expose where your existing systems are insufficient, not create artificial work. If you find yourself inventing processes solely to satisfy an audit requirement, stop and ask why.
People only follow processes that make sense. A library of compliance documents that nobody remembers exists doesn't make you secure. It just makes you compliant on paper.
We kept our controls realistic, and as a result, people actually follow them.
The unexpected upside
The audit forced us to articulate our security posture clearly.
We ended up with sharper onboarding documentation, cleaner internal processes, clearer responsibilities, and better evidence trails for things we already did instinctively.
This paid off in two concrete ways:
Our growth team can now handle even the most demanding vendor onboarding processes on their own. They have everything they need to answer security questions quickly and confidently.
New team members ramp up faster because the "tribal knowledge" is finally written down. What used to live in Slack messages and people's heads is now documented and accessible.
The result: SOC 2 made how we work easier to explain
For teams that already run a tight ship, SOC 2 can feel unnecessary. For us, it became a forcing function to formalise what mattered, cut what didn’t, and build something that scales with the company.
If you're going through this process now, our advice is simple: start with what you're already doing, keep it simple, and don't let anyone convince you that compliance requires complexity.
And if you’d like to dive deeper into our security measures, visit our Trust Page.