What is SOC 2? A Founder's Complete Guide
SOC 2 compliance has become the de facto trust signal for B2B SaaS. Here's what it actually means, what it costs, and whether you need it now.
If you're selling to mid-market or enterprise customers, you've almost certainly encountered the question: 'Are you SOC 2 compliant?' It appears in security questionnaires, procurement checklists, and deal blockers. And yet, most early-stage founders have only a vague idea of what SOC 2 actually means.
What SOC 2 Actually Is
SOC 2 (System and Organization Controls 2) is a voluntary auditing framework developed by the AICPA — the American Institute of Certified Public Accountants. It defines criteria for managing customer data based on five Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy.
The Security criterion is mandatory. The other four are optional — you choose which ones to include based on your product and what your customers care about. Most early-stage SaaS companies start with Security only.
Type 1 vs Type 2
There are two flavors of SOC 2 reports that serve very different purposes:
- Type 1: A point-in-time assessment. The auditor verifies that your security controls exist and are designed appropriately as of a specific date. Faster and cheaper — typically 2–4 months to achieve.
- Type 2: A period-in-time assessment covering at minimum 6 months of operations. The auditor verifies that your controls actually worked consistently over that period. This is what enterprise buyers typically require.
The strategic path for most startups: get Type 1 first to unblock deals, then roll directly into the Type 2 observation period. Your auditor will usually allow this — ask before you start.
The Trust Services Criteria
The Security criterion (also called the 'Common Criteria') covers 33 controls across 9 categories. These touch everything from logical access controls to risk management to incident response. Controls you will recognise from day-to-day engineering, such as MFA enforcement, branch protection, or encryption at rest, map directly to specific Common Criteria points.
What Auditors Actually Look At
Auditors don't just look at your policies — they look at evidence that your policies are followed. This typically means:
- Written policies (access control, incident response, change management, etc.)
- Configuration screenshots or API exports proving controls are enabled
- Access review logs showing you actually review who has access
- Incident response records if any incidents occurred
- Vendor risk assessments for your critical third-party tools
Do You Need SOC 2 Right Now?
Honest answer: it depends on your sales motion. If you're selling to SMBs or individual users, you probably don't need it yet. If you're targeting companies with 50+ employees, you'll hit the SOC 2 question in your first few enterprise deals — usually between $20K and $50K ACV.
Start by running a gap analysis to understand where you stand. You may be closer than you think — especially if you've been following good security practices from the start.
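As an added example (not part of the original guide, and not any audit firm's or compliance tool's code), the script below shows what the "API exports proving controls are enabled" evidence and a first-pass gap analysis can look like in practice: it reads machine-readable configuration exports, evaluates a handful of the controls named above (MFA enforcement, periodic access review, branch protection, encryption at rest) and emits a dated evidence record with the gaps listed. The exports are constructed samples shaped only loosely like real identity-provider, source-control and object-storage API responses, and the mapping of each control to a Common Criteria series (CC6, CC8) is an assumption to confirm with your auditor.

```python
"""Added example: offline gap-analysis over constructed configuration exports.
Export shapes and the control-to-criteria mapping are assumptions, not any
vendor's or auditor's format."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Constructed sample exports (hypothetical shapes), one per system of record.
SAMPLE_EXPORTS = {
    "identity_provider": {
        "mfa_required_for_all_users": True,
        "users": [
            {"login": "alice", "mfa_enrolled": True, "last_access_review": "2024-03-01"},
            {"login": "bob", "mfa_enrolled": False, "last_access_review": "2023-09-15"},
        ],
    },
    "source_control": {
        "repositories": [
            {"name": "api", "branch_protection": {"required_reviews": 1, "require_status_checks": True}},
            {"name": "infra", "branch_protection": None},
        ],
    },
    "object_storage": {
        "buckets": [
            {"name": "customer-uploads", "encryption_at_rest": "AES256"},
            {"name": "legacy-exports", "encryption_at_rest": "AES256"},
        ],
    },
}

# Constructed "as of" date so the access-review age check is reproducible.
DEFAULT_AS_OF = datetime(2024, 4, 1, tzinfo=timezone.utc)

@dataclass
class Finding:
    control: str                                   # control name from your checklist
    criteria: str                                  # Common Criteria series (assumed mapping)
    passed: bool
    evidence: dict = field(default_factory=dict)   # what you would hand the auditor
    failures: list = field(default_factory=list)   # gaps to close before the observation period

def check_mfa(idp: dict) -> Finding:
    """Logical access (CC6, assumed): MFA enforced org-wide and every user enrolled."""
    not_enrolled = [u["login"] for u in idp["users"] if not u["mfa_enrolled"]]
    passed = idp["mfa_required_for_all_users"] and not not_enrolled
    return Finding("mfa_enforced", "CC6", passed,
                   evidence={"policy_flag": idp["mfa_required_for_all_users"],
                             "users_checked": len(idp["users"])},
                   failures=[f"user {u} has no MFA" for u in not_enrolled])

def check_access_review(idp: dict, as_of: datetime, max_age_days: int = 90) -> Finding:
    """Access review (CC6, assumed): every account reviewed within max_age_days."""
    stale = []
    for u in idp["users"]:
        reviewed = datetime.fromisoformat(u["last_access_review"]).replace(tzinfo=timezone.utc)
        if (as_of - reviewed).days > max_age_days:
            stale.append(u["login"])
    return Finding("quarterly_access_review", "CC6", not stale,
                   evidence={"as_of": as_of.date().isoformat(), "max_age_days": max_age_days},
                   failures=[f"review for {u} older than {max_age_days} days" for u in stale])

def check_branch_protection(scm: dict) -> Finding:
    """Change management (CC8, assumed): default branch needs review and passing checks."""
    unprotected = []
    for repo in scm["repositories"]:
        bp = repo["branch_protection"]
        ok = bp is not None and bp.get("required_reviews", 0) >= 1 and bp.get("require_status_checks")
        if not ok:
            unprotected.append(repo["name"])
    return Finding("branch_protection", "CC8", not unprotected,
                   evidence={"repositories_checked": len(scm["repositories"])},
                   failures=[f"repo {r} lacks protection on its default branch" for r in unprotected])

def check_encryption_at_rest(storage: dict) -> Finding:
    """Data protection (CC6, assumed): every bucket reports encryption at rest."""
    plain = [b["name"] for b in storage["buckets"] if not b["encryption_at_rest"]]
    return Finding("encryption_at_rest", "CC6", not plain,
                   evidence={"buckets_checked": len(storage["buckets"])},
                   failures=[f"bucket {b} is not encrypted at rest" for b in plain])

def run_gap_analysis(exports: dict, as_of: datetime = DEFAULT_AS_OF) -> list:
    """Run every check and return the findings, pass or fail, in a fixed order."""
    return [
        check_mfa(exports["identity_provider"]),
        check_access_review(exports["identity_provider"], as_of),
        check_branch_protection(exports["source_control"]),
        check_encryption_at_rest(exports["object_storage"]),
    ]

def evidence_bundle(findings: list, collected_at: datetime) -> str:
    """Serialize findings with a timestamp so each run is a dated evidence artifact."""
    return json.dumps({"collected_at": collected_at.isoformat(),
                       "findings": [f.__dict__ for f in findings]}, indent=2)

if __name__ == "__main__":
    results = run_gap_analysis(SAMPLE_EXPORTS)
    print(evidence_bundle(results, DEFAULT_AS_OF))
    print("gaps:", [f.control for f in results if not f.passed])
```

Run against the sample data it reports three gaps (one unenrolled user, one stale access review, one unprotected repository) and one passing control, and the JSON it prints is the shape of artifact worth archiving on a schedule: a Type 2 auditor wants to see that the check ran, and passed, throughout the observation window, not just once at the start.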