Customers asking about SOC2 Compliance

How do I deal with customers asking if I'm SOC 2 Compliant? Should I spend the money now when I'm so early to get SOC 2 Compliance?

Written by Claire Rosenfeld
Updated over 10 months ago

SOC 2 is an industry standard under which an external party evaluates your company and attests to whether you are doing things the right way.

Like most compliance checks, it can be expensive and invasive.

In general, if this comes up, it's part of a checklist of items that a customer needs to confirm in order to work with you.

The hack here is that you don't want this to derail your customer's ability to engage with you, but you don't necessarily need to pay for or go through the full process in order to close the sale.

Here are some tips from Alchemist Alums / Mentors:

  • We've had many successful companies close significant deals (e.g. 8-figure software sales) without completing SOC 2 Compliance.

  • If possible, prioritize customers that don't require this.

  • For those that do, the general protocol to handle is:

1. Say that you are in the process of getting SOC 2 Compliance. (The truth is you are ALWAYS in the process of getting compliance. Even after you get compliance, you will be in the process of getting compliance renewed.)

2. Ask to set up a separate meeting between your customer's risk team and your risk team (your risk team may be you). Separating this out as its own issue keeps it from derailing the business negotiation with the business lead.

3. Drive the business negotiation forward.

When you have the risk meeting, you can speak to how you are in process and have your ducks in a row for SOC 2 compliance. You can present a risk protocol you are following in house in advance of official recognition of compliance (you can find protocols online / via ChatGPT) and show that you follow certain protocols internally.

In parallel, you can engage a third party for compliance. You can generally negotiate these rates down significantly. One of our alums found a vendor (Tugboat) that they negotiated down to $3k for a compliance check (from the originally quoted $10k).

(For further questions, reach out to Alchemist Partner Hans Reisgies.)
