Pinpoint Engineering


A Startup's Journey to SOC 2 Certification

Pinpoint began looking into getting our SOC 2 certification just over a year ago, and now we are 99% complete with our first audit! (Strictly speaking, SOC 2 produces an auditor's attestation report rather than a certificate, but everyone in the industry calls it a certification, so I will too.) Getting our SOC 2 was fundamentally important for us for a few reasons.

  • We handle sensitive customer data. SOC 2 is the report customers expect as evidence that a vendor's security controls are real, and security is something we take seriously.
  • It would help speed up our sales cycle. With a SOC 2 report in hand we would no longer need to answer the 100+ question security questionnaires that notoriously drag out deals and eat up engineering time.
  • It is a really strong foundation to build a company on. It is not just about your technical operations, but also how you recruit, onboard employees, and ensure everyone has what they need to be successful.

The process required to get your SOC 2 certification is complex. The big question was: for a small company with only two people working part-time on the project, how could we possibly do this? Allow me to walk through my own trial and error in learning what the process takes, how I evaluated a "right-size fit" approach, and how I found a company to work with.

First, Google “SOC 2 For Startups.”

I remember it like it was yesterday. I started by googling something to the effect of "SOC 2 for startups," and immediately found a ton of articles about the struggles startups go through trying to become SOC 2 compliant. However, as you can imagine, not many companies our size had been brave enough to attempt the challenge. I began looking into our options for building a foundation of security without totally taking our eye off the ball of delivering a product. My early research led me, foolishly, to believe "This isn't too bad. I can do this myself!" I found several resources online that seemed like they could help, but everything I could find was geared toward larger businesses and came with overly complex policy documents.

Scratch that. Ask a friend. 

So it was time to find plan B. I joined a Slack channel run by a company called strongdm, who, alongside their own product, also publish an open-source framework, Comply, to help you get started on the SOC 2 journey. I think it is a great tool, but I was immediately overwhelmed by how many policies and processes would have to exist before Pinpoint was ready for an audit.

This left me scratching my head a bit, because I was sure this was not something we wanted to take lightly. It could certainly be a stain on the company if we did something this complex the wrong way. Additionally, if we pulled all of our limited resources into doing it full on, it had the potential to bring productivity to a screeching halt. At this point I did what I often do: I asked someone for help! While I was in the Comply Slack channel, I simply asked, "Anyone know of someone who can help us become SOC 2 compliant?" One of the co-founders of strongdm reached out to me with a couple of contacts he had who just might be able to help. I spoke with them, and with a large security firm, to get my bearings on the best approach for becoming compliant and achieving certification. As you can imagine, the security firm had a really big vision for SOC 2: they brought four people to our first meeting and a budget quote that shocked me. Not an approach that was fit for a startup either.

Identifying a Right-Size Partner 

Next, I spoke with Martin Cozzi from Marana, who specializes in helping companies prepare for SOC 2 and HIPAA compliance. After our first conversation, we realized this was a partner who could help us not only achieve our certification but also knew how to help startups with a framework that didn't overwhelm the team. This immediately brought clarity where others had brought complexity. He broke things down into four phases.

  • Phase I (Pre-Compliance): Evaluation of our current processes and identification of gaps.
  • Phase II (Compliance): Collaboratively writing our controls, mapping them to the Trust Services Criteria, and preparing for the audit, ultimately getting us to SOC 2 Type I.
  • Phase III (Risk Assessment): Evaluating all of our assets as a company, what risks they pose, and the priority in which they should be addressed.
  • Phase IV (Post-Compliance): Martin rides shotgun with us through the SOC 2 Type II monitoring period and our audit. (A Type I report covers the design of controls at a point in time; a Type II report covers whether they operated effectively over an observation period, which is why it comes after a monitoring window.)

This approach really left me feeling that together we could take this on successfully. As I sit here on the cusp of receiving our SOC 2 Type I report, I am ever grateful for the partner Martin has been to us and for how well prepared we were for our first audit, which we passed with flying colors!

In the coming months I'll be sharing more about our journey, but I'm happy to say SOC 2 has been a great foundation to build our company on. I'm really glad we took the plunge, with help of course, and Pinpoint is looking forward to finishing that last 1% of the project.
