Pinpoint began looking into getting our SOC 2 certification just over a year ago, and now we are 99% complete with our first audit! Getting our SOC 2 was fundamentally important for us for a few reasons.
The process required to get your SOC 2 certification is complex. The big question is, for a small company with only two resources working part-time on the project, how could we possibly do this? Allow me to walk through my own trial and error of learning more about what the process takes and how I evaluated a “right-size fit” approach and found a company to work with.
I remember like it was yesterday. I started by googling something to the effect of “SOC 2 for startups,” and immediately found a ton of articles related to the struggles startups go through trying to become SOC 2 compliant. However, as you can imagine, not that many companies our size were brave enough to attempt the challenge. I began looking into what our options were to build a foundation of security, without totally taking our eye off the ball of delivering a product. My early research led me, foolishly, to believe “This isn’t too bad. I can do this myself!”. I found several resources online that seemed to be able to help, but everything I could find was really geared toward larger businesses and overly complex policy documents.
So it was time to find plan B. I joined a Slack channel provided by a company, strongdm, which, along with its own product, also publishes an open-source framework, Comply, to help you get started on the SOC 2 journey. I think this is a great tool, but I was immediately overwhelmed by how many policies and processes would have to exist before Pinpoint was ready for an audit.
This left me scratching my head a bit, because I was sure this was not something we wanted to take lightly. It could certainly be a stain on the company if we did something so complex the wrong way. Additionally, if we pulled in all of our limited resources to do it full on, it had the potential to bring productivity to a screeching halt. At this point, I did what I often do—asked someone for help! While I was in the Comply Slack channel, I simply asked, “Anyone know of someone who can help us become SOC 2 compliant?” One of the co-founders of strongdm reached out to me with a couple of contacts he had who just may be able to help. I spoke with them and a large security firm to get my bearings on what our best approach would be to become compliant and achieve certification. As you can imagine, the security firm had a really big vision for SOC 2 and brought four people to our first meeting and a budget quote that shocked me as well. Not an approach that was fit for a startup either.
Next, I spoke with Martin Cozzi from Marana, who specializes in helping companies prepare for SOC 2 and HIPAA compliance. After our first conversation, we realized this was a partner who could help us not only achieve our certification but also knew how to help startups with a framework that didn’t overwhelm the team. This immediately brought clarity where others had brought complexity. He broke things down into 4 phases.
This approach really left me feeling like together, we could take this on successfully. As I sit here on the cusp of receiving our SOC 2 Type 1 report, I am ever grateful to the partner Martin has been to us and how well prepared we were for our first audit which we passed with flying colors!
In the coming months, I’ll be sharing more about our journey but I’m happy to say SOC 2 has been a great foundation to build our company on. I’m really glad we took the plunge, with help of course, and Pinpoint is looking forward to finishing that last 1% of the project.
Vice President, Operations