Our SOC 2 Type II Journey


James Porter

9 min read


In January 2025, we decided to pursue a SOC 2 Type II report. (SOC 2 is an auditor's attestation over a defined period, not a certification, although buyers tend to call it one.) We were a twelve-person company with six months of revenue. Here is what happened.

Why we did it early

Enterprise buyers ask for SOC 2 before they ask for a demo. We were losing deals not because of our product but because of a compliance checkbox we could not tick. Three prospects in the same month told us they could not evaluate AgentKit without it.

We decided to get it done before it became a bottleneck rather than after.

The timeline

Month 1 — gap assessment. We hired a compliance consultant to audit our existing practices. The gap was smaller than expected because we had been following reasonable security practices from the start: encrypted data at rest and in transit, role-based access, infrastructure-as-code, centralized logging.

The biggest gaps were documentation. We had the controls but had not written them down as formal policies.

Month 2–3 — policy writing and tooling. We wrote 14 policies covering access control, incident response, change management, vendor management, data retention, and more. We deployed Vanta to automate evidence collection.

Month 4–8 — observation period. A Type II report covers an observation window, typically three to twelve months, during which the auditor verifies that your controls actually operated as designed, not just that they were documented. We chose a six-month window.

During this period, we treated every policy as production code. Every access change was logged. Every incident, no matter how minor, was documented. Every vendor was reviewed.

Month 9 — audit. The auditor reviewed our evidence, interviewed team members, and tested controls. We received our report with zero exceptions.

What it cost

Total cost was approximately $45,000: roughly $15,000 for the compliance consultant, $12,000 for Vanta (annual subscription), and $18,000 for the audit firm. For a seed-stage company, this is significant. Against the deals it unlocked, it paid for itself in the first quarter.

What surprised us

The hardest part was not technical. It was cultural. Getting a twelve-person team to consistently follow documentation procedures — logging every access change, writing post-mortems for every incident, reviewing vendors quarterly — requires discipline that feels bureaucratic until you internalize why it matters.

The easiest part was the technical controls. Modern infrastructure makes most of the technical requirements straightforward: encrypt data at rest and in transit, centralize logging, restrict and review access, and automate deployments so every change leaves an audit trail.

Advice for early-stage companies

Start now. Not because you need the report today, but because the practices it enforces are good practices regardless. The incremental cost of doing it early is far lower than the cost of retrofitting compliance onto a team of fifty.

Related articles


Usage-based pricing that scales with you.


Start free, pay for what runs. No seats, no platform fees, no surprise overages — just runs, tokens, and the tools you actually use.


The framework for building, deploying, and observing production AI agents. Made in Berlin, shipped globally.

© AgentKit Inc.
Berlin — 2026
