Comment by jaspanglia
6 hours ago
Most early-stage founders don’t start with full SOC2 immediately. You can begin with strong security practices, transparent documentation, privacy policy, backups, access controls, and third-party audits before going for certification.
What kind of documents should I show customers to make them trust me that I follow best security practices? They trust Soc2 Type2, what else could work?
If they don't have a strict requirement on SOC2, then either PCI compliance or NSA CISA are more easily done without needing tons of money.
Edit: PCI would only apply if you are processing customer funds Iirc, it's been a few years since I went through one but thereay be some caveats for that to apply.