Comment by zrobotics

Do they? Every time I've been asked about SOC compliance, it turned out the underlying reason was either insurance or a requirement the customer had from their downstream customer. Neither of those cases would be negotiable, the customer's insurance company only cares about a checkbox that "All vendors are SOC2 compliant and relevant documentation is on file".

That said, actually being SOC compliant isn't that hard aside from the paperwork aspect. Any competent firm should already be doing all the things required, it's the bare minimum for security. There really shouldn't be any code or process changes needed, if there are you are woefully inadequate from a security standpoint. SOC2 is below the bare minimum for actual security, but it's the standard firms have settled on.

That said, actually getting a valid SOC2 audit completed is expensive and for a solo dev you can expect at least a month of lost time. I wouldn't pay out-of-pocket for an audit, but if you're in a space where customers are asking it can be a selling point. One strategy would be to negotiate reduced terms with a potential client to use their auditing firm and have them split costs on the audit. This would need to be a very hot sales lead, since it's a big ask, but it might be worth exploring. They likely already have an established relationship with an auditor, and having a referral will cut the price down.

SOC is just a box ticking exercise and doesn't improve security at all. Or at least it shouldn't, if you don't already meet their requirements you need to either shut down your side hustle or completely revamp your processes. That said, the box-ticking is extremely tedious and involves reams of paperwork. It would be doable as a solo entrepreneur, I worked through the process in a company of 6 employees, but it's not fun or productive.