SOC 2 readiness without a fortune, the controls that actually matter early
A SOC 2 audit costs five figures and consumes a quarter of operating time. Early-stage operators do not need to pass the audit on day one. They need to be ready in a way that an auditor recognises and a Series A buyer respects. Here is what we ship at Dina Holdings on every venture, and what we defer until growth pays for it.
What SOC 2 is, and is not
SOC 2 is an audit framework, not a regulation. A licensed CPA firm examines your operating controls against the AICPA Trust Services Criteria, which cover five categories. Security is mandatory; availability, processing integrity, confidentiality, and privacy are optional and added only when a customer needs them. Most early-stage SaaS pursues Security alone. The audit produces either a Type I report, which attests that suitably designed controls existed at a point in time, or a Type II report, which attests that they operated effectively across a window, usually six to twelve months, though a first Type II is commonly run over a three-month window.
SOC 2 is not what makes you secure. It is what lets a customer's procurement team approve you. The work of being secure is real and sits underneath; the audit is the evidence that it happened.
The eleven controls we implement on day one
One. A documented information security policy. One page is enough. It states the principles, the scope, and who owns it. We use the same template across every Dina Holdings venture.
Two. Access management policy. Who gets access to what, how access is requested, granted, reviewed, and revoked. The implementation can be as simple as Clerk for application identity plus a quarterly access review document, as long as the review covers every system that holds customer data, the cloud console and the code host included, not only the app.
Three. Onboarding and offboarding checklist. Every person who joins gets the same five-line checklist of accounts to provision. Every person who leaves gets the same five-line checklist of accounts to revoke within 24 hours.
Four. Encryption in transit and at rest. TLS everywhere, no exceptions, which includes the connection from the application to the database and not only the browser edge. Database encryption at rest, on by default with Supabase. Document storage encrypted at rest, on by default with Supabase Storage. Provider defaults cover the provider's disks; any backup you export elsewhere needs its own encryption.
Five. Backups with documented retention and tested restore. We back up daily, retain thirty days, and run a restore drill quarterly. A backup that has never been restored is not a control; the drill report is the artifact an auditor reads.
Six. Logging across application, infrastructure, and access. The logs do not need to be aggregated into a SIEM at this stage. They need to exist, be retained for a known period, and be retrievable.
Seven. Incident response plan with a named owner and a defined notification window. We commit to notifying affected customers within 72 hours of confirmed incidents.
Eight. Vendor risk management. A spreadsheet listing every sub-processor with the data category it touches, the contract type, the renewal date, and whether you hold its own SOC 2 report or equivalent.
Nine. Change management. Pull requests with at least one reviewer for any production change, enforced by branch protection rather than by convention. Every change has a description and a rollback note.
Ten. Vulnerability management. Dependabot or equivalent on every repository. Patches applied on a documented cadence with criticality-based SLAs.
Eleven. Acceptable use policy and security training. Annual training, fifteen minutes, with a recorded acknowledgement from every team member.
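Controls Two and Three are only evidence if someone actually compares the roster to the accounts. The following is an added example of that reconciliation, not Dina Holdings' own tooling: it takes a constructed HR roster and constructed per-system member exports (the field names are assumptions, stand-ins for whatever your HR system and Clerk, GitHub, Supabase or AWS export) and reports accounts that are still active past the 24-hour offboarding SLA, accounts nobody on the roster owns, and accounts whose last review is older than the quarterly cycle.

```python
"""Access reconciliation for controls Two and Three: an added example, not
Dina Holdings' tooling. Inputs are constructed inline and stand in for an HR
roster export and per-system member exports; the field names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

OFFBOARD_SLA = timedelta(hours=24)  # control Three: revoke within 24 hours of leaving
REVIEW_CYCLE = timedelta(days=90)   # control Two: quarterly access review

# Constructed sample data. ROSTER is the HR source of truth; "ended" is None
# for current staff. ACCOUNTS has one row per (system, principal) from each
# system's member export, with the date that row was last signed off in a review.
ROSTER = {
    "ana@example.com":  {"ended": None},
    "ben@example.com":  {"ended": datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)},
    "chen@example.com": {"ended": datetime(2024, 5, 6, 15, 0, tzinfo=timezone.utc)},
}
ACCOUNTS = [
    {"system": "github",   "user": "ana@example.com",            "active": True,  "last_review": datetime(2024, 4, 1, tzinfo=timezone.utc)},
    {"system": "github",   "user": "ben@example.com",            "active": True,  "last_review": datetime(2024, 4, 1, tzinfo=timezone.utc)},
    {"system": "supabase", "user": "chen@example.com",           "active": True,  "last_review": datetime(2024, 4, 1, tzinfo=timezone.utc)},
    {"system": "supabase", "user": "old-contractor@example.com", "active": True,  "last_review": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    {"system": "aws",      "user": "ana@example.com",            "active": True,  "last_review": datetime(2024, 1, 15, tzinfo=timezone.utc)},
    {"system": "aws",      "user": "ben@example.com",            "active": False, "last_review": datetime(2024, 5, 1, tzinfo=timezone.utc)},
]
NOW = datetime(2024, 5, 7, 10, 0, tzinfo=timezone.utc)  # pinned so the run is reproducible


@dataclass(frozen=True)
class Finding:
    system: str
    user: str
    reason: str
    detail: str


def reconcile(roster, accounts, now=None):
    """Compare every active account against the roster and the review cycle."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for acct in accounts:
        if not acct["active"]:
            continue  # a disabled account is the evidence that offboarding happened
        system, user = acct["system"], acct["user"]
        person = roster.get(user)
        if person is None:
            # Contractors and service accounts belong on the roster too; anything
            # active that HR does not know about is an orphan.
            findings.append(Finding(system, user, "no roster entry", "active account nobody owns"))
            continue
        ended = person["ended"]
        if ended is not None:
            deadline = ended + OFFBOARD_SLA
            if now > deadline:
                findings.append(Finding(system, user, "offboarding SLA breached",
                                        f"left {ended:%Y-%m-%d}, deadline was {deadline:%Y-%m-%d %H:%M}Z"))
            else:
                findings.append(Finding(system, user, "offboarding pending",
                                        f"revoke by {deadline:%Y-%m-%d %H:%M}Z"))
        if now - acct["last_review"] > REVIEW_CYCLE:
            findings.append(Finding(system, user, "review overdue",
                                    f"last signed off {acct['last_review']:%Y-%m-%d}"))
    return findings


def sample_findings():
    """Run the check over the constructed data at the pinned timestamp."""
    return reconcile(ROSTER, ACCOUNTS, NOW)


def report_lines(findings):
    """The text that goes into the quarterly access review folder."""
    return [f"{f.system:<9} {f.user:<28} {f.reason}: {f.detail}" for f in findings]


if __name__ == "__main__":
    found = sample_findings()
    print("\n".join(report_lines(found)) or "no findings")
    # Breaches and orphans fail the check; pending offboardings are informational.
    raise SystemExit(1 if any(f.reason in ("offboarding SLA breached", "no roster entry") for f in found) else 0)
```

Run it on a schedule and file the output with the quarter's access review; a clean run is the evidence that the review happened, and a non-zero exit is the trigger for the offboarding checklist. The disabled AWS row for the departed user is deliberately skipped: a disabled account is what a correctly executed offboarding looks like in an export.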
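For control Five, the drill has to prove the restored copy matches what was backed up, not merely that a restore command exited cleanly. Below is an added example of a restore drill that produces the report an auditor reads; it is not Dina Holdings' own script. It uses SQLite so that it runs offline with nothing but the standard library (a Supabase or Postgres drill has the same shape with pg_dump and pg_restore into a scratch database), seeds constructed sample data, and compares a content digest of every table rather than row counts alone, because a stale backup can have identical counts and different content.

```python
"""Quarterly restore drill for control Five: an added example, not Dina
Holdings' script. SQLite stands in for the production database so the drill
runs offline; the sample rows are constructed.
"""
import hashlib
import os
import sqlite3
import tempfile
import time
from datetime import datetime, timezone


def seed_sample(conn):
    """Constructed sample content standing in for a venture's production data."""
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT NOT NULL);
        CREATE TABLE invoices(id INTEGER PRIMARY KEY, customer_id INTEGER, cents INTEGER);
        INSERT INTO customers VALUES (1, 'ana@example.com'), (2, 'ben@example.com');
        INSERT INTO invoices VALUES (1, 1, 1999), (2, 1, 4999), (3, 2, 999);
    """)


def take_backup(live, backup_path):
    """The daily backup step: sqlite3's online backup API writes a consistent snapshot."""
    dst = sqlite3.connect(backup_path)
    live.backup(dst)
    dst.close()


def content_digest(conn):
    """SHA-256 over every user table's rows in a fixed order, plus per-table counts.
    Counts alone cannot tell a stale backup from a fresh one; the digest can.
    Table names come from sqlite_master, so quoting them in the query is safe."""
    h = hashlib.sha256()
    counts = {}
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    for name in names:
        h.update(name.encode())
        rows = conn.execute(f'SELECT * FROM "{name}" ORDER BY rowid').fetchall()
        counts[name] = len(rows)
        for row in rows:
            h.update(repr(row).encode())
    return h.hexdigest(), counts


def restore_drill(live, backup_path):
    """Restore the backup into a throwaway database and verify it against live.
    The returned dict is the drill report, the artifact an auditor reads."""
    started = time.monotonic()
    restored = sqlite3.connect(":memory:")
    src = sqlite3.connect(backup_path)
    src.backup(restored)  # the restore: copy the backup into a fresh database
    src.close()
    live_digest, live_counts = content_digest(live)
    rest_digest, rest_counts = content_digest(restored)
    restored.close()
    counts_match = live_counts == rest_counts
    digest_match = live_digest == rest_digest
    return {
        "ran_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "backup": os.path.basename(backup_path),
        "tables": rest_counts,
        "counts_match": counts_match,
        "digest_match": digest_match,
        "restore_seconds": round(time.monotonic() - started, 3),
        "result": "PASS" if digest_match else "FAIL",
    }


def run_drills():
    """Two drills: one against a fresh backup, which passes, and one against the
    same backup after live changed without changing any row count, which fails."""
    with tempfile.TemporaryDirectory() as tmp:
        backup_path = os.path.join(tmp, "venture-2024-05-07.sqlite")
        live = sqlite3.connect(":memory:")
        seed_sample(live)
        take_backup(live, backup_path)
        fresh = restore_drill(live, backup_path)
        # An UPDATE keeps every count identical but changes content; a
        # count-only check would wrongly pass this now-stale backup.
        live.execute("UPDATE invoices SET cents = 0 WHERE id = 2")
        live.commit()
        stale = restore_drill(live, backup_path)
        live.close()
    return fresh, stale


if __name__ == "__main__":
    for report in run_drills():
        print(report)
```

File each report in the evidence folder with the quarter it belongs to. In production the comparison is against the live database as it stood when the backup was taken, so either run the drill against a backup made moments earlier, as here, or digest a snapshot at backup time and store that digest alongside the backup file.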
What we defer until Series A
Penetration testing by an external firm. We run scoped internal testing and publish a placeholder bug bounty page. An external pentest comes when a customer contract requires one.
Continuous compliance monitoring software. Drata, Vanta, and Secureframe are excellent products, but at fifteen-thousand-dollar price points an early venture uses a fraction of what it pays for. We adopt one when paying customers cover the line item.
A formal risk assessment with quantified probability tables. We do a qualitative assessment quarterly, which is enough for the criteria; the quantified version comes when an auditor asks for it.
SOC 2 Type II itself. Type I is enough to win procurement at most early customers. Type II becomes worth the cost when one customer's contract value covers the audit. Because a Type II observation window cannot be back-dated, evidence collection starts the day the Type I closes.
Be ready first, audited second.
The control library we share across ventures
Because we operate four ventures from one holding, every control above is implemented once at the Pixel Labs Studio level and inherited by every venture. The information security policy is one document, edited centrally. The access review process is one template. The change management standard is one shared workflow. New ventures launch with the full control library on day one.
If you operate a single venture, the same library is implementable in a working week. We share our internal templates on request, and one of the things Dina Holdings advisory clients receive is the full library as a starter pack.
What this looks like to a customer
A procurement team that asks about your security posture is looking for three things. Whether you have a security overview page on your website. Whether you can produce a one-page summary on request. Whether you have a path to SOC 2 when the deal is large enough to justify it. We publish a security overview on every venture, ship the summary on request, and time the SOC 2 to the first customer big enough to need it.
What this looks like to an auditor
The auditor wants to see policies that match practice. The policies are simple, the practices are simple, and they match. The auditor wants to see evidence collected continuously, not retroactively. We collect evidence as we go and store it in a folder structure the auditor can navigate without a guided tour.
The first dollar of SOC 2 spend
The first dollar to spend is not on software, not on consultants, and not on the auditor. It is on writing down the eleven controls above as policies. If your venture has those, the rest is mechanical, and a thousand dollars of consulting can carry you to the door of a Type I audit. If it does not, no amount of software will compensate.
The Dina Compliance Stack is the internal control library used by every Dina Holdings venture. It is licensable to operators as a starter pack. See the product page.