The recommendations for something like Vanta or Drata are spot on, and they have some somewhat cheaper competitors. So at the cheap end, say 5-10k for compliance management sw, then 7-10k for the auditor, and try to bargain a bit. Also maybe another 5-10k/yr on security-related sw.
FWIW doesn't make sense to me for most 1-person SaaS: if you had 30k+ sitting around just for compliance, and presumably 5-10x that for other stuff, why not just hire a 2nd person? A small team can make sense if explicitly targeting a niche regulated space tho. Otherwise wait till beyond a 2-pizza team.
Note: I think it's an indictment of the sw ecosystem that an earnest & diligent 1-person SaaS can't easily pass SOC2-style standards, or something equiv for the scale. SSO, RBAC, SIEM, IDS, default policies, etc -- like a SOC2-level Heroku kit. Drata & Vanta are cool, but should shift further left.