I'm not an expert on this, but I'd start with a soc2 type 2. soc2 served us well in the US. Some of Europe prefers 27001, but we sold into the EU with just a soc2 in the beginning.
a soc2 is also a choose-your-own-adventure cert: you describe your processes (within constraints imposed by the goals you must achieve per the soc2 principles), and then you get audited on following your process.
a soc2 is also a choose-your-own-adventure cert: you describe your processes (within constraints imposed by the goals you must achieve per the soc2 principles), and then you get audited on following your process.