SOC 2
SOC 2 (Service Organization Control 2)
SaaS and cloud-hosted services selling into enterprise. Not legally required — required by your customers in their procurement process.
An enterprise prospect asks for the report during procurement and the deal stalls until you can produce one. Compounding when the report has gaps.
Continuous-controls evidence across security, availability, processing integrity, confidentiality, and privacy. Annual audit; evidence collected continuously.
Brings legal, customer security review, and the GRC lead into deals that previously involved only the technical buyer.
The earliest serious compliance trigger for a SaaS company. Sold as "your enterprise customers will not buy from you without this." The market is mature; the buyer is comparing automation depth, not asking whether they need it.