There's one phrase that we keep repeating through our external and internal communication - Security isn't an afterthought for us. And we want to walk that talk. Even before we released our pre-seed funding news and onboarded our first customer from the Alpha cohort, we were already under audit for SOC 2 Type 1 certification. Almost unheard of for a company our age and stage.
Why SOC 2?
We have companies from India, SEA, and the US - all at different stages of scale. We knew we had to put security as a top priority even on Day 0.
We had our set of queries, douAs we started to give the idea of Kula, the shape of a product, we knew it will cater to companies of all shapes and sizes, across the globe. We understood that the security concerns will crop up, and will be varied in nature. Even in our Alpha cohort, bts, fears when we first began exploring the SOC 2 compliance. We talked to ex-colleagues, our investors, several founders, and CTOs, just to get a feeler of how the process went for them, and to understand the endeavor we were to undertake.
Next Few days we spent a lot of time writing policy documents, procedures and various security controls which helped influence the product designing and development process. Soc2 in fact guided and pushed us to take the right path. Being a startup we have to balance both feature development and security and I wouldn't hesitate to say that the certification has helped Kula improve our security front.
Contrary to the popular notion, SOC 2 isn't a certification. It is indeed an attestation report that is issued by the AICPA to declare whether they agree to the privacy and security declarations by the vendor (in this case, Kula).
SOC (System and Organization Controls) is an American standard that belongs to AICPA (the American CPA association). If your target market is the US, SOC will help ensure that your product and service meets the security and availability standards of the US market.
In short, it will check a lot of boxes and jump over a lot of hoops in the evaluation process.
SOC 2 has a couple of sub-categories as well:
Type 1: policies are defined and documented, and the audit is conducted at a single point in time.
Type 2: policies are defined and documented and are then verified by a third party over a period of time (usually 9 to 12 months)
Should you go for SOC 2, this early in your company lifecycle?
Ironically, yes. Earlier the better. If you have a spread-out base of target or existing customers, it will help you ease out a lot of conversations during the sales and implementation process. Our conversations with large customers like GoJek and Wise were considerably smooth.
Being a small team meant we needed someone to choose SOC 2 time over coding time. Not an easy choice to make. Working on compliance is not fun - not by the farthest definition of the word. So we had to make the whole thing fast. We chose to partner with Drata to make the process more seamless and quick. And it did come through. Being a small team also helped. Being small meant, less process, less procrastination, and more action.
What's next for Kula?
SOC 2 is a massive achievement for us. And we will cherish it. But as we said, Security is baked into our tech culture and SOC 2 is the first of many. We measure ourselves against the highest security benchmarks in SaaS and we will make sure we strive for it continuously. Would love to continue the discussion on this and other cool things we're doing in tech @ Kula. Drop us a message on our LinkedIn or Twitter.