Yeah, this is super important. No short answer here, it's just about doing the work and getting it right.
We're working with Oneleet for our SOC2 stuff (which we all know is largely theater) but also pretty thorough pentesting. I can email you their findings.
The reality is we're one of those companies that need to get this stuff right.
> Question: Will the free tier SSO have uptime guarantees, since it'll be a single point of failure for all your customers? For startups that decide they'd like it hosted for them, but need an SLA, do you expect to be able to provide that at a price doable by startups?
Our plan is to work out agreements on a case-by-case basis. It'd depend on exactly what you need. We take guarantees pretty seriously, so we're careful about what we promise.
We're not a services business. We don't want to make money off of "premium support". There is a modest price tag if you want an SLA.
> (Will a cloud provider pick up those customers using your software?)
Would you mind rephrasing?
https://en.wikipedia.org/wiki/Elasticsearch#Licensing_change...
SOC2 is only theatre if (a) you already have good practice, and (b) can demonstrate that you have good practice. If your practice isn't good enough (like the whole notion of security controls is a foreign concept), then sure, there's a lot of boilerplate to work through -- but the whole point of a SOC2 Type 2 report is that you only have to demonstrate once to the auditor, rather than to each customer each time.
Having to get internal security sign-off for a non-audited SaaS vendor -- really, life's just too short for that most of the time, and if there's a choice of two more or less equivalent providers we go with the certified one every time.