Field notes

Working notes on SOC 2, for founders and operators.

Plain-English coverage of policies, audits, and what auditors actually look for. Written by the people shipping the kits.

Reading time · 10 min · Budget & pricing

How much does SOC 2 cost for a startup in 2026? A line-by-line breakdown

The real 2026 price of a first-time SOC 2 for a seed-stage SaaS — policies, auditor fees, compliance tooling, penetration testing, and the engineering hours nobody puts in the quote. What's fixed, what's negotiable, and where most founders overspend by 3x.

Reading time · 8 min · Startup SOC 2

SOC 2 policies for pre-seed startups: what you actually need, what you can skip

A five-person startup doesn't need the same policy structure as a 500-person bank. Here's what a lean, auditor-ready policy kit looks like when you're still finding product-market fit — including the things you legitimately can skip, and the five things you can't.

Reading time · 10 min · Templates & examples

Access control policy for SOC 2: a working template (with example language)

The Access Control Policy is the single most-tested policy in a SOC 2 audit. Here's a working template with example language, aligned to Common Criteria CC6, plus the four mistakes that turn it into an audit finding.

Reading time · 9 min · Audit readiness

What auditors actually look for in a SOC 2 policy

The difference between a policy that passes and a policy that fails isn't length — it's truthfulness, evidence, and consistency. Here's what experienced SOC 2 auditors actually check when they review your documents.
