undefined | Better HN

0 pointsthelittleone1y ago0 comments

Including the recent trend of access to SOC2 reports requiring an "Enterprise" tier subscription.

0 comments

11 comments · 4 top-level

In fact I like the change. This allows them to make almost everything free of charge to individual/small companies, but could fund it from revenue of larger organization, who generally don't have problem paying.

ensignavenger1y ago

I don't mind them requiring a paid tier to get the detailed compliance level reports, but requiring the most uber expensive "call us" plan is probably too much for many smaller companies that might still benefit from easier SOC2 complaince.

lsaferite1y ago

And what of small companies that need things like SOC2 reports from vendors?

If you want to work with large companies, being SOC certified makes it easier. Part of that is ensuring your vendors are also compliant with good standards and that's best done with SOC reports.

YetAnotherNick1y ago

Getting SOC 2 compliance alone takes ~10k USD apart from vendor reports. Yes they may be small with employee count, but when I said small I just meant someone running something for small set of users for free or close to free. Not someone working with other enterprises.

1 more reply

julesvr1y ago· 2 in thread

I have the same problem at the moment with Supabase. We're a startup trying to get ISO 27001 certified and need to upload Supabase's SOC2 report to Vanta, but we can't because we're on the Pro tier and they don't give access to that, even after emailing them. It's ridiculous.

_pdp_1y ago

It is even more ridiculous because it costs them nothing to issue an extra copy of this pdf report. They need to certify anyway because their enterprise customers will demand it.

christinac1y ago

(I work at/started Vanta. Email support@vanta.com and they should be able to give you guidance and help out. If that doesn't work, email me -- christina at vanta)

FireBeyond1y ago· 2 in thread

Or worse, "SSO" as an Enterprise feature. You're a 2-3 person startup, you set up GSuite, you want to set things up right, oh, "$Call us" for a tier with SSO. Nope, I guess disparate users for now. Not the worst in the world to be clear, but an entirely arbitrary gate, in my experience.

d0gsg0w00f1y ago

Yeah, the SSO gates are common and borderline criminal. "The only way you can use our software is insecurely"

thelittleoneOP1y ago

I have long held that view also, although the post below about the cost of supporting SSO was interesting. Unlike withholding SOC2 reports which cost nothing to incremental to give to your lowest tier, SSO may increase the cost of support. I wonder how it would go offering SSO as an addon to entry level tiers that covers the incremental support cost.

https://news.ycombinator.com/item?id=41304228

This SSO cost post is also interesting:

https://news.ycombinator.com/item?id=40752518

eknkc1y ago

We got a SOC2 cert in our bootstrapped small saas company. Then we hid the report behind Enterprise subscriptions because it takes too much time, effort and money to obtain and maintain it.

We did not get certified because we wanted it, we did because the enterprise scale customers forced us to. Due to their internal bureaucracy.

j / k navigate · click thread line to collapse