If you are not at all familiar with the space, you can view SOC2 as a safety checklist for a company storing important data online. The idea behind it is to push companies to implement security measures or processes to protect said data.
However, it does not make you secure. You can look at it like a restaurant health inspection—just because a restaurant passes doesn’t mean you’ll never get food poisoning. It just means they’re following the right procedures at the time of inspection.
One of the reasons I'm open-sourcing it (and making it free) is the hope that, if I am able to properly tailor the experience to start-ups, they will implement security measures adapted to their needs early on, actually follow them, let those security measures grow with them, and when they get the SOC2 audit (later), it will actually mean something.