When Compliance Matters
Compliance is not a day-one concern, but it is not a never concern either. The question is not whether you will need SOC2, GDPR, or HIPAA. The question is when, and the answer depends entirely on who your customers are and what data you handle.
Get the timing wrong in either direction and you pay a real price. Too early: you spend months on compliance frameworks when you should be finding product-market fit. Too late: you lose a six-figure enterprise deal because you cannot pass their security review.
This chapter is about reading the signals and preparing at the right pace.
The Compliance Timeline
Compliance needs follow a predictable pattern tied to your startup's stage and customer base.
Stage: Pre-PMF (0-100 users)
Customers: individuals, small teams, beta testers
Requirements: basic security hygiene (HTTPS, hashed passwords, env vars)
Compliance work: none
Time to spend: zero
Stage: Post-PMF (100-1000 users)
Customers: SMBs, some mid-market
Requirements: privacy policy, terms of service, GDPR basics if EU users
Compliance work: light
Time to spend: a few days
Stage: Growth (1000+ users, enterprise interest)
Customers: mid-market, first enterprise inquiries
Requirements: SOC2 Type I, security questionnaires, DPA
Compliance work: moderate
Time to spend: 2-4 months of part-time effort
Stage: Enterprise sales
Customers: large organizations, regulated industries
Requirements: SOC2 Type II, HIPAA (if health), GDPR full compliance
Compliance work: significant
Time to spend: dedicated effort, possibly hire or contract
Pre-PMF: Do The Minimum
Before product-market fit, your only compliance obligation is basic security hygiene and legal basics. Nothing more.
The security floor is covered in the minimum viable security chapter: HTTPS, hashed passwords, parameterized queries, secrets not in code. This is not compliance work. This is just not being negligent.
The legal basics are:
Pre-PMF legal checklist:
- Privacy policy (what data you collect and why)
- Terms of service (limitation of liability)
- Cookie consent banner (if you have EU users)
- .gitignore for sensitive files
- Data deletion capability (manual is fine)
You can generate a basic privacy policy and terms of service using free tools or templates. Termly, Iubenda, and similar services offer free tiers. These are not perfect, but they are better than nothing and can be replaced with lawyer-reviewed versions later.
Basecamp ran for years with minimal compliance infrastructure. They focused on building a product people wanted. The compliance came later, when customers demanded it.
The GDPR Question
If you have any users in the European Union, GDPR applies to you. This is true even if your company is not based in the EU. The good news is that GDPR compliance at the startup stage is mostly about common-sense data handling.
GDPR basics for startups:
- Tell users what data you collect (privacy policy)
- Only collect data you actually need
- Let users export their data
- Let users delete their data (right to be forgotten)
- Get consent before collecting non-essential data
- Have a lawful basis for processing (usually consent or legitimate interest)
- If you use cookies for tracking, show a consent banner
- If you transfer data outside the EU, use standard contractual clauses
At the early stage, GDPR compliance means: have a privacy policy, do not collect data you do not need, and be able to delete a user's data if they ask. You can handle deletion requests manually. You do not need an automated system.
The enforcement reality is that regulators focus on large companies and egregious violations. A ten-person startup that makes a good-faith effort at GDPR compliance and handles a data deletion request in 48 hours instead of 30 days is not going to be fined.
But do not ignore GDPR entirely. The principles are good engineering practice regardless of regulation: minimize data collection, be transparent about data use, and respect user choices.
The SOC2 Inflection Point
SOC2 is the compliance framework that most B2B SaaS startups encounter first. It is not a legal requirement. It is a sales requirement.
The moment you hear "can you send us your SOC2 report?" from a prospect, you have hit the inflection point. This typically happens when:
SOC2 triggers:
- Enterprise prospect asks for security questionnaire
- Prospect's procurement team requires compliance documentation
- You are selling to finance, healthcare, or government
- Deal sizes cross $50K-$100K annual contract value
- Prospect wants to store sensitive data in your product
SOC2 has two types:
SOC2 Type I:
- Point-in-time assessment
- "Your security controls exist today"
- Takes 1-3 months to achieve
- Costs $15K-$50K with a compliance platform
- Good enough for most initial enterprise sales
SOC2 Type II:
- Assessment over a period (usually 6-12 months)
- "Your security controls worked consistently over time"
- Takes 6-12 months after Type I
- Costs $20K-$75K annually
- Required by larger enterprises and regulated industries
Vanta, Drata, and Secureframe are compliance automation platforms that dramatically reduce the effort required for SOC2. They integrate with your cloud provider, source control, and HR tools to automatically collect evidence. What used to take a dedicated compliance hire now takes an engineer spending a few hours per week.
Stripe achieved SOC2 compliance as they started selling to larger businesses. It was a strategic investment in unlocking a customer segment, not a checkbox exercise.
HIPAA: Health Data Changes Everything
If your product touches health data, the timeline accelerates dramatically. HIPAA is not optional and the penalties are severe.
HIPAA applies if you handle:
- Patient health records
- Medical billing information
- Health insurance data
- Any individually identifiable health information
- Data from healthcare providers, plans, or clearinghouses
HIPAA requires a Business Associate Agreement (BAA) with every vendor that touches health data. Not all cloud providers and services offer BAAs.
Vendors that offer BAAs:
- AWS: yes (enterprise support or specific services)
- Google Cloud: yes
- Azure: yes
- Heroku: no
- Vercel: no
- Supabase: yes (pro plan)
- Auth0: yes (enterprise plan)
If you are building in healthcare, factor HIPAA compliance into your architecture from the start. Retrofitting HIPAA onto an existing system is painful and expensive. This is the one area where early compliance investment pays off.
Oscar Health built HIPAA compliance into their infrastructure from day one. It was non-negotiable given their industry. If you are in health tech, treat HIPAA the same way.
Security Questionnaires
Before you have SOC2, enterprise prospects will send you security questionnaires. These are spreadsheets with 50 to 300 questions about your security practices.
Common security questionnaire topics:
- Data encryption (at rest and in transit)
- Access control and authentication
- Employee security training
- Incident response plan
- Business continuity and disaster recovery
- Vendor management
- Data retention and deletion
- Penetration testing results
- Vulnerability management
- Physical security (if applicable)
The first time you receive a security questionnaire, it will take days to complete. Create a master document with your answers and reuse it. Most questionnaires ask the same questions in different formats.
Be honest. If you do not have a formal incident response plan, say that you have documented procedures for handling security incidents. If you do not have annual penetration testing, say that you perform regular security assessments. Do not lie. Enterprise customers will verify, and losing a deal for dishonesty is worse than losing it for immaturity.
Preparing Without a Security Team
Most startups cannot afford a dedicated security hire until they are well past Series A. Here is how to build compliance readiness without one.
DIY compliance preparation:
1. Use a compliance platform (Vanta, Drata, Secureframe)
- Automates evidence collection
- Provides policy templates
- Guides you through the process
- Costs $5K-$15K/year, cheaper than a hire
2. Adopt standard policies
- Acceptable use policy
- Data classification policy
- Incident response plan
- Access control policy
- Change management policy
(Templates for these policies are available from compliance platforms.)
3. Technical controls
- Enable audit logging in your cloud provider
- Use SSO for internal tools
- Enable MFA for all team members
- Encrypt data at rest (most cloud DBs do this by default)
- Set up automated vulnerability scanning
4. Process controls
- Code review for all changes (even informal)
- Onboarding/offboarding checklist
- Quarterly access reviews (who has access to what)
- Security awareness for the team (does not need formal training)
Notion prepared for SOC2 without a security team by using Vanta and assigning compliance tasks to engineers on rotation. It was not anyone's full-time job, but it was everyone's part-time responsibility.
The Cost-Benefit Calculation
Compliance is an investment. Like all investments, it should have a return.
When compliance ROI is positive:
- Enterprise deal requires SOC2 -> deal value exceeds compliance cost
- GDPR compliance prevents a fine -> fine would exceed compliance cost
- HIPAA compliance enables health market -> market size justifies cost
- Security posture prevents breach -> breach cost exceeds compliance cost
When compliance ROI is negative:
- No enterprise customers asking for it
- Consumer product with no regulated data
- Pre-PMF with no revenue
- Compliance work delays product development that would generate revenue
Do not pursue compliance because it feels responsible. Pursue it because it unlocks revenue or prevents specific, quantifiable risk. If neither condition is true, spend that time building product.
Common Pitfalls
SOC2 before PMF. Getting SOC2 costs money and engineering time. If you do not have product-market fit, you do not have enterprise customers. If you do not have enterprise customers, nobody is asking for SOC2. Focus on finding PMF first.
Treating compliance as a one-time project. SOC2 Type II is an ongoing audit. GDPR compliance is continuous. HIPAA requires annual risk assessments. Compliance is a capability you build, not a box you check.
Ignoring compliance signals from prospects. When three enterprise prospects in a row ask for your SOC2 report, that is a signal. Start the process. The deals you lose while getting compliant are real revenue you are leaving on the table.
Over-investing in compliance tooling. You do not need every compliance platform feature. Start with the basics: policy templates, evidence collection, and audit preparation. Add advanced features as your needs grow.
Assuming your cloud provider makes you compliant. AWS being SOC2 compliant does not make your application SOC2 compliant. You are responsible for your application, your processes, and your access controls. The cloud provider handles the infrastructure layer.
Key Takeaways
- Compliance needs follow a predictable timeline: basic security at launch, GDPR awareness with EU users, SOC2 when enterprise customers ask for it.
- Pre-PMF, spend zero time on formal compliance. Post-PMF with enterprise interest, invest strategically.
- SOC2 Type I is a sales unlock. Get it when enterprise deals justify the cost, typically $50K+ ACV prospects.
- HIPAA is the exception. If you handle health data, build compliance in from day one.
- Compliance platforms like Vanta and Drata reduce the effort from full-time hire to part-time engineer task.
- Be honest in security questionnaires. Immaturity is forgivable. Dishonesty is not.
- Compliance is an investment with measurable ROI. Treat it that way, not as a moral obligation.