Everything you need to know about compliance certification.
We specialize in SOC 2 (Type I & Type II), ISO 27001, and GDPR compliance. We also offer HIPAA, PCI DSS, and custom compliance frameworks for specific industry needs.
For US-based B2B SaaS startups, we typically recommend starting with SOC 2 Type II—it's the most commonly requested by enterprise buyers. If you're selling in Europe, consider ISO 27001 + GDPR. We'll help you determine the best path during your free consultation.
Ideally, start 3-6 months before you need the certificate. If you're losing deals or have a specific deadline (investor requirement, enterprise contract), contact us immediately—we've delivered certifications in as little as 60 days.
Yes! Our Starter package is designed for early-stage startups. We can help you build a compliance foundation that scales as you grow, starting at just $5K.
No hidden fees. Our pricing includes everything on our side. The only additional cost is the auditor's fee (for SOC 2/ISO 27001), which is paid directly to the auditing firm. This typically ranges from $10-20K depending on company size and complexity.
We require 50% upfront to begin work, and 50% upon completion of readiness assessment (before the actual audit). This aligns our incentives and ensures we're both committed to success.
Yes, for our Professional and Enterprise packages, we can arrange monthly payment plans. Contact us to discuss options that work for your budget.
With a 98% first-time pass rate, failing an audit is rare. However, if you don't pass, we'll remediate any issues and support you through a re-audit at no additional consulting cost. We only succeed when you succeed.
Typical timelines: SOC 2 Type I (4-6 weeks), SOC 2 Type II (3-4 months), ISO 27001 (4-5 months), GDPR (6-8 weeks). We've fast-tracked certifications in as little as 60 days when needed.
We minimize your team's involvement. Typically, you'll need 2-4 hours per week from a point person (usually CTO or engineering lead). We handle the heavy lifting—documentation, evidence collection, and auditor coordination.
Yes! We have relationships with startup-friendly auditors who understand SaaS businesses. We'll recommend auditors based on your timeline, budget, and specific needs, but you make the final decision.
We're tool-agnostic and can work with what you have. We commonly integrate with Vanta, Drata, Secureframe, or can use our own evidence collection tools. We'll recommend what makes sense for your setup.
Yes! Major cloud providers publish their own compliance reports and certifications (for example, their SOC 2 reports and ISO 27001 certificates), and under the shared responsibility model you can inherit the controls they cover, such as physical security and the underlying infrastructure. This means fewer controls you need to implement yourself; controls over your own configuration, access management, and data handling remain your responsibility, and an auditor will still test those. Our team is deeply familiar with all major cloud platforms.
Yes, in our Professional and Enterprise packages. Our pen tests include web application testing, API security assessment, and infrastructure testing. We provide a detailed report with remediation guidance.
That's what we're here for! We'll identify vulnerabilities during our assessment and help you remediate them before the audit. This is normal—almost every startup has gaps. What matters is addressing them properly.
Not necessarily. Many of our clients don't have dedicated security staff—that's why they hire us. We can serve as your virtual CISO during the engagement and help you determine when you need to hire internally.
SOC 2 reports cover a specific period (Type II) and need annual renewal. ISO 27001 certificates are valid for 3 years with annual surveillance audits. GDPR compliance is ongoing. We offer Year-over-Year packages to handle renewals.
All packages include post-certification support (3-12 months depending on tier). This includes answering security questionnaires, maintaining policies, and preparing for annual renewals. Our Enterprise clients get continuous monitoring.
Yes! Once you're certified, we help you leverage your certification to quickly respond to customer security questionnaires. Most enterprise questionnaires can be completed by referencing your SOC 2 report.
Absolutely! Our Year-over-Year service handles all aspects of maintaining your compliance—quarterly reviews, evidence collection, policy updates, and annual audit coordination. It's typically 40-60% less than initial certification.
Our team is happy to answer any questions you have about compliance certification.