Railway's head of operations argues that SOC 2 compliance has become a $40,000+ burden that disproportionately harms early-stage startups. The post explains how SOC 2 works, how compliance software vendors have turned it into a pyramid scheme in which every sub-vendor is in turn required to be certified, and how auditing firms have begun rubber-stamping reports. The author proposes a staged trust model, a lighter 'Trust Kit' covering system diagrams, access controls, disaster recovery (DR) plans, and incident response, as a middle ground between nothing and full SOC 2, and advocates against requiring SOC 2 from vendors with a small blast radius.