
Shipping SOC 2 Type II in eight months, without slowing down

What we automated, what we didn't, and why the audit trail is just one giant API.


Maya Okafor

Founding Engineer · Feb 9, 2026 · 7 min read

We hit SOC 2 Type II in eight months from kickoff. Most early-stage teams either skip it until a deal forces it or get bogged down for a year. Here's the shape of how we did it without slowing product velocity.

The framing that helped

SOC 2 isn't a security standard. It's an evidence-collection standard. You can have great security and fail the audit if you can't prove it. You can have decent security and pass easily if every relevant event is logged, timestamped, and retrievable.

Reframing it that way turned 80% of the work into engineering, not policy-writing. Engineering we know how to do.

What we automated

  • Access reviews — quarterly Slack DM to every manager with a CSV of their team's permissions. Reply with approvals/revocations. Webhook writes the audit trail.
  • Onboarding/offboarding — a single workflow in our HRIS triggers SCIM provisioning + deprovisioning across 14 SaaS tools.
  • Change management — every PR with the "prod-impact" label auto-generates an audit entry with reviewer, approval timestamp, and deploy SHA.
  • Vulnerability scanning — Snyk + Trivy on every PR, fail the build on critical CVEs.

What we didn't automate

Policies. We wrote them in a weekend, used a standard template, and reviewed them once a quarter. The auditor doesn't read them line-by-line — they spot-check whether the org is doing what the policy says. Spend less time on policy prose and more time on actually doing the thing.

Vendor management is the other one. We have a Notion database with one row per vendor and a column for their SOC 2 report. The auditor wants to see that you reviewed it; they don't care if your review was four sentences in a comment thread. Don't over-engineer this.

The audit trail is just an API

Every meaningful event in QuickPly writes to a single append-only audit table. Login. Logout. Plan change. API key creation. Reply sent. Workspace deletion. The table is indexed by workspace, user, and event type. The auditor's evidence requests turned into SQL queries — "show me all access changes for user X in Q3" took 30 seconds, not 30 minutes.
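As an added illustration of both the automation list above (the access-review reply and the prod-impact change entry) and the append-only audit table, here is a self-contained Python sketch. It is example code written for this post, not QuickPly's actual schema or workflow; the column names, the `approve user:role` / `revoke user:role` reply format, the event type names, and the PR number and deploy SHA in the sample data are all made up. Append-only is enforced inside the database with triggers rather than trusted to application code, and the auditor's "all access changes for user X in Q3" request becomes one indexed query.

```python
import json
import sqlite3

# Constructed schema for illustration; the real table layout is not on the page.
# Append-only is enforced by the database itself: triggers reject UPDATE and DELETE,
# so neither an application bug nor an over-privileged service account can rewrite history.
SCHEMA = """
CREATE TABLE audit_event (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    ts         TEXT NOT NULL,           -- ISO-8601 UTC, sorts lexicographically
    workspace  TEXT NOT NULL,
    actor      TEXT NOT NULL,           -- who did it
    subject    TEXT,                    -- whom or what it was done to (user, key, PR)
    event_type TEXT NOT NULL,
    detail     TEXT                     -- JSON with event-specific fields
);
CREATE INDEX ix_audit_workspace ON audit_event (workspace, ts);
CREATE INDEX ix_audit_subject   ON audit_event (subject, ts);
CREATE INDEX ix_audit_type      ON audit_event (event_type, ts);
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_event
BEGIN SELECT RAISE(ABORT, 'audit_event is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_event
BEGIN SELECT RAISE(ABORT, 'audit_event is append-only'); END;
"""


def open_audit_db():
    """In-memory SQLite stand-in for the production audit database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record(conn, ts, workspace, actor, event_type, subject=None, **detail):
    """The single write path every meaningful event goes through."""
    conn.execute(
        "INSERT INTO audit_event (ts, workspace, actor, subject, event_type, detail)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (ts, workspace, actor, subject, event_type, json.dumps(detail, sort_keys=True)),
    )
    conn.commit()


def record_prod_change(conn, ts, workspace, pr_number, author, reviewer, approved_at, deploy_sha):
    """Change-management entry for a PR carrying the prod-impact label (hypothetical fields)."""
    record(conn, ts, workspace, author, "prod_change", subject=f"PR-{pr_number}",
           reviewer=reviewer, approved_at=approved_at, deploy_sha=deploy_sha)


def apply_access_review_reply(conn, ts, workspace, manager, reply_text):
    """Parse a manager's reply (hypothetical 'approve|revoke user:role' lines) and write
    one audit event per decision. Other lines are ignored. Returns the number written."""
    written = 0
    for line in reply_text.strip().splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("approve", "revoke") or ":" not in parts[1]:
            continue  # chatter; a real bot would hand it to a human rather than guess
        user, role = parts[1].split(":", 1)
        event_type = "access_revoked" if parts[0] == "revoke" else "access_review_approved"
        record(conn, ts, workspace, manager, event_type, subject=user, role=role)
        written += 1
    return written


def access_changes_for_user(conn, workspace, user, period_start, period_end):
    """Auditor evidence request: every access change affecting `user` in [start, end)."""
    rows = conn.execute(
        """SELECT ts, actor, event_type, detail FROM audit_event
           WHERE workspace = ? AND subject = ?
             AND event_type IN ('access_granted', 'access_revoked', 'access_review_approved')
             AND ts >= ? AND ts < ?
           ORDER BY ts, id""",
        (workspace, user, period_start, period_end),
    ).fetchall()
    return [(ts, actor, et, json.loads(detail)) for ts, actor, et, detail in rows]


def tamper_is_rejected(conn):
    """True if the database refuses to rewrite or erase existing rows.
    Only meaningful once the table has rows: row triggers never fire on an empty table."""
    for sql in ("UPDATE audit_event SET actor = 'nobody'", "DELETE FROM audit_event"):
        try:
            conn.execute(sql)
            return False
        except sqlite3.DatabaseError:
            pass
    return True


def demo():
    """Constructed sample events; returns the Q3 2025 evidence for user 'bob' in workspace 'acme'."""
    conn = open_audit_db()
    record(conn, "2025-06-30T09:00:00Z", "acme", "onboarding-bot", "access_granted", subject="bob", role="billing")  # Q2
    record(conn, "2025-07-02T10:15:00Z", "acme", "bob", "login")
    record(conn, "2025-07-15T16:40:00Z", "acme", "onboarding-bot", "access_granted", subject="bob", role="admin")
    apply_access_review_reply(conn, "2025-08-20T14:00:00Z", "acme", "carol",
                              "approve bob:billing\nrevoke bob:admin\nthanks!")
    record_prod_change(conn, "2025-09-12T11:05:00Z", "acme", 4821, "alice", "dave",
                       "2025-09-12T10:58:00Z", "0123abc")  # placeholder PR number and SHA
    record(conn, "2025-09-30T23:59:00Z", "acme", "bob", "api_key_created", subject="key_01")
    record(conn, "2025-10-01T00:00:00Z", "acme", "onboarding-bot", "access_granted", subject="bob", role="support")  # Q4
    assert tamper_is_rejected(conn)
    return access_changes_for_user(conn, "acme", "bob", "2025-07-01T00:00:00Z", "2025-10-01T00:00:00Z")


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The query returns exactly three rows (the July grant, the August approval and revocation) and excludes the Q2 grant, the Q4 grant, the login, the API key and the PR entry; the half-open time window means a quarter boundary event lands in exactly one quarter. Because enforcement lives in the triggers, the same guarantee holds for any client with write access, not just this script.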

If we did it over

Pick the auditor before you pick the compliance platform. Different auditors have very different views on what "sufficient evidence" means, and the platform mostly automates collection — it doesn't decide acceptance.

The eight-month timeline

  1. Month 1: kickoff, control mapping, gap analysis.
  2. Months 2–3: closed the gaps. Mostly engineering work: audit table, SCIM rollout, change-management labels.
  3. Months 4–6: observation period for Type II. We kept shipping product the whole time.
  4. Months 7–8: fieldwork and remediation. Two minor findings, both closed within a week.

If you're a small team about to start this, the most useful thing I can tell you: don't treat SOC 2 as a project. Treat it as a forcing function for things you should have built anyway. The audit trail, the access reviews, the change-management labels — they all make the product better. The certificate is the byproduct, not the goal.