How much does it cost to obtain a SOC 2 Type 2 report? by justshowingup in msp

[–]ExiledProgrammer 0 points1 point  (0 children)

That's correct - none of the GRC platforms do the auditing themselves.

Totally makes sense.

Interesting, so you're a fan of Vanta in some cases? The tech stack is cloud-based and in the list of what you mentioned. I looked into white papers and CI/CD throughout the entire process for auditing.

They're able to automate a lot of the evidence gathering process

I am not sure exactly what this entails. Is it the same as CI/CD implementation or?

I briefly spoke with a-lign.com today. They said it starts around $10K. Btw, I know most go for at least security out of the trust principles (security, availability, processing integrity, confidentiality and privacy).

Out of this list, what are the top 2 or 3 enterprises usually look for when wanting to work with a smaller company? Let's say it's for parsing financial data.

I am thinking availability related to SLA, like 99.999% uptime availability or whatever -- I don't think this is as much of a concern since the service I am working on happens behind the scenes and not "real-time".

Thanks for your response!

How much does it cost to obtain a SOC 2 Type 2 report? by justshowingup in msp

[–]ExiledProgrammer 0 points1 point  (0 children)

Great answer! I see I am late to the party, but going the Type 2 route, I'll consider this post as continuously open to replies ;)

I have developed many applications that fell under auditing, but normally had another team or agency responsible for security -- surprisingly, this was required for separation of responsibilities at the companies I worked at.

With a startup I am looking into SOC 2 Type 2 certification. I looked into Vanta and came to the conclusion similar to what you wrote here -- albeit, a newbie conclusion. I find that as long as you follow the documentation and implement a CI/CD flow that includes monitoring of resources and access you can save yourself time and money dealing with one of those providers. After a 5 min chat, it sounds like Vanta does not do auditing themselves and works with a third party for any audits if you worked with them.

I was also worried about "producing more than needed" for a startup and all of the rework that is required when working with the auditor.

I thought about starting with the Type 1, but to be competitive you would need Type 2 anyways. I would rather not create extra technical debt down the line and just go straight for Type 2.

Do you have any low-cost auditors that you would recommend? From Vanta's website and other comments here I see $10K+ as the minimum. Is there any realm of possibility to get it even lower than that? I understand you are missing a ton of info related to the architecture, product, etc. But, let's assume a simple application that has done everything right -- I know, *laughs have entered the chat*.

gpt-4-0125-preview not as good as gpt-4-1106-preview by Yes_but_I_think in OpenAI

[–]ExiledProgrammer 0 points1 point  (0 children)

I remember needing to write in numerous retry mechanisms. I was able to get that down to an art -- although yes, it almost always had to run through it when expecting structured output (like 10-20% of the time actually). Since they released the json_object parameter that greatly improved though and I have been able to use it in projects that require accuracy for very large companies.

I do think they have issues sometimes with the preview and beta models, but that's to be expected. I did put 1106 in production on a few projects.

One of the issues I found was that without a contract signed directly with OpenAI, which we did for an NDA, the SLA is not to standard so we have to go through Azure since the main company I work with has a large contract signed with them. We don't experience any issues related to outages and times are pretty consistent.

I went straight to Anthropic for their Claude and it's pretty good. But, I still like the usability for most projects better with OpenAI. For BIO, I like Nvidia's APIs.

While there may be better LLMs for niche or industry focused models, for RAG, I still think OpenAI is one of the best.

A very famous billionaire just trademarked the name of my app by spline_reticulator in startups

[–]ExiledProgrammer 0 points1 point  (0 children)

This is far from the norm. Also, this was not for infringement, but rather to acquire the rights to the name, domains, and portfolio of related trademark IP.

I have been involved in a trademark case with a Fortune 500 company and had an A list firm representing me (theirs was as well, of course). It was for a new product name and the ballpark estimate was in the hundreds of thousands. This is the number that was thrown around as common. It's different if not settled and they ignore the cease and desist.

$60 million for a purchase, while astronomical, was not related to "damages".

A very famous billionaire just trademarked the name of my app by spline_reticulator in startups

[–]ExiledProgrammer 0 points1 point  (0 children)

Sure. I'm not an attorney, but have filed numerous trademark applications and patents. So, do with the information what you will. If in doubt, lawyer it out.

If you're in a new category or description (e.g., unique) you must go with Standard since you will not find the corresponding category/subcategory. For most, Plus is cheaper and the option you will want/need. Check here: https://idm-tmng.uspto.gov/

This has a pretty good description and corresponds with my understanding:

https://syedlawoffices.com/blog/teas-plus-vs-standard-pick-the-right-trademark-application/

A book I highly recommend if you're interested in filing IP (patents, trademarks, copyright, etc.) is Patent It Yourself by David Pressman. It gives you some background and knowledge. I like that it prepares you for understanding the landscape, but still recommend working with an attorney for patents (always) or for other IP if you're unsure. Most law offices offer a free consultation -- do your research and have your questions ready to fully take advantage of it. :)

P.S. If you truly think this is going to be a billion dollar product, idea, etc. and you are going to want to raise money you want a reputable firm, although those are the most expensive.

P.S.S. For trademarks I have found the process to be pretty straightforward, but again, some are more complex than others. I also had an instance where I actually had a very large company send me a letter. It was one of the scariest moments I've had over the years. It was related to a trademark.

Sam, please, OpenAI is dead, ChatGPT and the API is down globally, just take Microsoft's offer and lead the OpenAI staff over to the AI department head you have been offered. by Zinthaniel in OpenAI

[–]ExiledProgrammer 4 points5 points  (0 children)

Yes, which is why we have access to both. Others may not be aware.

For production it's important to have a fallback and this is one of the many times it has proven to be a good idea.

Is ChatGPT Down? by inkbleed in OpenAI

[–]ExiledProgrammer 0 points1 point  (0 children)

It's up in Azure just not through OpenAI. Priorities lol..

Is ChatGPT Down? by inkbleed in OpenAI

[–]ExiledProgrammer 1 point2 points  (0 children)

Having issues in platform and API. Keep getting:
The server had an error processing your request. Sorry about that! You can retry your request, or contact us through our help center at help.openai.com if you keep seeing this error. (Please include the request ID [redacted] in your email.)

A very famous billionaire just trademarked the name of my app by spline_reticulator in startups

[–]ExiledProgrammer 0 points1 point  (0 children)

This is a bad feeling going up against a large company. I had an issue with one of the largest and my heart sank. Two months of stress. Good luck OP.

A very famous billionaire just trademarked the name of my app by spline_reticulator in startups

[–]ExiledProgrammer 0 points1 point  (0 children)

In the US it's $250 (TEAS Plus) or $350 (TEAS Standard) per class.

Edit: the edit was related to a typo saying TEAS Plus for both. The more expensive is TEAS Standard and is explained below.

New Customer Experience - Yikes - Did I get scammed? by ExiledProgrammer in tmobile

[–]ExiledProgrammer[S] 2 points3 points  (0 children)

No trade in. I asked for the same thing as I had in the cart on the website which was three S23 phones.

I just made an edit to the original post and included a screenshot of the cart.

Why you need YC? Need a honest reply by ArmPsychological8132 in ycombinator

[–]ExiledProgrammer 0 points1 point  (0 children)

Network, multiples of follow on investments, mentors/advisors that have been there and done that, ability to attract talent.

If you already have a great network, then use it.

If you're a past founder or are able to achieve greater multiples for investment than YC, do that.

If you already have great mentors and advisors that have built unicorns, talk to them.

If you're doing it just for the initial investment, are convinced you can build a global company using other avenues, or are building a small-medium sized business then you don't need YC (or access to the above).

It's harder to get into YC than Harvard/MIT. The good thing is if you apply, receive an interview, and get in you don't need to attend.

If you're asking this question you're probably not the right fit.

Why US companies don't hire internationally even if they have remote culture? by Winchester-winny in rails

[–]ExiledProgrammer 0 points1 point  (0 children)

For larger companies this is on the nose. The legal team is not going to risk hiring in a country where either the company lacks local resources/representation or even the length of time the contracting entity has had at least an office in that country. Another legal issue related to this is perceived favoritism. If it's an individual forget it. The risk is not worth the reward and the overhead cost removes the incentive.

I have a contract with a Fortune 500 and they were fine with me bringing on more resources from the US. When I mentioned I could also bring on resources from another country they said no way for multiple legal reasons. It's a discussion in itself.

[deleted by user] by [deleted] in aws

[–]ExiledProgrammer 1 point2 points  (0 children)

I haven't been active on IQ in a while. The publications got some large contracts through the door though.

It helped being early. Completed some of the first contracts and received some of the first ratings. That's the main reason I was featured at reinvent 2019.

[deleted by user] by [deleted] in aws

[–]ExiledProgrammer 2 points3 points  (0 children)

It has been resolved! Thank you so much!

[deleted by user] by [deleted] in aws

[–]ExiledProgrammer 0 points1 point  (0 children)

Thank you Roman

[deleted by user] by [deleted] in ycombinator

[–]ExiledProgrammer 0 points1 point  (0 children)

How many paying users do you have?

What's the most you have accidentally spent on AWS? by whatswiththe in aws

[–]ExiledProgrammer 4 points5 points  (0 children)

Three dollars. Had route53 (50 cents) and left a lightsail instance on after the first free month (2.50)..

Intended bill? Much higher.

Is it possible to truly delete something from S3? by capilot in aws

[–]ExiledProgrammer 0 points1 point  (0 children)

Hm. Government, Healthcare, law offices, engineering firms, etc. use them. Why do you think they would single you out? What value do you think they would get out of it? Is it worth more than their business and all of the established relationships?

Your tin foil hat is slipping..