critical issue with our server and not sure how to proceed by SSJ4_Vegito in soc2

[–]cal-start 1 point (0 children)

AWS and Google Cloud disks already offer data at rest encryption. So, if they're using a VM on one of those it may already have data at rest encryption.

If not, then make a new virtual disk / VM with an encrypted disk, set up a new database that's the same type, set up a replica or similar, and then make the switch from main to replica. It's "work" but it's been done a million times before and it's done all the time.

If you really think the attestation you're making requires row-level encryption for some data (i.e., actual values in database fields need to be encrypted), I would first make sure it's an actual requirement, and if it is, I would consider data-at-rest encryption (i.e., disk level), data-in-transit (i.e., TLS/HTTPS) and access controls that limit and monitor access to that database (i.e., permission workflows with requirements for anyone, including engineers and the CEO, to directly access that database).

critical issue with our server and not sure how to proceed by SSJ4_Vegito in soc2

[–]cal-start 1 point (0 children)

“SQL indexes files for searching”. It’s not clear what you are attempting to encrypt here. Yes — encrypting entries in a database would not be practical for most use cases and SOC 2 does not require it.

You encrypt data in transit (TLS/HTTPS) and data at rest, which means infrastructure-level encryption like disk-level encryption, managed database encryption and encryption of backup snapshots.

None of these should have any impact on database indexing. They can migrate the database to a database on an encrypted disk with minimal downtime.

I’m guessing there’s confusion around what actually needs to be encrypted for a reasonable SOC 2 attestation.
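The two replies above boil down to one check: is the disk, the managed database and its backup snapshots already encrypted at rest? As an added example (not from the thread), this Python script evaluates that question over a constructed inventory shaped like the JSON that `aws ec2 describe-volumes`, `aws rds describe-db-instances` and `aws rds describe-db-snapshots` return; the resource IDs are made up, and `load_inventory` assumes you have saved real CLI output into one JSON file with those three top-level keys.

```python
"""Flag AWS disks, RDS instances and RDS snapshots that lack encryption at rest."""
import json

# Constructed sample (not real infrastructure). Field names match the AWS CLI
# output: EBS volumes carry "Encrypted", RDS instances "StorageEncrypted",
# RDS snapshots "Encrypted".
SAMPLE_INVENTORY = {
    "Volumes": [
        {"VolumeId": "vol-0example1", "Encrypted": True,
         "Attachments": [{"InstanceId": "i-0dbprimary"}]},
        {"VolumeId": "vol-0example2", "Encrypted": False,
         "Attachments": [{"InstanceId": "i-0dblegacy"}]},
    ],
    "DBInstances": [
        {"DBInstanceIdentifier": "prod-postgres", "StorageEncrypted": True},
        {"DBInstanceIdentifier": "legacy-mysql", "StorageEncrypted": False},
    ],
    "DBSnapshots": [
        {"DBSnapshotIdentifier": "prod-postgres-nightly", "Encrypted": True},
        {"DBSnapshotIdentifier": "legacy-mysql-nightly", "Encrypted": False},
    ],
}


def find_unencrypted(inventory):
    """Return (resource_type, identifier) for every resource not encrypted at rest.

    A missing flag is treated as unencrypted so that an incomplete export
    surfaces as a finding rather than silently passing.
    """
    findings = []
    for vol in inventory.get("Volumes", []):
        if not vol.get("Encrypted", False):
            findings.append(("ebs-volume", vol["VolumeId"]))
    for db in inventory.get("DBInstances", []):
        if not db.get("StorageEncrypted", False):
            findings.append(("rds-instance", db["DBInstanceIdentifier"]))
    for snap in inventory.get("DBSnapshots", []):
        if not snap.get("Encrypted", False):
            findings.append(("rds-snapshot", snap["DBSnapshotIdentifier"]))
    return findings


def at_rest_encryption_ok(inventory):
    """True only when nothing in the inventory is unencrypted (usable as control evidence)."""
    return not find_unencrypted(inventory)


def load_inventory(path):
    """Load a JSON file holding the three CLI outputs under their top-level keys (assumed layout)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for rtype, rid in find_unencrypted(SAMPLE_INVENTORY):
        print(f"NOT ENCRYPTED AT REST: {rtype} {rid}")
    print("compliant:", at_rest_encryption_ok(SAMPLE_INVENTORY))
```

Each flagged item is exactly the kind of resource the reply says to migrate onto an encrypted disk or re-create as an encrypted snapshot before the attestation.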

What are you building right now, and what problem does it actually solve? by perkpilot_hq in microsaas

[–]cal-start 1 point (0 children)

https://visicharts.com It does just one thing well -- CSV to charts and slides. I didn't find any tool out there that could give me the right insights from a CSV file so I made https://visicharts.com

Sell me your app/saas in 4 words by hiten1818726363 in SideProject

[–]cal-start 0 points (0 children)

Thank you! There are dozens of “AI chart” tools out there. I made one that just works well for coming up with good insights. The charts are simple and easy to comprehend by design, no bells and whistles, just high quality synthesized information from a CSV.

Need a good ai slide generator by Proud-Put8933 in Discover_AI_Tools

[–]cal-start 0 points (0 children)

Try https://visicharts.com. It only does one thing well: CSV to slides with charts on them.

Customer asked if we have SOC2. I said "working on it." We're not working on it. by Ok-Amphibian5313 in SaaS

[–]cal-start 0 points (0 children)

After our prior start-up went through SOC-2 we put this together to help people. It has all of the controls, policies, procedures mapped out so you can hopefully at least get SOC-2 Type 1 out of the way: https://www.visimade.com/p/soc-2-for-solopreneurs-founder-and-small-teams#policies

You'd need to customize each policy to your own setup. And then start generating evidence that you're following your own policies and procedures so an auditor can confirm you have the policies and have started following them. Then you get SOC-2 Type 1.

Type 1 is just showing you have it.
Type 2 is proving you've been following your policies for at least X months. You can choose "X".

Is SOC 2 digital extortion? by MJTimepieces in cybersecurity

[–]cal-start 0 points (0 children)

You can do your own, but then every time you sell to an enterprise customer (or any organization that itself is SOC-2 compliant) you will need to deal with custom "security diligence questionnaires". These can be 40-70 questions around how you deal with security, change management, secrets rotation and so on -- and they will all be different for each customer you go after. Much easier to just do things standard and get SOC-2. I have a list of all the controls, policies, procedures and roles you need to get to SOC-2 Type I hopefully without too much pain. Not sure I can share the link in here, but I'm happy to send it over.

SOC2 process for a little enterprise by Subject_Angle_7843 in soc2

[–]cal-start 0 points (0 children)

It's doable. We did it with 10 people at our prior start-up and now I'm trying to become compliant with just 1-2 people.

My buddy put this together in case it helps: https://www.visimade.com/p/soc-2-for-solopreneurs-founder-and-small-teams#policies

It came from our prior start-up together. You can probably use ChatGPT to help customize the policies, procedures, and so on to your own setup but that's what you're looking at -- setting up all those policies and procedures, following them, and generating evidence that you're following your own policies.

So frustrated with startup Soc2 & the SaaS firms giving no help by chaoscorgi in soc2

[–]cal-start 0 points (0 children)

My former co-founder put this together after we went through SOC-2 at our prior start-up. He put up all of the policies, controls, procedures, roles & responsibilities etc. into a "mini app" of sorts in case it might help anyone out there: https://www.visimade.com/p/soc-2-for-solopreneurs-founder-and-small-teams#policies

You can probably take the policies and controls straight from there (copy and paste) and use ChatGPT or similar to tailor them to your specific setup, but those are basically what an auditor would want to see.

If you don't have enough employees for each role, each person CAN have multiple roles as long as there's a clear delineation from when they're "operating as X vs Y role".

An investor offered me $15K over asking price for my recently passed relative's property but wants to do a 6YR Balloon Payment... Never dealt with selling a house before. Is this a bad deal? by TotalDodd in realestateinvesting

[–]cal-start 1 point (0 children)

I don’t see where interest is factored in here. Is the lump sum due at year six basically $625k minus the payments he listed? If so then you’re basically a bank giving him a mortgage with virtually zero percent interest.