
SOC 2 preparation for early-stage SaaS: the cheap version

What architectural choices to make at series-seed so SOC 2 Type II in 18 months is achievable without a $50k panic project. Drawn from Tracelight's own pre-audit roadmap.

Most pre-audit SOC 2 panic projects happen because someone built without compliance in mind for 18 months, then a series-A customer asked, and the team scrambled. The cheap version is to make a few architectural choices at seed stage that turn the eventual audit into a 90-day exercise instead of a $50k panic.

This post is what Tracelight did — and didn't do — to be SOC 2-ready before formal audit. Steal what's useful.

What we did at seed

**Tenant isolation in the database, not in app code.** Every workspace-scoped table has Row-Level Security policies enforced by Postgres. App-layer workspace-id filtering is defense in depth, not the only line. The audit "demonstrate tenant isolation" question becomes a SQL transcript instead of an architecture diagram.

**Audit log baked into the schema from day 1.** Every report view, every download, every admin action is written insert-only to an audit_log table, with RLS that prevents app-layer deletion. The audit "demonstrate access controls" question becomes a query against audit_log instead of a Grafana dashboard.
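The two points above, tenant isolation and an insert-only audit log enforced by Postgres rather than app code, as an added illustration (this is example DDL, not Tracelight's schema). It assumes the app connects as a non-owner role `app_user` and sets the current workspace per request with `SET LOCAL app.workspace_id`; table and column names are invented for the example.

```sql
-- Added example, not Tracelight's schema. Assumes role app_user exists,
-- is not a superuser, and the app runs SET LOCAL app.workspace_id per request.
-- current_setting(..., true) returns NULL when the GUC is unset, so a request
-- that forgets to set the workspace sees no rows instead of every row.

CREATE TABLE report (
    id           uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    workspace_id uuid NOT NULL,
    title        text NOT NULL
);

ALTER TABLE report ENABLE ROW LEVEL SECURITY;
ALTER TABLE report FORCE ROW LEVEL SECURITY;   -- applies to the table owner too

-- USING filters reads; WITH CHECK stops an INSERT/UPDATE from placing a row
-- in another workspace even if app code passes the wrong workspace_id.
CREATE POLICY report_tenant ON report
    USING      (workspace_id = current_setting('app.workspace_id', true)::uuid)
    WITH CHECK (workspace_id = current_setting('app.workspace_id', true)::uuid);

CREATE TABLE audit_log (
    id           bigserial PRIMARY KEY,
    workspace_id uuid NOT NULL,
    actor_id     uuid NOT NULL,
    action       text NOT NULL,           -- e.g. 'report.view', 'report.download'
    occurred_at  timestamptz NOT NULL DEFAULT now()
);

ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_log FORCE ROW LEVEL SECURITY;

-- Only INSERT and SELECT policies are defined. With no UPDATE/DELETE policy,
-- RLS makes every row invisible to those statements, and withholding the
-- grant below turns an attempted DELETE into a hard "permission denied".
CREATE POLICY audit_insert ON audit_log FOR INSERT
    WITH CHECK (workspace_id = current_setting('app.workspace_id', true)::uuid);
CREATE POLICY audit_read ON audit_log FOR SELECT
    USING (workspace_id = current_setting('app.workspace_id', true)::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON report TO app_user;
GRANT SELECT, INSERT ON audit_log TO app_user;  -- deliberately no UPDATE/DELETE

-- The SQL transcript an auditor can replay (constructed sample UUIDs):
BEGIN;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO report (workspace_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Q1 review');
INSERT INTO audit_log (workspace_id, actor_id, action)
    VALUES ('11111111-1111-1111-1111-111111111111',
            '22222222-2222-2222-2222-222222222222', 'report.view');
SELECT count(*) FROM report;  -- counts only this workspace's rows
COMMIT;
```

Run as `app_user`, `DELETE FROM audit_log` fails with "permission denied"; even if the grant were added later by mistake, the absence of a DELETE policy means the statement matches zero rows.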

**Encryption at rest + in transit, by default.** Postgres at-rest encryption from the start. TLS 1.3 termination at the edge. AES-256-GCM application-layer encryption for long-lived secrets (Slack OAuth tokens, etc.). Auditor question "encryption at rest" → here's the architecture diagram + cipher configs.

**Strict security headers from day 1.** HSTS, CSP, X-Frame-Options DENY, Permissions-Policy. Not added during pre-audit panic; baked into the framework config. Auditor question "browser-side protections" → here's next.config.ts + the actual response headers.

**Dependency scanning + CI gates from day 1.** GitHub Dependabot + npm audit gates on PRs. The pre-audit "demonstrate vulnerability management" question becomes a CI log instead of a manual report.

**Zero shared infrastructure with customers.** Tracelight does not allow customer workloads to run inside our infra. Reduces audit scope significantly — we're a SaaS, not a PaaS, which is a much smaller blast radius.

What we didn't do at seed

**No SOC 2 Type I rush.** Type I (controls existed at a point in time) is cheap and fast but provides limited value. We're going directly to Type II (controls operated effectively over 6-12 months) when audit timing is right. Type I would have been money + time for marginal payoff.

**No expensive GRC tool subscription.** Vanta + Drata + Secureframe are excellent for the audit prep phase but cost $20-40k/year. At seed stage, we use spreadsheets + GitHub Issues + the audit log already in our schema. We'll buy GRC tooling 90 days before the audit start.

**No external CISO retainer at seed.** We do quarterly security architecture review with an outside advisor (fractional, not full-time CISO). Cheaper, scoped correctly for stage.

**No SOC 2 Type I evidence collection theater.** Many seed startups produce policy documents + screenshots of dashboards to "be ready" for SOC 2. Most of it gets thrown away during actual audit prep because it doesn't match what auditors want. We're holding off on document production until 90 days pre-audit.

What's expensive if you wait

These are the items that cost real money to retrofit:

**Tenant isolation as RLS not app-layer.** Migrating from app-layer-only filtering to RLS post-hoc requires schema audits + tests + risk acceptance for every dependent query. Doing it at seed is free; doing it at series A is a sprint.

**Audit log retroactive backfill.** You can't audit-log events that already happened. Starting from day 1 makes the "we have 12 months of evidence" claim trivial.

**Secrets-at-rest encryption with proper key separation.** Adding AES-256-GCM with a separate key once you have production secrets is a careful migration. At seed, it's three lines of code.

Realistic timeline

Seed → 18 months → SOC 2 Type II in production with no panic = achievable if you make the choices above at seed. Tracelight's plan: Type II audit window starts late 2026, completes mid-2027.

If you're a seed-stage SaaS doing investigative or regulated work and you want to compare notes, email security@trytracelight.com. We have a Slack channel for early-stage founders going through this.

Tags: SOC2 · compliance · startup-ops
