Resend is SOC 2 Type II compliant
Jonni Lundy · 2024-03-26 · via Resend RSS Feed

The journey starts

In early April of 2023, we were finalizing our time inside of Y Combinator.

We had just over 50 paying customers and only 3 people on the team (Bu, Zeno, and myself). We were not thinking about compliance, just trying to build a product people loved and would pay for.

Even though only two prospects had asked us about SOC 2, we knew this journey was best started sooner rather than later. Resend is the second company where I've gone from zero to SOC 2. I remembered the arduous timeline:

  • Start engaging with auditors and consultants (1-2 weeks)
  • Optionally perform a readiness assessment (2 weeks)
  • Begin making all the changes needed across the org (2-5 months)
  • Optionally do a Type I audit first (1-3 months)
  • Complete audit period (6-12 months)
  • Review evidence with auditors and wait for the final report (1-2 months)

In the best-case scenario, we were looking at 9 months before we would have the final report, more likely 12-15 months. This wasn't a short-term growth play but the beginning of a long-term security investment.

The question wasn't "Is this important now?" but rather, "Will this be important a year from now?" We knew it definitely would be.

Choosing the type of audit

Although SOC 2 Type II is a default for most SaaS companies, many strategic standards exist, like GDPR, ISO 27001, HIPAA, FedRAMP, and more. We chose SOC 2 because it is a well-rounded standard to build on and covers practical security measures like least-privileged access alongside organization controls like incident management.

We decided to skip SOC 2 Type I because it's not a requirement for Type II, and we wanted to save time and money. We had already been through the process, which made us more confident we could pass the Type II audit on the first run.

Many years ago, when I first went through SOC 2 at my previous company, we had to write all policies manually and used tons of spreadsheets to track everything.

The world has changed a lot since then. This time, we decided to use a compliance tool to help collect evidence automatically.

We considered Drata, Secureframe, and Vanta. In the end, we chose Vanta because the product was the clear leader in real-time monitoring with robust automation and because they were a fellow YC company, which made it easier to get started.

Engaging with an auditor

Once we had Vanta up and running, it took us some time to make the needed changes and catalog the evidence. We then engaged with an auditor to review everything and attest to the compliance of every control.

We chose Advantage Partners because they were a Vanta partner and had a track record of collaborating with many SaaS companies.

Around June 2023, we worked with them to complete a readiness check and then began the observation window shortly after.

Keeping the momentum

In November 2023, we had a mid-audit checkpoint since we were halfway through our SOC 2 Type II observation window. We have dozens of projects happening at any given time, and losing focus is easy.

Vanta makes it easy to keep compliance top of mind. They send daily and weekly reminders on Slack and email so we know what is due. This also prevented any surprises during the final audit.

This proactive approach is essential. SOC 2 is not a one-time project. It's an ongoing process that requires continuous improvement and maintenance.

SOC 2 is not a silver bullet

If you've been with us for a while, you'll know we had some incidents in January/February 2024. All of these happening during our audit period were discouraging and even made me question how meaningful SOC 2 is if it can't protect us from these kinds of events.

As the dust settled, I realized that SOC 2 is not a silver bullet for preventing any incident from ever happening. Similar to driving laws, it's there to safely guide most day-to-day operations and help prepare for how to respond if things go wrong. Having SOC 2 already implemented before these incidents gave us a foundation to respond effectively and grow efficiently from each incident.

We're learning that the most secure system is the one that is active, iterative, and improving over the one that has all the boxes checked and stays put. We love that SOC 2 encourages this way of active, engaged working.

SOC 2 is not a checkbox exercise, but rather a mechanism that helps build a security culture.

The final report

Almost 12 months after we started thinking about SOC 2, we passed our first Type II audit with zero exceptions. We couldn't be more proud of the effort of the entire team to make this happen.

This reporting period is from August 1, 2023 to February 1, 2024 and covers all users on all plans.

You can request a copy of the report via the Documents on the dashboard. If you have a questionnaire that needs filling, please contact us.

Make sure to visit the dedicated SOC 2 page and Security Center for more information on our data safety practices.