
SOC 2 Type II as a default, not an upcharge

Why we wire SOC 2, HIPAA, and PCI-readiness in from week one of every engagement — and how that changes the architecture of the platform we ship.

Baris Taskiran, Founding engineer

Compliance is usually treated as a project: a six-month sprint, a vendor like Vanta or Drata, a panicked rush before the auditor’s on-site. We do not run our engagements that way. SOC 2 Type II readiness is wired into the first commit of every platform we build at 802.software, and the cost difference between “SOC 2-ready from day one” and “SOC 2-ready after the fact” is roughly an order of magnitude.

The reason it’s expensive after the fact

Compliance asks the platform to produce evidence: who accessed what, when, with which key, under which policy. If the platform was not built to emit that evidence, retrofitting it touches the authentication layer, the database, the background workers, the deployment pipeline, and the support tooling all at once. That’s why retroactive compliance projects routinely cost more than the original build.

What we wire in from week one

  • Audit logging — append-only, tamper-evident, queryable. Every state change in the platform emits a structured event with the actor, resource, action, and request ID. The first table we create in every new schema is audit_events.
  • Encryption — TLS 1.3 in transit and AES-256 at rest, with key rotation defined in code, not in a runbook. Secrets live in Vault or the cloud-native equivalent; nothing ever lands in environment files checked into the repository.
  • Identity — SSO, SAML, scoped tokens with short TTLs, MFA enforced for any human with production access. Tokens for service-to-service calls are scoped to the smallest possible permission set.
  • Threat model — STRIDE-based, written down in the repository, reviewed quarterly. The threat model is the single document that lets a new engineer understand the security shape of the platform without reading every file.
  • Penetration testing — once a year, by a third party. Findings get filed as issues with severity, owner, and a fix deadline; the highest severity issues block the next release.
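As an added example (not code from the original post or from 802.software's platform), here is what an append-only, tamper-evident audit_events table can look like, using SQLite as a stand-in for the production database. Triggers refuse UPDATE and DELETE, every row carries the actor, action, resource and request ID the bullet lists, and each row's hash chains to the previous one, so even someone with DDL rights who drops the trigger and edits a row is caught on verification. The record_event function is also the kind of single write path the architecture section below describes. Only the table name audit_events comes from the post; the column set, hash construction, trigger names and the sample events are my assumptions.

```python
"""Append-only, hash-chained audit_events table (SQLite stand-in for the real DB)."""
import hashlib
import json
import sqlite3

GENESIS_HASH = "0" * 64  # prev_hash of the very first event (assumed convention)

DDL = """
CREATE TABLE audit_events (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    occurred_at TEXT NOT NULL,            -- RFC 3339 UTC, supplied by the app
    actor       TEXT NOT NULL,            -- user or service principal
    action      TEXT NOT NULL,            -- e.g. 'invoice.settle'
    resource    TEXT NOT NULL,            -- e.g. 'invoice/1042'
    request_id  TEXT NOT NULL,            -- correlates with request logs
    details     TEXT NOT NULL,            -- canonical JSON
    prev_hash   TEXT NOT NULL,            -- event_hash of the previous row
    event_hash  TEXT NOT NULL UNIQUE      -- sha256(prev_hash || canonical fields)
);
-- Append-only: history is never rewritten, even by the application role.
CREATE TRIGGER audit_events_no_update BEFORE UPDATE ON audit_events
BEGIN SELECT RAISE(ABORT, 'audit_events is append-only'); END;
CREATE TRIGGER audit_events_no_delete BEFORE DELETE ON audit_events
BEGIN SELECT RAISE(ABORT, 'audit_events is append-only'); END;
"""

FIELDS = ["occurred_at", "actor", "action", "resource", "request_id", "details"]


def open_audit_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(DDL)
    return conn


def _canonical(obj):
    # Deterministic serialisation so the hash is reproducible at verify time.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def _event_hash(prev_hash, fields):
    return hashlib.sha256((prev_hash + _canonical(fields)).encode()).hexdigest()


def record_event(conn, occurred_at, actor, action, resource, request_id, details):
    """Append one event chained to the current head. Returns the new event_hash."""
    fields = {
        "occurred_at": occurred_at,
        "actor": actor,
        "action": action,
        "resource": resource,
        "request_id": request_id,
        "details": _canonical(details),
    }
    with conn:  # one transaction: read head, insert (serialise writers in production)
        row = conn.execute(
            "SELECT event_hash FROM audit_events ORDER BY id DESC LIMIT 1"
        ).fetchone()
        prev_hash = row[0] if row else GENESIS_HASH
        event_hash = _event_hash(prev_hash, fields)
        conn.execute(
            "INSERT INTO audit_events (occurred_at, actor, action, resource, request_id,"
            " details, prev_hash, event_hash) VALUES (:occurred_at, :actor, :action,"
            " :resource, :request_id, :details, :prev_hash, :event_hash)",
            {**fields, "prev_hash": prev_hash, "event_hash": event_hash},
        )
    return event_hash


def verify_chain(conn):
    """Recompute every hash from the genesis value. Returns (ok, first_bad_id)."""
    expected_prev = GENESIS_HASH
    cur = conn.execute(
        "SELECT id, occurred_at, actor, action, resource, request_id, details,"
        " prev_hash, event_hash FROM audit_events ORDER BY id"
    )
    for row in cur:
        rid, *cols, prev_hash, event_hash = row
        fields = dict(zip(FIELDS, cols))
        if prev_hash != expected_prev or _event_hash(prev_hash, fields) != event_hash:
            return False, rid
        expected_prev = event_hash
    return True, None


def demo():
    """Constructed sample events, then two tampering attempts (example data only)."""
    conn = open_audit_db()
    record_event(conn, "2024-05-01T09:00:00Z", "user:alice", "invoice.create",
                 "invoice/1042", "req-0001", {"amount": 120})
    record_event(conn, "2024-05-01T09:05:00Z", "svc:billing", "invoice.settle",
                 "invoice/1042", "req-0002", {"method": "card"})
    record_event(conn, "2024-05-01T09:09:00Z", "user:bob", "invoice.void",
                 "invoice/1042", "req-0003", {"reason": "duplicate"})

    # 1. The application role tries to rewrite history: the trigger refuses.
    try:
        conn.execute("UPDATE audit_events SET actor = 'user:alice' WHERE id = 3")
        blocked = False
    except sqlite3.DatabaseError:
        blocked = True

    # 2. A DBA with DDL rights drops the trigger and edits the row: the chain catches it.
    conn.executescript(
        "DROP TRIGGER audit_events_no_update;"
        " UPDATE audit_events SET actor = 'user:alice' WHERE id = 3;"
    )
    return blocked, verify_chain(conn)
```

Two caveats a practitioner would want. First, the triggers are belt and braces: the application role should also be granted only INSERT and SELECT on the table, and writers must be serialised (a row lock on the head, or a single writer) so two concurrent inserts cannot both chain to the same prev_hash. Second, a hash chain proves that no row in the middle was altered, but it cannot detect that the newest rows were simply deleted; to catch truncation, publish the head event_hash somewhere the database cannot rewrite (a signed export, a separate account, a timestamping service) and compare on each verification run.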

What changes about the architecture

A SOC 2-aware platform looks structurally different from a permissive one. The API surface is narrower. The blast radius of any given service is smaller. Background workers run with only the privileges their job needs, not the broad credentials they were handed when first wired up. Database writes go through a single choke point so that every state change emits its audit event the same way. None of these decisions are expensive when you make them at the start; all of them are expensive when you retrofit them onto a system in production.

What we tell prospective clients

SOC 2 Type II is not an upcharge in our engagements. HIPAA and PCI overlap with SOC 2 by 70-80% — if you’re already doing SOC 2 correctly, layering HIPAA or PCI on top is a matter of additional controls, not a separate program. We quote the platform once, with security baked in. The auditor’s feedback on a recent platform we shipped, verbatim: “cleanest evidence trail I’ve reviewed all year.”

Building something like this?

We work on a small number of engagements at a time. Discovery starts at $24K and ends with either a real plan or an honest reason not to build.
