
#482 – What’s SOC2 take?

Friday Ship #482 | March 13th, 2026


This week we received our SOC2 Type II certification.

SOC2 Type II is often considered “table stakes” for delivering a SaaS service. Somewhat ironically, Parabol jumped into the deep end of the security pool first and prioritized developing security controls to meet the U.S. Department of Defense’s Impact Level 4 and Impact Level 5 standards (largely by pursuing NIST 800-series controls). Even though our product was already largely compliant with SOC2 requirements, it still took a year to achieve our final certification.

Despite ads promising “SOC2 in weeks!”, there isn’t a lot of real information on what it actually takes to achieve a certification. We extracted information from our own tasks and communications in order to reconstruct our own timeline in detail.

March 2025

  • Initial setup: Configured Vanta integrations (Slack, HubSpot, Ramp, Remote), addressed Snyk and Deel integration issues
  • Policy framework: Began reviewing and drafting initial policies starting with Risk Management

April 2025

  • Control assignment: Assigned all SOC-2 controls and tests to owners, created GitHub project for tracking
  • Integration fixes: Resolved Google Workspace integration issues, cleaned up AWS resources, began vendor security assessments

May 2025

  • Policy completion: Approved multiple policies (Cryptography, Data Management, Information Security, Secure Development)
  • Trust Center: Launched public-facing Trust Center for external sharing of compliance progress
  • Audit planning: Set audit start date to July 18th, addressed auditor requirements for performance evaluations and device monitoring

June 2025

  • Final policy push: Completed remaining policies (Operations Security, Access Control) and moved to governance
  • Technical preparations: Addressed technical code improvements, began implementing required security controls in GCP and GitHub

July 2025

  • Policy approval: Approved final policies (Secure Development, Operations Security) and created groups for policy assignments
  • Audit postponement: Moved audit start date to September 29th due to parental leave schedule
  • Vanta deployment: Assigned tasks for team to install Vanta agents and approve policies

August 2025

  • Team onboarding: Set up policy approval tasks and Vanta agent installation for all team members
  • Vendor management: Continued vendor security reviews and documentation

September 2025

  • Risk assessment: Completed risk assessment work and vendor documentation
  • Final testing: Addressed personnel-related tests, vulnerabilities, and GitHub security configurations
  • Audit readiness: Completed documentation review, enabled VPC flow logs, submitted Business Continuity policy

October 2025

  • Audit kickoff: Received confirmation from audit partner that audit was ready to begin (Oct 8)
  • Final evidence: Completed access review documentation, uploaded performance evaluations
  • Observation window: Entered 3-month audit observation period (Oct 13 – Jan 13)

November 2025

  • Audit observation: Lived in observation window while auditors monitored compliance
  • Performance reviews: Continued completing annual performance reviews for all employees
  • Documentation refinement: Reviewed audit expectations document from audit partner

December 2025

  • End-of-period preparation: Approached end of audit period, received call-outs from auditors
  • Evidence updates: Reviewed document guidance and uploaded recent evidence as required
  • Final checks: Ensured all automated tests remained compliant throughout observation period

January 2026

  • Audit period completion: Observation period ended January 14th
  • Evidence review: Auditors began 4-6 week process to review, test, and organize evidence
  • Expected completion: Set target date of February 27th for final report

February 2026

  • Evidence remediation: Received feedback from auditors on items requiring additional evidence
  • Report preparation: Auditors completed testing and began finalizing SOC-2 Type II report

March 2026

  • SOC-2 achievement: Received final SOC-2 Type II report on March 13th

Metrics

A significant (12%) drop in meetings run this week, possibly attributable to breaks in teams’ regular habits for spring break. We’ll be watching these behaviors closely…

This week we…

…held a development retrospective for Shape Up Cycle 12, and began planning Shape Up Cycle 13.

…created changes based on user feedback. We fixed a bug with setting up recurring meeting series, improved our auto-grouping performance and UX/UI (which should ship soon!), and added the ability to search issues in Linear by their issue id. Please don’t stop reporting the small changes!

…tightened what can be used by free users. We’ve been having a deeper look into our usage data and noticed a trend where thousands of our users had been evading our free threshold by setting up multiple Organizations in Parabol. Of course, folks avoiding asking their bosses to purchase a piece of software is natural, but we were baffled by the scale. We applied some changes this week to our product and pricing to make it clearer that we expect to be paid.

Next week we’ll

…plan Shape Up Cycle 13.

Jordan Husney


Jordan leads Parabol’s business development strategy and engineering practice. He was previously a Director at Undercurrent, where he advised C-Suite teams of Fortune 100 organizations on the future of work. Jordan has an engineering background, holding several patents in distributed systems and wireless technology. Jordan lives and works in Los Angeles, CA.
