My customer asked for SOC 2 and I don't have one. How do I respond?

Short answer

Don't stall. Reply the same day with: (1) honest status — you're pre-SOC-2 and starting now, (2) what you already have (third-party external scan, DPA, security.txt, written incident-notification commitment), (3) a written commitment date for the report. Most mid-market buyers will accept a specific, signed commitment. Large-enterprise CISOs often won't — treat that as your signal to either fast-track the audit or move on.

The honest-now / specific-later email almost always beats the stalling email. Template:

---
Subject: Re: SOC 2 request

[Name],

Short version: we're pre-SOC-2 today, and here's our plan.

**Where we are now:**
- [X] Third-party external security scan completed [date]
- [X] DPA available for signature
- [X] /.well-known/security.txt published
- [X] Incident response runbook + notification commitment in writing (72h)
- [X] All data encrypted at rest (Supabase default) and in transit (TLS 1.3)
- [X] Tenant isolation enforced at the database layer via row-level security (RLS)

**What we're doing next:**
- Starting SOC 2 Type 1 prep [this quarter] with [Vanta / Drata / etc.]
- Type 1 report by [specific date, 8-10 weeks out]
- Type 2 report by [specific date, 12 months out]

Happy to send you any of the above artifacts under NDA today, and to put the SOC 2 commitment in writing as an amendment to the order form. Would either work for your process?
---
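Before you cite the security.txt line of that email, check that the file you publish actually passes the RFC 9116 rules a buyer's security team will apply (at least one `Contact:` URI, exactly one `Expires:` timestamp, and that timestamp still in the future). The checker below is an added example, not Securie's code or a tool the page describes; the two security.txt bodies in it are constructed samples, and the function names are assumptions.

```python
"""Pre-flight check for a security.txt before claiming it in a SOC 2 reply.
Added example (not Securie's code). Checks the RFC 9116 requirements that
are verifiable offline: Contact present and URI-shaped, exactly one Expires,
and Expires not in the past. Serving over HTTPS at /.well-known/ is not
checked here; confirm that separately."""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed sample of a well-formed file (not a real deployment).
SAMPLE_SECURITY_TXT = """\
# Constructed sample, not a real file
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2099-12-31T23:59:00.000Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample of the two most common mistakes: no Contact, stale Expires.
STALE_SECURITY_TXT = """\
Expires: 2020-01-01T00:00:00Z
Preferred-Languages: en
"""

ALLOWED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Collect fields as lower-cased name -> list of values.

    Field names are case-insensitive per RFC 9116; comments (#) and blank
    lines are skipped; a line without a colon is treated as malformed."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file is safe to cite."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    fields = parse_security_txt(text)

    # Contact: REQUIRED, one or more, each a URI.
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field")
    for contact in contacts:
        if not contact.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")

    # Expires: REQUIRED, exactly once, RFC 3339 timestamp in the future.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"expected exactly one Expires field, found {len(expires)}")
    else:
        stamp = expires[0]
        try:
            # datetime.fromisoformat does not accept a trailing 'Z' before 3.11.
            when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {stamp}")
        else:
            if when.tzinfo is None:
                problems.append(f"Expires must carry a timezone offset: {stamp}")
            elif when <= now:
                problems.append(f"security.txt expired at {stamp}")
    return problems


if __name__ == "__main__":
    for label, body in (("good", SAMPLE_SECURITY_TXT), ("stale", STALE_SECURITY_TXT)):
        print(label, check_security_txt(body) or "OK")
```

Run it against the body you actually serve (for example the output of `curl -s https://yourdomain/.well-known/security.txt`) and fix every reported problem before the email goes out; a security.txt with an `Expires:` in the past is worse than none, because it signals that nobody maintains it.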

**Why this works:** procurement teams need something to show their CISO. 'They committed in writing with a date' is a defensible answer. 'They said they're working on it' is not.

**When this fails:** some enterprise CISOs have a hard requirement for a current SOC 2 Type 2 report before they'll even start diligence. No amount of alternate artifacts substitutes. Note that a Type 2 report covers an observation window (commonly 3 to 12 months), so it cannot honestly be promised sooner than that window plus audit time; a Type 1 is the only report you can genuinely fast-track. If this is your buyer, you either need a faster compliance path or a different buyer.

Securie's free scan (launching this year) will give you the external-scan artifact to reference in the email, delivered within a week of early access opening rather than the weeks a traditional pentest takes. Describe it accurately in the email: an automated external scan is evidence of exposure hygiene, not a substitute for a penetration test, and buyers who ask for the latter will check.
