My customer asked for SOC 2 and I don't have one. How do I respond?
Don't stall. Reply the same day with: (1) your honest status: you're pre-SOC-2 and starting now; (2) what you have today (external scan, DPA, security.txt); (3) a written commitment date for the report. Most mid-market buyers accept a specific commitment letter. Large-enterprise CISOs often won't, which is your signal to either move on or fast-track.
The honest-now / specific-later email almost always beats the stalling email. Template:
---

Subject: Re: SOC 2 request

[Name],

Short version: we're pre-SOC-2 today, and here's our plan.

**Where we are now:**

- [X] Third-party external security scan completed [date]
- [X] DPA available for signature
- [X] /.well-known/security.txt published
- [X] Incident response runbook + notification commitment in writing (72h)
- [X] All data encrypted at rest (Supabase default) and in transit (TLS 1.3)
- [X] Tenant isolation enforced at the database layer via Row-Level Security

**What we're doing next:**

- Starting SOC 2 Type 1 prep [this quarter] with [Vanta / Drata / etc.]
- Type 1 report by [specific date, 8-10 weeks out]
- Type 2 report by [specific date, 12 months out]

Happy to send you any of the above artifacts under NDA today, and to put the SOC 2 commitment in writing as an amendment to the order form. Would either work for your process?

---
**Why this works:** procurement teams need something to show their CISO. 'They committed in writing with a date' is a defensible answer. 'They said they're working on it' is not.
**When this fails:** some enterprise CISOs have a hard requirement for a current SOC 2 Type 2 report before they'll even start diligence. No amount of alternative artifacts will substitute for it. If this is your buyer, you either need a faster compliance path or a different buyer.
Securie's free scan (launching this year) will give you the external-scan artifact to reference in the email, emailed within a week of early access opening rather than the weeks a traditional pentest takes.