
Stealth Startup

How This Stealth Startup Achieved SOC 2 on Half a Headcount

For second-time founder Nikolas Huebecker, moving to Rippling Automated Compliance wasn't a migration. It was a recognition: "We were already compliant because of the way Rippling had us configure our systems. We just had to confirm it." That's because Rippling included the first-party products and security controls necessary for SOC 2. Where a traditional compliance tool would have required integrating 20 to 30 third-party systems, Rippling only needed 3. The foundational data—devices, documents, access controls, employee records—was already in the platform.

30 fewer third-party integrations required
0.5 FTE headcount dedicated to SOC 2
4 weeks to SOC 2 readiness

Industry: Technology
Number of employees: 4
Headquarters: San Francisco

The Challenge: Sell to Enterprise Customers. Zero Tolerance for Uncertainty.

Nicholas is a second-time founder. Before his current company, he spent four years building and running a startup. Before that, he was on the early team at Midjourney. He knows what scaling looks like, and he knows that compliance has to be done right, and done early.

His current company—a YC-backed stealth startup selling enterprise software—is 15 months old. They have four people. And they were working with large enterprises from the start.

That meant compliance wasn't a Year 2 conversation. It was a Week 2 one.

"Even to just get in the door and spend time with enterprises, having some level of compliance or policy or security review was a question. So one of the first real projects we worked on once we started onboarding employees was getting compliant."

With a four-person team, there was no room for a dedicated security function, no IT staff to babysit a checklist, and no ops team to manage evidence collection. What there was: a clear-eyed understanding that trust is infrastructure, and that it needs to be built early.

The First Try: Fast, But Not Right

Like most early-stage founders, Nicholas's first instinct was to move fast. His team signed up with an AI-first compliance platform that promised speed. For SOC 2 Type 1, it worked.

"Super early on, we wanted to check the box, and it was really easy to just pay for the box to be checked," he said. "You connect some apps, take some screenshots, and basically have what you need."

But as the company moved toward Type 2, and closer to production deployments inside enterprise customers, the cracks showed. The policies were generic. The controls weren't customizable. And as the company got deeper into the data their customers were trusting them with, generic stopped being acceptable.

"We started sitting down and looking at the policies we were agreeing to and the controls we'd have to maintain over the entire life of the company," he said.

"We wanted a lot more control and granularity. When [our former] platform pushed back on that, we said, 'Maybe we should go look for another vendor.'"

At one point, Nicholas was seriously considering doing it all by hand.

"I'd seen a tweet where someone had canceled their compliance vendor and spent two months doing everything in-house," he said. "We care about this enough that we thought, maybe we could just do this ourselves."

Why Rippling: The Systems Were Already in Place

The thing that changed the calculus: with Rippling already running payroll, HR, and IT, most of the data a SOC 2 audit asks for was already sitting in one system.

"We already had all our employees in there. They'd already signed documents and done security trainings. They already had third-party access set up," he said.

Moving to Rippling wasn't a migration. It was a recognition.

"We were already compliant because of the way Rippling had us configure our systems. We just had to confirm it."

That's because Rippling included the first-party products and security controls necessary for SOC 2.

Where a traditional GRC tool would have required integrating 20 to 30 third-party systems, Rippling needed 3 or 4. The foundational data—devices, documents, access controls, employee records—was already living in the platform.

"I imagine that a lot of what the Rippling product is and how we've used it is no different than the 18 spreadsheets and automations we would've had to build out in-house," he said. "Except we got consistent, well-maintained infrastructure—built by somebody else—deeply integrated into our systems out of the box."

The Differentiator: Context and Action in One Place

Most compliance tools are reporting tools. They surface gaps. What they can't do is close them—not without bouncing between two or three other vendors, each with their own processes and owners.

Rippling does both. And that distinction became visceral the moment Nicholas's co-founder's laptop flagged a firewall violation mid-audit prep.

"His laptop had never been set up for MDM and the firewall had never been turned on," Nicholas said. "What normally would have been an email where he'd have to go manually fix it was someone on our team going into Rippling, seeing it on a dashboard, clicking a button to enroll the correct IT policy—and his laptop restarted with the firewall on. Suddenly we were back in compliance."

He paused. "If you had asked me three months ago what I'd be most excited about, I don't think my answer would've been that someone's laptop restarted because of a firewall issue. But that's probably one of my highlights."

The experience captured the core of what makes Rippling different.

"It's kind of hard to describe how much easier it is—having both the data and action layer be the same thing. No one else can offer that experience."

On a traditional GRC platform, the same issue would have required a screenshot, a ticket, a manual remediation in a separate MDM tool, and another screenshot to close the finding. On Rippling: one click to the fix.

The Results: SOC 2 in a Few Weeks, from Half a Person

On a four-person team, Nicholas dedicated one engineer to the compliance buildout at roughly half-time. In a few focused weeks, they had a clean foundation for a SOC 2 Type 2 audit.

  • 3 third-party integrations required vs. an estimated 20–30 on a traditional GRC tool

  • ~20–30 hours saved on integration setup alone—roughly a full week of engineering time

  • 0.5 FTE over a few weeks to achieve SOC 2 readiness, not a dedicated hire or a specialized team

  • Enterprise security reviews went from 20 questions down to 2

"I imagine without Rippling, it would have taken someone full-time thinking about talent, someone full-time on IT, and someone else just collecting screenshots and managing evidence. Instead, half of a human got all of it done."

On auditor quality: unlike past experiences where the auditing firm was a black box, Nicholas's team was in direct communication with their independent auditor months before the audit window closed.

"We've had multiple calls with them, walked through the entire process, everyone's been in communication," he said. "We've had a very hands-on experience where we know what's going on and we know these people—versus platforms where you never talk to your auditor, which is a little crazy."

Trusted, independent third parties handled the penetration test, with the same collaborative, communicative experience throughout.

The Deal Room: 20 Questions to 2

For a four-person startup selling to enterprises that are often thousands of times its size, SOC 2 isn't a legal formality. It's leverage.

"As a team of four, being able to punch above our weight is super important," Nicholas said. "We get to act and feel confident like we are a much bigger company than we actually are."

Prospects can now access their SOC 2 report and review policies, which starts the selling before the first meeting even happens.

"It is now not a conversation of someone asking us a ton of questions," he said. "They're reviewing a review that's already happened. That's what can turn a very long process into a very quick one, or a list of 20 questions into a list of like two."

And when the conversation does happen, the founder can speak to it directly.

"We can go to our customers and say, 'We've really thought about this. It matters to us, and that's why it's one of the first things we did as a company.' If you talk to anyone on the team, they can tell you how we think about all of these things. That puts us in a really great place."

Built to Scale: The Same Compliance Overhead at 4 People as at 300

The firewall fix was a demo. The real payoff is in the employee lifecycle.

When a new hire joins, Rippling automatically queues three days of tasks: review the employee handbook, sign the acceptable use policy, complete required documents. All monitored, all tracked, all evidence auto-collected.

When someone moves between departments or teams, the access tied to their old role is automatically revoked, and the apps and groups the new role needs are provisioned. No checklist. No email thread. No manual screenshots.
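The mover behaviour described above is a role-to-entitlement reconciliation: compute what the new role requires, revoke what the old role granted that is no longer required, grant what is missing, and record each change as audit evidence. The following is an added example of that logic, not Rippling's code or data model; the role catalogue, the employee record and the evidence field names are constructed for illustration. It goes slightly beyond the paragraph: the same function handles a leaver (an empty role set revokes everything), and `access_drift` is the periodic access-review check an auditor expects alongside the automation.

```python
"""Role-based access reconciliation for joiner/mover/leaver events (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role catalogue (assumption, not a real product's data):
# role name -> set of (app, group) entitlements the role requires.
ROLE_ENTITLEMENTS = {
    "everyone":    {("slack", "all-hands"), ("gdrive", "handbook")},
    "engineering": {("github", "engineers"), ("aws", "developers"), ("slack", "eng")},
    "sales":       {("salesforce", "reps"), ("slack", "sales")},
    "finance":     {("netsuite", "users"), ("gdrive", "handbook")},  # overlaps with "everyone" on purpose
}


@dataclass
class Employee:
    email: str
    roles: set
    access: set = field(default_factory=set)  # (app, group) grants currently held


def required_access(roles):
    """Union of the entitlements for every role in `roles`.
    Unknown roles raise, so a typo in a role name cannot silently revoke or grant access."""
    unknown = set(roles) - ROLE_ENTITLEMENTS.keys()
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in roles))


def plan_mover(emp, new_roles):
    """Return (revoke, grant) for a role change without applying it.
    Anything the new roles still require is kept even if the old role also granted it."""
    target = required_access(new_roles)
    return emp.access - target, target - emp.access


def apply_mover(emp, new_roles, now=None):
    """Apply the plan and return one evidence record per change (who, what, when, why).
    An empty `new_roles` is the leaver case: every grant is revoked."""
    now = now or datetime.now(timezone.utc)
    revoke, grant = plan_mover(emp, new_roles)
    reason = f"role change {sorted(emp.roles)} -> {sorted(new_roles)}"
    records = []
    for action, changes in (("revoke", revoke), ("grant", grant)):
        for app, group in sorted(changes):
            records.append({"ts": now.isoformat(), "user": emp.email, "action": action,
                            "app": app, "group": group, "reason": reason})
    emp.access = (emp.access - revoke) | grant
    emp.roles = set(new_roles)
    return records


def access_drift(emp):
    """Periodic access-review check: grants held that no current role requires.
    A non-empty result means a manual grant or a missed revoke, i.e. an audit finding."""
    return emp.access - required_access(emp.roles)


if __name__ == "__main__":
    alice = Employee("alice@example.com", {"everyone", "engineering"})
    alice.access = required_access(alice.roles)      # joiner: provision exactly what the roles need
    for rec in apply_mover(alice, {"everyone", "sales"}):  # mover: engineering -> sales
        print(rec)
    alice.access.add(("aws", "developers"))            # simulate an out-of-band grant
    print("drift:", access_drift(alice))
```

The important detail is the set difference against the *target* rather than against the old role: an entitlement shared by both roles (here `slack/all-hands` via "everyone") is never revoked and re-granted, so the evidence trail shows only real changes.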

"Instead of having a ton of checklists laying around where we just need to go make sure we're checking boxes, we've said: 'We've set this up in Rippling. Now we know it's going to happen,'" Nicholas said.

Today, that's four devices. In a year, it might be 50. In two years, 300. Nicholas isn't worried about the math.

"The goal is that our team never spends more resources on compliance than we currently do," he said. "I can imagine a world where we're 300 people and maybe one or two people are still thinking about this—instead of a whole team. That will continue to scale very differently than if we were on a different platform."

As for the engineer who drove the buildout at half-time?

"He's going to go back to hanging out with customers and writing more code, which is great. And I feel very confident that we could not open the Automated Compliance tab in Rippling for the next 12 months and pass it on to next year. Everything is set up. As long as we continue doing what we're doing, it just works."

The Bigger Picture: Trust Is a Product

Nicholas thinks about compliance the way he thinks about hospitality—a word he uses deliberately.

"A big underlying mantra for us is just being hospitable," he said. "Do you know someone, and do you apply that knowledge consistently? The trust aspect is: do we even trust ourselves to deal with the data our customers give us and be responsible for the outcomes they expect?"

In a world where software companies are being given access to more data, more frequently, with fewer humans in the loop, that question matters more than ever.

"We touch some of the most important data our customers have," he said. "You wouldn't go to a restaurant where someone is unsure about cooking. You wouldn't give all your company data to a company who's unsure if they're going to be secure about it. So we have to be sure ourselves first—and then make it easy to prove."

He's quick to point out that SOC 2 alone doesn't create trust. The systems underneath it do.

"The fact that we have an audit that's complete isn't actually the exciting part to me," he said. "It's more the fact that we have systems in place that are going to scale and be consistent over the next one, three, five years. The audit is great. But the fact that we know—and trust ourselves—is what's super exciting."
