Frequently Asked Questions

What is SOC 2 compliance and why do SaaS companies need it?

SOC 2 is a security audit framework developed by the AICPA. Enterprise customers require it before signing contracts. Getting certified removes procurement blockers, shortens your sales cycle, and proves your security controls are operating effectively.

How long does it take to get SOC 2 certified?

Most SaaS startups reach SOC 2 Type I readiness in 60 to 90 days with the right guidance. Type II requires an additional 3- to 12-month observation period. A fractional compliance officer eliminates trial and error and accelerates the timeline significantly.

What is the difference between SOC 2 Type I and Type II?

Type I certifies your security controls are properly designed at a point in time. Type II certifies those controls operated effectively over a period of time, typically 6 to 12 months. Most enterprise customers require Type II.

Does my SaaS startup need HIPAA compliance?

If your product stores, transmits, or processes any Protected Health Information for healthcare organizations, HIPAA compliance is legally required. This applies to EHRs, health apps, telehealth platforms, billing systems, and any tool used by covered entities.

What does a fractional compliance officer do?

A fractional compliance officer provides the expertise of a full-time Chief Compliance Officer on a part-time or project basis. At TCS, that means building your GRC program, writing your policies, gathering your evidence, and guiding your audit without the cost of a full-time hire.

How much does SOC 2 compliance cost with TCS?

TCS engagements start with the Compliance Snapshot, a 10-hour readiness assessment. From there, you can engage for a full SOC 2 roadmap, policy build-out, or ongoing fractional support. All services are priced at a fixed rate so you know your investment before you begin.

What is ISO 42001 and does my company need it?

ISO 42001 is the international standard for an AI Management System, published in December 2023. If your company builds, deploys, or uses AI features that enterprise customers and investors review, ISO 42001 is what they want to see. TCS adds ISO 42001 to its framework expertise alongside SOC 2, ISO 27001, HIPAA, and CMMC.

I am a subcontractor on a DoD contract. Does CMMC Level 2 apply to me?

Yes. CMMC Level 2 is now a flow-down requirement to subcontractors of DoD primes. The 110 controls of NIST 800-171 apply to subcontractors who store, process, or transmit Controlled Unclassified Information. TCS runs a 90-day path from current state to assessment-ready, built for small businesses without an internal compliance team.

Should I use Vanta or Drata?

Both platforms work for most compliance programs. The right choice depends on your stack, team size, integrations, and how your auditor expects to see evidence. TCS holds active partner status with both Vanta and Drata, which means we recommend the platform that fits your environment rather than the one we happen to be aligned with. Most independent consultants partner with one or neither.

What is The Reverse Compliance Runway?

The Reverse Compliance Runway is the TCS methodology for compliance engagements. Every engagement starts at the audit date and works backward. We define the finish line, then map exactly what has to happen to get there, then do it. The principal who builds your program is the same person who walks you through the assessment at the end.

How much does compliance with TCS cost?

The Compliance Snapshot is fixed-scope at 10 hours and a published rate. Bundled engagements like the Reverse Compliance Runway include defined scope and a bundled rate. The Embedded Principal monthly retainer has three tiers based on your team size and program complexity. All engagement rates are published in the proposal so you see the price before you commit.