Can a solo founder pass SOC 2?
The real question isn't "can you pass" — it's "how do controls work when the team is one person"
I get this question almost every week from a founder who just got a security questionnaire from an enterprise prospect and panicked. The honest answer is yes, you can pass. The question worth asking is the one underneath it: how does a control like segregation of duties work when you are the entire company?
In five years of fieldwork I never once saw "you have too few people" written as an audit failure. What I saw was auditors who didn't know how to translate big-company control language down to a small entity, so they either invented work or wrote a finding that didn't need to exist. The Trust Services Criteria are written at the criterion level. Points of focus are illustrative, not a checklist. That distinction is the whole game for a solo founder, because almost every "you need a separate person for this" assumption is a point of focus, not a requirement.
What's actually in scope for a solo founder
Security is the only mandatory Trust Services Criterion. Availability, Confidentiality, Processing Integrity, and Privacy are optional categories you add only if your contracts or customers actually need them. For a first SOC 2 driven by one enterprise deal, that almost always means Security-only.
Your scope is also small in a way that helps you. A solo founder's system is usually a cloud account, a code repo, an identity provider, a database, and a handful of SaaS tools. Fewer systems means fewer controls to evidence and a shorter audit. This isn't a rare edge case either. Solo founders started 36.3% of all new startups in the first half of 2025, up from 23.7% in 2019, and roughly 82% of US businesses have no employees at all. Auditors who tell you SOC 2 "assumes a team" are describing a market that no longer exists.
A Security-only Type I for a one-person company is a genuinely small engagement. The work is real, but it's bounded.
How an auditor right-sizes the tricky controls
This is where a CPA earns the fee. The AICPA explicitly allows smaller, less complex organizations to meet the criteria through active owner oversight rather than formal structure. Here's how I translate the five controls founders worry about most.
| Control | What big-company guidance assumes | How it's right-sized for a solo founder |
|---|---|---|
| Segregation of duties | A "maker" and a separate "checker" so no one person can both make and approve a change. | You can't split the role, so you compensate. Documented self-review on a defined cadence, plus automated detective controls (deploy alerts to a logged channel, branch protection, audit logs you actually read). The criterion is risk reduction, not headcount. |
| Insider threat / privileged access | A dedicated security team reviewing admin access against least privilege. | You're the only admin, so the control is tooling, not people. SSO with MFA, hardware key or password manager, cloud logging on, and a written access review you perform and date yourself. One reviewer reviewing one account is a valid review when it's documented. |
| Background checks & HR controls | An HR function running checks and tracking onboarding/offboarding for staff. | With no employees there's nothing to check, and the auditor scopes it that way. When you bring on a contractor, the control becomes a signed agreement plus provisioning/deprovisioning steps. We document that the population is one and the process is defined. |
| Vendor / third-party risk management | A procurement team running a vendor risk program with annual reassessments. | You lean on your subservice organizations' own attestations. Collect your cloud and key SaaS vendors' SOC 2 reports, keep a short vendor list with a documented review, and disclose carve-outs. The work is reading reports, not building a program. |
| Change management & code review | A second engineer reviews every pull request before merge. | Self-merge is fine if the safeguards are real and recorded. Branch protection, CI gates, automated tests, and a logged trail of what shipped and why. A detective control that surfaces every deploy can substitute for a second reviewer when it's designed and evidenced. |
None of this is a loophole. Every one of these is a compensating control an experienced auditor evaluates against the actual risk, then documents in the workpapers so it survives peer review. The skill is knowing which controls genuinely need a second person (very few) and which just need a documented, repeatable practice (most of them).
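The segregation-of-duties and change-management rows above both rest on a detective control that surfaces every deploy and on a self-review you perform and date. Here is an added example of that control in Python (not code from the post or from any product it mentions); it assumes you have already exported merged-PR and deploy records from your repo host and deploy tool, and the sample data is constructed.

```python
# Added example, not code from the original post: a detective control for a
# solo founder who self-merges. It reconciles every deploy against a merged PR
# that passed CI on a protected branch, then emits a dated self-review record.
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class MergedPR:
    number: int
    sha: str                # merge commit the deploy should reference
    ci_passed: bool         # CI gate outcome recorded on the PR
    protected_target: bool  # merged into a branch with protection enabled

@dataclass(frozen=True)
class Deploy:
    sha: str
    deployed_at: str        # timestamp from the logged deploy-alert channel

def reconcile(prs, deploys):
    """One finding per deploy that cannot be traced to a merged PR that passed
    CI on a protected branch. An empty list means a clean review period."""
    by_sha = {p.sha: p for p in prs}
    findings = []
    for d in deploys:
        pr = by_sha.get(d.sha)
        if pr is None:
            findings.append(f"{d.deployed_at}: deploy {d.sha[:7]} has no merged PR (out-of-band change)")
        elif not pr.ci_passed:
            findings.append(f"{d.deployed_at}: PR #{pr.number} shipped without a passing CI run")
        elif not pr.protected_target:
            findings.append(f"{d.deployed_at}: PR #{pr.number} bypassed branch protection")
    return findings

def self_review(reviewer, prs, deploys, reviewed_at=None):
    """The dated record the auditor asks for: who reviewed what, when, and
    which exceptions were found. reviewed_at defaults to now (UTC)."""
    when = reviewed_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    findings = reconcile(prs, deploys)
    return {"reviewer": reviewer, "reviewed_at": when,
            "deploys_reviewed": len(deploys), "exceptions": findings,
            "conclusion": "no exceptions" if not findings else "exceptions noted; follow up"}

# Constructed sample: one traceable deploy, one whose PR failed CI, one out-of-band.
SAMPLE_PRS = [MergedPR(41, "a1b2c3d4e5", True, True), MergedPR(42, "f6e5d4c3b2", False, True)]
SAMPLE_DEPLOYS = [Deploy("a1b2c3d4e5", "2025-03-01T10:02:00Z"),
                  Deploy("f6e5d4c3b2", "2025-03-02T09:15:00Z"),
                  Deploy("0000000abc", "2025-03-03T18:40:00Z")]
```

Run `self_review("founder", SAMPLE_PRS, SAMPLE_DEPLOYS)` on a fixed cadence and file the returned record; the exceptions list is what you follow up on, and the dated record is the evidence.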
Type I or Type II first? Type I, almost always
Type I tests whether your controls are designed correctly at a single point in time. Type II tests whether they operated effectively across a period, usually three to twelve months. For a solo founder who needs something to hand the enterprise prospect now, Type I is the right first move. It's faster, the fieldwork is short because there's no observation window, and it proves your controls exist and are designed right.
Type II comes next, once your controls have been running long enough to have an operating history. Most enterprise buyers accept a Type I with a committed Type II to follow. Get the design right first. Then prove it held.
You don't need a compliance subscription
Here's the part nobody selling you software wants to say plainly: the audit is the required part. The platform is optional tooling. A SOC 2 report is signed by a licensed CPA firm. Compliance platforms can't sign one. They collect evidence and generate checklists, which can be useful, but they are not the thing your customer is asking for. The signed opinion is.
Plenty of solo founders pass with a spreadsheet, their cloud console, and an auditor who knows how to scope a team of one. If a platform genuinely saves you time, use it. Just don't confuse the subscription with the requirement. The same logic applies whether you're a true company of one, a two-person team, or a seed-stage startup with three engineers. Small scope, Security-first, Type I to start. The shape of the engagement is the same.
What does this cost? Industry data puts a Type I audit roughly in the $5,000 to $20,000 range, with total first-year spend climbing to $25,000 to $50,000 once you add platforms and tooling you may not need. For your specific number, use the pricing calculator on chiarohq.com or book a call.
“In five years of fieldwork I never once saw "you have too few people" written as an audit failure — the criteria measure whether your risk is controlled, not how many people you employ.”
Frequently asked questions
Can a one-person company pass SOC 2?
How do I do segregation of duties with no employees?
Should a solo founder get Type I or Type II first?
Do I need Vanta or Drata as a solo founder?
How fast can a solo founder get a signed SOC 2 report?
Sources
- Security is the only required Trust Services Criterion in every SOC 2 audit; Availability, Confidentiality, Processing Integrity, and Privacy are optional.
- Trust Services Criteria are evaluated at the criterion level; points of focus are illustrative, not requirements (2017 TSC with revised points of focus, 2022).
- Solo founders started 36.3% of all new startups in H1 2025, up from 23.7% in 2019.
- Roughly 82% of US businesses (about 28.5 million firms) have no employees.
- Smaller, less complex service organizations can meet SOC 2 criteria such as CC1.2 oversight and segregation of duties through active owner oversight and preventative-plus-detective compensating controls rather than formal role separation.
- SOC 2 Type I evaluates control design at a single point in time; Type II evaluates design and operating effectiveness over a period of three to twelve months.
- A SOC 2 Type I audit generally costs between $5,000 and $20,000, with total first-year SOC 2 spend often $25,000 to $50,000 once platforms and tooling are included.
- SOC 2 readiness can take as little as two to three weeks for companies with existing security maturity, and Type I fieldwork is relatively short because there is no observation period.