Can a solo founder pass SOC 2?

TL;DR
  • Yes, a one-person company can pass SOC 2. Having too few people is not a failure.
  • Security is the only required category, and your small scope works in your favor.
  • Separation of duties gets right-sized with documented self-review and automated alerts.
  • Start with Type I. You don't need a compliance subscription to pass.

The real question isn't "can you pass". It's "how do controls work when the team is one person"

I get this question almost every week, usually from a founder who just got a security questionnaire from an enterprise prospect and felt their stomach drop. The honest answer is yes, you can pass. The more useful question is the one sitting underneath it: how does a control like separation of duties work when you are the entire company?

In five years of fieldwork I never once saw "you have too few people" written down as an audit failure. What I did see was auditors who hadn't learned how to translate big-company control language down to a small company, so they either invented busywork or wrote a finding that didn't need to exist. It helps to know how the standard is built. The Trust Services Criteria, which are simply the security standards your report is graded against, are written at the level of the criterion itself. Underneath each criterion sit points of focus, which are guidance for what "good" tends to look like, not a checklist you have to tick off. That distinction is the whole game for a solo founder, because almost every "you need a separate person for this" assumption turns out to be a point of focus, not a hard requirement.

What's actually in scope for a solo founder

Security is the only category you are required to include. Availability, Confidentiality, Processing Integrity, and Privacy are optional categories you add only if your contracts or customers genuinely need them. For a first SOC 2 driven by one enterprise deal, that almost always means Security-only.

Your scope is small in a way that helps you. A solo founder's system is usually a cloud account, a code repository, an identity provider, a database, and a handful of SaaS tools. Fewer systems means fewer controls to gather evidence for, and a shorter audit. This isn't a rare edge case, either. Solo founders started 36.3% of all new startups in the first half of 2025, up from 23.7% in 2019, and roughly 82% of US businesses have no employees at all. So when someone says SOC 2 "assumes a team," they're describing a market that mostly doesn't exist anymore.

A Security-only Type I for a one-person company is a genuinely small engagement. The work is real, but it's bounded.

How an auditor right-sizes the tricky controls

This is where having a CPA who knows small companies actually earns the fee. The AICPA explicitly allows smaller, less complex organizations to meet the criteria through active owner oversight rather than formal structure. Here's how I think through the five controls founders worry about most.

ControlWhat big-company guidance assumesHow it's right-sized for a solo founder
Separation of dutiesA "maker" and a separate "checker" so no single person can both make a change and approve it.You can't split the role, so you put other safeguards in their place. A documented self-review on a set schedule, plus automated controls that catch problems after the fact: deploy alerts posted to a channel that keeps a record, branch protection, and audit logs you actually read. The point of the criterion is reducing risk, not counting heads.
Insider threat and privileged accessA dedicated security team reviewing admin access to confirm everyone has only what they need.You're the only admin, so the control lives in the tooling, not in people. Single sign-on with multi-factor login, a hardware key or password manager, cloud logging turned on, and a written access review that you perform and date yourself. One person reviewing one account is a valid review when it's written down.
Background checks and HR controlsAn HR function running checks and tracking onboarding and offboarding for staff.With no employees there's nothing to check, and a good auditor scopes it that way. When you bring on a contractor, the control becomes a signed agreement plus the steps you follow to grant and remove their access. You document that the population is one person and that the process is defined.
Vendor and third-party risk managementA procurement team running a vendor risk program with annual reassessments.You lean on the audit reports your vendors already have. A vendor your security depends on, like your cloud provider, is what auditors call a subservice organization, and you collect its SOC 2 report rather than auditing it yourself. Keep a short vendor list with a documented review, gather the SOC 2 reports for your cloud and key SaaS vendors, and note which parts of your security you're relying on them for. The work is reading reports, not building a program.
Change management and code reviewA second engineer reviews every code change before it ships.Merging your own code is fine if the safeguards are real and recorded. Branch protection, automated checks before merge, automated tests, and a logged trail of what shipped and why. An automated control that flags every deploy can stand in for a second reviewer when it's well designed and you have the records to show it.

None of this is a loophole. Each one is a compensating control, meaning a different safeguard that achieves the same goal, and an experienced auditor weighs it against the actual risk, then writes it up in the working papers so it holds up when the firm's work is later reviewed. The skill is knowing which controls genuinely need a second person, which is very few, and which just need a documented, repeatable practice, which is most of them.

Type I or Type II first? Type I, almost always

A Type I report tests whether your controls are designed correctly at a single point in time. A Type II report tests whether those controls actually operated over a stretch of time, usually three to twelve months. For a solo founder who needs something to hand the enterprise prospect now, Type I is the right first move. It's faster, the fieldwork is short because there's no waiting period to observe, and it proves your controls exist and are designed right.

Type II comes next, once your controls have been running long enough to have a track record. Most enterprise buyers will accept a Type I with a commitment to a Type II to follow. Get the design right first. Then prove it held.

You don't need a compliance subscription

Here's the part that the companies selling you software tend to leave out: the audit is the required part, and the platform is optional tooling. A SOC 2 report is issued in the name of a licensed CPA firm. Compliance platforms can't issue one. They collect evidence and lay out checklists, which can genuinely save you time, but they are not the thing your customer is asking for. The CPA firm's signed opinion is.

Plenty of solo founders pass with a spreadsheet, their cloud console, and an auditor who knows how to scope a team of one. If a platform like Vanta or Drata genuinely saves you time, by all means use it. Just don't mistake the subscription for the requirement. The same logic holds whether you're a true company of one, a two-person team, or a seed-stage startup with three engineers. Small scope, Security first, Type I to start. The shape of the engagement is the same.

What does it cost? Industry data puts a Type I audit roughly in the $5,000 to $20,000 range, with total first-year spend climbing to $25,000 to $50,000 once you add platforms and tooling you may not actually need.

Frequently asked questions

Can a one-person company pass SOC 2?
Yes. Security is the only required category, and a solo founder's scope is small, so a CPA can right-size every control to a team of one. Controls that normally assume two people, like separation of duties, are met through documented self-review and other safeguards that catch problems after the fact. A licensed CPA firm can issue a Type I for a one-person company in a matter of weeks.
How do I do separation of duties with no employees?
You put other safeguards in place instead of splitting the role. Document a self-review on a set schedule and add automated controls that catch problems after the fact, like deploy alerts posted to a channel that keeps a record, branch protection, and audit logs you actually read. The AICPA lets smaller organizations meet the criteria through active owner oversight rather than headcount, so a documented, repeatable practice satisfies the control.
Should a solo founder get Type I or Type II first?
Type I first. It tests whether your controls are designed correctly at a point in time, so the fieldwork is short and there's no multi-month waiting period to observe. Type II tests whether the controls actually operated over a stretch of time, usually three to twelve months, and makes sense once your controls have a running history. Most enterprise buyers will accept a Type I with a Type II to follow.
Do I need Vanta or Drata as a solo founder?
No, not to pass. Compliance platforms collect evidence and lay out checklists, but they can't issue a SOC 2 report. Only a licensed CPA firm can issue the signed opinion your customer is asking for. A platform is optional tooling. If it saves you time, use it, but don't mistake the subscription for the requirement.
How fast can a solo founder get a signed SOC 2 report?
A Type I can move quickly because the scope is small and there's no observation period to wait out. Getting ready can take as little as two to three weeks if your security practices are already in reasonable shape, and the fieldwork for a point-in-time audit is short. The signed report follows shortly after fieldwork wraps.

Keep reading

Sources
  1. Trust Services Criteria are evaluated at the criterion level; points of focus are illustrative, not requirements (2017 TSC with revised points of focus, 2022).
  2. Roughly 82% of US businesses (about 28.5 million firms) have no employees.
  3. Under AICPA attestation standards (AT-C 205), inquiry alone is never sufficient; the practitioner must inspect, observe, or reperform and test the controls.