Skip to main content
Startup / Small Co. progress
intermediatePage 13 of 18

Phase 11: Security and Compliance

Daily security hygiene, authentication and authorization patterns, data handling, SOC 2, pen testing, and bug bounties at startup scale.

Phase 11: Security and Compliance

In one line: HTTPS everywhere, validated inputs, server-side authorization checks, secrets in a vault, and SOC 2 once enterprise customers ask. Don't wait for a breach.

In plain English

At solo scale, "security" means HTTPS and not committing your .env. At startup scale, you have customer data that other people will pay to steal — credentials, PII, payment info. The good news: most of what you need is checklist work. The bad news: skipping any item turns into existential risk. A breach can kill a startup.

Daily hygiene

  • HTTPS everywhere with HSTS.
  • Strict Content Security Policy (CSP) headers.
  • All inputs validated with Zod (defense in depth).
  • Rate limiting on auth endpoints, API endpoints, and expensive operations.
  • Dependabot or Renovate for dependency updates.
  • Secrets in a vault (Doppler/1Password), never in code or chat.
  • Database row-level security (RLS) where applicable.

Authentication

  • Strong password requirements + breached-password checks.
  • Multi-factor authentication available (often required for admins).
  • Session expiration and idle timeout.
  • Audit log of admin actions.

Authorization

  • Server-side checks on every protected operation (never trust the client).
  • Tenant isolation in multi-tenant apps (every query filters by tenant).
  • Least-privilege roles.

Data

  • Encrypted at rest (managed DBs do this automatically).
  • Encrypted in transit (TLS everywhere).
  • Regular backups (Supabase/Neon do this; verify they exist).
  • PII minimization (don't store what you don't need).
  • Data deletion on user request (GDPR/CCPA).

SOC 2

  • Most B2B SaaS pursues SOC 2 Type II around 20–30 employees.
  • Vanta or Drata automates ~80% of the work.
  • Costs $10–30K for the audit + ongoing platform fees.
  • Takes 3–6 months to achieve initial Type I; 6–12 months for Type II.

Penetration testing

  • Annual third-party pen test once you have meaningful customers.
  • Costs $10–30K per engagement.
  • Required by many enterprise customers' security questionnaires.

Bug bounty

  • Optional at this scale. HackerOne or Bugcrowd if you want one.
  • Or just an "email security@company.com" address with a responsible disclosure policy.
Worked example: an authorization bug caught by code review

A PR adds a new admin endpoint /api/admin/users/[id]/delete. The code looks correct — it uses await auth() to get the current user.

The reviewer asks: "Where do we verify the current user is actually an admin?" The author replies: "Oh, the route is under /admin, so the middleware blocks non-admins."

The reviewer pushes back: "Middleware can be bypassed if someone calls the endpoint directly. We've been bitten by this before." They add a server-side if (!user.isAdmin) throw new Error('forbidden') inside the handler.

That's the discipline: every protected operation re-checks authorization server-side, regardless of upstream guards. Defense in depth is what saves you when a single layer fails.

Highlight: SOC 2 is half compliance, half checklist

The first time you start a SOC 2 process, it feels like a wall of acronyms. Vanta or Drata reduces it to a checklist: enable audit logs, verify backups, enforce MFA on admin accounts, set up vendor reviews. ~80% of the work is just clicking through the platform's tasks and providing screenshots.

The other 20% is policy writing (security policy, incident response policy) and the audit itself. Total cost: $10–30K plus ongoing platform fees ($300–$1,000/month). For a B2B startup chasing enterprise customers, it's table stakes.

Common mistakes

Where people commonly trip up
  • Treating SOC 2 as security. Compliance is checklist work; security is making sure your app actually resists attack. A SOC 2 Type II company can still have IDOR bugs, leaked API keys, and exposed admin endpoints. Pass the audit and do real threat modeling on critical flows.
  • Building permissions in the UI instead of the database. Hiding a button when user.role !== 'admin' is not authorization — it's a hint. Real authorization happens server-side, ideally enforced by Postgres RLS so even a buggy endpoint can't bypass it.
  • Granting "temporary" prod database access that becomes permanent. Engineer needs to debug something live, gets read-write access "for the day," and it's still there a year later. Every prod credential needs an expiration; use short-lived tokens from your auth provider, not static keys.
  • Pasting secrets into Slack, Notion, or AI tools. "Just for a sec" leaks become permanent — Slack messages get backed up, AI assistants log inputs. If a secret hits any channel that wasn't your vault, rotate it. Make this a team norm, not a SOC 2 requirement.
  • Waiting for the first enterprise deal to think about authorization tests. Multi-tenant leaks (tenant A seeing tenant B's data) are the highest-severity bugs you can ship. Write a "cross-tenant" test suite the day you onboard your second tenant — not the day a customer notices.

Page checkpoint

Checkpoint Quiz

Did startup security stick?

Required

What's next

→ Continue to Phase 12: Maintenance and Scaling where the weekly cadence and Postgres scaling come into focus.