What is the minimum viable compliance setup for a pre-seed startup?

The Minimum Viable Compliance Stack

You don't need SOC 2 at pre-seed. But you should build security habits that make SOC 2 trivial when you do need it.

Must-Have (Day 1)

Control	Tool	Cost
MFA on all accounts	Google Workspace, GitHub settings	Free
Password manager	1Password, Bitwarden	$3-8/user/month
Encrypted hosting	Vercel, AWS, GCP (default)	Already paying
Version control with reviews	GitHub with branch protection	Free
Privacy policy	Standard template on your website	Free

Should-Have (Month 1-3)

Control	Tool	Cost
Device encryption	FileVault (Mac), BitLocker (Windows)	Free
Basic access controls	Separate admin/member roles in GitHub and cloud	Free
Terms of service	Standard template	Free
Offboarding checklist	Notion/Google Docs template	Free

Nice-to-Have (When You Have Budget)

Control	Tool	Cost
MDM	Mosyle (Mac)	~$1/device/month
Security training	Curricula	~$1K/year
Background checks	Checkr	$30-100/check
Vulnerability scanning	Dependabot (free), Snyk	Free-$100/month

Why This Matters at Pre-Seed

• Customer trust: Even early customers appreciate seeing MFA and encrypted data
• Investor confidence: Security basics show operational maturity
• Future-proofing: These habits make SOC 2 a 4-week project instead of 4 months
• Data protection: It's the right thing to do even without compliance requirements

What You Can Skip

• Formal policies (wait until SOC 2)
• GRC platforms (way too expensive at this stage)
• Compliance consultants (no need yet)
• Penetration testing (wait until you have a mature product)
• Compliance frameworks of any kind (SOC 2, ISO, HIPAA)

The Transition Point

When your first enterprise prospect says "do you have a SOC 2?" — that's when you formalize. Everything you've built at pre-seed (MFA, access controls, code reviews, encryption) becomes the foundation for your SOC 2 program. The gap between "minimum viable compliance" and "SOC 2 ready" is mostly documentation.