Compliance·Mar 20, 2026·5 min read

SOC 2 Type I, six months in: the audits we didn't know we'd love

Auditors make you write things down. Writing things down made us better. A field report on what the SOC 2 process actually changes.

Harper Isayama, Head of Compliance

Most engineers treat SOC 2 the way they treat dental cleanings: necessary, expensive, and something you schedule at the last possible moment. That was our view going in. It is not our view now.

What actually changes

The substantive result wasn't the report. It was the forcing function. Having to document every access pathway, every change-management step, every incident response procedure made us write the things a staff engineer would have written on a good day and rarely does. The report was the artifact. The discipline was the point.

What I'd do differently

  • Start the controls catalogue on week one, not month six.
  • Pick an auditor that has strong product opinions, not just checkbox expertise.
  • Use Drata or Vanta from day one. Both are cheap relative to the time they save.
  • Write your own incident runbook. Don't let the auditor's template drive that conversation.

The Type II answer

We're seven months into the Type II observation period. Expect the report in late Q4 2026.