Finally... a SOC 2 Policy Builder auditors love

Hey friend,

Sorry — I’ve been quiet here. No newsletter for a while.

I’ve been busy helping companies with their SOC 2 journey. In the past 4 months I’ve helped 3 companies achieve their SOC 2 readiness.

I faced tons of difficulties, and tracking compliance progress for each company in Excel often felt difficult and burdensome. I wanted something that felt more like 2025…

I checked around 12 compliance automation tools (Drata, Vanta, Scythe, etc.), but they all seemed built for corporates that have compliance departments with dedicated resources and the budget to spend $10k+ / year on a tool.

There is nothing in between…

Either you track it in Excel, which works but is pretty boring and tedious (to be honest), or you spend a fortune on an enterprise tool like Vanta and hire some compliance people for your team.

But this is 2025; it’s pretty sad that there is literally nothing for us small teams to use for compliance tracking/automation.

Built for small teams? YES!

So, I’ve decided to build something leaner for myself and my clients.

It worked!

Those companies I’ve mentioned achieved their SOC 2 readiness using this simple app.

We got awesome feedback from the auditors: they liked the policies and mentioned multiple times how well they are structured and how easy the tone is (the auditors didn’t know the policies were generated). And of course the companies passed.

This tool has everything you need to achieve readiness without additional headcount or countless hours. My key drive for this tool is to have it as tailored as possible to the company, making it as efficient as possible.

But enough chitchat for now. I’m going to share much more information in the coming days/weeks as I release all the features that will make your life much easier.

Meet nextcomply - a SOC 2 Policy Builder that actually works

I’ve tested around 20 policy builders and they all failed on the following points:

| Area auditors probe | nextcomply Policy Builder | General Policy Builder | Why it matters |
|---|---|---|---|
| Ownership & accountability | Explicit CSO and CTO with duties (own ISMS, run audits, implement AWS controls). | No named owners. | Named roles let auditors trace decisions and approvals. |
| Document control & review | Review every 12 months or on major change; version/date; storage path /Security/Policies. | No versioning or canonical storage path. | Auditors will ask “Where’s the latest approved copy?” |
| Operating rhythm | Monthly 30-min security sync with agenda and minutes in Security-Meetings folder. | No operating cadence; only general monitoring statements. | Demonstrates the control actually runs, not just exists. |
| Exception management | Simple form; CSO decision within 2 business days; owner + end-date tracked. | Not covered. | Exceptions are common; auditors want a trail and closures. |
| Evidence & audit support | Evidence repo /Security/Audit-Evidence; audit requests answered within 3 business days. | Mentions compliance but no evidence repository or SLA. | Where to find screenshots/logs/tickets matters at audit time. |
| Goals & roadmap | Annual Security Roadmap (SOC 2 checkpoints, IAM reviews, monitoring), reviewed monthly. | Not included. | Shows planned maturity and continuous improvement. |
| Acknowledgement/comms | Readers must acknowledge updates within 5 days (tracked via e-signature). | Not specified. | Auditors may sample acknowledgment records. |

After seeing this comparison and the feedback from the auditors and clients, I’m pretty pumped to give you access to the Policy Builder and let you tinker with it, so you can see for yourself. Would love to hear your feedback!

You can access it here: https://app.nextcomply.ai/policy-preview (for now there is no usage limit for you, as long as it’s responsible use).

What do I plan to do to further improve the policies?

  1. Collect your feedback, and improve the tool based on it. This is by far the most important one!

  2. Fine-tuning the LLM I'm using. Currently, I'm sending everything in context to get proper results, which makes it slow and costly. Fine-tuning the LLM could in theory improve speed, quality and cost per policy.

  3. There is a simple company profile (under Settings/Organizations/Edit Organizations) for each company. This profile is used everywhere to optimize UX and results; however, I could improve the policy results further by asking some policy-specific questions for each policy. Example: if you use AWS, I could ask more questions about the services used (the ones relevant to that particular policy). This additional information would be stored in the company profile, further improving the results.

  4. With automatic cross-policy linking, the overall compliance posture could be further improved.

So again, if you have some time, I’d love your feedback and ideas on how to improve.

Adam

P.S.: You can access it here: https://app.nextcomply.ai/policy-preview (for now there is no usage limit for you, as long as it’s responsible use). Hit reply and tell me how I can help you in your compliance journey.
