Meet Comply: StrongDM's Open Source SOC2 Compliance Tool


In order to succeed, startups must focus. And so, necessarily, it is tough for startups to help others when they are locked in a struggle to survive.

But one of our portfolio companies, strongDM, seeing the need to solve a huge problem they faced, has decided to do so in a way that can potentially help many young companies.

The challenge is an increasingly ubiquitous security compliance audit called SOC 2. Developed by the American Institute of CPAs (AICPA), SOC 2 focuses on service providers that store and process customer data in the cloud. The audit applies to nearly every SaaS company, and to many other businesses that store customer information in the cloud.

SOC 2 is being adopted by all kinds of organizations because, with data breaches in the news every week, companies are rightly nervous that they are the next target, and so they are investing in more rigorous internal controls. But an organization is only as secure as its weakest link, and that link often sits outside its direct control: the vendors, consultants and other third parties it relies on to conduct business can also compromise its systems. So companies are not just undergoing SOC 2 audits of their own practices; they are demanding the same rigorous security practices of their vendors, and startups are not exempt.

The rub is that a SOC 2 audit is broad, detailed and complex, and it requires months of preparation. That puts young companies in a real bind. Doing the preparation in house can all but shut the company down, because it soaks up the same engineering resources the product needs. Going out of house can be ferociously expensive, and, as often happens in situations like this, a horde of high-priced vendors has sprung up to prepare small companies for SOC 2 audits.

To reduce this burden, strongDM has launched an open source project called Comply. Comply provides what a developer needs to implement SOC 2 as code: any company can download a pre-authored library of 24 policies, edit them directly in markdown, track versions in GitHub, assign compliance tasks through Jira and monitor progress in a unified dashboard. It is 100% free and open source.
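The practical payoff of keeping policies as markdown under version control is that you can script checks over them, the most useful being "which SOC 2 criteria does no policy address, and which do two policies both claim?" The example below is added here to illustrate that idea; it is not code from Comply or strongDM. It assumes a simple front-matter header with a `satisfies` line listing Trust Services Criteria IDs (an assumed format, not Comply's actual schema), and the sample policy files and the short list of required criteria are constructed for the demonstration.

```python
"""Policy-as-code coverage check over markdown policy files.

Assumed policy format (not Comply's real schema): a markdown file that
starts with a front-matter block of "key: value" lines, one of which is
"satisfies", a comma-separated list of Trust Services Criteria IDs.
"""
import re

# Constructed sample policies, keyed by filename. "onboarding.md" deliberately
# overlaps with "access-control.md" to show the duplicate-claim check.
SAMPLE_POLICIES = {
    "access-control.md": """---
name: Access Control Policy
satisfies: CC6.1, CC6.2, CC6.3
---
# Access Control Policy
All production access is brokered through a bastion and logged.
""",
    "incident-response.md": """---
name: Incident Response Policy
satisfies: CC7.3, CC7.4, CC7.5
---
# Incident Response Policy
""",
    "change-management.md": """---
name: Change Management Policy
satisfies: CC8.1
---
# Change Management Policy
""",
    "onboarding.md": """---
name: Onboarding and Termination Policy
satisfies: CC6.1, CC6.2
---
# Onboarding and Termination Policy
""",
}

# Constructed subset of the AICPA common criteria used as the target list;
# a real run would load the full set your auditor expects you to cover.
REQUIRED_CRITERIA = {
    "CC6.1", "CC6.2", "CC6.3", "CC6.6", "CC6.7",
    "CC7.1", "CC7.2", "CC7.3", "CC7.4", "CC7.5",
    "CC8.1",
}

FRONT_MATTER = re.compile(r"\A---\n(.*?)\n---\n", re.S)
CRITERION = re.compile(r"\b[A-Z]{1,2}\d+\.\d+\b")


def parse_front_matter(text):
    """Return the 'key: value' pairs at the top of a policy file, or {} if absent."""
    m = FRONT_MATTER.match(text)
    if not m:
        return {}
    fields = {}
    for line in m.group(1).splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def criteria_for(text):
    """Set of criterion IDs a policy declares in its 'satisfies' field."""
    meta = parse_front_matter(text)
    return set(CRITERION.findall(meta.get("satisfies", "")))


def coverage_report(policies, required):
    """Map each required criterion to the policies claiming it.

    'missing' are criteria no policy covers (an audit finding waiting to
    happen); 'duplicated' are criteria two or more policies claim, which
    invites contradictory answers to "where is this control documented?";
    'unknown' are IDs outside the target list (typo or out of scope).
    """
    claimed = {c: [] for c in required}
    unknown = set()
    for name, text in policies.items():
        for c in criteria_for(text):
            if c in claimed:
                claimed[c].append(name)
            else:
                unknown.add(c)
    missing = sorted(c for c, owners in claimed.items() if not owners)
    duplicated = sorted(c for c, owners in claimed.items() if len(owners) > 1)
    return {"claimed": claimed, "missing": missing,
            "duplicated": duplicated, "unknown": sorted(unknown)}


if __name__ == "__main__":
    report = coverage_report(SAMPLE_POLICIES, REQUIRED_CRITERIA)
    for c in sorted(report["claimed"]):
        print(f"{c}: {', '.join(report['claimed'][c]) or 'MISSING'}")
    print("missing:", report["missing"])
    print("duplicated:", report["duplicated"])
```

Run this in CI against the policy directory and fail the build when `missing` or `duplicated` is non-empty; that turns the "is every control documented?" question an auditor asks into a check that runs on every pull request rather than a scramble the week before the audit.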

You can download it at:

We think it is laudable when startups can help others without taking focus off the essentials. strongDM had to deal with SOC 2 for its own success, and the fact that they have shown the generosity and maturity to make their solution available to others is the kind of grown-up behavior we seek in our portfolio companies.