§ Field notes

Short briefings for operators who'd rather not become accidental auditors.

Honest writing on SOC audits, compliance, accounting, and tax — no vendor theatre, no checklists masquerading as advice.

Field Guide

What a SOC 2 report actually tells your buyer

A short, honest field guide to what enterprise procurement teams look for when they flip to the independent auditor's opinion — and what they don't.

Dev Agarwal, CPA · 6 min read
Operations

Data Processing Agreement: a founder's guide to the DPA

What a data processing agreement does, the clauses GDPR requires, how sub-processors flow down, and how a DPA relates to a BAA, SOC 2, and ISO 27001.

Dev Agarwal, CPA · 7 min read
Operations

SOC 2 bridge letter: what it is and who signs

A SOC 2 bridge letter covers the gap between your last Type II report and today. Here is what it says, who signs it, and how long it can run.

Dev Agarwal, CPA · 5 min read
Operations

How to run a SOC 2 readiness assessment that actually works

A SOC 2 readiness assessment is cheaper than remediation. How to scope it, build the gap list, run an evidence library, and pick Type I vs Type II.

Dev Agarwal, CPA · 7 min read
Compare

SOC 2 vs ISO 27001: how to pick (and when to do both)

SOC 2 vs ISO 27001, compared by the people asking for them. Buyer geography, timelines, cost, control overlap, and the three sequences that actually work.

Dev Agarwal, CPA · 7 min read
Compare

SOX 404(a) vs 404(b): management vs auditor attestation

SOX 404a vs 404b in plain English: 404(a) is management's ICFR assertion; 404(b) is the external auditor's attestation. Who files each, and when it kicks in.

Dev Agarwal, CPA · 6 min read
Federal

CMMC 2.0 explained: levels, timeline, and who assesses you

CMMC 2.0 primer for defense contractors: what CMMC stands for, Level 1, Level 2, and Level 3 requirements, what a C3PAO does, and the rollout timeline.

Dev Agarwal, CPA · 8 min read
HIPAA/HITRUST

HIPAA compliance for SaaS: BAAs, safeguards, and the honest path

HIPAA compliance services for SaaS: what a BAA is, when you become a business associate, the minimum technical safeguards, and how SOC 2 maps to HIPAA.

Dev Agarwal, CPA · 7 min read
ISO

ISO 27001 requirements: clauses 4–10 and Annex A

ISO 27001 requirements explained clause by clause. What auditors expect for the ISMS, risk treatment, internal audit, management review, and Annex A evidence.

Dev Agarwal, CPA · 7 min read
SOC

SOC 3 reports: the public-use version of your SOC 2

SOC 3 is the publicly distributable version of a SOC 2 Type II. Here is what it contains, how it is produced, and when it is worth adding to your audit.

Dev Agarwal, CPA · 6 min read
Compare

SOC 1 vs SOC 2: which report your buyer is actually asking for

SOC 1 vs SOC 2, plus a note on SOC 3: one covers ICFR for your customers' auditors, the other covers vendor trust for their security teams. Here is how to pick.

Dev Agarwal, CPA · 6 min read
SOC

SOC 1 Type 1 vs Type 2: which one your buyer is asking for

SOC 1 Type 1 vs Type 2 explained: point-in-time design versus operating effectiveness over 3 to 12 months, and which report a user auditor actually wants.

Dev Agarwal, CPA · 7 min read
SOC

The SOC 2 audit process, phase by phase

The SOC 2 audit process in real phases with honest timelines: scoping, readiness, observation window, fieldwork, draft, management review, issued report.

Dev Agarwal, CPA · 9 min read
SOC

SOC 2 Type I vs Type II: which one to run first

A SOC 2 Type 2 audit tests operating effectiveness over months, not a single day. Here is when Type I is the right first step and when to skip it.

Dev Agarwal, CPA · 7 min read
SOC

SOC 2 compliance requirements: the practical checklist

SOC 2 compliance requirements are not a fixed control list. The policies, controls, evidence, and observation-window mechanics auditors actually expect.

Dev Agarwal, CPA · 7 min read
ISO

What is ISO 27001? A plain-English primer

What is ISO 27001, what an ISMS actually is, and why the Statement of Applicability matters. A CPA firm's jargon-free primer for US SaaS founders.

Dev Agarwal, CPA · 6 min read
SOC

Trust Services Criteria, explained for SOC 2 scoping

The Trust Services Criteria are the AICPA categories a SOC 2 tests against. Here is what each one means and how to pick the right scope for your report.

Dev Agarwal, CPA · 6 min read
Federal

What is FedRAMP? A plain-English primer for SaaS founders

What is FedRAMP: the OMB-mandated program that authorizes cloud services for US federal use. Impact levels, JAB vs Agency paths, what a 3PAO does.

Dev Agarwal, CPA · 9 min read
HIPAA/HITRUST

HITRUST certification explained: e1, i1, r2, and the honest cost

HITRUST certification primer for SaaS founders: what the CSF is, the e1/i1/r2 levels, who issues the certificate, and how it maps to HIPAA and SOC 2.

Dev Agarwal, CPA · 7 min read
HIPAA/HITRUST

Who the HIPAA Security Rule applies to

The HIPAA Security Rule applies to covered entities and business associates that create, receive, maintain, or transmit ePHI. Here is exactly who that is.

Dev Agarwal, CPA · 6 min read
ISO

ISO 27001 certification: how it actually works

A SaaS founder's guide to ISO 27001 certification: who issues it, stage 1 vs stage 2, the three-year cycle, timelines, and how it compares to SOC 2.

Dev Agarwal, CPA · 8 min read
SOC

What Is a SOC 1 Report? ICFR, Examples, and Who Asks

A SOC 1 report is an auditor's attestation on a service organization's controls relevant to its customers' financial reporting. Here is what's in one.

Dev Agarwal, CPA · 7 min read
SOC

What is SOC 2 compliance? A founder's primer

What is SOC 2 compliance, who issues the report, why enterprise buyers ask for it, and how long it actually takes. A CPA firm's plain-English primer.

Dev Agarwal, CPA · 8 min read