WebSentry
Log inSign up free
All articles
SaaS SecurityStartup ComplianceSOC 2

The Pre-Series A SaaS Security Compliance Checklist

A practical SaaS security compliance checklist for early-stage startups: real controls, tools, and steps to pass vendor reviews and avoid breaches.

WebSentry TeamMay 22, 20266 min read

Early-stage SaaS founders usually discover security compliance the same way: an enterprise prospect sends a 200-question vendor security questionnaire two weeks before contract signature. Suddenly you're scrambling to document policies, retrofit MFA, and explain why your S3 bucket logs go to nowhere.

This checklist is built for startups between pre-seed and Series A — teams of 2 to 25 who need real security controls without hiring a CISO or paying $40,000 for a SOC 2 audit on day one. Every item below is something a procurement team or auditor will actually ask about.

1. Lock down identity and access first

Identity is the single biggest source of startup breaches. Get this right before anything else.

  • Enforce SSO across all SaaS tools — use Google Workspace or Okta as your identity provider. Connect GitHub, AWS, Vercel, Stripe, Linear, and your production dashboards.
  • Require MFA everywhere, with hardware keys (YubiKey) for anyone with production access.
  • Kill shared logins. No more founders@ shared password in 1Password. Every human gets their own account.
  • Set up role-based access in AWS/GCP using IAM roles, not long-lived access keys. Rotate any keys older than 90 days.
  • Off-boarding script: when someone leaves, you should be able to revoke access in under 30 minutes. Document it.

2. Write the policies you'll actually be asked for

You don't need a 90-page security policy. You need short, signed documents that exist before a customer asks. The standard set:

  1. Information Security Policy
  2. Acceptable Use Policy
  3. Incident Response Plan
  4. Data Classification & Handling Policy
  5. Vendor Management Policy
  6. Business Continuity / Disaster Recovery Plan
  7. Access Control Policy

Tools like Vanta, Drata, or Secureframe will generate templates, but you can also start free with open-source sets like the SOC 2 Starter Kit on GitHub. The point is: have them written, dated, and acknowledged by every employee.

3. Harden your production application

This is where most early-stage startups quietly fail. Policies look great in a PDF, but auditors and serious customers will check the public-facing surface.

Web and transport security

  • TLS 1.2 minimum, ideally 1.3. No mixed content. HSTS enabled with a long max-age.
  • Valid certificates with auto-renewal (Let's Encrypt or your CDN's managed certs).
  • Security headers in place: Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
  • Cookies marked Secure, HttpOnly, and SameSite=Lax or stricter for session tokens.
  • CORS configured with an explicit allowlist — never Access-Control-Allow-Origin: * on authenticated endpoints.
  • DNS hygiene: SPF, DKIM, DMARC for email; CAA records to restrict who can issue certs for your domain.

You can verify all of the above in a few minutes by running a free scan on WebSentry. It grades your site A–F across SSL, headers, CSP, cookies, DNS, and CORS — which maps directly to the technical evidence vendors will request.

Application-layer controls

  • Rate limiting on login, signup, and password reset endpoints.
  • Brute-force and credential-stuffing protection (Cloudflare Turnstile, hCaptcha, or built-in WAF rules).
  • Password storage with bcrypt, scrypt, or Argon2 — never MD5 or SHA-1.
  • SQL via parameterised queries or an ORM. No string concatenation in queries, ever.
  • File uploads scanned and stored outside the web root, served via signed URLs.

4. Encrypt data at rest and in transit

  • Database encryption at rest enabled (RDS, Cloud SQL, Supabase all support this out of the box).
  • Backups encrypted, stored in a separate region, and tested at least quarterly. A backup you've never restored is not a backup.
  • Secrets in a manager — AWS Secrets Manager, Doppler, or 1Password Secrets Automation. Not in .env files committed to Git.
  • Scan your repos with gitleaks or GitHub's secret scanning. Rotate anything that's been exposed.

5. Logging, monitoring, and incident response

If something goes wrong, can you tell what happened? Auditors will ask, and so will enterprise buyers.

  • Centralised application logs (Datadog, Better Stack, Axiom, or self-hosted Loki).
  • Audit logs for admin actions, login events, permission changes — retained at least 12 months.
  • Cloud audit trail enabled: CloudTrail in AWS, Cloud Audit Logs in GCP.
  • Alerting on suspicious events: failed logins, IAM changes, new SSH keys, unusual data egress.
  • A written incident response plan with named roles, a Slack channel, and a customer notification template ready to send.

6. Manage your vendors

Your security is your vendors' security. Maintain a simple spreadsheet listing every SaaS tool that touches customer data, what data it sees, where it's hosted, and a link to the vendor's SOC 2 or ISO 27001 report. Review it twice a year. When a vendor has an incident (and they will), you'll know immediately who's affected.

7. Build a security review into your dev workflow

  • Required code review on every PR — no direct pushes to main.
  • Dependency scanning with Dependabot, Renovate, or Snyk.
  • SAST in CI: Semgrep is free and catches the obvious stuff.
  • A quarterly external check — at minimum, re-run a WebSentry scan after every major release to catch header, cookie, or DNS regressions.
  • An annual penetration test once you're handling real customer money or sensitive data. Plan for $8,000–$15,000 from a reputable firm.

8. Know which framework you actually need

SOC 2 Type I or Type II

Default for US B2B SaaS. Type I is a point-in-time snapshot (faster, cheaper, ~$15,000). Type II covers a 3–12 month period and is what most enterprise buyers really want.

ISO 27001

More common in European and global enterprise sales. Heavier process burden than SOC 2.

GDPR / CCPA

Not optional if you have EU or California users. Publish a privacy policy, support data export and deletion, sign DPAs with sub-processors, and maintain a Record of Processing Activities.

HIPAA, PCI-DSS, FedRAMP

Only if you're touching health data, card data, or US government contracts. If you don't know whether you need them, you probably don't — yet.

9. Make compliance visible to buyers

Once the controls exist, make them easy to verify. Publish a /security page on your marketing site listing your controls, sub-processors, and certifications. Set up a Trust Center (Vanta, Drata, and SafeBase all offer one). Link to a one-page security overview from your sales deck.

Before you ship that trust page, run your domain through a free WebSentry scan at websentry.dev — it takes about 30 seconds and tells you exactly where your public security posture is leaking points before a prospect's security team finds it for you.

Check your own site

Run a free security scan and see if your site has the issues covered in this article. Results in under 30 seconds.

Run a free scanCreate free account
PreviousWhat Enterprise Security Reviews Actually Check (and How SaaS Vendors Pass Them)