
233 points gmays | 7 comments
1. ranger_danger No.44362456
> We got tired of endless security questionnaires, so we got SOC 2 certified to make things smoother for everyone.

Can someone explain what they meant by this? Questionnaires by who, and why?

replies(5): >>44362472 >>44362477 >>44362480 >>44362493 >>44363749
2. tptacek No.44362472
SOC2 is viral. When you sell B2B services to a SOC2-attested company, they will have a policy somewhere that requires them to ensure that you take adequate security precautions (this is called "vendorsec"). If you're not SOC2, the standard vendorsec process is that your prospective customer gives you a giant Excel spreadsheet questionnaire to fill out. If you are SOC2, your last SOC2 report will usually suffice.
replies(1): >>44367223
3. 9283409232 No.44362477
Excalidraw is used for everything from napkin math to meeting notes to complete software architecture. Naturally the companies using it want to know what the security make-up of the company is. This can come in the form of a giant document of questions or simply asking for the SOC2.
4. aag8 No.44362480
B2B companies often have to answer security questionnaires as part of the buyer's procurement process. Things like "how do you maintain separation of data between tenants?" or "do you encrypt data at rest?"

A SOC 2 attestation can bypass / answer some of these by default.

5. Analemma_ No.44362493
If you’re not SOC2 certified, a lot of orgs (by policy or by law) have to ask you tons of questions about your security situation to verify that you’re “as good as” SOC2 before they can do business with you.

Strictly speaking it's better than a hard-and-fast requirement to be certified (at least you have some choice), but as was the case here it tends to be so onerous and repetitive that people tend to just get the certification.

6. jamiecurle No.44363749
Organisations need to ensure that doing business with you isn't over their risk threshold. One of the areas they focus on is security (cyber, info and physical and perhaps soon AI). In order to determine this they ask you a bunch of questions in which you insert answers and evidence into a spreadsheet, sometimes an online app. These are "the questionnaires". They're also pretty expensive[0]

Having a SOC 2 attestation or certified ISO 27001 compliance of your Information Security Management System allows you to do business with "less friction" because you can often shortcut some / all portions of those questionnaires.

But you can never get rid of them.

[0]: https://sharedassessments.org/sig/

7. wglb No.44367223
I can tell many stories about the giant spreadsheets. The largest of them has nearly 1000 rows. And if you have a lot of security-conscious customers, you will get a lot of them. And they supposedly all cover the same topics, but they all divide the topics up differently. Thus, the hope of generalizing a pool of answers is defeated.

Getting a well-designed SOC2 will help some of this. If you are in an industry with a lot of regulation, your customers will ask or insist on getting ISO 27001. That is a substantial amount of work.

So if you have both, the spreadsheets won't totally go away, but having them will reduce the load.