SOC 2 Type 2: The Case For Early Compliance

Written by Thomas Boyles | 4/25/25

Building for the Long Term

At Credential Network, we've taken what might seem like a contrarian approach to building our technology infrastructure: implementing SOC 2 Type 2 compliance from the very beginning. When I share this with other startup CTOs, I'm often met with raised eyebrows. After all, isn't this the kind of overhead that slows down early-stage companies?

I don't think so. In fact, I'm convinced that building with compliance in mind from day one is actually the more frugal approach, even though that might sound counterintuitive.

The Cost of Retrofitting vs. Building Right

Why did we build security compliance into our foundation? Because it's substantially easier to build it in from the start than to retrofit it later. Here's the thing—when you have a culture that doesn't support a high compliance profile, changing that culture becomes expensive, error-prone, and high-risk.

I've worked at companies that eventually became successful but required large compliance teams responsible for change management. While I really enjoyed working with those people, there's a reason they needed such big teams—and it wasn't a generative one. The truth is, many companies are constantly fixing problems that could have been avoided if they'd just started with better practices.

Starting with compliance in mind puts you in a much higher leverage position because you've solved many problems before they become issues. Ask me in six months if this was worth it, and I'll have better data to share—but everything we're seeing so far validates our approach. That's not even mentioning the explicit benefits of being SOC 2 compliant.

The Industry Has Changed

Five years ago, achieving SOC 2 Type 2 compliance would have cost upwards of $100,000. It would have required deep expertise and likely hiring a full-time compliance professional or expensive consultants. The system was honestly a bit ridiculous.

Today, the SaaS market has evolved. There's excellent Governance, Risk, and Compliance (GRC) tooling available that makes this process much more accessible. What's particularly cool is that we use a product called Vanta that functions almost like having a compliance team in a box.

Vanta and similar tools partner with auditors who offer initial audit sets at competitive prices because they want the business and recognize they'll grow alongside you. All told, we're spending about $20,000 including the audit and penetration testing—a modest investment considering the potential ROI.

The Real Cost: Time and Opportunity

The monetary investment is reasonable, but what about time? We spend approximately 2-3 hours per week on compliance-related tasks. That's not zero, and I acknowledge there's an opportunity cost here. Those are hours we could be spending elsewhere.

But this is a reasonable amount of effort to invest in something that we would certainly have to do anyway at some point. The bet we're making is that being proactive is part of our engineering DNA because we know it pays off later. We could be wrong—we're not psychics—but it feels right based on our experience.

An Engineering Value: Thoughtful Proactivity

Our approach might seem like the antithesis of "move fast and break things." We're moving deliberately and predicting the future. One thing that really stands out to me is how this approach is influenced by our confidence in the potential market and in the problem we're solving.

We're convinced about our Total Addressable Market (TAM). We're confident that we're addressing a problem people want solved. The infrastructure—and I count compliance as a kind of infrastructure—means we don't fail at the "find out" phase where many startups struggle. I've seen too many companies build up a tiny monolith, basically sell the demo, and then struggle to get past that point when customers get pissed and leave.

Our values aren't explicitly carved in stone, but themes are emerging as core to our engineering culture:

  • Proactivity
  • Focus on quality
  • Thoughtfulness in our approach

These values are written in blood—they're informed by mistakes we've struggled with in the past as contributors, not leaders. We don't want to make those mistakes again because they're painful and expensive.

Frugality Through Preparedness

In the long run, being thoughtful and prepared is actually the cheapest solution. Yes, there's an opportunity cost, but we're not going to blow our budget because we added too much compute or failed to anticipate something obvious.

A security problem is a perfect example. We're very focused on security because one breach can tank you. That's millions of investment dollars evaporated overnight. To me, protecting against that risk is the definition of frugality.

Beyond Security: Market-Driven Development

Our methodical approach extends beyond security. We're heavily invested in market research, which is surprisingly uncommon in many tech companies. It's actually a bit baffling to me that more companies don't do this—especially well-funded ones.

We're very use-case first, trying not to build anything that doesn't address a real need. This helps us avoid the common startup pitfall of building something no one wants after months of effort. Those missteps can become less reversible decisions that commit the company to suboptimal paths.

When you approach VCs, it's one thing to come in with a slide deck. It's another to arrive with actual customers and a binder full of interviews. Dylan, our CEO, excels at this continuous market research. And it’s a task that’s truly never done: you should always be doing it.

Understanding Our Users' Culture

We spend significant time with customers, observing their workflows and understanding their pain points. Medical professionals, clinicians, and people working in billing and credentialing have a specific culture that varies by region. Understanding this culture is a make-or-break proposition.

For example, coordinators are extremely protective of data integrity. If they complete an application for billing with Blue Cross, they need confidence that the information will remain unchanged until the process is complete. The current system is brittle, and everyone in the industry knows it. When a provider mistakenly writes "Street" instead of "Court" on a form, it can literally cost months of work and thousands of dollars if Blue Cross attempts to validate it and finds a discrepancy.

Unlike most software users (who might trust Google engineers with their Gmail contents), these professionals are wary of others meddling with their critical information. They're not interested in having other people touching their data—they want to control it themselves. This is a cultural trait that we need to respect and design around.

This attention to detail influences how we build our product. We're designing around data primacy that gives agency to the users of the data, rather than imposing what we think is the "right way" to handle information.

The Bigger Picture: Digital Identity

Ultimately, we're solving a digitization problem that our culture has tackled before—taxes in the 90s, medical records in the 2000s. Yet first responders still arrive at disaster sites with physical binders to prove their credentials. We're still carrying driver's licenses in our pockets.

The concept of identity remains slippery. What does it mean to have a digital identity? How can we make it both portable and reliable? It's a challenging problem, but an important one that causes real pain and expense.

We have the experience to recognize our responsibility to do this right. And that starts with building on a foundation of security and compliance from day one.

We’re always seeking partners to improve the credentialing landscape. If you’re curious about our product, schedule a demo. If you like the way we’re building, let me know.

Thomas Boyles

A seasoned engineering leader with 20+ years of experience, Thomas’s background in medical software—including leading teams at One Medical and Canvas Medical—ensures our platform is robust, secure, and built to scale.