Compliance Software Explained
Most companies buy compliance software because a customer asked for their SOC 2 report and they panicked. This guide covers what compliance software actually does, when you need it, what the frameworks mean in plain English, and how much it costs — before you sign anything.
What compliance software actually does
Compliance software solves a specific problem: proving to an auditor (or an enterprise customer's security team) that your controls exist and work continuously — not just the day someone asks.
The four core functions:
- Evidence collection: Integrates with AWS, GCP, Azure, GitHub, Okta, HR systems. Continuously screenshots and logs proof that controls are active (MFA enabled, access reviews done, encryption on, etc.).
- Policy management: Stores your security policies, versions them, and gets employees to acknowledge them. Auditors require signed policy acknowledgments — this automates it.
- Risk and vendor tracking: Maintains a risk register, tracks third-party vendors and their security posture, flags issues as they appear.
- Audit readiness: Organizes evidence into the exact format auditors expect. When a CPA firm comes in for your SOC 2 audit, they get a read-only view — no frantic Drive folder scrambling.
Without software, all of this is done manually in spreadsheets, email chains, and Google Drive folders — which collapses fast under real audit pressure.
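To make the "evidence collection" function concrete, here is an added example (not code from the original page or from any of the vendors it names) of what a minimal automated check looks like: it evaluates two controls against a snapshot of an environment, writes a timestamped evidence record per control, seals each record with a hash so later alteration is detectable, and reports the gaps a dashboard would alert on. The snapshot, its field names and the control identifiers are constructed for illustration and do not reflect any vendor's real API schema or framework mapping.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Optional

# Constructed sample snapshot standing in for what integrations would pull
# from an identity provider and a cloud account. Field names are assumptions,
# not any vendor's real API schema.
SNAPSHOT = {
    "iam_users": [
        {"name": "alice", "console_access": True, "mfa_active": True},
        {"name": "bob", "console_access": True, "mfa_active": False},
        {"name": "ci-deploy", "console_access": False, "mfa_active": False},
    ],
    "storage_buckets": [
        {"name": "prod-data", "encryption": "aws:kms"},
        {"name": "logs-archive", "encryption": None},
    ],
}


@dataclass
class EvidenceRecord:
    """One piece of evidence: which control was tested, when, and the outcome."""
    control_id: str
    description: str
    collected_at: str            # ISO 8601 UTC timestamp
    passed: bool
    exceptions: list = field(default_factory=list)
    digest: str = ""             # SHA-256 over the other fields, set by seal()

    def seal(self) -> "EvidenceRecord":
        """Hash the record body so later tampering is detectable."""
        self.digest = self._compute_digest()
        return self

    def verify(self) -> bool:
        """True if the stored digest still matches the record body."""
        return self.digest == self._compute_digest()

    def _compute_digest(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "digest"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def check_console_mfa(users: list, collected_at: str) -> EvidenceRecord:
    """Control: every identity with console access has MFA enabled.
    Service accounts without console access are out of scope."""
    missing = sorted(u["name"] for u in users
                     if u["console_access"] and not u["mfa_active"])
    return EvidenceRecord(
        control_id="MFA-CONSOLE-USERS",          # constructed identifier
        description="MFA enforced for all console-enabled identities",
        collected_at=collected_at,
        passed=not missing,
        exceptions=missing,
    ).seal()


def check_storage_encryption(buckets: list, collected_at: str) -> EvidenceRecord:
    """Control: every storage bucket has encryption at rest configured."""
    unencrypted = sorted(b["name"] for b in buckets if not b.get("encryption"))
    return EvidenceRecord(
        control_id="STORAGE-ENCRYPTION-AT-REST",  # constructed identifier
        description="Encryption at rest enabled on all storage buckets",
        collected_at=collected_at,
        passed=not unencrypted,
        exceptions=unencrypted,
    ).seal()


def collect_evidence(snapshot: dict, collected_at: Optional[str] = None) -> list:
    """Run every control check against one snapshot; one record per control.
    Scheduling this on a timer is what turns a point-in-time check into the
    continuous evidence a Type II audit expects."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    return [
        check_console_mfa(snapshot["iam_users"], collected_at),
        check_storage_encryption(snapshot["storage_buckets"], collected_at),
    ]


def control_gaps(records: list) -> dict:
    """Failing control_id -> exceptions; the input for a dashboard alert."""
    return {r.control_id: r.exceptions for r in records if not r.passed}


if __name__ == "__main__":
    for rec in collect_evidence(SNAPSHOT):
        status = "PASS" if rec.passed else "FAIL"
        print(f"{rec.collected_at} {rec.control_id} {status} "
              f"{rec.exceptions} sha256={rec.digest[:12]}")
```

Run as a script it prints one line per control; the sample snapshot fails both checks (one console user without MFA, one unencrypted bucket). The sealed digest is what lets an auditor's read-only view trust that the stored record matches what was collected, and the exclusion of non-console service accounts is the kind of scoping decision that has to be written down in the control description, since an auditor will ask why those identities were left out.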
When a company needs compliance tools
| Situation | What you likely need |
|---|---|
| Enterprise customer requires SOC 2 Type II before signing | SOC 2 compliance software |
| You store or transmit patient health data (PHI) | HIPAA compliance software |
| You store, process, or transmit credit card data | PCI DSS compliance tools |
| EU customers, GDPR documentation needed | OneTrust or TrustArc (GDPR module) |
| Government contracts (FedRAMP, CMMC) | Specialized GRC — consult an MSSP |
| General security posture improvement | Compliance automation tools |
If none of these apply: You probably don't need compliance software yet. See the SideGuy clarity section below before spending $20k/year on a tool you don't need.
Major frameworks explained in plain English
🔒 SOC 2
Voluntary. B2B SaaS standard. Audited by CPA firm. Type I = point-in-time snapshot. Type II = 6–12 months of continuous evidence. Most enterprise buyers require it.
SOC 2 deep dive →
🏥 HIPAA
Federal law. Required for anyone handling protected health information (PHI). No certification — you self-attest and get audited by HHS OCR if there's a breach. BAAs required with vendors.
HIPAA deep dive →
💳 PCI DSS
Required if you touch cardholder data. Four merchant levels by transaction volume. SAQ (self-assessment) for lower levels, QSA audit for Level 1 (6M+ txns/year).
PCI DSS deep dive →
🌍 GDPR / CCPA
EU and California privacy laws. Requires consent management, data subject rights handling, breach notification. OneTrust and TrustArc are the main platforms.
Covered in OneTrust / TrustArc docs
🏛️ ISO 27001
International standard. More process-heavy than SOC 2. Common requirement for UK/EU enterprise deals. Certification from an accredited body. Typically takes 12–18 months.
Often paired with Vanta or Drata
🛡️ NIST / FedRAMP
US government cloud security. FedRAMP required for federal agency contracts. Very expensive and time-consuming — budget 18–36 months and $500k+ for initial authorization.
Requires a 3PAO assessment
Typical pricing ranges
| Tier | Tools | Annual cost | Best for |
|---|---|---|---|
| Startup / Entry | Drata, Vanta, Sprinto | $10,000–25,000/yr | Startups pursuing first SOC 2 or HIPAA |
| Mid-market | Tugboat Logic, TrustCloud, Secureframe | $15,000–40,000/yr | 50–500 employee companies, multi-framework |
| Enterprise GRC | OneTrust, ServiceNow GRC, MetricStream | $50,000–200,000+/yr | Large enterprises, complex risk programs |
| Open source / DIY | OpenRMF, Prowler, manual | $0 + staff time | Technical teams willing to build, not buy |
Don't forget the audit cost. The software gets you ready for an audit — the audit itself is a separate line item:
- SOC 2 Type II audit (CPA firm): $15,000–50,000
- PCI QSA audit (Level 1): $20,000–70,000
- HIPAA: No formal audit cost — self-regulated, but OCR breach investigations can be very costly
- ISO 27001 certification: $10,000–30,000 depending on company size
See the full breakdown: Compliance software cost guide →
Automation vs manual compliance
| | Manual (spreadsheets + Drive) | Automated (Vanta, Drata, etc.) |
|---|---|---|
| Evidence collection | Someone screenshots things monthly | Continuous, automated via integrations |
| Policy acknowledgment | Email "please sign this PDF" | In-platform, tracked, timestamped |
| Audit prep time | 4–8 weeks of scrambling | Days, mostly pre-organized |
| Control gap detection | Discovered when auditor finds it | Real-time dashboard alerts |
| Cost | Staff time only | $10k–40k/yr software |
| Scales to | ~10 controls before breaking | 100s of controls across frameworks |
Manual compliance works at very small scale — 1–5 employees, one framework, infrequent audits. Once you have a SOC 2 Type II (12 months of evidence required), manual becomes painful very fast.
Common mistakes businesses make
- Buying software before scoping the framework. SOC 2 has 5 Trust Service Criteria — not all of them apply to you. Scope defines cost. Get a gap assessment first.
- Buying an enterprise GRC when a startup tool suffices. OneTrust for a 15-person startup is overkill. Vanta or Drata does 90% of the same job for 20% of the cost.
- Assuming HIPAA is self-certifying. It is — but "self-certifying" means you're on the hook if HHS comes knocking. Many companies underinvest in HIPAA documentation and get burned.
- Not mapping their own tech stack before choosing software. Compliance tools derive value from integrations. If your stack isn't supported, you lose 60% of the automation value.
- Treating SOC 2 as a one-time project. Type II requires continuous evidence over 6–12 months. Your controls must stay in place year-round, not just during the audit window.
- Conflating compliance with security. Compliance proves you follow a process. Security is whether that process actually protects you. The two can diverge. Compliant ≠ secure.
🧭 SideGuy: Do you actually need compliance software?
Run through this before spending $20,000/year:
- ✅ You need it if: an enterprise customer is blocking a deal pending your SOC 2 report, you store PHI under a BAA, you store cardholder data directly, you're going for federal contracts.
- 🟡 You might need it if: you have 5+ enterprise sales opportunities stalled on security reviews, you're growing into regulated markets (healthcare, fintech, government), or your CISO says controls are not documented.
- ❌ You don't need it yet if: all your customers are small businesses who never ask about security, you have no PHI or cardholder data, you have fewer than 10 employees and simple data handling, or you can't name a single deal that was lost due to a security review.
If you're unsure: the right first step is a gap assessment ($2,000–8,000 from a CISO-for-hire or compliance consultant) — not buying a $20k/year platform to discover what you actually need.
Glossary
- SOC 2: Service Organization Control 2. A voluntary audit framework covering security, availability, processing integrity, confidentiality, and privacy. Audited by a licensed CPA firm.
- HIPAA: Health Insurance Portability and Accountability Act. US federal law governing protected health information (PHI). Requires BAAs with all vendors who touch PHI.
- PCI DSS: Payment Card Industry Data Security Standard. Required for any company storing, processing, or transmitting cardholder data. Maintained by the PCI Security Standards Council.
- BAA: Business Associate Agreement. A contract required under HIPAA between a covered entity and any vendor that processes PHI on their behalf.
- GRC: Governance, Risk, and Compliance. A broader category of tools that manage enterprise risk, internal controls, and regulatory compliance across multiple frameworks.
- Evidence: In compliance, documentation proving a control is in place and operating. Examples: screenshot of MFA enabled, log of access review completion, signed policy acknowledgment.
- SAQ: Self-Assessment Questionnaire. PCI DSS self-certification for lower-volume merchants. Replaces the need for a QSA audit at lower merchant levels.
- QSA: Qualified Security Assessor. A PCI-certified auditor required for Level 1 merchants. Similar role to a CPA in SOC 2 audits.
- Trust Service Criteria (TSC): The five categories SOC 2 evaluates: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy (all optional).
- Type I / Type II: SOC 2 report types. Type I = controls designed correctly at a point in time. Type II = controls operated effectively over 6–12 months. Enterprise customers almost always require Type II.
FAQ
What does compliance software actually do?
Automates evidence collection, policy management, risk tracking, and audit preparation. Integrates with your tech stack to continuously prove your security controls are active — instead of scrambling to gather screenshots when an auditor arrives.
When does a company actually need compliance software?
When an enterprise customer requires your SOC 2 report before signing; when you handle PHI under HIPAA; when you store or process credit card data under PCI DSS. If none of these apply, you likely don't need it yet.
How much does compliance software cost?
Entry-level (Vanta, Drata, Sprinto): $10,000–25,000/yr. Mid-market: $15,000–40,000/yr. Enterprise GRC: $50,000–200,000+/yr. The audit itself (separate cost) runs $15,000–50,000 for SOC 2 Type II. See the full cost guide.
What is the difference between SOC 2, HIPAA, and PCI DSS?
SOC 2: voluntary, B2B SaaS standard, CPA-audited. HIPAA: federal law for health data, self-regulated with OCR enforcement. PCI DSS: card industry standard for anyone touching cardholder data, self-cert or QSA audit depending on volume.