A complete founders’ guide to raising a successful angel round
Bonus: Get the list of 300+ top angels in the tech industry from around the world
If raising angel investment is a founder’s dream, the process of raising it is definitely their nightmare.
In this guide, our CEO Ankit Pansari breaks down the steps that led to OSlash's seed round.
Learn how to reach out to top angels and structure your round successfully.
In November 2021, OSlash announced a $2.5 million pre-seed round led by Accel. This was followed by our post-seed round to the tune of $5 million in March 2022.
The rounds saw participation from more than 50 angel investors and operators — the who’s who of business and technology — including Dylan Field (Figma), Akshay Kothari (Notion), Girish Mathrubootham (Freshworks), Olivier Pomel (Datadog), Nicolas Dessaigne (Algolia), Christian Oestlien (YouTube), Kunal Shah (CRED), and Cristina Cordova (First Round), among others.
How did we pull this off?
I put this guide together to answer exactly that question and to make the process of raising an angel round more transparent and easier to understand. I know what a struggle it can be to navigate obscure logistical and legal processes involved in fundraising. The lack of actionable resources for first-time founders only compounds the problem. This is a small attempt from me to solve it for you.
Unlike institutional investors such as Venture Capital (VCs), angels are individuals who take an interest in the startup at a very early stage, when the risks are still high and the fate of the startup is largely undecided. They can be the most crucial source of not just funding, but also provide an ecosystem of social and informational capital that helps a startup thrive.
If you are an early-stage founder looking to leverage the strengths of angels for your venture, this guide can prove extremely useful to you.
It comes with lessons from my personal, hands-on experience. Having conducted multiple private and group sessions for founders and VCs on how to structure a successful angel round prompted me to pen it all down for easy reference.
Let’s dive in!
What is covered in this guide?
Think of this guide as the ultimate playbook for raising money from angel investors. It will help you understand:
- Who are angel investors and how they can support your business
- How to set goals and structure a successful angel round
- How to reach out to angels
- What collaterals to prepare for your round
- How to close your round
What inspired this guide?
Fundraising is a double-edged sword for a startup founder.
On the one hand, it is everything you detest — tedious processes, heaps of paperwork, red tape, and bureaucracy. It eats up time you could be investing more fruitfully in building products, conducting market research, talking to your users, and scaling your business.
On the other hand, it is indispensable if you want to grow. The angel investors you get on your cap table will not just provide finances, but also lend a helping hand as you build your business from the ground up. I wrote this guide to clear the many misconceptions founders have when they think about raising an angel round.
Who is this guide for?
- This guide is for founders of technology companies, who are currently raising their seed round and would like to have angel investors participate or lead the round
- This guide will discuss in-depth how companies can raise a successful angel round from multiple angel investors
Who are angels and how can they help?
Ever wondered why they are called angels and not simply investors? It is because they bring in so much more than cash. They bring in kindness. They are ready to believe in your dream when few others do. And they are ready to put their money where their mouths are. They are your staunch supporters who want your business to succeed as much as you want it.
And how can they help? Well, most angels are themselves successful entrepreneurs, business leaders, innovators, and visionaries who want to help make the world a better place and give back to the community that supported and mentored them in need. They do this by:
- Backing your idea with much-needed finance
- Capitalizing on their vast networks and introducing you to the right connections. These could be additional investors, technical or business mentors, and coaches, great candidates you could hire, or even early customers for your pilots
- Providing a wealth of industry-specific knowledge and know-how gathered and embellished from years of personal and/or second-hand experience, especially if you are building a venture in a very regulated or vertical business
- Cheerleading you and lending crucial moral support and encouragement when plans go awry and you need to do some rethinking, make some adjustments, and pivot
Types of angel investors
There are different kinds of angel investors you can have on board, in order to maximize the utility and benefits you derive out of your angel round.
1. Fellow founders:
- They are angels who have built their own companies, often from scratch, going through each stage of the complex process. They can guide you through every aspect of founding a business and can be mentors and coaches to you
- Since they have faced similar challenges and navigated similar journeys, they are well-qualified to dispense relevant and actionable advice for your company. They can share the best playbook from their journey
- The only thing to keep in mind is that if they are very successful founders, they will not be able to dedicate too much time and energy to your company
- Ex - Dylan Field, CEO of Figma or Girish Mathrubootham, CEO of Freshworks.
2. Super angels:
- Also called archangels, super angels are extremely active investors who have a huge network of executives and advisors
- They have a knack for making money from their well-researched and often commercially successful investments in hundreds of companies
- Ex - Naval Ravikant, Brianne Kimmel
3. Domain experts:
- Angels, who can double up as domain experts, can be a valuable resource for know-how when you are building a deep tech company or going after a vertical industry such as healthcare, insurance, or construction
- There are some investors who have deep domain expertise in certain markets, such as NFX. The entire founding team is that of operators who have built and run marketplaces companies
- Ex - Lenny Rachitsky, Balaji S.
4. Operator angels:
What do angel investors look for in a startup?
Angel investors primarily look for a sweet spot based on many factors before investing in a startup. These include the nature of the business & the market, the founding team’s experience & expertise, and of course, the potential returns on their investment.
Here are a few criteria a startup should fulfill before approaching angel investors:
1. A strong management team: The first thing which any investor, angel or VC, looks for in the startup is the management team. Is the team passionate about the problem? How do the founding members know each other? How long have they been working on this problem? Is the leadership strong, adaptable, observant, and trustworthy? Qualities such as integrity, clarity of strategy and approach, professionalism, determination, self-belief, and belief in the venture are important to angel investors.
There are a lot of examples where the team has started with a product and has pivoted to something else, Twitter being one of the most famous ones. It started off as a messaging service before Jack Dorsey and team pivoted to Twitter.
2. A large market size: The second thing they look for is if the market is large enough. If it is, they know that there are going to be multiple companies, which will go after this market and someone is going to win. A good example is the food delivery business. People are going to order food.
But this is particularly relevant when angels are investing in a technical product, which may not be exactly like a consumer product, for which everyone just knows there's a market.
3. A convincing business plan: Angel investors will exercise due diligence and invest in only if they are convinced by the complete business plan, including analysis of the target market including competitors, financial projections, marketing plans, and other specifics. They want to see a fully sketched out vision that details the plans for blistering the growth and competitiveness of the company.
4. A problem they can relate to: If you are trying to solve a problem that angels have themselves experienced or one that they relate to, it serves like validation for them to invest in the startup.
5. A viable exit strategy: Since angels take considerable risk while investing in a startup, they expect manifold returns. One way in which they assess their potential returns is by evaluating the exit strategies available to them. They will expect a comprehensive analysis of their payout and their risk in each scenario.
How to raise a seed round with angel investors?
The key to raising a pre-seed or seed round with angel investors is knowing that angel investing is all about building trust and long-term relationships. This may be easier in person but post the pandemic, it has also become common to approach angels virtually. Angel investment networks and groups also exist.
After finding potential investors, you can set up a time to meet with them and present your pitch. Your pitch should be clear and impactful and give them a reasonable idea of your business. If an angel is convinced, they may conduct further due diligence and vet your business plan, financial statements, and the like, and offer you a deal.
Below is a step-by-step breakdown of how you can structure a successful angel round.
But before that, I want to clarify the difference between seed investment and angel investment.
Seed investment vs. angel investment — the difference
Seed money, as the name suggests, is money raised by a company in its very initial stages. It typically involves small amounts, enough to take care of a business’ essential operational needs. Seed finance enables companies to attract more financing to grow and scale themselves.
Seed money can come from a variety of sources, such as close friends and family of the founding team, crowdfunding, startup incubators & accelerator institutions, and private investors including angel investors, and venture capital (VC) funding. So, angel investment is a subset of seed investment.
How to structure your angel investment deals?
For a successful angel round, I will break down the process of fundraising into four steps:
- Goal: Planning how much money you want to raise and from whom
- Outreach: Creating a lead pipeline and networking
- Preparation: Creating collaterals such as an elevator pitch, investment memo, company deck, and product demo
- Closure: Creating a legal structure to collect cheques from multiple angel investors
How much to raise?
If you already have a lead investor and are planning to raise money from a number of small investors, I recommend keeping at least 10 to 15% allocated to angel investors. While negotiating with your lead investor, please mention at the outset that at least 10 to 15 % would be allocated to angels.
In OSlash, we kept a 20% allocation for angels, and our lead VC firm, Accel, was completely on board with the idea. They even introduced us to some angels.
From whom to raise?
Angel Investing can happen in two ways — where angels themselves are leading the round (also called Party Round) or you have a VC firm leading the round and angels participating in that round. If you already have a name VC firm leading you around, you would like to get a few angels to participate.
- If you are working on a dev project, it will help to have founders of companies such as Vercel, Github or Stack Overflow on your cap table as they have already built an audience around developers
- If you are building a consumer tech company, try to get founders of companies such as Instagram, Bumble, Calm and others, who will be good for your cap table
2. Reach Out Investors - Outreach
i. At the outreach stage, you should create a long list of potential angels who could participate in your angel round.
ii. Your list should have a combination of:
- successful founders in your category
- leading operators who can help you build the engineering, product, or marketing functions
- super angels who can open more doors for future fundraising
iii. I recommend putting together a list of 100 to 150 angels.
- If you don’t know where to start, we have created a list of the most prolific angels, which we would love to send to you.
- Send personalized emails to these angels and ask for warm introductions. Follow them on Twitter and if their DMs are open, don’t hesitate to send them your elevator pitch.
You have to lay the groundwork for your potential angels and present them with all the necessary information they need to make a sound investment decision.
After all, an angel is an individual, not an institution. They will be investing their hard-earned money and their trust into your business for a high-risk high-return proposition. Raising money is an exercise in trust-building.
Getting their support will be far easier if you do the following religiously, provide full disclosure in the investment documents, and cover all your bases properly.
You have to work on four major preparation collaterals:
i. Elevator or email pitch
ii. Investment memo
iv. Product demo
i. Elevator Pitch
Write a short blurb about the business. Introduce the company, the problem, and the value proposition or solution you propose with its potential benefits.
Keep it concise (so much so that you can explain it in 30 seconds to one minute).
Here is ours, for example: At OSlash, we are building an all-in-one enterprise URL manager that lets you name, structure, access, and organize long workplace links by converting them into human-readable shortcuts. This simplifies and speeds up information-sharing, productivity, and collaboration for you and your team.
ii. Investment Memo
Expand on the blurb by writing a comprehensive investment memo.
This will be the main document that outlines the key components of the business and presents the case and rationale for investors to put their money into it. Express all the crucial information about the business but also keep it simple.
Here is a draft template you can use:
- Introduction: This should detail:
a. What you do
b. The problem you intend to solve
c. The proposed solution
d. The business model/how the solution will make you money
e. The scale of the opportunity
- Metrics: Highlight in numbers, charts, and graphs:
a. The traction up to now (include a chart)
b. Revenue drivers
c. What go-to-market looks like
- Challenges to growth: Mention:
a. The obstacles hindering you from growing faster
b. How raising money can help overcome the problem
- Market: Define:
a. Your target customers and ICP
b. The thinking patterns and behavior of your ideal customer
c. The scope of the opportunity your target market presents
- Competitive Landscape: Answer how you plan to take on and beat the competitors
- Team: Explain the unique strengths and opportunities your team brings with it
- Use of funds: Elaborate on how much you plan to raise, from whom, and what you plan to do with it
Try to explain the business and why the timing is right for the venture. It’s extremely important to draft a good business memo. The memo is your source of truth for all follow on investment materials that you are going to create in the company.
Here are a couple of good investment memos which are public:
Create a full presentation based on your investment memo.
Your deck is a visual and succinct representation of your memo. Keep the number of slides limited and focus only on meaningful data without being too detailed.
Tailor your deck according to the audience; do a little research before you pitch and get to know the people you’ll be pitching to better.
One of the best guides we have found online on how to pitch decks is by Reid Hoffman - LinkedIn Deck pitch to Greylock Partners
iv. Product Demo
- Remember raising funds is an exercise in trust-building. Since it is impractical to meet all the angels because of location and COVID norms, founders have to get more creative and go the digital way for fundraising.
- You can easily make a Loom video of the product or create an early self-sign version for your angels to try out.
- At OSlash, we ended up doing both - we made a Loom video with the signup link for the product. You can find the OSlash demo here
- If you want to learn how to create a compelling product demo, here’s a Twitter thread I wrote on this.
We are now moving to the final stages of collecting the cheque and closing the round.
This is where things usually get complicated. I have seen founders spending a lot of time here and experiencing frustration.
Perils of an angel round
Although having a lot of angels is extremely beneficial for your company, managing all of them is cumbersome:
- Your cap table will get very messy: Early-stage founders don’t realize how difficult it is to maintain a cap table. When you are starting out, you will have only a few line items such as a Lead-VC, founders, and employees. But, as you start adding angels and future investors, the number starts becoming larger. You will have to invest in Cap Table Management software such as Carta or Pulley.
- Legally expensive: If your lawyers need to create separate legal documents for every angel, your legal fees will end up going through the roof. In future rounds, your legal cost will rise further due to a messy cap table. Late-stage investors will be disappointed as more due diligence will be required.
- Chasing signatures and wire transfers: You will need signatures from each angel whenever you are raising a new round. Moreover, you will have to keep track of every wire that has reached your bank account and keep all your angels updated accordingly.
Fortunately, there is an easy way out of all this. Our friends at AngelList have come up with a brilliant solution - the AngelList Roll-up Vehicle.
AngelList Roll-up Vehicle
- Roll-up Vehicles (RUV) are a special-purpose entity set up to create a single holding company for all your angels.
- You can get all the investors to invest via a single entity - without bringing them individually into your Cap Table.
- Upto 250 angels can invest via a single RUV.
- As a founder, you get a neat dashboard where you can track all the investments and stages of wire transfers directly into the company.
- Your investors can directly transfer the money using the ACH payment mode and also save the cost of wire transactions.
- It is as simple as sharing a link with all your investors.
- Once angels transfer the money to AngelList, the latter will take care of all legal formalities and wire the money to your company account, once the round is closed.
- The best part? RUV is private. Only people with the invite links can invest in RUV.
Now that you know how to raise a successful angel investment round for your startup, it may be worthwhile to point out that fundraising is often an ongoing battle and not a one-time affair.
As a founder, your goal should be to close the round as fast as possible so that you can go back to doing what you know and do best - building your company.
I hope that this guide can help you get one step closer to doing that with more awareness, simplicity, and ease of mind.
If you have any questions, you can always reach out to me at email@example.com and I’d be more than happy to help.
1. When is the right time to raise money? How do I know when my business is eligible for an angel round?
The right time to raise money is when you have discovered product market fit. Generally speaking, a business can survive in the long run only when there are people who will buy what it sells. So there should be demand for your product or service and people should be willing to pay for it.
But even before that the question to ask is whether the business even needs angel money? Whenever we think of raising private money or raising money from investors, we have to keep in mind that the business must scale and provide an exit to existing investors. If you're thinking of building a large business, which you believe can scale and go public someday, and will make money for people who are investing in it, then it may be right to go for angel investment. When you know that the business is eligible, make sure you have some understanding of where the customers are going to come from. Because only then will the business succeed and scale, and make money for private investors.
In conclusion, the moment you reach some level of product market fit, you should look at raising some angel money.
2. How do angel investors differ from a VC?
There are four major differences between angel investors and VCs:
a. Cheque size - Angels don't invest as much as VCs. While VCs can invest anything from $500,000 all the way to $500 million, the usual upper limit for angels is $100,000. And they can also invest as low as $1000.
b. Structure - Angels are generally individuals (can also form angel groups to come together and invest). But VCs are structured as a firm.
c. Source of the funds - VCs raise money from large banks, pension funds, universities etc. to deploy into startups. Angels usually invest their own money. But, nowadays you also have angels who raise money to invest in companies.
d. Engagement level - With a VC, because of the firm structure, you have different engagement levels. You have analysts, associates, and partners who would actually be on the board and engage with you. Unless a VC firm has said yes to an investment, a partner is not going to be involved in the business. But, an angel is investing alone. They are trying to help you. They are trying to work with you so they will be personally involved from day one.
3. Should I negotiate with an angel? How do I best prepare for negotiations?
a. In most cases, you won’t need to negotiate with an angel because angels are extremely founder-friendly. In fact, you should watch out for angels who try to back you into a corner and reconsider engaging with them. Most angels would try to accommodate whatever your needs are. In my experience, they want to make sure they do right by the founders.
b. In some cases, however, you might have to negotiate, especially where they are asking for a larger allocation in the business that you can’t comply with. For example, you're raising a $2 million round out of which only $200,000 is reserved for angels. And you have an angel who wants a $50,000 allocation (that is 25% of your allocation) that you can't allow. You might have to ask them to reduce it to a $20,000 allocation. In such cases, you need to be very upfront with them and make sure that you give them some upside in the later rounds.
c. In addition, there can be one peculiar situation where you may have to negotiate. Let's say if the valuation of the company is not defined and angels are coming together in the round, you can ask the lead angel to come up with a good valuation for the company, or come up with one yourself. And if they are negotiating, try to understand where they are coming from. Also keep in mind, angels are investing their own money. So you, too, don't want to be very greedy with the valuation.
4. My collateral contains everything about my business. How do I protect the confidentiality of my idea?
a. As I said before, angel fundraising is an exercise in trust-building and it works both ways. If an angel is already investing in your startup, they have a vested interest to make sure all your rights are protected.
b. But in some cases you will come across situations where they may try to show the collateral to another company especially when they might have an investment in a competitor company. To avoid that, try to clarify these things right on the first call with the angel.
c. You can create authentication protocols for accessing the information. At OSlash, we kept our collateral on Notion and shared access only when the angel requested it. Or you can use something like DocSend where your deck can be shared only via email access. But a lot of this depends on trust. You do want to make sure the detailed numbers don't go out, but for the memo and deck, try to make sure access is authenticated. Make it fail safe.
5. How expensive is it to raise an angel round? What are the major costs and fees involved?
a. It was expensive to raise an angel round back in the day. Say if you're trying to get 20-30 angels, you have to bring them all onto your cap table. There’s the legal cost of paperwork. You have to follow up with them to coordinate wire transfers - make sure they send the right banking information, collect the cheques, and more. For us, it was not just legally expensive but also cost a lot of time.
b. Thankfully, a few firms like AngelList came up with a special purpose vehicle where all of these angels can come together as one structured firm and the firm can invest as a single entity in the cap table. And that used to cost $8,000 - all that was required for a successful angel round.
c. Now, with AngelList RUV, things have become even easier. Plus, if a company is incorporated in Delaware and you are raising SAFEs or equity, they offer a no-fee RUV. There is zero cost attached to it. Most software companies incorporated in the US are Delaware incorporated, but if you're not a Delaware incorporation, the whole thing can be done at $2,500 which is still a pretty good deal.
6. What should I do if an angel refuses to invest in my startup? If a deal falls through?
If an angel says no to investing in a startup, that's completely okay! You have many out there, you know? Try to speak with more angels. And I think that should also be a goal. You should always aim higher. Try to get more angels than you need, because some of them might change their mind. After all, all of us are human. So it's not a big deal.
OSlash your everyday links to everyday words
If you are interested in what we’re building here at OSlash,
why not give it a spin?
ESOPs Guide for Founders & Employees in Tech Startups 2022
Bonus: Get the blueprint of the OSlash ESOP policy to effortlessly build one for your organization
With companies adding stock options to compensation packages, it’s important for both founders and employees to understand how ESOPs work. This guide by our CEO, Ankit Pansari, will help dispel the ambiguity around equity compensation in early-stage tech companies.
Here’s OSlash’s ESOP policy to help you navigate through all ambiguities
OSlash your everyday links to everyday words
If you are interested in what we’re building here at OSlash,
why not give it a spin?
Building the best SaaS stack for your startup on a budget
For most startups, funding is a scarce resource and the goal is to put every dollar to work. One area where startups can save money is their SaaS stack. In this guide, our CEO, Ankit Pansari, shares our SaaS stack & describes how we got almost all of these tools for free.
Bonus: Get a list of startup programs that offer great deals on various tools!
Overview of the OSlash SaaS stack
Product and Engineering
Website Development and Optimization
Sales and Customer Success
HR, Finance, and Accounting
Analytics and Data Science
Team Collaboration and Communication
IT, Compliance, and Security
If you are interested in what we’re building here at OSlash,
why not give it a spin?
Encourage healthy habits with the 2022 habit tracker
With companies adding stock options to the overall compensation package of their employees, it’s important to create a sound ESOP policy that gets all your legal ducks in a row.
We’ve made our ESOP policy public to build transparency and foster an open culture of knowledge-sharing across organizations.
Transform confusion into clarity as you build one for your organization.
Download the policy to understand:
- How startups create a legally binding ESOP policy
- Why should you create an equity incentive plan
- The basics of equity compensation
- How to generate your own stock option plan easily to issue equity directly to your employees and shareholders, and automatically vest their shares in real time as your company grows
How to fast-track SOC 2 compliance for your startup - The Ultimate Guide
Bonus: Get a handy checklist of questions to prepare faster for your SOC 2 audit.
Acquiring SOC 2 compliance is critical even for early-stage startups to avoid potential loss of business. The process is far from easy but you can get certified as fast as we did by following our founders’ guide to SOC 2 compliance.
As our world has gone increasingly online, so has our data. With this, the risk of it getting into the wrong hands has risen manifold.
As recently as June 2021, LinkedIn saw a breach that left the personal data—names, emails, geolocation, and more—of its 700 million users up for sale in a Dark Web forum. It exposed its users to a deluge of potential cyber attacks.
Such security threats exist not just for individuals but also for enterprises, especially those working with third-party vendors (such as SaaS providers). If third-party vendors mishandle data, enterprises stand vulnerable to serious security issues such as theft of proprietary secrets and intellectual property, extortion, and installation of malware and viruses.
No company wants to take information security lightly. No company wants to work with a service provider who cannot guarantee the safety of their data. This is where SOC 2 compliance comes in.
And this is why we wrote a guide to help you understand all about SOC 2 compliance and how to achieve it fast, just the way we did.
What is SOC 2 compliance?
SOC 2 (Service Organization Control 2) is an auditing framework and a voluntary compliance standard applicable to SaaS and other technology service companies that store client data in the cloud.
The framework, developed by the American Institute of CPAs (AICPA), defines a set of criteria for effectively and safely managing this data. The benchmark is accepted globally.
A company that is SOC 2 compliant ensures that its controls and practices protect the privacy and security of customer data. It therefore earns not just the business but also the trust of its client organizations.
Why does a startup need SOC 2 compliance certification?
If you’re building a startup, you already have more than enough on your plate—from hiring the right candidates to finding a product-market fit and accelerating growth.
You might be wondering if acquiring SOC 2 compliance is as critical at such an early stage.
And the short answer is yes, it is.
Here are the top 3 reasons why SOC 2 certification is a must-have, even for early-stage startups:
- Demand. Your customers will require the SOC 2 compliance to trust you with their data. Enterprise-level clients will be ready to work with you only when their security concerns are addressed. You could lose prospective customers and big business if you’re not SOC 2 certified. Likewise, you can scale your revenue and growth faster by attracting potential clients with your compliance.
- Reputation. SOC 2 certification is synonymous with accountability and reputation. The U.S. reported its highest number of data breaches—1862—in 2021. The LinkedIn example shows how data breaches can erode trust and cause the reputation of a company to plummet, all while resulting in significant legal issues and reparation fees. No company would want to risk such damage willfully by working with a non-SOC 2 compliant vendor.
- Security. SOC 2 compliance at an early stage helps establish a security-first culture that trickles down to every department in the startup. Think of your development team building a more secure product, your marketing team complying with various data privacy laws, and your IT team ensuring security of all your systems right from the get go. Think also of the time and money you’ll save by pre-emptively dealing with security threats instead of addressing them later after the damage has been done.
What kind of startups need SOC 2 compliance?
If your startup provides technology services, including B2B SaaS and cloud computing, you should invest in SOC 2 compliance. While the certification is not legally mandatory, it is advantageous (and almost essential) considering the reasons above.
What are the SOC 2 compliance criteria?
Despite being a compliance standard, SOC 2 does not prescribe a set of processes, tools, or controls to be applied.
Instead, it lists 5 criteria — the Trust Service Criteria (TSC) — that a company should aim for in order to ensure information security. The companies are free to adopt the security practices and implement the controls that they like.
The 5 TSC are: security, availability, processing integrity, confidentiality, and privacy.
Out of these, only one (security) is a must-have for your SOC 2 compliance report. The rest are optional and can be included in the audit based on the stage of your startup and the category of services you offer.
Here is a glimpse of the 5 TSC:
A must-have for every SOC 2 audit, especially for early-stage startups, security criteria will include measures to safeguard your data and apps from cyber threats.
As the name suggests, the Availability criteria deal with operational uptime and performance standards. You can opt for these in case your customers require reassurance about avoiding downtime, having adequate backup plans, and ensuring that data recovery systems are in place in case of an emergency.
Processing Integrity criteria will be vital in case you have clients that demand accurate, reliable, and timely processing of data (such as a Fintech company).
If you work with customer data that is covered by a Non-Disclosure Agreement (NDA), you’ll need to include Confidentiality criteria into your assessment. This showcases your commitment to safeguarding confidential information such as intellectual property, proprietary/business-sensitive details, and financial information etc. disclosed to you by your clients.
Privacy criteria should find a place in your SOC 2 report in case your clients store Personally Identifiable Information (PII) such as medical records, birthdays, employment data, social security numbers etc. This demonstrates that you have controls in place to protect such data from breaches and unauthorized access.
What is the difference between SOC 1, SOC 2, and SOC 3 reports?
You may have come across various kinds of SOC reports on the internet. They include SOC 1, SOC 2, and SOC 3.
Here are the key differences between them:
What is meant by SOC 2 Type I and SOC 2 Type II compliance?
Not only are SOC 1, 2, and 3 reports different from each other, there are two different kinds of SOC 2 Compliance Reports as well.
While the SOC 2 Type I report signifies that security controls are in place at a particular point in time, the Type II Report validates the presence of the controls over a period of time.
In order to achieve the SOC 2 Type II certification, you have to ensure that the controls are being operated over three-six months for the first audit and over one year for the following audits. Yes, monitoring continues even after the first audit as your SOC 2 Type II compliance needs to be renewed every 12 months.
Tip: The Type I certification can be a good (and relatively inexpensive) starting point for your startup. But as you scale and expand, it’s likely that your clients would require you to produce the more stringent SOC 2 Type II certification as a proof of continued compliance and commitment to their data security.
How to achieve SOC 2 compliance as fast as possible — an overview
While it may take you anywhere between 2 weeks to a month to get your certification once the audit is complete, the preparation phase for achieving an SOC 2 compliance lasts considerably longer, depending upon the nature and scope of compliance you opt for.
1. Identify the type and scope of compliance
Now that you know what TSC are, you should decide which ones are most relevant for your business. These will be the scope of your audit report. You should also decide whether you need a Type I or a Type II compliance audit.
If you choose to go ahead with the Type II audit, remember to take into account the longer timelines associated with it.
Example: If your clients need a 6-month Type II report (evidence that your controls have been in place for 6 months) and your team needs 4 months to prepare for the audit, you’ll need to wait 10 months before you can start the audit. The wait gets even longer if your client needs a 1-year Type II report.
This is why it’s important to get started on your SOC 2 compliance as soon as possible, ideally long before requests for reports start coming in from your customers.
2. Choose a compliance platform for automating processes
Imagine manually scouring through every machine, every system in your company to gather the evidence of SOC 2 compliance. And then painstakingly uploading it for your auditors.
You probably won’t be able to get back to running your primary business anytime soon.
This is what makes a compliance platform indispensable. It can help you automate evidence collection, preparation of policy documentation, and security monitoring for smoother audits.
A good compliance platform is one that integrates seamlessly with your existing security tech-stack (and has the potential to adapt if your tools undergo a change in the future). This is essential for it to automatically and continuously gather monitoring information from your data systems to assess the status of your security measures.
To ease this step for you, here is a list of some compliance platforms to choose from, complete with their advantages and limitations.
3. Sign up an audit partner
After setting up your compliance tool, you would need to choose your auditor.
Your audit firm should ideally be a licensed CPA firm that specializes in information security and fulfills basic accreditation criteria such as being registered with the Public Company Accounting Oversight Board.
It is likely that your compliance platform has a list of partner firms to choose from or can recommend to you one that fits. The suitability of the firm will depend on the stage and maturity of your startup, your budget, as well as the relative experience of the firm in dealing with your industry and/or product.
4. Conduct an internal risk assessment
The preparation phase of SOC 2 compliance begins with a financial risk assessment. Together with your audit partner, you will quantify risks related to each Trust Service Criteria and identify if your existing controls are effective. This will help you discover vulnerabilities and potential hazards to your organization in case of a data breach etc.
Automated compliance platforms help in making most of this process painless.
5. Have a robust security stack in place
Once you have the compliance platform and the auditors figured out, you can get down to building up your security stack. Chances are you already have one in place, but it may be lacking the tools that will fetch you your SOC 2 compliance certification.
How will you know which tools are missing, if at all?
Your compliance platform will answer that for you by pointing out the missing security layers in your existing stack. Broadly you need the following types of tools to be SOC 2 compliant:
- Employee background verifier
- Vulnerability scanner
- Password manager
- Antivirus on all company assets
- Some form of MDM tool to manage every employee’s company assets
6. Establish audit readiness by closing security loopholes
Audit readiness is where the bulk of your and your team’s efforts will go during the SOC 2 compliance preparation.
After the internal risk assessment is complete, you’ll have identified some gaps based on existing and potential security threats. It is likely that you have some security controls already in place.
You will establish audit readiness by remedying these gaps and bolstering controls wherever required, as per the TSC you have chosen.
Or, if you’ve implemented the second step of outsourcing it to a compliance platform, you can simply sit back and relax as the software does all the grunt work for you — from writing policies to implementing the right controls.
Tip: Be mindful of the common security issues that can often surface while conducting audit readiness, including
- Defining core policies around data protection in the company
- Conducting adequate employee background checks
- Ensuring security compliance agreements are signed by all employees onboarded
- Creating strong password policies, access controls, and authentication procedures for accessing sensitive data
You should maintain the controls and processes in place right upto the official audit, especially in case of the SOC 2 Type II audit.
7. Write your SOC 2 security system description
After you’ve complied with all the above requirements of the audit, the last step is to write a security system description and submit it to your auditors.
Now you might ask us, What’s a security system description?
Simply put, it is a description or summary of the company and its systems. These are the components that you have in place to be able to carry out your business.
What does it include?
All the details regarding your company’s
- Infrastructure: the computing hardware, software, and SaaS components used in the infrastructure of your systems.
- Product or service: how your product or service is used, service level agreements, sporting databases, and applications
- People: which departments, functions, and teams support your product or service, including third-party vendors
- Customer data: the kinds of data that come into and move out of your product or service systems, its journey, controls in place to protect it against unauthorized access, and other risk mitigation measures
- Operations: the auditor’s opinion on the safety of the operations and protocols involved in delivering your product or service to your clients
For a detailed overview, check out this help article.
8. Receive your compliance certification
Once you hand over the system description to your auditors and give them access to your compliance platform, you are basically through with the process, at least for achieving SOC 2 Type I certification.
For the Type II certification, you need to ensure continuous compliance and leave controls in place over a six-month to one-year period, depending upon the choice of the observation period you made in step 1.
That’s it! You should receive your compliance certification once the observational period is over.
9. Share the good news with your (prospective) clients
As you celebrate becoming SOC 2 compliant, don’t forget to share the good news on your website, social media, newsletters, and basically everywhere else your (prospective) clients can get to see it. And where they can use it to trust you with their business.
It’s a laurel to flaunt. Trust us, we know ;)
How much does the SOC 2 compliance cost?
The cost of SOC 2 compliance for your startup will depend on a number of factors, including
- The scope of your compliance (TSC)
- Salaries for consultants (if you choose a consulting firm for compliance)
- License fees for compliance software (if you automate compliance)
- Your audit firm and their fees
- Miscellaneous legal fees
- (Cybersecurity) training for your team
- Cost of building up your information security architecture
- Renewal fees (recurring)
The total cost of SOC 2 compliance can be broken down into four phases (these are estimates).
As such, you can expect to pay anywhere between $50k (when automating compliance) to $200k (when not) for attaining your SOC 2 Type II compliance.
That’s it! This is the entire process for achieving the SOC 2 compliance for your startup. It’s a lot of effort whether you hire a consulting firm or do it on your own using automation software. You’ll need time, patience, and financial resources.
But it will all be worth it when your next big client asks you if you’re SOC 2 compliant.
We hope we have answered all your questions regarding SOC 2 for your startup.
And while you’re here, let us throw in a superfast way for you to bypass your busywork!
OSlash your everyday links to everyday words
If you are interested in what we’re building here at OSlash,
why not give it a spin?
How to radically level up your sales career—top advice for SDRs from sales leaders
Bonus: Get a list of 50 cold email subject lines to smash your open rates & conversions
Rise to the top of your career with proven tips and tricks on everything Sales.
Read these 11 unconventional pieces of wisdom shared by top sales leaders.
As a Sales Development Representative (SDR), chances are you’ve heard some version of the following story.
Two shoe salesmen go to a remote island to break into new markets. After a few days, one salesperson calls the office and says, ‘I’m on the next flight. Can’t sell shoes here. Everyone goes barefoot.’ The other salesperson sends an email to the boss minutes later: ‘Get ready! The prospects are unlimited. Nobody wears shoes here!’
Why is this story important?
Because it illustrates the greatest hack for growing as an SDR: attitude.
According to Lori Richardson, a thought leader on B2B front-line sales growth, attitude is one of the few things one can control, 100%, in a selling or SDR/BDR role.
“I can stop making excuses for Q2, or the first half of this month, or for my lack of interest in this role. I can be the CEO of my role.”
While attitude is important, it certainly is not the miracle drug to level up your career as an SDR.
We bring to you 11 unconventional pieces of wisdom from veteran sales leaders that will enable you to stand out from the competition and accelerate your ascent to the top.
Let’s get started!
1. Be fearless: Jon Dion, VP Sales at Auditboard
As the VP of Sales at Auditboard, one of the most frequently asked questions Jon encounters is about the qualities of top Account Executives or future sales leaders.
While he has a ton of advice collected from sales experience that spans close to a decade, some of his top recommendations include focusing on revenue-generating activities, cultivating the ability to inspire trust in people, and being fearless.
“There's a difference between trying to win the game, and not trying to lose.
Reps not trying to lose focus on things like what their Business Development Representative (BDR) is doing, what other reps are doing, what their Chief Revenue Officer (CRO) is doing with territory changes, and not making mistakes. They're playing defense. Reps focused on winning know a TON of customer stories, know the product better than their peers, have a POV to present the customer, like making friends at the C-level, and so on. They're playing offense.”
And he’s not the only one to feel this way.
A very popular quote by George Addair, founder of The Omega Vector, goes: “Everything you've ever wanted is sitting on the other side of fear.”
2. Authenticity trumps everything else: Michael A Rosenberg, VP of Sales at RocketReach.co
When we reached out to Sales expert, Michael A Rosenberg, to know the one hack that would enable any future sales leader to radically level up their career, he was brutally honest.
“There is no silver bullet for anything. Many people are looking for the "answer" to sell and there just isn't one for almost any situation.”
There is however one thing that worked for him throughout his long career in sales (over 14 years in impressive roles with companies such as Square, WorkWave, and now RocketReach, among others).
“I've always felt authenticity does it for me. When you have a conversation with a family member or friend, and convince them to do something (sell) you don’t speak in a higher pitched voice, you don't use jargon, you are yourself "
This is often the golden rule for reps to remember. Trying too hard can make you come across as too pushy or too sales-y.
Michael emphasizes that it’s essential for him as a salesperson to believe in the product and definitely need to know it will work for the prospect.
“It's why our discovery call is actually called a Fit Assessment, to ensure that we fit, that I solve an actual problem. Not all are like that, but I'm not the type of person who is going to be selling ice to an eskimo.”
3. Indulge in some self-deprecation: Charlie Locke, Head of Sales at Circle and Co-founder of SDR Nation
As Co-founder of SDR Nation, a membership community meant exclusively for SDRs, Charlie is passionate about helping SDRs nail their job and get promoted. So much so that this mission statement is also his LinkedIn headline.
In one of his letters to this community, Charlie shares a classic, timeless piece of advice for SDRs on how to build a rapport with their prospects.
“Everyone talks about the importance of rapport building, but they rarely talk about the how. It tends to simply be a throw away tactic, something you have to do before you segue over to business. And guess what, if you treat it as such, it comes across super inauthentic (and you would be better off simply not doing it at all).”
When I'm building rapport, I'm trying to humanize myself in a truly authentic way, by being relatable. I want them to know I'm a real person with flaws and all, not some perfectly polished sales bro.”
“The art of self-deprecation (making fun of yourself) is the answer. Self-deprecation has been used by speakers, comics, and sales people for years as an icebreaker, because it's very easy to do…and is always authentic.”
He then gives an example of an unconventional cold call for SDRs to become more relatable:
Seller: "Hi Janielle, it's Charlie here from SDR Nation how are you?"
Buyer: "Um, I'm good. How are you?"
Seller: "I'm OK I guess, my 4 year old decided to wake up the entire family this morning at 5:30AM so I'm a bit tired to say the least! hehehe... The reason I'm calling is…"
This helps because it shows the buyer that you’re not perfect, nor trying to be. You’re human, just the way they are and you go through the same highs, lows, challenges, and struggles of everyday life. The self-deprecation makes you more relatable and more trustworthy.
4. Stop shooting over proposals: Nate Stoltenow, CRO & Founder of Humble Co.
From being an Account Executive at the Sundance Film Festival to climbing the corporate ladder right up to being the Vice president of Sales at Expert Voice, Nate has donned many hats in the sales profession.
He is currently also Sales Advisor to many B2B companies including Plena, Nivati, and OTW Safety, in addition to being Founder and CRO of Humble Co., a B2B Sales Agency.
His one piece of advice for SDRs, especially those selling complex services, products or SaaS is to be in the driver’s seat, always and leave money on the table, never.
For this, he suggests two things:
1. Stop ‘shooting’ over proposals
“Often I hear salespeople say this post demo: ‘I’ll shoot over a proposal for you this afternoon. When would be a good time to follow up?’
Next time, try this: ‘I can have a proposal together in the next two days. Does Tuesday at 2pm work to review it together? Pull up your calendar and let me know if that time works’.”
2. Schedule a ‘back stop meeting’
“At the end of your proposal review meeting – start implementing a ‘back stop meeting.’
Here’s what you can say: ‘Sounds like it’s going to take a few days to review this proposal. Let’s talk at the same time on Tuesday so we can cover any questions or concerns that might arise between now and then.’
A back stop meeting helps ensure you don’t chase.”
to ace your sales role?
5. Be paranoid about your demos: Florin Tatulea, Head of Sales Development at Plato
As someone who successfully went on to become an AE and Sales Manager from a founding SDR at Loopio within a span of 6 years, Florin is well-positioned to dispense insider tips on sales career growth.
He believes that there are “a number of things top reps do well that are not always very evident or discussed in onboarding, sales training, or in your sales methodology.”
And one of them is being paranoid about their demos happening.
“They don't just assume that prospects are going to show up. They have a diligent process to engage with prospects between the time the demo is booked and it occurring.”
He advises SDRs to take care of these three touchpoints when the demo is one week out.
- Summary email of their initial discussion
- One email providing a piece of content that’s valuable with no ask
- Email intro to the Account Executive a day before the demo
6. Book your meetings for sooner: Tito Bohrt, BDR/SDR Advocate
A BDR/SDR advocate, Tito Bohrt is the CEO of AltiSales, a company that aims to offer world class training to SDRs and execute sales development for organizations.
After analyzing 6414 meetings, one of his top pieces of advice for SDRs is to book their meetings for sooner.
7. Invest in self-education: Richard Harris, 2021 & 2022 Salesforce Top Sales Influencer To Follow and Founder, The Harris Consulting Group
With over 25 years of sales’ experience under his belt, Richard Harris is one of the most reputed names in the industry.
He has been conferred with various tokens and awards over the course of his career including being crowned the Top Sales Leader five times by The American Association of Inside Sales Professionals and the Sales Leader to Follow, twice, by Salesforce.
He shares his biggest pointer for aspiring sales leaders: Invest in self-education.
Many organizations don’t possess the infrastructure to teach their SDRs everything they should know. Especially smaller teams find it hard to dedicate as many resources to sales development.
So it’s essential that the initiative comes from the reps themselves. It is on them to ask questions, seek information, explore educational resources, engage and interact in networks, and build their skills so that they can not just survive but also thrive and reach the next stage of their careers.
8. Have people in your corner: Sarah Brazier, Account Executive at Gong
Having transitioned from an SDR to a Mid-market Account Executive within a span of three years, Sarah shares how having people in her corner made all the difference for her.
In a LinkedIn post, she describes an incident that happened while she was running a Proof of Concept (POC) trial for Gong at a company. The company ended up making a leadership change right when her deal was all but done.
Sarah had been nurturing the account for a month, sharing how-to’s, tips, articles & best practices for her target audience, and building their trust.
She had involved everyone on the trial, single-threading power-users and customizing their instances to know the impact of having/not-having Gong for them.
Unluckily, the new leadership knew nothing about this project.
“Overnight, my deal that was a sure-thing became a best case at best.”
So, what did she do?
“I went to my power users and asked them if they'd feel comfortable advocating for Gong to the new leadership.
They said yes.
Suddenly, instead of having one champion, I had dozens.
It still took a while to close the deal, but with some elbow grease and internal support, we got it across the finish line.”
The lesson? Have not just one advocate but many to get the best possible outcome.
9. Do $100 favors: Sam Nelson, SDR Leader at Outreach
While making calls and demos all day long can seem like a lonely job, sales is anything but a solitary profession.
Sam Nelson, SDR Leader at Outreach emphasizes this with his tip:
“Every time it is easy for you to do something that is worth at least $100 to someone else in your company, do it.
In sales you will notice a lot of opportunities to help a co-worker out and make them money through very little effort on your part. Some examples are sharing useful information, advice, or making an intro. Acting on these is a quick way to improve your happiness, the company culture, company value, and your own success.”
10. Keep growing your average deal size: Ryan Walsh, CEO at RepVue
Prior to leading RepVue, Ryan Walsh spent 17 years in sales — selling, leading sales teams, and mentoring sales professionals.
He believes that as SDRs advance in their sales careers, it is essential to look for roles where the average deal size is growing.
“You're not going to be able to break the $1M barrier closing a bunch of $3k annual deals. But that's also a gradual thing – if you're doing $3k deals now, look to parlay that into your next role where you're selling $15k deals, then $65k deals, etc.”
“Another consideration is the sub-industry. We've seen some meaningful increases in compensation in the cybersecurity space over the past year. First of all, many of these opportunities do come with big deal sizes, (selling to the enterprise), and second, you just need to watch the news. A data breach or similar issue has huge consequences, and I think it's been prioritized for many large enterprises. Prioritization = budget. Budget = spend. Spend = commissions.”
11. Stand out from your competition: Dailius Wilson, CRO at Payble
Dailius Wilson is a sales professional as well as LinkedIn influencer most famous for posting one brand new tip around sales everyday. He has experimented with a wide variety of sales roles over the years, from advisor to entrepreneur and everything in between.
No wonder his LinkedIn is a goldmine of advice, especially for new SDRs.
In one of his posts, he stresses how crucial it is for SDRs to stand out from the crowd. And he suggests ten simple ways to do this.