Ops Playbook #51

Navigating SOC 2, mastering GDPR, and staying CAN-SPAM compliant.

Hi Operators ⚙️

Nothing says "startup fun" quite like navigating a labyrinth of regulations, am I right? 🙃

Today, we dive into the thrilling world of compliance.

We're taking a whirlwind tour through the basics of data protection, EU regulations, and email marketing laws.

Buckle up. We've got you covered.

Here’s what we’ve got going on today:

  • SOC It 2 Me → The audit report standing between you and the big contracts

  • GDPR For Newbies → Don’t even think about the EU without a permit

  • CAN-SPAM in a Nutshell → Despite the name, you actually can’t spam

Let's dive in 👇

P.S. Building a business can be lonely. Wanna solve that? Let’s connect on LinkedIn

PRESENTED WITH VITALLY
We Help Teams Build Scaled Customer Success

500+ CS teams use Vitally’s all-in-one platform to automate workflows with your real-time customer data. But don’t just take our word for it.

G2 customers consistently rank Vitally #1 for Fastest Time to ROI.

If you’re a CS decision-maker at a B2B SaaS company with 20 - 1,000 employees, book your intro call today. After chatting with our team, you’ll get a free pair of AirPods.

Not a CS decision-maker but want AirPods? If you connect us with the right people at your org, we’ll send you AirPods for the introduction after the demo call.

Operator’s Library

  • Why are most startups registered in Delaware? (Capbase)

  • Check out this list of over 50 compliance startups funded by YC (YC)

  • What’s a few billion in fines? Here are 10 compliance horror stories (EQS)

  • Interested in following one startup’s SOC 2 journey? (Kolide)

I. SOC It 2 Me

If you're handling customer data in the cloud, SOC 2 compliance is like having a VIP pass to the "Trustworthy Business Club."

It's not legally mandated, but a lot of larger companies will require a SOC 2 report from their vendors before sharing any data.

You want the big contracts? Then you want SOC 2 💸

SOC 2 is like the Swiss Army knife of data security frameworks.

Developed by the AICPA (try saying that five times fast), it’s based on five “Trust Services Criteria” (only Security is required in every report; the other four get scoped in as your customers demand):

  1. Security: the lock on your digital fortress

  2. Availability: because 404 errors are embarrassing

  3. Processing integrity: ensuring your data doesn't go rogue

  4. Confidentiality: keeping secrets safe

  5. Privacy: for when you need to hide your embarrassing Spotify playlists

There are two flavors of SOC 2:

Type I (whether your controls are suitably designed at a specific moment) and Type II (whether those controls actually operated effectively over an observation window, usually 3-12 months).

Think of Type I as a selfie and Type II as a full-blown documentary of your security measures. Enterprise procurement teams usually ask for the documentary.

Getting a SOC 2 report (strictly an attestation, not a certification) involves an audit by a licensed CPA firm who's clearly living their best life by meticulously examining your controls.

Platforms like Vanta or Scrut have built momentum recently by automating evidence collection and continuous control monitoring, but they don’t replace the auditor: the CPA firm still has to test your controls and issue the report.

However you choose to do it, you’ll probably want to get it taken care of before you really start to scale.

II. GDPR for Newbies

Insight from European Data Protection Board (EDPB)

GDPR applies to US companies the moment they offer goods or services to people in the EU or monitor their behavior (it protects anyone located in the EU, not just citizens). Non-compliance can result in fines of up to 4% of global annual revenue or €20 million, whichever is higher.

Collecting email addresses? GDPR.

Tracking IP addresses? GDPR.

Thinking about Europe? GDPR, believe it or not.

Compliance involves a fun little to-do list:

  • Conduct a comprehensive data audit to document what personal data you collect, process, and store, and the legal basis for each use.

  • Implement security measures appropriate to the risk, including encryption and pseudonymization where they fit, for all personal data you handle.

  • Establish processes to respond to user requests for data access, deletion, and portability within GDPR’s one-month deadline (extendable by two months for complex requests).

Oh, and if you have no establishment in the EU, you might need to appoint an EU representative (Article 27). It's like having a pen pal, but with more legal responsibilities.

But fear not!

You can always lean on one of the many compliance platforms that will map and monitor the controls for you (Drata, for example), though the legal accountability stays with you as the data controller.

Or, you can always sell only to Americans and keep your tracking pixels off EU visitors (at least you don’t have to convert anything to the metric system 🇺🇲).

III. CAN-SPAM in a Nutshell

Ah, email marketing.

The art of sliding into someone's inbox, actually getting opened, and not being immediately banished to the spam folder.

For those of us that have not yet mastered the art, we contend with CAN-SPAM. It's the law that's here to keep your emails legal and your customers' inboxes slightly less cluttered.

First things first: CAN-SPAM isn't just about those "Get Rich Quick" or "Enlarge Your... Business" emails.

It applies to all commercial messages, even those fancy B2B communications you're so proud of.

Each separate email in violation can cost you up to $51,744.

Suddenly, that "blast email to everyone we've ever met" strategy doesn't sound so smart, does it?

Here's your CAN-SPAM compliance cheat sheet (the FTC’s core requirements):

  • Don’t use false or misleading header information: the From, To, Reply-To, and routing information must identify who actually sent the message.

  • Don’t use deceptive subject lines.

  • Identify the message as an ad, and tell recipients where you’re located with a valid physical postal address.

  • Tell recipients how to opt out, with a mechanism that keeps working for at least 30 days after you send.

  • Honor opt-out requests within 10 business days, and never charge a fee or demand more than an email address to process one.

And here's the kicker: you're still on the hook for compliance, even if you outsource your email marketing to that "guru" you met at a conference.

Choose your email marketing partners wisely, folks.


How am I doing? 👋

I take all feedback I receive to heart. Keep it coming! Just hit reply and let me know – I'd love to hear from you!

Cheers,

Rameel from The Bottleneck

Spread The Word

If you learned something today, I’d appreciate you forwarding this to a friend. It’ll take you 9 seconds. It took us 12 hours to write today’s edition.
