OutboundSync achieves SOC 2 Type II compliance, enhancing security and reliability for syncing data between HubSpot, Salesforce, and popular GTM tools.
OutboundSync is officially SOC 2 Type II compliant. In this post, I’ll explain how we did it and what it means for our company, our partners, and our users.
If you're a Smartlead, Instantly, EmailBison, or SASMail user looking to integrate with HubSpot or Salesforce, you're in the right place. If you're a founder considering pursuing SOC 2, you may find it useful too.
Before jumping in, let's set some context for why this matters. I believe it reflects a larger trend that's years in the making in the outbound space—and one that's still just building momentum, with consequences for everyone from founder-led startups and SMBs to multinational, publicly traded companies.
The programmatic outbound movement is going mainstream. Sales motions, powered by AI and automation, are becoming more like marketing. And the tools that enable those go to market ("GTM") teams—like Smartlead, Instantly, EmailBison, and SASMail—are getting traction as a result.
They’re no longer just side projects for solo SDRs trying to book a few more meetings, or growth hackers trying to work around existing tools. They’re powering GTM at fast-growing SaaS teams and mid-market revenue organizations.
As these platforms move upstream, so do expectations. We believe OutboundSync is the best way for companies to sync activity and attribution data from these tools into CRMs like HubSpot and Salesforce—at scale, securely, and reliably.
And we're seeing larger and larger companies wanting to do this, with more complex requirements along the way. With nearly 20m records synced by OutboundSync and counting, we think we're onto something here. And by making this investment in our company, we think we can help bridge the gap to enable revenue teams to run this motion at scale.
SOC stands for System and Organization Controls. It’s a compliance framework from the American Institute of Certified Public Accountants (AICPA).
A SOC 2 report, which we just attained, is specifically “a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.” (Source: AICPA)
And yes, it’s from the AICPA because, fundamentally, it’s an audit. Having helped run a $20M hardware company that went through inventory counts and financial audits, the structure felt familiar.
But unlike a financial audit, this isn’t just for the finance team. It touches everything:
You don’t just "get" SOC 2... You commit to it—across your company.
There are two versions of SOC 2:
We chose Type II from the start. The cost and effort are similar, but the level of credibility is higher because it shows that policies are being actively followed over time.
This one’s easy: Our buyers kept asking for it.
We work with a lot of B2B SaaS companies—many of whom are SOC 2 compliant themselves. If you’re one of those companies, it’s a lot easier to use a vendor who also has it.
Security is especially relevant for OutboundSync because we have read/write access to companies’ systems of record (e.g. HubSpot and Salesforce) and are responsible for syncing business communications data. And I always knew I wanted us to invest more in this direction. But when buyers kept asking, it helped get the ball rolling faster.
Having a SOC 2 attestation saves everyone time. But it’s not a substitute for having good security practices. And your SOC 2 attestation can absolutely be deemed insufficient by a CISO who reads through it. So how you do it matters too. Let's talk about that next.
SOC 2 is a set of standards that you choose to follow. You then have to document and manage your compliance.
You can get SOC 2 with spreadsheets, screenshots, and documents that reflect your compliance with those standards. Then send them to an auditor and have them return a report back. This is the way it used to be done. Companies paid a lot more for manual processes and fewer companies did it.
Or you can invest in a trust management platform or governance, risk, and compliance (GRC) platform that helps you manage the whole thing, provides best practice policies, and includes real-time integrations with the tools in your tech stack.
The point of a platform is two-fold:
Needless to say, I recommend selecting a platform. Especially if you anticipate managing additional programs like ISO, GDPR, CCPA, etc.
We evaluated several Governance, Risk & Compliance (GRC) platforms.
Some were sketchy. One vendor falsely claimed we were a customer of theirs in a cold email campaign—after we took only one discovery call. Another blatantly misrepresented their product in a sales call. Yikes.
Ultimately we chose Vanta and I'm glad we did. (N.b. their mascot is a llama.)
They essentially created the modern GRC category. And for us, they had the best mix of integrations, platform maturity, quality policy templates to work off of, and appropriate access boundaries.
Many of our buyers also used Vanta. And I suspected that Vanta itself, the platform and their brand, would be trusted as we went through security reviews. I can tell you that this absolutely has been the case and compliance is actually a revenue-driver for us.
After you select a platform, you need to select an auditor that will access your instance of that platform. It's how they create the report that represents your actual attestation.
We interviewed several auditing firms and got different vibes from each. Some felt like report mills where they would just plug you into a process to get a PDF on the other side.
We went with a smaller, more engaged, conscientious, and emerging technology-focused firm, Advantage Partners, based in Seattle. I felt like they would help us get to a place we’d be proud of. And they did.
If you’re in the outbound space like we are, you may be happy to know this auditor also works with Clay. I learned this later, but it validated my decision because I respect the Clay team, what they’re building, and how they’re doing it.
Once you have your platform and your auditor, you just need to roll up your sleeves and work with your team.
This is the long, quiet part. Drafting policies. Reviewing templates. Cleaning up vendor lists. Configuring cloud infrastructure. Integrating tools and creating automations.
During this time, a few critical things helped get us ready for our audit.
Any good GRC platform is going to provide templates and out-of-the-box integrations to help you get started. Vanta certainly did for us. But they don't do everything for you. And the auditors don't get started at all until you're ready for them.
Here be dragons! Don't be like other companies I've talked to that got stuck here.
Once you're ready, you'll go through final review with your auditor and get to work. Audit window/observation periods vary. During this time you will be following all the policies and controls you put in place earlier.
Once the audit is complete, you'll review your audit with your auditor and provide a management representation or sign off that everything in the audit report is true.
And you're done!
Here's a quick overview of how long it took us to complete the SOC 2 Type II process, from beginning to end. My understanding is that this experience is pretty typical but your mileage may vary.
It took about a month to wrap my head around the process, decide to do it, select a GRC platform, and select an auditing firm.
Finished getting into compliance to start our audit, tracking progress along the way in Vanta before getting signoff from Advantage Partners.
Completed our initial audit, which was three months. This is now an annual part of how we run our company, and beyond that, we are continuously enforcing our policies and controls.
Finalize the SOC 2 Type II attestation report, including reviewing any final questions with the auditor and signing our management representation letter.
For us, the answer is yes—unquestionably.
We closed deals in the month after getting compliant that exceeded our annual cost of compliance. More importantly, it made our company better.
If you think of your data like water, we consider our role to be like that of an aqueduct, channeling it from one place to another. Especially from remote places (siloed tools) to central locations (your systems of record) where it's more valuable. As an infrastructure company, investing in our security and reliability will always be a priority as it's core to what we do.
Our team sleeps easier knowing that we have:
It was a forcing function for growth. And now, a foundation for what’s next, the kind of company we’re trying to build for our partners and customers too.
As the programmatic outbound and GTM engineering approach goes more mainstream, we believe more mid-market and enterprise customers will require it as companies like Smartlead, Instantly, EmailBison, and SASMail get more traction. We've certainly already seen it with Clay.
The security community can be pretty cynical. Fairly so. Add any cyber security professional to your group chat and they can share why. In practice, you can do checkbox security and “get away with it” with many customers.
Just because you’ve made a SOC 2 attestation, it does not mean it will be accepted by your buyers. As lower quality GRC platforms and auditors have entered the market, I'd wager that the percentage of companies getting rejected during security reviews has gone up and will continue to go up.
We didn't go that route.
SOC 2 is a voluntary, self-attestation with limited guardrails. For the most part, it is not prescriptive. In many cases it states that you must have a policy—not what that policy should be. And you can deactivate controls that don’t apply to your company. It's up to each company to define what a good security posture looks like for them.
We are doing our best to get this right from the start.
We’ve identified things we’ll implement in the next year to improve our security posture further. This includes the training, process documentation, and tooling that we use to run our company. But finishing the process did feel a little anti-climactic.
Am I writing this blog post in pursuit of some closure? Perhaps... (Yes.)
To learn more about our security program, visit OutboundSync's Trust Center, continuously monitoring 80 controls, subprocessors, and more. If you're interested in syncing outbound data to your system of record, contact us.
And if you're just interested in SOC 2 in general, I hope this post helps you choose the right security posture for your company.
Thanks for reading and good luck!
We couldn’t have done this without joining TinySeed, the accelerator for bootstrapped SaaS companies. I have to acknowledge this because the capital from TinySeed made it possible for us to make this investment as early in our company's life as we did.
Joining TinySeed changed the trajectory of our company. The guidance from their team, other founders in the batch, and of course the funding made this possible.
And as the founder, it changed my life. If you're curious, I wrote about our decision to join TinySeed here: OutboundSync Selected for TinySeed Spring 2024