What we learned (and can share) from passing our SOC 2 Type II audit
Blog post from Tailscale
Tailscale has achieved SOC 2 Type II compliance, a significant milestone that validates the effectiveness of its security controls over a specified period; a Type I audit, by contrast, only assesses whether policies are in place. The audit process revealed challenges, including the time-consuming work of defining internal processes and the limited usefulness of automated compliance tools given Tailscale's non-standard infrastructure. Tailscale therefore developed its own tools and processes, including the ToBeReviewed Bot for managing production changes, and open-sourced its security policies, so that these controls are tailored to its specific business needs. Despite completing the audit, Tailscale acknowledges areas for improvement, such as streamlining vendor security reviews and strengthening endpoint security, and continues to work on making its SOC 2 report more accessible while remaining transparent about its security practices.