Introduction
Compliance is often presented as a wall of impenetrable jargon. We're breaking that down. Every control exists to solve a simple business risk. Here is what they actually mean.
Core Terms
- **SOC 2 Type 2:** A "trust report" that proves your internal security controls work consistently over time, not just for a snapshot.
- **Access Control:** Simply making sure the right people have the right permissions. If an employee leaves, their access should be revoked immediately.
- **Evidence:** The proof you show an auditor (e.g., a screen recording of your cloud setting, a PDF of your employee onboarding checklist).
- **Control:** A structured process or tool designed to manage risk.
- **Authentication (AuthN):** The process of verifying *who* a user is (e.g., password + multi-factor auth).
- **Authorization (AuthZ):** The process of verifying *what* that user is allowed to do once signed in.
- **Penetration Test (Pen Test):** Hiring a trusted security professional (an "ethical hacker") to try to break into your systems, so you find the vulnerabilities before the bad actors do.
- **Risk Assessment:** Intentionally thinking about what could go wrong (data breach, server outage, human error) and deciding how to handle each.
- **Encryption:** Scrambling your data with a secret key so that anyone who copies or intercepts it without the key sees only unreadable gibberish.
- **Incident Response Plan:** A written "if this happens, then that" document that guides your team when something goes wrong (e.g., a security breach).
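To make Access Control, AuthN and AuthZ concrete, here is a small added example (written for this glossary, not code from the original page or any product) of a toy user directory. It checks *who* a user is (authentication), then separately checks *what* they may do (authorization), revokes everything the moment an employee is offboarded, and keeps an audit log of each decision, which is exactly the kind of evidence an auditor asks for. The user "alice", the roles, the passwords and the permission table are all constructed sample data.

```python
# Added example for this glossary (not code from the original page): a toy
# user directory that separates authentication (AuthN), authorization
# (AuthZ) and access revocation, and keeps an audit log as auditor evidence.
# Users, roles, passwords and permissions below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac
import secrets

# Role -> set of permitted actions (hypothetical roles for the example).
PERMISSIONS = {
    "admin": {"read_customer_data", "change_cloud_settings", "manage_users"},
    "engineer": {"read_customer_data", "change_cloud_settings"},
    "support": {"read_customer_data"},
}


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked user database does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    roles: set
    active: bool = True


class Directory:
    def __init__(self):
        self.users = {}
        self.audit_log = []  # evidence: every decision is recorded here

    def _record(self, event: str, username: str, detail: str) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "event": event, "user": username, "detail": detail,
        })

    def add_user(self, username: str, password: str, roles) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, hash_password(password, salt), set(roles))
        self._record("user_created", username, ",".join(sorted(roles)))

    def authenticate(self, username: str, password: str) -> bool:
        # AuthN: is this really the person they claim to be?
        user = self.users.get(username)
        if user is None or not user.active:
            # Same answer for unknown and deactivated accounts: no hint either way.
            self._record("authn_denied", username, "unknown or deactivated account")
            return False
        ok = hmac.compare_digest(user.password_hash, hash_password(password, user.salt))
        self._record("authn_ok" if ok else "authn_denied", username, "password check")
        return ok

    def authorize(self, username: str, action: str) -> bool:
        # AuthZ: given who they are, may they do this particular thing?
        user = self.users.get(username)
        allowed = (user is not None and user.active
                   and any(action in PERMISSIONS.get(r, set()) for r in user.roles))
        self._record("authz_allowed" if allowed else "authz_denied", username, action)
        return allowed

    def offboard(self, username: str) -> None:
        # Access control: a leaver loses all access at once, and the log shows when.
        user = self.users[username]
        user.active = False
        user.roles.clear()
        self._record("user_offboarded", username, "account deactivated, roles removed")


def run_scenario() -> dict:
    """Walks one engineer through hiring, daily use and leaving; returns the decisions."""
    d = Directory()
    d.add_user("alice", "correct horse battery staple", ["engineer"])  # constructed sample
    result = {
        "login_ok": d.authenticate("alice", "correct horse battery staple"),
        "login_wrong_password": d.authenticate("alice", "guess"),
        "may_change_cloud": d.authorize("alice", "change_cloud_settings"),
        "may_manage_users": d.authorize("alice", "manage_users"),
    }
    d.offboard("alice")
    result["login_after_leaving"] = d.authenticate("alice", "correct horse battery staple")
    result["may_read_after_leaving"] = d.authorize("alice", "read_customer_data")
    result["audit_events"] = [e["event"] for e in d.audit_log]
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two design points worth noticing: authentication and authorization are separate functions, so passing the login step never implies permission to do anything in particular; and offboarding both deactivates the account and empties its roles, so a stale session or a mistyped role table cannot quietly leave a leaver with access.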
Why This Matters
For a non-technical founder, compliance is not just a hurdle to close big enterprise sales; it's a foundation for building a trustworthy, scalable business. Understanding these terms keeps you in control.