
What SOC 2 means when you hire a small geospatial vendor

Connor Jennings

Most small geospatial shops don't have SOC 2. In enterprise procurement, that's a non-starter. The few that have done the work occupy a category most buyers don't know to look for. For procurement teams that find them, it's a meaningful advantage.

What SOC 2 actually is

SOC 2, short for Service Organization Control 2, is an audit framework from the AICPA (the body that sets US accounting standards) for evaluating how service providers handle customer data.

An independent auditor examines how a vendor behaves with customer data: who has access, how changes get reviewed, how incidents get handled. The auditor then writes a report on what they found.

SOC 2 is the standard most major SaaS vendors are audited against. AWS, Salesforce, GitHub, and Mapbox maintain SOC 2 reports. For corporate buyers with vendor risk programs, it's the baseline before a vendor conversation can start.

Why location data raises the stakes

Two risks are specific to spatial data.

  • Geography is identity. A home address resolves to a household. A GPS trace resolves to a routine. A delivery history maps to individual customers. Removing the name column does not anonymize the data. The geography is the attribution.
  • Maps expose patterns of life. In 2018, Strava's public heatmap exposed forward operating bases by mapping the jogging routes of personnel stationed inside. In 2022, a Strava flaw revealed runs of Israeli officials at secret bases. A map of inspection routes shows where coverage is thin. A map of customer locations shows where a competitor should set up. Visualizations often expose more than the records they were built from.

A vendor without discipline on these points will eventually expose what should have been protected.

Why this is rare in geospatial

SOC 2 emerged from the SaaS world. Small geospatial shops grew out of GIS, planning, and surveying, fields where specialist knowledge is the offering. Their default clients were governments and NGOs, not corporates with vendor risk programs, and the discipline never filtered in. The economics reinforce the gap: a SOC 2 audit alone runs five figures, and the controls behind it cost more. Most small shops can't justify it. The result is that almost no small geospatial vendor clears the procurement gate, which is what makes the exceptions worth attention.

The market gap

Most small geospatial shops bring specialist expertise. Most large firms bring the controls that pass procurement. The rare vendor that has built both sits in a useful gap.

Some geospatial projects are hard to staff because they need depth, discipline, and credible handling of sensitive data. They are best served by vendors small enough to do the specialist work well and mature enough to be trusted with it.