What SOC 2 means when you hire a small geospatial vendor
Connor Jennings
Most small geospatial shops don't have SOC 2. In enterprise procurement, that's a non-starter.
What SOC 2 actually is
An independent auditor examines how a vendor handles customer data: who has access, how changes get reviewed, how incidents get handled. The auditor then writes a report.
SOC 2 is the standard most major SaaS vendors are audited against. AWS, Salesforce, GitHub, and Mapbox maintain SOC 2 reports. For corporate buyers with vendor risk programs, it's the baseline before a vendor conversation can start.
Why location data raises the stakes
Three risks are specific to spatial data.
- Geography is identity. A home address resolves to a household. A GPS trace resolves to a routine. A delivery history maps to individual customers. Removing the name column does not anonymize the data. The geography is the attribution.
- Maps expose patterns of life. In 2018, Strava's public heatmap exposed forward operating bases by mapping the jogging routes of personnel stationed inside. In 2022, a Strava flaw revealed runs of Israeli officials at secret bases. A map of inspection routes shows where coverage is thin. A map of customer locations shows where a competitor should set up. Visualizations often expose more than the records they were built from.
- Combining sources doesn't combine the rules. A typical project pulls from public records, paid data licenses, and APIs like Google Maps. Each one carries its own restrictions on how the data can be used, stored, or shared. The combined dataset inherits all of them at once.
A vendor without discipline on these points will eventually publish what should have been protected.
Why this is rare in geospatial
SOC 2 emerged from the SaaS world. Small geospatial shops grew out of GIS, planning, and surveying. Their default clients were governments and NGOs, not corporates with vendor risk programs. The discipline never filtered in.
The economics reinforce the gap. A SOC 2 audit alone runs five figures, and the controls behind it cost more. Most one- and two-person shops can't justify it. The default tooling makes it harder still. Shapefiles travel by email. Accounts get shared. Project files accumulate in shared folders. None of it is malicious. It is simply the field default.
The asymmetric advantage
Enterprise buyers with sensitive geospatial work need three things from a vendor: deep expertise, controls that pass procurement, and a price free of large-firm overhead.
Almost no vendor delivers all three. Large geospatial firms have the controls but charge enterprise rates. Small geospatial shops have the rates but not the controls. The few small shops that have built the controls sit in a gap with no real competition.
For an enterprise buyer, that's the vendor worth finding. For a small geospatial vendor, that's the bar worth clearing.