What Typically Comes First in Mid-Market SaaS Deals: SOC 2, Security Questionnaires, AI/Data Queries, or Vendor Reviews?

David G.

·Apr 20, 2026 02:43 PM·

(edited)

Question for SaaS leaders who sell into mid-market / enterprise: What usually hits first:

1.
Need for SOC 2/ISO27001/GDPR/HIPAA
2.
Security questionnaires
3.
AI/data handling questions
4.
Vendor review requests

Trying to understand what pressure shows up earliest in deals.

❤️3

15 comments

· Sorted by Oldest

Eric K.
·
·
You forgot ISO27001 and GDPR (etc)
🙌1
Kendra R.
·
·
Data/soc 2 people are paranoid about their call data and where it goes
‼️1
Matthew D.
·
·
what are you selling?
👀1
Matthew D.
·
·
could see this working very differently for, say, martech vs devtools
Kendra R.
·
·
I personally sell live sales coaching, since it listens to the call live, people get paranoid about it but we dont save their convo
🙌1
Eric K.
·
·
Yes, the type of company and type/quantity of data will affect the requirement. Geography also is a big factor here. In general I am seeing companies needing GDPR/CCPA or similar first, followed by ISO27001 (which covers most of the security questionnaires), and then SOC2. Specialized ones will depend on industry and country of service: HIPAA, FCA, etc.
David G.
·
(edited)·
Yes, Kendra! Perfect scenario. How early in the sales process do questions show up?
David G.
·
·
Eric K. Good point! I probably should have framed it less as specific frameworks and more as “what trust requirement shows up first.” Interesting that you’re seeing privacy requirements first, then broader security proof, then formal certifications later. Are you seeing that mostly in larger deals, or becoming common even earlier now?
Kendra R.
·
·
end of call usually
Eric K.
·
(edited)·
David G. mostly these are investor related questions before customer ones. We went straight to ISO2701 and GDPR (we do communications and don't store end customer data). Customers were happy with those and asked about privacy laws as those were the checkboxes they needed first
David G.
·
·
That’s interesting, investor pressure before customer pressure. I can see that being critical during investor evaluations. Sounds like for your model, privacy credibility mattered faster than broader security certifications. Did that come up as a blocker, or more of a “checkbox” to keep things moving?
Eric K.
·
·
Mostly check box
David G.
·
·
Matthew D. Definitely. I’d expect martech to get hit earlier on customer data / privacy, while devtools may get more questions around access, integrations, and internal security posture. The trigger changes a lot depending on what data you touch and where you sit in the stack. What have you seen?
David G.
·
·
Eric K. So less of a hard blocker, more of a confidence signal to keep momentum moving. I think a lot of trust requests start as simple checkboxes, then turn into questionnaires and deeper reviews as deals progress. Are you seeing that happen more now?
Eric K.
·
·
Matthew D. actually we are getting less interest in our security and compliance than in the past.

Eric K.
·
·
You forgot ISO27001 and GDPR (etc)
🙌1
Kendra R.
·
·
Data/soc 2 people are paranoid about their call data and where it goes
‼️1
Matthew D.
·
·
what are you selling?
👀1
Matthew D.
·
·
could see this working very differently for, say, martech vs devtools
Kendra R.
·
·
I personally sell live sales coaching, since it listens to the call live, people get paranoid about it but we dont save their convo
🙌1
Eric K.
·
·
Yes, the type of company and type/quantity of data will affect the requirement. Geography also is a big factor here. In general I am seeing companies needing GDPR/CCPA or similar first, followed by ISO27001 (which covers most of the security questionnaires), and then SOC2. Specialized ones will depend on industry and country of service: HIPAA, FCA, etc.
David G.
·
(edited)·
Yes, Kendra! Perfect scenario. How early in the sales process do questions show up?
David G.
·
·
Eric K. Good point! I probably should have framed it less as specific frameworks and more as “what trust requirement shows up first.” Interesting that you’re seeing privacy requirements first, then broader security proof, then formal certifications later. Are you seeing that mostly in larger deals, or becoming common even earlier now?
Kendra R.
·
·
end of call usually
Eric K.
·
(edited)·
David G. mostly these are investor related questions before customer ones. We went straight to ISO2701 and GDPR (we do communications and don't store end customer data). Customers were happy with those and asked about privacy laws as those were the checkboxes they needed first
David G.
·
·
That’s interesting, investor pressure before customer pressure. I can see that being critical during investor evaluations. Sounds like for your model, privacy credibility mattered faster than broader security certifications. Did that come up as a blocker, or more of a “checkbox” to keep things moving?
Eric K.
·
·
Mostly check box
David G.
·
·
Matthew D. Definitely. I’d expect martech to get hit earlier on customer data / privacy, while devtools may get more questions around access, integrations, and internal security posture. The trigger changes a lot depending on what data you touch and where you sit in the stack. What have you seen?
David G.
·
·
Eric K. So less of a hard blocker, more of a confidence signal to keep momentum moving. I think a lot of trust requests start as simple checkboxes, then turn into questionnaires and deeper reviews as deals progress. Are you seeing that happen more now?
Eric K.
·
·
Matthew D. actually we are getting less interest in our security and compliance than in the past.