How We Pivoted from HRMS to GRC (and Somehow Got SOC 2 Certified Without Losing Our Minds)
I need to share something that makes my impostor syndrome go absolutely wild: the complete clusterfuck that was our journey to SOC 2 certification.
Because here’s the thing about vulnerability in entrepreneurship—every time I think about sharing the messy parts, that voice kicks in: “Won’t admitting you struggled destroy your credibility?”
Fuck that voice. Let me tell you what actually happened.
The HRMS Fantasy (AKA: How I Wasted a Year)
February 2024. I started building Humadroid with this brilliant (read: completely wrong) assumption that I could solve HRMS better than everyone else. My logic seemed sound—I’d run Prograils, dealt with growing teams, juggled multiple expensive tools that barely talked to each other. I knew the pain points intimately.
What I didn’t know? How impossible it is to break into the HRMS market.
The reality is stupidly simple: Small companies don’t care—Google Docs works fine for them. Larger companies already have systems, and unless their current provider commits spectacular corporate suicide, they’re not switching. That’s it. That’s the whole market insight that took me a year to understand.
A year.
The Pivot Nobody Saw Coming (Including Me)
Then I had coffee with a friend who casually dropped this: “You know what I actually use from Humadroid? The asset management feature.”
That one sentence broke something open in my brain.
I never wanted to build HRMS. I wanted to build a system that fights those 3am anxieties—the ones about expired agreements, missing hardware tracking, compliance gaps you know exist but can’t quite locate. The stuff that actually kept me up at night running Prograils. I never lost sleep over someone’s vacation approval. But invalid vendor agreements? Those caused real, physical dread.
That’s when Bartek and I started building… well, we weren’t quite sure what at first. Asset management? Contract tracking? During one particularly productive wire-framing session, it naturally morphed into compliance management.
Humadroid 2.0 was born.
The SOC 2 Reality Check
Of course, if you’re building a compliance company, you need to be compliant yourself.
(This is where my definition of “MVP” reveals itself to be catastrophically broken.)
I have this problem—I “overcode” things. So when I say we built controls management, evidence submission, policy generation, risk management, business continuity, AND asset management… yeah. That’s not exactly a minimal viable product, is it?
Look, I won’t lie about this: Without LLMs and modern AI coding assistants, we’d still be planning sprint one. Back in my Prograils days, I would’ve estimated this as eighteen months of work for a dozen developers. We had a working version suitable for our own compliance in five months.
I started coding the new Humadroid in March 2025. By June, we’d contacted a third-party auditor and scheduled our preliminary audit for August 12th—conveniently after our vacations, because what could possibly go wrong with that timeline?
Weekend from Hell, Part One
The weekend before the audit, Bartek and I met up to “finalize everything.”
First move: We purged ALL our evidence collected so far. Most of it was test data anyway.
Second move: We started a fresh account in Prograils and began working through controls.
Third move: We discovered our AI-generated control list was completely fucked.
Yes, we’d validated the outputs. But we’d never validated the complete list against the actual Trust Service Criteria from AICPA. Because of course we hadn’t. Shit happens, right?
Wrong. This particular shit meant telling our first demo clients, “Hey, remember that thing we said was ready? About that…”
That conversation felt like swallowing glass.
So instead of reviewing evidence, we spent the weekend rebuilding our entire control framework from scratch. We completed about 80% in two days, which was exhausting in ways I didn’t know work could be exhausting. I knocked out the remaining 20% over the next day and a half.
We submitted everything to our auditor and waited.
The Phone Call
A few days later: “Can we schedule a call?”
I was optimistic—maybe he wanted to learn more about the platform? Or better yet, confirm we were compliant and ready for the actual SOC 2 Type I assessment?
Nope.
“Where are your sub-controls?”
What?
(Okay, I thought “what the actual fuck,” but let’s be professional here.)
Turns out—and I genuinely didn’t know this—SOC 2 best practice divides each control into smaller sub-controls. They provide granular implementation details, better ownership management, clearer audit trails. All that sensible stuff that nobody explicitly tells you until you’re already committed to an audit.
From a software development perspective, this wasn’t an easy fix. This was an architectural change. Supporting sub-controls and infrastructure assets properly took another month.
The “Easy” Part
September 19th: Preliminary assessment completed. A few small findings, nothing critical.
We asked our auditor to start the full assessment the following week.
Because obviously, everything was ready now. Right?
(Narrator voice: Everything was not ready.)
Here’s what I didn’t understand about preliminary assessments: they check if everything’s in place and the evidence makes sense. They don’t validate if you’ve completed all the documentation requirements.
Weekend from Hell, Part Two (Electric Boogaloo)
Friday evening, I got a question about our “system description.” I’d sent over a paragraph—maybe two—describing what Humadroid does and who we are as a company.
Seemed sufficient. Went to bed. Enjoyed my weekend.
Monday, Tuesday, Wednesday, crickets from the auditor. I checked in: “Everything okay? Need anything else?”
Oh yes. They were still waiting for the System Description.
Not a paragraph. Not a page. The capital-S, capital-D System Description—a structured document that’s supposed to be 20-200 pages of specific technical and operational details, written in a very particular format.
This was bad.
It got worse as I researched how to actually write one. Articles about “proper system descriptions” kept making it sound impossible. Complex. Something that requires teams of consultants.
Oh, and this was also when Bartek told me he was moving on. Different life priorities. Totally understandable. Absolutely terrifying timing.
I was now a solo founder staring down:
- A system description I didn’t know how to write
- An audit timeline I’d promised
- A product I’d told customers was “ready”
- A partner leaving
I needed a few days to sit with that cocktail of anxiety before deciding: fuck it, I’ll implement the fuck out of this.
If we’re promising to make our customers SOC 2 ready in a week, we need to keep our word—even if that means I have to build the feature that saves us first.
The Crunch
What followed was one of the most intense weeks of my career. Not long—just a week—but the kind of intensive that makes you question your life choices hourly.
But you know what? A week later, I had it. Not just a proof-of-concept. A fully working feature that helps our customers write their system descriptions.
And when I read the output? When I saw what we’d built and realized how far we’d pushed LLMs to actually understand and assist with compliance work?
I felt proud.
Look, I know that sounds like motivational poster bullshit. But it’s true. Compliance is surprisingly difficult—not conceptually impossible, but practically exhausting. The constant context-switching, the precise language requirements, the interconnected dependencies.
With proper context and prompts, it’s now approachable. Not easy—it still requires responsibility and attention—but approachable. You can use ChatGPT or Claude to manage some of this yourself, same way we used Google Docs and Sheets for ISO 27001 at Prograils years ago.
But there are better tools now. Tools that don’t suck the life out of you at every step.
Managing compliance without assistance is like going on a date with a Dementor—except compliance is actually useful and important.
What We Actually Built
Here’s the part where I’m supposed to do the hard sell, but honestly? I’m just tired and relieved.
Humadroid works. It’s a mature tool for SOC 2 management. Not because we planned it perfectly from day one—we didn’t. Not because we never made mistakes—we made dozens. But because we built it while using it for our own compliance.
Every pain point we felt, we fixed. Every gap we discovered, we filled. Every “wait, this should be easier” moment became a feature.
We got our SOC 2 certification. Despite the chaos. Despite the pivots. Despite the weekend crunches and the partner departure and the system description crisis.
If your impostor syndrome is screaming that you’re not ready for compliance, I get it. Mine still does. But the truth is simpler than we make it: compliance isn’t about being perfect. It’s about being systematic. And having tools that don’t make you want to quit.
(Also, if you’re wondering—yes, I did just write a 2000-word essay essentially saying “we built compliance software by being really bad at compliance first.” The irony isn’t lost on me.)
Building Humadroid continues to be an adventure in organized chaos. If you’re facing your own SOC 2 journey and want to hear more about the weird corners we discovered, hit me up. Misery loves company, and apparently, so does compliance.