Do I need SOC 2, HIPAA, or GDPR for my LLC?
The third sales call where the enterprise prospect asks for your SOC 2 report is the moment the question stops being theoretical. Until then, most LLC owners assume compliance is something other people deal with — bigger companies, regulated industries, the law firms in glass towers. Then a procurement team at a Fortune 500 sends a 73-question security questionnaire as a precondition for a contract you have already verbally agreed to, and the question becomes urgent in a way it never was before.
This guide is for the founder who has heard the acronyms — SOC 2, HIPAA, GDPR, CCPA, ISO 27001 — and is not sure which of them, if any, applies to a one-person or small-team LLC. The short answer for most newly formed LLCs is that none of them apply, and the dread is misplaced. The slightly longer answer is that there are specific triggering events for each framework, and once a trigger fires, the cost of getting compliant is real money and real time. Knowing which trigger applies to you, and what to do when it fires, is the only part of compliance that genuinely matters in the first year of business.
The honest default: most LLCs do not need any of these
A consulting LLC that does marketing strategy work for US-based small businesses, an e-commerce LLC selling physical goods through Shopify to US customers, a service LLC offering bookkeeping to local restaurants — none of these LLCs have any obligation under SOC 2, HIPAA, or GDPR in the absence of specific triggering events. The frameworks exist for narrowly defined situations: SOC 2 is a contractual standard, HIPAA is a federal law for healthcare data, and GDPR is an EU regulation for data of EU residents. Falling outside all three is the default state of US small business, not the exception.
The pattern most new founders fall into is reading a viral LinkedIn post about "the compliance everyone is ignoring" and feeling vaguely guilty for not having a SOC 2 report or a 40-page privacy policy. The vague guilt is the wrong reaction. The right reaction is to identify the specific moment that would trigger each framework for your business, set a tripwire to notice when that moment arrives, and otherwise leave the compliance work alone. Spending $30,000 in year one of an LLC on a SOC 2 audit you do not need is one of the more expensive mistakes a small business can make, and it is made more often than founders realize.
SOC 2: a contract requirement, not a law
SOC 2 is short for "System and Organization Controls 2" (originally "Service Organization Control 2"), an attestation report standard published by the American Institute of Certified Public Accountants (AICPA). It is not a law and not a certification: a licensed CPA firm examines your controls and issues a report, and there is no government agency behind it. You cannot be fined for not having a SOC 2 report. The only force behind it is contractual: enterprise customers, particularly those subject to SOX, HIPAA, or financial-services regulation, often require their vendors to produce a SOC 2 Type II report as a condition of doing business. If you do not sell to enterprise customers, SOC 2 is irrelevant to your LLC.
There are two flavors. Type I is a point-in-time report, as of a specified date, that the controls are suitably designed and implemented; auditors confirm the controls exist and are in place on that date but do not test whether they kept operating afterward. Type II is the more substantial report, covering an observation period (typically six to twelve months) during which auditors test that the controls operated effectively as designed. Type I is usually accepted as a stopgap when a deal is on the table but a full Type II audit window has not closed yet; Type II is what enterprise security teams actually want on file.
The cost is the part most new founders underestimate. A small LLC pursuing SOC 2 Type II for the first time should budget $25,000 to $80,000 all-in for year one. That covers an audit firm engagement ($10,000 to $25,000 for the report itself), a compliance automation platform like Vanta, Drata, or Secureframe ($15,000 to $40,000 per year at the smallest tier), and 100 to 300 hours of internal time getting the actual controls in place. Years two and beyond drop to $20,000 to $40,000 because the platform and audit are recurring but the implementation work was largely one-time. Below about $300,000 in annual recurring revenue, this math is genuinely hard to justify.
The compliance automation platforms have changed the economics of SOC 2 significantly over the last five years. Pre-Vanta, a SOC 2 audit was a $50,000 consulting engagement that took six to nine months of partner-track work from a Big Four affiliate. The current model collapses that to a SaaS subscription that monitors your AWS account, Google Workspace, GitHub, and HR system continuously, flagging deviations from the controls you have committed to. The audit firm still has to issue the report, but the labor of preparing for the audit shrunk by an order of magnitude. None of this changes the fundamental question, which is whether anyone is going to ask for the report at all.
The threshold to start, in plain terms: when enterprise prospects with $50,000-plus annual contracts start asking for security review packages and rejecting deals without them, the math begins to work. Below that level, "SOC 2 in progress" with a credible roadmap is acceptable to most procurement teams, and a Type I report at signing combined with a Type II committed for completion in the next audit period is the standard concession.
HIPAA: a narrow trigger, but a hard one when it fires
HIPAA (Health Insurance Portability and Accountability Act) is federal law dating from 1996; the operative obligations live in its Privacy Rule, Security Rule, and Breach Notification Rule, as strengthened by the 2009 HITECH Act. It applies to two categories of entity: "covered entities" (health plans, healthcare clearinghouses, and healthcare providers such as hospitals and doctors that transmit health information electronically) and "business associates," which is where most non-healthcare LLCs encounter it. A business associate is any entity that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity, and since the 2013 Omnibus Rule a subcontractor that handles PHI for a business associate is itself a business associate.
The definition of PHI is broad in a way that catches many founders by surprise. Any individually identifiable health information held by a covered entity counts: appointment data, billing records, lab results, prescription history, the names of patients, the dates of their visits. If your LLC builds, hosts, or operates any system that touches any of that data in the service of a covered entity, you are a business associate and HIPAA applies in full.
The classic non-healthcare LLCs that end up as business associates are IT consulting firms serving medical practices, freelance developers building patient portals, transcription services, cloud hosting and storage providers, billing companies, and (increasingly common) marketing agencies that handle email lists where the email addresses themselves reveal medical conditions. The hospital marketing director who hands you a CSV of patients-on-statins for a targeted campaign has just made you a business associate, whether either of you realized it or not.
When HIPAA applies, the entity must sign a Business Associate Agreement (BAA) with each covered entity it serves. The BAA is the contractual mechanism that flows HIPAA obligations down to the business associate. Without a signed BAA, the covered entity is in violation simply by disclosing PHI to you, and the business associate is directly liable under HITECH for Security Rule compliance whether or not a BAA was ever signed. HHS publishes sample BAA provisions rather than a mandatory form, and most healthcare clients will send their own version; an LLC negotiating a BAA can push back on indemnification terms but cannot opt out of the core security and privacy obligations.
The cost of HIPAA compliance is more variable than SOC 2 because the controls are less standardized. A small LLC operating as a business associate typically spends $5,000 to $25,000 per year on compliance overhead: a security risk assessment ($2,000 to $8,000 for the first one), encrypted email and file storage that meets the HIPAA technical safeguard standards (Google Workspace and Microsoft 365 both offer configurations on their paid tiers for which the platform will sign a BAA; check the vendor's current BAA eligibility list rather than assuming a tier, and remember the BAA covers only the services the vendor lists as in scope), employee HIPAA training ($50 to $200 per person per year), and ongoing documentation. Insurance, specifically a cyber liability policy that includes HIPAA defense, runs $1,000 to $5,000 per year.
The penalty structure is genuinely scary, which is what makes the lower-end compliance investment worth the cost. Civil penalties are tiered by culpability: "did not know," reasonable cause, willful neglect corrected within 30 days, and willful neglect not corrected. Under HHS's 2024 inflation adjustment the per-violation minimum runs from about $141 at the lowest tier to $71,162 at the highest; the per-violation maximum is $71,162 for the first three tiers and roughly $2.13 million for the top tier; and every tier carries an annual cap of roughly $2.13 million per identical provision violated (HHS's 2019 notice of enforcement discretion applies lower annual caps to the lower tiers). Violations are counted per affected individual or per day of non-compliance, so a breach exposing 1,000 patient records can reach seven-figure territory quickly. Most enforcement actions against small business associates settle in the $50,000 to $250,000 range, plus a corrective action plan that imposes monitoring for two to three years.
A few things HIPAA does not require, despite common misconceptions. There is no certification for HIPAA — no agency issues a "HIPAA certified" badge, and any vendor claiming to be one is using a marketing term, not a regulatory one. There is no annual filing or registration with HHS. The compliance program exists in your own documentation, and the enforcement event is the breach or the complaint, not a routine audit.
GDPR: the geographic test that catches more US businesses than they think
GDPR (General Data Protection Regulation) is the European Union's data protection law, in force since 25 May 2018. Its territorial reach (Article 3) is defined by where the people are, not where the business is: it covers processing of personal data of data subjects who are in the EU or EEA at the time of processing, when that processing relates to offering them goods or services or to monitoring their behavior. The LLC's location is irrelevant. The data subject's nationality is irrelevant; a French citizen living in Texas is out of scope and an American on holiday in Paris is in it.
For a US LLC, three patterns trigger GDPR scope. The first is offering goods or services to people in the EU, even for free. Mere reachability of a website from the EU is not enough (Recital 23), but accepting EU signups, quoting prices in euros, offering EU-language versions, or shipping to EU addresses is, and a SaaS free tier that knowingly onboards EU users is in scope. The second is monitoring the behavior of people in the EU (Recital 24), which catches any analytics platform that tracks or profiles visitors and any retargeting campaign that includes EU geographic targeting. The third is having an establishment in the EU, which is rare for a US-only LLC but worth flagging.
The pattern that catches most US founders unawares is the second one. An LLC running Google Analytics with default settings, serving Google Ads campaigns without geographic exclusions, or using a CRM that captures IP-geolocated visitor data is processing personal data of any EU-resident visitor who lands on the website. Strictly read, GDPR applies. Pragmatically, enforcement against small US businesses for this incidental processing is rare; the EU's Data Protection Authorities focus enforcement resources on larger companies and on bad actors. But the regulation does technically apply, and the standard mitigation is geographic exclusion of EU traffic from analytics and ads, which most marketing platforms support natively.
The compliance burden under GDPR is not primarily about the privacy policy that most founders default to writing first. The bigger pieces are:
A record of processing activities (Article 30), which is an internal inventory of every category of personal data the LLC handles, the purpose, the legal basis, the retention period, and the recipients. For a small business this is typically a spreadsheet with 15 to 40 rows; it must be available on request from a Data Protection Authority and is the most common deliverable an enforcement officer will demand first. Article 30(5) exempts organizations with fewer than 250 employees only when the processing is occasional, is unlikely to result in risk to data subjects, and involves no special-category data; routine customer, marketing, and analytics processing is not occasional, so a small LLC that is in scope at all should assume it needs the record.
A legal basis for each processing activity. GDPR Article 6 lists six legal bases — consent, contract, legal obligation, vital interests, public task, legitimate interest — and every processing activity has to be slotted under one. Consent is the most familiar but the least flexible; legitimate interest is what most B2B activities lean on and requires a documented balancing test.
Data Processing Agreements with every processor. A processor is any third party that handles personal data on your behalf — email marketing platforms, CRMs, cloud hosting, analytics providers, payroll services, support ticketing. Article 28 requires a contract between controller (your LLC) and processor (the vendor) governing how the data is handled. Most major SaaS vendors offer a standard DPA you can sign in their trust center or privacy portal; the practical inventory for a small business runs 15 to 30 vendors. The DPA is the part most small-business compliance programs neglect, and it is the cheapest to fix because the templates already exist.
Data subject rights workflows. People in the EU have rights to access their personal data, request rectification or deletion, request portability, object to processing, and several others. The LLC must respond without undue delay and in any event within one month of the request (Article 12), extendable by up to two further months for complex or numerous requests, and it must tell the requester about any extension within the first month. For a small business the volume is low, and most LLCs receive zero requests in a given year, but the workflow has to exist on paper before the first request arrives.
Privacy policy. Yes, you need one. It has to disclose what data is collected, the purposes, the legal bases, the retention periods, the recipients, the rights, and the contact for a complaint. Most US privacy policies that predate GDPR are inadequate; the gap is usually around legal bases, retention periods, and the right-to-complain notice.
GDPR penalties are tiered. Procedural violations cap at the higher of 10 million euros or 2 percent of global annual turnover; substantive violations (consent failures, breaches, denial of data subject rights) cap at the higher of 20 million euros or 4 percent of global annual turnover. The largest fines on record are against Meta, Amazon, and Google in the hundreds of millions of euros. Small-business fines are rare and usually in the five-figure range, but the asymmetry is the problem — the cap is high enough to ruin any business that draws enforcement attention.
CCPA and CPRA: the California analog
The California Consumer Privacy Act (CCPA, enacted 2018, effective 2020) and its successor the California Privacy Rights Act (CPRA, passed 2020, effective January 2023) are the closest US analog to GDPR. They apply to any for-profit business that does business in California, collects personal information of California residents, and meets one of three thresholds: annual gross revenue over $25 million (inflation-adjusted, so slightly higher now), annually buying, selling, or sharing personal information of 100,000 or more California consumers or households, or deriving 50 percent or more of annual revenue from selling or sharing personal information.
For a new LLC, none of those thresholds are likely to be crossed in year one. CCPA does not apply by default. The threshold to start paying attention is when the business genuinely scales — most one-person LLCs never hit the 100,000-consumer threshold and almost never the $25 million revenue threshold. The "selling personal information" threshold is the one that occasionally catches small LLCs that rely heavily on data brokers or ad networks for revenue.
Below the thresholds the statute does not impose its obligations on the business at all; the rights run only against a covered "business." Still, any LLC that wants to serve California customers should at minimum do what the statute would require, because enterprise buyers and customers increasingly expect it and the cost is small: publish a privacy policy that addresses the categories CCPA requires, honor "Do Not Sell or Share My Personal Information" requests if any data sharing happens, and respond to access and deletion requests within 45 days. The implementation overhead for a small LLC is modest: a "Do Not Sell or Share" link in the footer of the website, a privacy policy update, and a workflow for handling requests through the existing customer support inbox.
The order things actually happen in a small LLC
The standard sequence is roughly this. The LLC forms with no compliance scope. A few months in, a privacy policy gets published, usually generated from a template — Termly, iubenda, or a competent free template from the IAPP. The policy is broadly accurate and is sufficient for the LLC's current state.
Then one of three things happens. An enterprise prospect asks for a SOC 2 report and the LLC has to make a decision about whether to start the audit process. A healthcare client offers a contract and a BAA appears in the contract pack. An EU customer signs up for the service and the LLC becomes a GDPR controller for the first time. In all three cases the trigger is contractual or customer-driven; the regulation has been there the whole time, but it becomes operationally relevant only when a specific transaction depends on compliance.
What follows depends on the framework. For SOC 2, the LLC signs up for a compliance automation platform, implements the controls over three to six months, then engages an audit firm for a Type II report covering a six-to-twelve-month observation window. From decision to first issued Type II report is typically nine to fifteen months. For HIPAA, the LLC signs the BAA, completes a security risk assessment, implements the technical safeguards required by the Security Rule, and trains everyone who will handle PHI. For GDPR, the LLC builds the Article 30 record, signs DPAs with every processor, implements data subject rights workflows, and updates the privacy policy. None of these are weekend projects.
When to hire a compliance lawyer or consultant
The threshold to involve a professional differs by framework. For SOC 2, the compliance automation platform plus the audit firm cover most of the work; an outside consultant is helpful but not mandatory, and the consulting market for SOC 2 is competitive enough that a fractional virtual CISO costs $2,000 to $8,000 per month, far less than a full-time hire. For HIPAA, a security risk assessment from a firm specializing in healthcare compliance is genuinely worth the $5,000 to $15,000 fee because the consequences of getting it wrong are much higher; a HIPAA-fluent attorney is also worth retaining at $400 to $700 per hour for the BAA negotiations.
For GDPR, a privacy attorney with EU practice experience costs $400 to $900 per hour, and the right engagement is usually a fixed-scope project: review the data flows, identify the legal bases, draft the Article 30 record, review the privacy policy, and put a lawful transfer mechanism in place for EU-to-US transfers. The transfer mechanism is normally the European Commission's standard contractual clauses, which are a fixed text you adopt and complete (with a transfer impact assessment) rather than draft, or EU-US Data Privacy Framework self-certification where it fits. Total fees for that engagement typically run $5,000 to $15,000 and the deliverable is a compliance package the LLC can maintain in-house thereafter.
Below those thresholds, the small LLC can often handle the work using published resources. The IAPP (International Association of Privacy Professionals), the HHS Office for Civil Rights guidance pages, the AICPA's SOC 2 resources, and a handful of competent law firm blogs (Bryan Cave Leighton Paisner, Hogan Lovells) publish more than enough material for a self-directed compliance program at the small-business scale. The cost of getting it wrong without a consultant exists, but the cost of paying a consultant when the business is still under $500,000 in revenue often exceeds the risk-adjusted expected harm.
The myths that cost money
A short tour of the misconceptions that lead small LLCs to spend money they should not be spending.
"My LLC has a privacy policy, so we are GDPR compliant." No. The privacy policy is the customer-facing summary of compliance, not the compliance itself. The Article 30 record, the DPAs, the legal bases, the data subject rights workflows — those are the actual compliance program. The policy is the receipt.
"SOC 2 is required by law." No. It is a contractual standard. There is no statute that mandates SOC 2. Customers may require it, but the government does not.
"HIPAA does not apply to my business because I don't work in healthcare." Partially right, partially wrong. HIPAA does not apply if you are not a covered entity or business associate. It very much does apply the moment you become a business associate by signing a BAA or handling PHI on behalf of a covered entity, regardless of what your business "is" in marketing terms.
"I do not store data, so HIPAA does not apply." The Security Rule applies to electronic PHI you create, receive, maintain, or transmit, not just to what you store. An IT consultant who only logs into a hospital's system and reads PHI without copying it is still subject to HIPAA technical safeguards on the access path.
"I am SOC 2 compliant because I subscribe to Vanta." No. Vanta monitors and documents. The audit firm issues the report. Subscribing to the platform without engaging an auditor produces no report and no compliance status.
"GDPR does not apply to my US LLC." Probably true for a business that sells only to US customers and excludes EU traffic from its tracking. False the moment the business knowingly accepts signups from people in the EU or tracks the behavior of EU visitors with analytics or retargeting active.
The compliance roadmap for the typical year-one LLC
For most LLCs in their first year, the entire compliance program reduces to four items. Publish a competent privacy policy that covers what data is collected, why, and how to contact the business for questions. Maintain the legally required state-level filings (Articles of Organization, annual report, registered agent). Execute the foundational documents and vendor contracts (operating agreement, registered agent contract, payment processor terms) that the LLC encounters in the normal course of business. Be aware of the four triggering events (enterprise SOC 2 requests, healthcare BAA requests, EU customer signups, California consumer threshold crossings) and have a plan for what to do when one fires.
The mistake is the opposite of due diligence. It is buying compliance products preemptively because of a vague sense that "compliance" is something serious businesses do. A serious business that does not need SOC 2 does not have SOC 2. A serious business with no EU customers does not have a 40-page GDPR-styled privacy policy. The trap is mistaking the marketing language of the compliance industry for the actual obligations imposed by law and contract.
When a trigger fires, the cost is real but the response is structured. SOC 2 takes nine to fifteen months and $25,000 to $80,000 in year one. HIPAA takes one to three months to implement and $5,000 to $25,000 in year one. GDPR for a small US LLC with limited EU exposure takes one to two months and $2,000 to $10,000. None of these are catastrophic, all of them can be planned for, and all of them have a path that does not require an in-house compliance team. The work begins when the business need begins, not before.
Related guides
- How to form an LLC, step by step — the formation paperwork that creates the entity at the center of any compliance program.
- Single-member LLC operating agreement — the internal contract that some compliance frameworks reference.
- Best business banking for new LLCs — banking decisions intersect with PCI and GLBA scope for some businesses.
- Tools every new LLC owner needs in year 1 — the software stack a compliance program runs on.
- BOI reporting (FinCEN) — the federal beneficial-ownership disclosure that some foreign-owned LLCs still file.
- Form 5472 for foreign-owned LLCs — another federal disclosure that intersects with international business operations.
- How is an LLC taxed? — tax compliance is a separate stream from the privacy and security frameworks covered here.