Whenever we get a client with around 100+ head count, they ask to fill their own security assessment. It takes a lot of time as it has sometimes 100+ questions.
We can't also deny them, but we're getting tired. We're too small to hire someone for this and as a founder, my time can surely be used better somewhere else.
How do small startups handle this without getting SOC2?
It's competitive out there. Using an advantage to your company's benefit as a founder is your job - not work that is beneath you. Fill it out and bring some money in.