Launching a Free Product to a Skeptical Customer Base: The PLG Journey at TrustCloud

March 14, 2023

Picture this. You’re a startup founder doing business with an enterprise. They ask: “Do you have SOC 2?”

“Sock-what?” Insert sweat emoji.

We get it, compliance is daunting. It’s one of the few industries that is still wary of product-led growth (PLG) as a successful growth lever.

We wanted to change that.

I started at TrustCloud (formerly Kintent) in August 2022 as a senior product manager. Three months in, my team launched a beta of our free tier called TrustCloud Starter—a tool that makes obtaining SOC 2 compliance easy and affordable for startups. Folks could sign up on to get access. It was one of the first PLG-inspired tools to serve the governance, risk, and compliance market.

We hit a nerve. In less than two months, we had hundreds of sign-ups via We are aiming for thousands more startup customers this year.

Our team has learned a lot since our official launch in December. Even with our sales-led roots, we found successful ways to wade into PLG waters. Here’s how we did it.

But first, the why

Our mission at TrustCloud is to democratize access to compliance—similar to existing tools that startups rely on, like HubSpot for email marketing and Google Analytics for web analytics. Until we launched TrustCloud Starter, there weren’t any approachable compliance solutions for startups.

It’s a chicken and egg problem. A SOC 2 attestation is often required for startups that want to move forward with enterprise clients. But achieving that attestation takes time, resources, and money (thousands of dollars to set up and maintain annually) that few startups have. So how are startups supposed to win big deals and grow?

If messaging tools like Slack and marketing tools like Hubspot can be free, well, startups should have SOC 2 readiness for free. We want to challenge the compliance market, and create opportunities in an industry that traditionally doesn’t support startup growth.

We took an incremental approach to PLG

TrustCloud Starter is our first foray into product-led growth. We like to think of it as an “incremental” PLG motion. Customers can sign up through the site,, and jump on an onboarding call where we learn more about their pain points regarding compliance. Onboarding calls take time—but when it comes to SOC 2, we’ve found that the human touch is what reassures our customers.

Why we added an onboarding assist

We could have made the entire process self-service (true PLG), but it was important for us to move quickly. We knew that true PLG was not something that could have been achieved in three months or less.

Also, having prospects talk to our team allows us to build a relationship and address any skepticism around product safety (this is a security audience, after all!) and answer the most commonly asked question: “Is it really free?” It also enabled us to do things like:

  • Create a rapid feedback loop for the product and design team. This gives us the ability to identify self-service UX blockers and create documentation to further educate our teams.
  • Help us learn about the needs of our customers and identify special use cases to build upsell levers on our roadmap.
  • Put a face to our software when you get free access to the product. Our TrustCloud Starter customers receive a point of contact to help them onboard, activate, invite colleagues, and explore new use-cases.

On the whole, it reassures customers that we are there for them throughout their compliance journey.

How we launched our PLG motion: a step-by-step guide

Step 1: Sell leadership and sales on PLG

When we first started with PLG, our revenue teams had concerns: Will this cannibalize my business? Will I need to support free customers to the same extent as paid? Will the influx of customers overwhelm me? We also needed buy-in from leadership. I had conversations with our CEO and chief product officer explaining:

  • Why we should try this approach;
  • What we’re offering;
  • When we’re launching; and
  • What story will we tell (internally and to the market).

Why should you care about telling a good story to leadership?

Marketers know the value of a good story. Make sure your company believes it as well. When you’re offering a free tool to the market, people tend to view it as a gimmick.

This is where my PLG team stepped in. We wanted to explain how this free tool could disrupt the market, amplify our voice, and generate network effects that would lead to more paid customers.

Step 2: Make our solution easy to understand and access

Once we had buy-in, it took us roughly three months to ship a beta product and sign-up experience. Our team—myself, one engineer, one designer, a demand gen marketer, and two sales reps— needed to start promoting it online.

The process is simple and only takes a few minutes:

  1. Visit the landing page, which features product testimonials and insight on the process.
  2. Enter basic info to schedule an onboarding call.
  3. On the call, provide info about a company’s systems and infrastructure so TrustCloud can develop a SOC 2 compliance program.
  4. Log into their account on TrustCloud to observe progress.

Two growth levers to obtain more customers: onboarding and exploration

The journey sounds straightforward, but within it are two important growth levers.

  1. The onboarding call. We used the learnings from every call to iterate on product and design, refine our process and story, validate or disprove hypotheses, and identify upsell levers. Because the product is free, we had multiple onboarding calls per day. That’s a lot of feedback to work with.
  2. Opportunity to explore the platform. This allows users to organically get to an ‘aha’ moment with the product and become an evangelizer. For example, through the use of the real-time compliance portal TrustShare, startup CTOs can showcase their compliance posture, reduce time spent on security questionnaires, and eliminate sensitive compliance email ping-pong. When they have an account, users can go back to their leadership team and advocate for our solution. It also helps that they’re already past the evaluation stage and into our ecosystem.

With our offering, they avoid the stress and time required to evaluate compliance tools and the disappointment of not even being able to try them out. So many tools create barriers to entry, and we took a transparency-first approach: clarity around the product and pricing is paramount.

Step 3: Let the customer tell you what’s best about your product

The onboarding call actually gave us a ton of ideas on how to market TrustCloud Starter, thanks to customer feedback.

In fact, our best-performing LinkedIn ad simply said: “CEO wants SOC 2 in 2023. It’s free.” This reflected what most prospects said during our onboarding calls. They’re looking for SOC 2 compliance because their CEO asked for it.

The messaging was so effective that people shared the ad via word-of-mouth—internal Slacks, reposting it on their LinkedIn, and more. The domain,, also helped with stickiness. People may not remember “TrustCloud,” but “free SOC 2” is a catchy slogan. People now associate us with that phrase.

But not everything was perfect. And when they weren’t, our customers let us know. While we iterated to improve with speed, there were moments where we stumbled. Early on, some customers doubted us and our platform. They would say, ‘Yeah, it’s free, but it’s buggy.’ We had to go back to our product and design team to make these changes and just keep learning.

Step 4: Move users past onboarding to upselling

Getting customers onto the platform is great. But as any startup founder knows, it’s another thing altogether to retain and convert them into paying users.

Compliance is a moving target, so it makes sense to find upsell opportunities regarding SOC 2 renewal certificates—as companies need to renew annually. Once customers start using the TrustCloud platform, they can continue partnering with us to manage their compliance obligations. Boom, retention answered.

There’s also additional compliance certifications that they might need down the line, like:

  • ISO 27001 (international compliance)
  • CMMC (government compliance)
  • HIPAA (medical compliance)

There are multiple touch points within the product where free users can convert to paid to access additional services—and many have taken us up on that offer.

Fighting market skepticism

Offering free tools leading to SOC 2 compliance sounds too good to be true, and the immediate reaction from the market was that it was too good to be true. One customer said, “If it’s free, what’s the catch?”

They also said that if you’re not paying for the product, you are the product, which is not a good vibe when it’s a security compliance tool. (Plot twist: This person ultimately signed up and became a paid customer!)

We definitely asked ourselves about the validity of free SOC 2 compliance. ‘Maybe we’re off here. Maybe the market is not ready. Maybe we should turn back now.’

Startup founders tell us that compliance requirements remain difficult to understand, while the costs of obtaining compliance prohibit growth. But each call we took in the last four months proved that we were onto something—that there is true pain for startups trying to afford compliance.

Lessons learned from implementing the world’s first free SOC 2 PLG offering

For founders looking to do something similar, here are some experiences worth learning from:

  1. Launch before you’re ready. It takes guts to launch something embarrassing. We had product errors during onboarding calls, which fostered doubt and jeopardized partnerships. We lived and we learned. By launching fast, we gathered feedback quickly, iterated, tightened our processes, and acquired hundreds of new customers before our competitors realized what we were doing.
  2. Creating internal excitement helps create curiosity. Product leaders need to sell the story internally by using data and customer feedback. I like to tell internal teams that product-led customers grow with the organization. Once you win their business, it’s incumbent on you to serve them well so that they graduate to a paid plan. It’s like investing in the future of the business.
  3. PLG is not a single light switch. It’s actually multiple light switches. You need to have a stable platform, upsell levers, and ways to validate all this before opening the floodgates to PLG growth.

Free SOC 2 represents the first phase of our PLG ambitions. We plan to launch Free HIPAA and Free CMMC later this year to help accelerate compliance for startups serving the healthcare and government sectors. We want to ensure startups have the tools to stay secure, earn customer trust, and grow.

Note: TrustCloud is an OpenView portfolio company. For a full list of OV portfolio companies, visit our Portfolio page.

PLG Lead at Previously, a product growth lead at health social network, and at stock photography website Currently, Gary resides in Chicago. He grew up in Brooklyn, NY, and is a self-proclaimed pizza snob.