I'm trying to get a grip on the typical security attitudes and potential approval challenges when deploying a vendor's software—specifically, in cases where the vendor (which is my startup) currently doesn't have SOC 2 certification. I'm looking at two main options:
A. **Bring Your Own Cloud (BYOC)**: In this scenario, the vendor's software operates in the customer's VPC or on-premise. This option allows the customer to manage IAM, networking, logging, and keys, meaning they can completely revoke vendor access whenever they want.
B. **Outbound-only VPN Connection**: This involves using a small, customer-hosted connector or agent to create outbound-only connectivity through Tailscale, which functions as a zero-trust network. This means there are no inbound firewall openings, and vendor access would be restricted to certain internal endpoints.
I'm curious about how organizations typically rank these two options, particularly for projects involving sensitive data where approval processes are critical.
- How does your organization evaluate and compare A vs B?
- Does A represent a tangible improvement in terms of approval likelihood, or is it just a small step up from B?
- What security measures need to be in place for B to be considered acceptable (like using app proxies, customer-controlled kill switches, session recording, etc.)?
- What are common reasons a non-SOC 2 vendor gets rejected outright?
Ultimately, I want to manage the balance between reducing development time while ensuring the security and audit requirements are met for successful production deployment.
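As an added illustration (not part of the original question or of any vendor's product), here is what the "restricted to certain internal endpoints" and "customer-controlled kill switch" parts of option B look like as a Tailscale policy file (HuJSON, Tailscale's JSON-with-comments dialect). The group name, tag names, e-mail addresses and port are constructed placeholders.

```jsonc
// Constructed example Tailscale policy file (HuJSON). Placeholders:
// "group:secops" is the customer's admin group, "tag:vendor-connector" the
// vendor-hosted agent, "tag:app-db" the one internal service it may reach.
{
  // Only the customer's security group may apply these tags, so the vendor
  // cannot widen its own reach by re-tagging a node it controls.
  "tagOwners": {
    "tag:vendor-connector": ["group:secops"],
    "tag:app-db":           ["group:secops"],
  },

  "groups": {
    "group:secops": ["alice@example.com", "bob@example.com"],
  },

  "acls": [
    // The vendor connector may reach exactly one service on one port.
    // Tailscale ACLs are default-deny, so every other node and port on the
    // tailnet stays unreachable from the vendor side.
    {
      "action": "accept",
      "src":    ["tag:vendor-connector"],
      "dst":    ["tag:app-db:5432"],
    },
    // Customer staff keep full access for running the environment.
    {
      "action": "accept",
      "src":    ["group:secops"],
      "dst":    ["*:*"],
    },
  ],

  // Policy tests are evaluated when the file is saved; a change that would
  // silently widen the vendor's reach fails to apply.
  "tests": [
    {
      "src":    "tag:vendor-connector",
      "accept": ["tag:app-db:5432"],
      "deny":   ["tag:app-db:22"],
    },
  ],

  // Kill switch: removing the first ACL entry, or revoking the connector's
  // node key in the admin console, cuts vendor access immediately and
  // needs no cooperation from the vendor.
}
```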
3 Answers
For our team, A is a big deal because it gives us the assurance that the vendor isn't touching our infrastructure directly. Leadership is much more comfortable with that setup. B could work, but we’d need strict controls like app proxies, customer-managed keys for the agent, and all logs forwarded to our monitoring tools. Without those, it’s generally a no-go for us.
Honestly, I wouldn't allow either option in our environment. We stick to traditional methods like using screen-sharing software for support—no unattended access allowed. If it’s something the vendor runs, it must be hosted externally, away from our systems.
Even with SOC 2, we’d be reluctant to grant access. If it’s something under your control, keep it in your own datacenter. If you need to support us, let our staff handle the tasks via screenshare instead.