BOMForge Infrastructure & Compliance Budget (April 2026)
Researched April 2, 2026. All prices verified against current published rates. Three tiers: Current ($0 MRR), SOC 2 Ready, FedRAMP Ready.
Tier 1: CURRENT (What You Pay Now)
| Service | Plan | Monthly Cost | Notes |
|---|---|---|---|
| Supabase | Pro | $25 | Base price; overages for storage/bandwidth add ~$10-50. Budget $35. |
| Google Cloud Run | Pay-as-you-go (Blaze) | $0-5 | Low-traffic B2B API stays within or near free tier (180K vCPU-sec, 360K GiB-sec free/mo). |
| Firebase Hosting | Blaze (pay-as-you-go) | $0-5 | SPA hosting with minimal bandwidth. Free tier covers 10GB/mo hosting, 360MB/day storage. |
| Firebase Auth | Blaze | $0 | Free up to 50K MAUs. BOMForge is well under this. |
| Vercel | Pro | $20 | $20/seat/mo. Includes $20 usage credit. Single seat assumed. |
| Cloudflare | Free | $0 | DNS, basic CDN, DDoS protection, SSL. Sufficient for current stage. |
| Stripe | Standard | $0 | No monthly fee. 2.9% + $0.30/txn when processing. $0 at $0 MRR. |
| Mercury | Free | $0 | No monthly fees, no minimums. |
| Attio CRM | Free | $0 | Up to 3 users, 50K records, 250 automation credits/mo. |
| Resend | Free | $0 | 3,000 emails/mo (100/day). Sufficient pre-revenue. |
| Google Workspace | Business Starter | $7 | $7/user/mo (annual billing). 1 user (tom@bomforge.com). |
| OpenAI API | Pay-as-you-go | $15-30 | Embeddings: text-embedding-3-small at $0.02/1M tokens. GPT-4o-mini extraction at $0.15/1M input, $0.60/1M output. Moderate usage ~500K-1M tokens/day. |
| Google Gemini API | Pay-as-you-go | $5-15 | Gemini Embedding at $0.15-0.20/1M tokens. Enrichment via Gemini Flash at $0.075/1M input. |
| RTX 5090 GPU box | Owned hardware | $30-50 | Electricity: 575W TDP, ~$0.25/kWh LA rate, ~8hrs/day avg usage = ~$35/mo. Internet ~$0 (bundled). |
| Domain registrations | Various | $8 | ~5 domains at $10-15/yr each. bomforge.com, madeinamericasolutions.com, etc. Amortized monthly. |
| TIER 1 TOTAL | | $110-175/mo | Midpoint estimate: ~$140/mo |
Notes on Current Tier
- Cloud costs are extremely low because BOMForge has zero paying customers and minimal traffic.
- OpenAI/Gemini costs scale with enrichment batch jobs, not user traffic.
- The RTX 5090 box is a sunk cost (hardware paid); only ongoing electricity matters.
- Vercel may be redundant with Firebase Hosting. Eliminating one saves $20/mo.
Tier 2: SOC 2 READY (Add Vanta, Minimal Compliance)
Everything in Tier 1, plus:
| Service | Plan | Monthly Cost | Notes |
|---|---|---|---|
| Vanta | Essentials (SOC 2) | $833 | ~$10,000/yr for startups (1-50 employees). Annual contract, billed upfront or quarterly. Custom quoted. |
| SOC 2 Type II Audit | First-year audit | $1,250 | $15,000 audit fee amortized over 12 months. Audit itself is a one-time annual event. |
| Cloudflare | Pro (upgrade) | $20 | WAF rules, enhanced DDoS, image optimization. Required for SOC 2 security posture. |
| Google Workspace | Business Standard (upgrade) | $14 | $14/user/mo. Adds Vault for retention/eDiscovery, enhanced admin controls needed for SOC 2. |
| Resend | Pro (upgrade) | $20 | SOC 2 requires audit trails on communications. Pro adds dedicated IPs, better logging. |
| Penetration test | Annual | $125 | ~$1,500/yr for a small SaaS app. Required for SOC 2. Amortized monthly. |
| Security tools | Various | $50-100 | Endpoint protection, secrets management, monitoring. Estimate for minimal tooling. |
| TIER 2 ADDITIONS | | $2,312-2,362/mo | |
| TIER 2 TOTAL | | $2,422-2,537/mo | Midpoint estimate: ~$2,480/mo (~$29,760/yr) |
SOC 2 Timeline and Payment Structure
- Vanta: Annual contract. Expect $10,000-15,000/yr. Negotiate startup pricing. Some startups report $8,000-12,000 for first year via YC/accelerator discounts.
- Audit: SOC 2 Type II requires 3-12 month observation window. Budget 6 months from start to report.
- Total first-year all-in: $25,000-35,000 (platform + audit + tools + staff time).
- UPFRONT WARNING: Vanta typically bills annually. The audit is also a lump sum ($12,000-20,000). First month cash outlay could be $22,000-30,000.
Tier 3: FedRAMP READY (Full Government Compliance Stack)
Everything in Tier 2, plus:
Option A: Traditional FedRAMP Low ($250K-500K total)
| Service | Plan | Monthly Cost | Notes |
|---|---|---|---|
| AWS GovCloud | App Runner + S3 + CloudFront | $100-200 | GovCloud pricing is ~20% premium over commercial AWS. App Runner: ~$0.064/vCPU-hr active. S3: $0.0288/GB. CloudFront: minimal at low traffic. |
| 3PAO Assessment | FedRAMP Low-Impact SaaS | $2,917 | $30,000-45,000 assessment. Using $35,000 midpoint amortized over 12 months. |
| FedRAMP Consulting | External consultant | $8,333 | $100,000-150,000 for Low. Using $100,000 amortized over 12 months. |
| Security tooling | SIEM, IAM, encryption | $2,500 | $30,000-50,000/yr for required FedRAMP tooling (SIEM, vulnerability scanning, log aggregation). |
| Penetration testing | FedRAMP-grade annual | $333 | $4,000/yr (upgraded from SOC 2 level). |
| Continuous monitoring | Annual maintenance | $4,167 | $50,000-100,000/yr ongoing. Using $50,000 low estimate. |
| ITAR/DDTC Registration | Tier 1 (small business) | $208 | $2,500/yr with small business discount. Required if handling defense articles. |
| ITAR Consulting | Monthly retainer | $2,500 | $2,500/mo for up to 10 hours expert consulting. Only if defense/ITAR scope applies. |
| TIER 3A ADDITIONS | | $21,058-21,258/mo | |
| TIER 3A TOTAL | | $23,480-23,795/mo | ~$283,000/yr first year |
Option B: FedRAMP 20x Low (New Accelerated Path, Available H2 2026)
| Service | Plan | Monthly Cost | Notes |
|---|---|---|---|
| AWS GovCloud | App Runner + S3 + CloudFront | $100-200 | Same as Option A. |
| FedRAMP 20x tooling | Paramify or similar | $667 | ~$8,000/yr for automated SSP generation + gap assessment. |
| 3PAO Assessment | 20x Low (reduced scope) | $1,667 | Estimated $15,000-25,000 (reduced from traditional). Using $20,000 midpoint. |
| Consulting | Reduced scope | $2,500 | Estimated $25,000-35,000 (reduced from traditional). Using $30,000 midpoint. |
| Security tooling | Same requirements | $2,500 | Same SIEM/scanning requirements apply. |
| Continuous monitoring | Automated (20x native) | $2,083 | Estimated $25,000/yr with automation. |
| ITAR (if applicable) | Same as Option A | $2,708 | Same DDTC + consulting costs. |
| TIER 3B ADDITIONS | | $12,225-12,325/mo | |
| TIER 3B TOTAL | | $14,647-14,862/mo | ~$177,000/yr first year |
Summary Comparison
| Tier | Monthly | Annual | Cash Upfront |
|---|---|---|---|
| Current | ~$140 | ~$1,680 | $0 |
| SOC 2 Ready | ~$2,480 | ~$29,760 | $22,000-30,000 (Vanta annual + audit deposit) |
| FedRAMP Ready (Traditional) | ~$23,600 | ~$283,000 | $150,000-250,000 (consulting + 3PAO + tooling) |
| FedRAMP Ready (20x Low) | ~$14,750 | ~$177,000 | $50,000-75,000 (reduced scope) |
Detailed Pricing Sources (April 2026)
Supabase Pro: $25/mo
Base price. Includes 8GB database, 100K MAUs, 100GB file storage, 50GB bandwidth. Overages: $0.125/GB database, $0.021/GB storage, $0.09/GB bandwidth. Most small production apps pay $35-75/mo with overages.
Google Cloud Run: $0-5/mo (low traffic)
Free tier: 180,000 vCPU-seconds, 360,000 GiB-seconds, 2M requests/mo. Beyond free: $0.000024/vCPU-sec, $0.0000025/GiB-sec, $0.40/million requests. A 10M request/mo API with 400ms latency costs ~$14/mo. BOMForge at current traffic is near $0.
Firebase (Blaze): $0-10/mo
Pay-as-you-go with generous free tier. Hosting: 10GB stored, 360MB/day transfer free. Auth: Free up to 50K phone verifications/mo; email/password auth is free. Firestore: $0.18/100K reads, $0.18/100K writes, $0.26/GB stored.
Vercel Pro: $20/mo per seat
Includes 1TB Fast Data Transfer, 10M Edge Requests, $20 usage credit. Consider dropping if Firebase Hosting covers your SPA needs.
OpenAI API: $15-30/mo estimated
- text-embedding-3-small: $0.02/1M tokens
- text-embedding-3-large: $0.13/1M tokens
- GPT-4o-mini (extraction): $0.15/1M input, $0.60/1M output
- Batch API: 50% discount on embeddings.
At 1M tokens/day embedding + 500K tokens/day extraction = ~$20/mo.
Google Gemini API: $5-15/mo estimated
- Gemini Embedding 001: $0.15/1M tokens ($0.075 batch)
- Gemini Embedding 2 Preview: $0.20/1M tokens
- Gemini 2.0 Flash: $0.10/1M input, $0.40/1M output
- Generous free tier available for low-volume usage.
Cloudflare: Free ($0) or Pro ($20/mo)
Free: Basic CDN, DDoS, SSL, 3 page rules, 5 WAF rules. Pro ($20/mo): 20 WAF rules, 20 page rules, image optimization, enhanced analytics.
Vanta: ~$10,000-15,000/yr
Custom quoted. Essentials plan for SOC 2 starts around $10K/yr. YC and accelerator discounts may bring to $8K-10K. Annual billing required. No monthly option.
SOC 2 Type II Audit: $12,000-20,000
First audit for a small SaaS. Security-only scope is cheapest (~$12K-15K). Adding Availability + Confidentiality trust criteria raises to ~$20K-26K. Recurring annual cost (Type II requires annual re-audit).
FedRAMP Low (Traditional): $250,000-500,000 first year
3PAO assessment: $30,000-45,000. Consulting: $100,000-150,000. Security tooling: $30,000-50,000/yr. Continuous monitoring: $50,000-100,000/yr ongoing. Timeline: 6-12 months traditionally.
FedRAMP 20x Low (New Path, Available H2 2026)
Dramatically reduced from traditional path. Pilot participants have achieved Low authorization in under 2 months. No agency sponsor required. Estimated 50-70% cost reduction from traditional FedRAMP Low. Wide-scale adoption opens Q3 FY2026 (April-June 2026).
AWS GovCloud Premium
~20% premium over commercial AWS across all services. S3: $0.0288/GB (vs $0.024 commercial). EC2 t3.medium: $0.0520/hr (vs $0.0416 commercial). App Runner: ~$0.064/vCPU-hr active, ~$0.007/GB-hr memory. CloudFront in GovCloud has limited edge locations.
ITAR Compliance
DDTC registration: $2,500-3,000/yr (Tier 1, small business discount). Monthly consulting retainer: $2,500/mo (10 hours). NOTE: BOMForge is a data/analytics platform, NOT a manufacturer or exporter. ITAR may not apply unless handling controlled technical data from defense customers. Get a legal opinion before investing here.
Recommendations
Immediate (Current Tier, $0 MRR)
- Stay on free tiers everywhere possible. Current ~$140/mo is lean.
- Evaluate whether both Vercel ($20/mo) and Firebase Hosting are needed. Pick one.
- Keep Attio on free tier until you exceed 3 users or 50K records.
- OpenAI batch API saves 50% on embeddings. Use it for non-real-time jobs.
When to Move to SOC 2 ($10K+ MRR or first enterprise deal)
- Defense/government buyers will ask for SOC 2 before signing contracts.
- Start Vanta 6+ months before you need the report (Type II needs observation window).
- Total first-year cost: ~$25,000-35,000. This is a prerequisite for enterprise sales.
- Having SOC 2 reduces FedRAMP remediation costs by 30-40% later.
When to Pursue FedRAMP ($50K+ MRR or signed government LOI)
- Do NOT pursue FedRAMP before SOC 2. SOC 2 is a stepping stone that reduces FedRAMP costs.
- FedRAMP 20x Low opens for wide adoption H2 2026. This is the path for BOMForge.
- Traditional FedRAMP Low costs $250K-500K. 20x could cut this to $100K-200K.
- Get an agency sponsor or LOI before committing capital. 20x removes the sponsor requirement but having one still helps.
- ITAR: Get a legal opinion on whether BOMForge's data platform triggers ITAR. If you are only providing supplier discovery (not handling controlled technical data or defense articles), ITAR registration may not be required.
Sequencing
- Now: Optimize current tier. Aim for $100-120/mo.
- At first design partner: Start SOC 2 prep. Budget $30K.
- At $10K MRR: SOC 2 report in hand. Begin FedRAMP 20x prep.
- At $50K MRR or government LOI: Execute FedRAMP 20x Low authorization.