Expanding Global Reach With SOC 2 Compliance

How Davra achieved SOC 2 compliance, helping expand its reach in U.S. markets.

Davra is a leading IoT software company empowering businesses to harness the potential of connected devices. Davra’s Application Enablement Platform (AEP) enables businesses to build, deploy, and manage enterprise applications at scale, leveraging the latest IoT and AI technologies. By collecting data from wireless sensors, Davra enables customers to remotely monitor machines, locations, and processes, and provides real-time analytics about asset health, operational efficiency, health and safety, and more.

  • SOC 2

Challenge

With goals including an ongoing expansion into the United States market, Davra knew SOC 2 compliance would be key to its success. Already holding ISO 9001 and ISO/IEC 27001 certifications, Davra saw SOC 2 as a natural progression in strengthening its security and compliance posture.

Having chosen Drata as its compliance platform, Davra needed a SOC 2 auditor who understood how to work within it. Because Sensiba’s Drata integration provided a seamless experience and a cost-effective, modern approach to auditing, Davra ultimately signed with Sensiba.

“The smoothness of the audit and the ease with which everything was completed is what has us coming back to Sensiba for future audits.”

Darragh Glynn, Data and Compliance Manager, Davra

Solution

With deadlines set for its SOC 2 audit (driven by current audit periods ending), Davra began its SOC 2 journey. Having integrations directly with the Drata platform and AI-powered audit tools, Sensiba provided an audit experience that Glynn shared was, “seamless and nothing like we’ve experienced before.”

Davra had originally set out to cover only one of the SOC 2 trust services categories. During the scoping phase, Sensiba found that Davra could add another two without drastically increasing the workload. “Everything was relevant to us as a company, and nothing was neglected,” shared Glynn.

Once the audit was underway, Sensiba’s AI-powered audit technology and team of experienced professionals worked to complete the audit within the deadline. This was achieved, with Davra completing its current SOC 2 in a more seamless and efficient manner than in its past audits.

Result

Having completed its SOC 2, Davra is already seeing the benefits. The report lets Davra demonstrate its commitment to security and continuous improvement, and is key to winning new business and expanding into new markets. Internally, this has created a mature culture, including “clear onboarding procedures, clear training, standards, and being able to expand as a company without people not being on the same page or having silos,” said Glynn.

With SOC 2 completed, Davra plans to continue its expansion within the U.S. and to keep evolving its compliance posture against regulations and standards such as EU cybersecurity law, NIS 2, and others. Having SOC 2 puts Davra in a good position to comply with these new requirements.

For those looking at SOC 2, Glynn shared his advice: “The whole team has to be on board from executive to project teams. It’s a whole business effort. Go slow and build on it.”

Ready to get started?

Find out how our GRC team can help you with your compliance. Contact us to learn more about how we can work together toward your goals.

Ready for more inspiration? Dive into additional client success stories where we showcase diverse projects, innovative solutions, and the transformative impact we’ve had on businesses like yours.

Streamlining SOC 2 and ISO/IEC 27001 Compliance

How Humanforce achieved compliance with multiple standards.

Humanforce, an Australia-founded full human capital management (HCM) suite, supports front-line businesses with their workforce management, talent, human resources, employee benefits and payroll needs. Humanforce aims to make work easier and life better. With a highly regulated Australian labor market, compliance is a core part of its business.

  • SOC 2
  • ISO/IEC 27001

Challenge

Having recently acquired new businesses, Humanforce faced the challenge of completing SOC 2 and ISO/IEC 27001 audits for four different products in its full suite. With all products already having a stance on SOC 2 and ISO/IEC 27001, it was a “natural view to bring it all together and reduce duplication when it comes to the audit work and process,” said Luke Bongiorno, Chief Product & Technology Officer. “But most importantly, we’re in the market talking about a holistic HCM suite, and we wanted to reflect that on the back end.”

When asked about the challenge of merging multiple companies, Bongiorno shared, “We went from a single product company to a multi-product company over the space of two years, and so a huge amount of change. Completing the acquisitions in a compliant way was paramount to us.”

To assist with bringing the audits together, Humanforce enlisted the CyberNinja team. Given the established relationship, beginning work on the current audits was seamless. When it came time to find an audit partner, it was a no-brainer for Humanforce to keep using its current audit partner, Sensiba. “[Sensiba] have been great partners. We’re really happy with the service we’ve received and the work completed,” said Bongiorno.

“We’ve realized incredible value through Sensiba and CyberNinja. I’ve got no hesitation recommending either of the companies to other people looking for help with managing their security and audit initiatives.”

Luke Bongiorno, Chief Product & Technology Officer, Humanforce

Solution

One area where CyberNinja went above and beyond was helping with Humanforce’s compliance automation tool, Vanta.

“CyberNinja managed that for us and provided a lot of governance. We can leverage Vanta for internal and external sharing and radiate the correct information when needed. We also have a complex environment with four different technology stacks. CyberNinja guides all of these.” Whilst combining four products into each audit was a massive undertaking, Bongiorno reflected on the process, commenting that “it was the right decision. It really drove economies of scale.”

Sensiba provided unity and clarity to Humanforce, which allowed the company to complete SOC 2 and ISO/IEC 27001 on the intended deadlines. Sensiba’s remote approach, together with the clear scope, owners, and metrics set from the start, made the whole process ‘game changing’.

Swapnil Jain, Chief Security Advisor, CyberNinja, shared his thoughts on the audit experience. “To make any security and compliance program succeed, leadership commitment is non-negotiable. At Humanforce, the CEO backed it, tech leaders owned it, and HR, Finance and Legal leaned in, so controls weren’t ‘just tech and security’s problem’. Together, CyberNinja and Sensiba turned that alignment into outcomes. Across multiple projects, our partnership has been exceptional, helping our customers achieve and sustain frameworks like ISO/IEC 27001 and SOC 2. We’re grateful to Sensiba for the collaboration. We’re proud of the progress so far and are dedicated to making next year even more successful.”

Result

Having completed its most recent SOC 2 and ISO/IEC 27001 audits, Humanforce has noticed discussions with stakeholders have become easier due to combining the four different security postures. Deal cycles and security reviews have become easier and faster as a result. Internally, Humanforce has a clearer understanding of ownership, fewer handoffs, and proactive monitoring of controls.

All this ultimately leads to a better standing in the market and a consistent story across its brand.

With SOC 2 and ISO/IEC 27001 completed, Humanforce is extending its compliance posture. It has undergone an IRAP assessment for the talent part of the suite and is looking to do this across the whole business. It is also looking into ISO/IEC 27018 and other data privacy requirements in APAC and North America.


SOC 2 Compliance: Building Trust Through Risk Management and Scalable Security

A SOC 2 report opens doors to enterprise deals, satisfies regulatory mandates, reduces due diligence challenges, and reinforces your brand’s integrity while demonstrating your commitment to data security, privacy, and operational excellence.

Download our guide to understand how SOC 2 provides foundational trust that enhances risk management and meets customer and regulatory expectations. You’ll gain insights into:

  • Key elements of strong risk management
  • Effective compliance approaches
  • How SOC 2 and ISO/IEC 27001 compare
  • Compliance timelines and milestones
  • How platforms and technology speed compliance
  • Broader compliance considerations

Claim your copy of our guide SOC 2 Compliance: Building Trust Through Risk Management and Scalable Security today.

SOC 1 and 2 Compliance for Agricultural Tech Company CropTrak

How collaboration streamlined compliance for CropTrak.

CropTrak partners with agricultural and food companies, from seed genetics and growers to harvesters and food companies, to define, document, and manage their entire supply chain digitally. CropTrak’s platform, created to meet the needs of the food and agriculture industry, enhances supply chain integrity and resilience and enables digital contracts and payments for growers with sustainability data capture, verification, and reporting.

  • SOC 1
  • SOC 2

Challenge

Working with some of the world’s leading agricultural and food companies, CropTrak must demonstrate a consistent level of security and privacy. This need, combined with CropTrak’s internal commitment and values, drove its SOC 1 and SOC 2 attestation initiatives.

Having experience with audits, Tommy Zwirblia, Chief Technology Officer, knew the work involved and wanted to reduce the manual processes needed to complete both audits efficiently. This is where compliance automation platform Drata, embedded security provider Com-Sec, and Sensiba came in. “Com-Sec really put me at ease with how the process would unfold, what they would handle, and their overall business model. Knowing we would pay a fixed amount and Com-Sec would guide us through the audit was reassuring,” Zwirblia said.

When selecting an audit firm, Zwirblia wanted a partner who would provide guidance throughout the process.

“What stood out to me was Sensiba’s continuous audit model. You weren’t just purchasing an audit but rather partnering with a team of experienced professionals who were there at every stage of the process.”

Tommy Zwirblia, Chief Technology Officer, CropTrak

Solution

To manage both audits efficiently, CropTrak divided its internal teams to focus its efforts. The finance and HR teams concentrated on SOC 1, while Zwirblia focused on SOC 2.

“We held weekly meetings where I would receive SOC 1 status updates, but Com-Sec worked directly with that team to complete those requirements. Similarly, the SOC 1 team didn’t need to be involved in all the technical details of the SOC 2 work. They just received project updates,” said Zwirblia.

As the external advisor, Com-Sec played a pivotal role in CropTrak’s audits. They reviewed the evidence, identified overlaps between the standards, consolidated requirements, and presented exactly what was needed to each team. This approach allowed CropTrak to provide the correct evidence from the start, rather than going back and forth with multiple parties. Having a single point of contact ensured seamless communication between CropTrak and Com-Sec, and subsequently between Com-Sec and Sensiba.

Once the evidence collection process was completed, Sensiba was able to review relevant controls and address both standards simultaneously, all within the Drata platform. This streamlined process enabled CropTrak to achieve SOC 1 and SOC 2 compliance within its target timelines.

Result

Following this successful audit process, CropTrak has been very satisfied with its control audits and continuous improvement process. CropTrak has engaged Com-Sec as its ongoing vCISO to maintain internal systems and streamline what was previously managed across multiple vendors. They have also partnered with Sensiba as their continuous audit provider.

Zwirblia shared his recommendations for others navigating their compliance journey: “The earlier you begin compliance initiatives, the more manageable they become. It’s optimal to establish policies and procedures from the outset, rather than scrambling to implement them for audit purposes.”

“We’ve worked with many different auditors, and it’s been a pleasure working with Sensiba; they make the process smooth.”

Farbod Fakhrai, CEO, Com-Sec


Building and Expanding Trust Through SOC 2 Attestation

Data platform Lido achieved SOC 2 attestation, strengthening credibility and expanding trust with enterprise clients.

Lido, a next-gen data extraction and automation platform built on top of a spreadsheet interface, combines AI, OCR, and integrations with tools like Google Drive, OneDrive, and email platforms to help teams automate processing invoices, purchase orders, contracts, timesheets, and more–without needing engineers. Lido’s mission is to make automation as easy as working in a spreadsheet, so teams can spend more time analyzing data and less time copying and pasting it.

  • SOC 2

Challenge

Because Lido’s platform handles sensitive business documents such as financial records, contracts, and PII, SOC 2 was essential for Lido to earn and maintain the trust of its enterprise clients.

“Gaining SOC 2 compliance was not about ticking a box but rather showing our customers that we take their data seriously and have the right systems and processes in place to protect it,” said Andres Balcazar, Chief Business Officer at Lido.

After deciding SOC 2 was necessary, Lido quickly discovered they were working with a tight deadline and needed an audit partner who could help them achieve this.

“Sensiba stood out as an auditor that understood modern SaaS businesses and could work in a fast, collaborative, and flexible way. They have a great reputation as an auditor–their stamp of approval matters.”

Andres Balcazar, Chief Business Officer, Lido

Solution

Working with a tight deadline, Balcazar and the team knew a compliance automation platform was needed. Lido ultimately signed with Drata. Having an audit partner who understood Lido’s goals and timeline, and knew how to work within the Drata environment, was important.

From the first call, Sensiba stood out with their speed, transparency, and experience. “They were true partners,” Balcazar said. “We wanted someone who could guide us through our first SOC 2 audit with clarity and support, without slowing down our growth. Their fixed-fee structure and cloud-first approach also matched the way we work.”

The integration between Sensiba and Drata allowed Lido to experience a smooth and streamlined SOC 2 process. Drata’s automation reduced the manual effort required from Lido and made it easy for the Sensiba team to review the evidence. Weekly check-ins and calls from Sensiba kept Lido on track to complete SOC 2 within the deadline.

“Everything was great,” Balcazar said. “Sensiba are great communicators, they get on calls to help us understand tactical next steps, they are patient, and have a great and respected reputation. Just an awesome experience.”

Result

Having completed their SOC 2 audit, Lido is already experiencing the benefits of being able to close more deals and increase overall revenue.

Balcazar and the Lido team would recommend SOC 2 for any company for more than just compliance. It makes any company more trustworthy. “Our advice: don’t wait until the last minute. Use a tool like Drata to streamline the process and choose an audit partner like Sensiba who understands how startups move. Treat it as an investment in your long-term growth,” Balcazar said.

With Type 1 complete, Lido is working toward its Type 2 attestation. They are also expanding their platform capabilities into RPA, document workflow automation, and more advanced AI integrations. Lido’s broader goal is to continue to empower every team to automate manual data work without writing code—securely, reliably, and at scale.


SOC 2 Scope: How It’s Defined

When preparing for a SOC 2 audit, defining the scope is one of the most critical and often-misunderstood elements. Clients frequently ask what “scope” means in this context, and why it matters.

Understanding scope is essential for delivering a meaningful SOC 2 report that meets stakeholder expectations and provides assurance around the systems and services in use. 

Why Scope Matters

Earlier standards like SAS 70 and FRAG 21 were criticized for giving organizations too much flexibility in setting the boundaries of their reports. Companies could highlight what they did well while omitting areas that raised concerns—without having to disclose what was left out or why.

SOC 2 tightened these rules, but the definition of scope remains a key limitation and area of discretion. Ultimately, a SOC 2 report is only as useful as the scope it covers.

What the Report Should Include

At its core, the SOC 2 scope should include the systems and services your customers rely on. That typically means:

  • The software platform or system in use
  • The infrastructure where customer data is processed or stored
  • The teams and processes that support those services

Client agreements often offer helpful insight into what customers depend on, but because SOC 2 reports are designed for a broad audience, they usually exclude highly customized or client-specific services. They also omit anything deemed immaterial to users.

Once the service boundaries are defined, the Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and/or Privacy) must be applied to the relevant systems.

Sub-Service Organizations 

If your service depends on third-party vendors, such as AWS, Google Cloud, or Microsoft Azure, for functions that are relevant to the criteria, those vendors are considered sub-service organizations. They often provide infrastructure, backup, and other key functions your own controls rely on.

You must state in the report how each sub-service organization is treated, using either the inclusive (“carve-in”) method or the carve-out method. Most SOC 2 reports use the carve-out approach, meaning the third party’s controls are excluded from your report, even though your system depends on them. Carving a vendor out does not remove it from the report entirely: the system description still identifies the sub-service organization and the functions it performs, and your own vendor-management controls, such as reviewing the provider’s SOC report and monitoring its performance, remain in scope.

For example, suppose your SaaS platform is hosted on AWS. In that case, their infrastructure controls are critical to your service delivery but are likely not included in your SOC 2 audit unless you explicitly choose to “carve them in.”

SOC 2 Complementary User Entity Controls

Complementary User Entity Controls (CUECs) outline the responsibilities of your customers. Even if a system is fully within the report’s scope, meeting some criteria may depend on end users taking specific actions.

For instance, if your system provides access controls, users are still responsible for managing access rights within their organization. If they fail to do so, it could lead to security breaches, even if your controls are functioning as designed.

The Bottom Line on Scope

Ultimately, management defines the scope of a SOC 2 report. That flexibility allows organizations to align the report with their service offerings and risk profile, but they must disclose the boundaries clearly and fairly. The service auditor then evaluates whether the scope is appropriate and accurately presented.

While organizations can choose to include only some of their services, they cannot “cherry-pick” within a selected service. Once a service is in scope, all relevant components must be included.

Want help defining or optimizing your SOC 2 scope? Contact us to speak with our compliance experts and ensure your SOC 2 report meets the needs of your customers and stakeholders.

Why You Can’t Fully Automate SOC 2 Compliance

A growing number of platforms claim to “automate SOC 2 compliance.” These tools often include system monitoring, security configuration management, policy templates, audit support features, and full-scale governance, risk, and compliance (GRC) platforms.

Many of these solutions are valuable. They can simplify evidence collection, strengthen your security posture, and streamline audit preparation. But here’s the bottom line:

No tool automates SOC 2 compliance fully.

Why SOC 2 Compliance Can’t Be Fully Automated

To understand why, it helps to revisit what SOC 2 compliance means. SOC 2 is based on the 33 common criteria of the Security trust services category, plus, where you choose to include them, the additional criteria for Availability, Processing Integrity, Confidentiality, and Privacy. “Compliance” in this context means demonstrating:

  • Controls are implemented,
  • Designed effectively, and
  • Operating effectively over time (for a Type 2 report).

These criteria are not simple checklists. They aren’t limited to system settings, and they don’t prescribe one-size-fits-all control activities. Most organizations include between 80 and 150 controls in their SOC 2 report, covering a mix of:

  • Technical security measures and configurations,
  • Defined and documented governance processes, and
  • Ongoing monitoring and review practices.

Critically, SOC 2 reports must be issued by an independent CPA firm. That requires having the right controls in place, undergoing an audit, and producing a final report that supports the criteria clearly.

How Does Automation Help Achieve and Issue SOC 2 Reports?

While no tool can “automate” SOC 2 compliance end-to-end, many can support and accelerate the journey. Here’s how:

  • System monitoring tools:  These tools help fulfill criteria under System Operations (the CC7 series) and Logical Access (the CC6 series) by automating security monitoring and audit trail generation.
  • Security configuration management:  Automation helps demonstrate your systems are configured securely and continuously monitored to maintain compliance with technical requirements.
  • Document generation platforms:  Tools that generate baseline policies and procedures can jumpstart documentation for key areas like risk management, incident response, and change management.
  • Compliance assessment solutions:  These platforms assess how your environment maps to SOC 2 requirements, offer guidance for remediation, and prepare supporting documentation for auditors.
  • GRC platforms:  Governance, risk, and compliance tools track your control activities, risks, and documentation, offering a structured way to manage ongoing compliance and support audits.

When combined, these tools can significantly reduce the time and effort involved in preparing for a SOC 2 audit. But technology alone isn’t enough. You still need people to make sense of the data, review logs, respond to incidents, and continuously improve your processes.

Remember that automation is powerful, but it’s not magic. Even the best tools require oversight and integration into your broader governance framework. If your system logs are never reviewed, or your policies are out of date, you’re not truly compliant, regardless of what software you’ve installed.
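The distinction drawn above, between a configuration a tool can verify and an activity a person has to perform and evidence over the whole audit period, can be made concrete in code. The following is an added example written for this page, not a tool or script the page describes. It assumes a constructed identity-provider export and a constructed list of dated sign-offs for a weekly log-review control; the field names, the 10-day tolerance for a weekly control, and the control labels (which borrow the CC6 and CC7 series named in the list above) are all assumptions for illustration.

```python
from datetime import date

# Constructed sample inputs (not real data): a minimal IdP user export and
# the dates on which a reviewer signed off the weekly log review.
USERS = [
    {"login": "alice", "mfa_enrolled": True,  "active": True},
    {"login": "bob",   "mfa_enrolled": False, "active": True},
    {"login": "carol", "mfa_enrolled": False, "active": False},  # deprovisioned
]

LOG_REVIEW_SIGNOFFS = [
    date(2024, 1, 5), date(2024, 1, 12), date(2024, 1, 19),
    # no sign-off recorded between 19 Jan and 9 Feb
    date(2024, 2, 9), date(2024, 2, 16), date(2024, 2, 23),
]

# Assumed audit period for the Type 2 view.
PERIOD_START = date(2024, 1, 1)
PERIOD_END = date(2024, 2, 29)


def mfa_gaps(users):
    """Point-in-time technical check (logical access, CC6 series):
    active accounts without MFA enrolled. An empty result means the
    configuration is right today; it says nothing about the period."""
    return [u["login"] for u in users if u["active"] and not u["mfa_enrolled"]]


def coverage_gaps(signoffs, period_start, period_end, max_gap_days):
    """Type 2 view of a recurring manual control (system operations,
    CC7 series): stretches inside the period longer than max_gap_days
    with no recorded sign-off. Returns [(gap_start, gap_end), ...]."""
    dates = sorted(d for d in signoffs if period_start <= d <= period_end)
    gaps = []
    prev = period_start
    for d in dates + [period_end]:
        if (d - prev).days > max_gap_days:
            gaps.append((prev, d))
        prev = d
    return gaps


def control_report(users, signoffs, period_start, period_end):
    """Summarise both controls the way an auditor would read them:
    the automated check passes or fails; the manual control passes only
    if evidence of operation covers the whole period."""
    report = {}
    missing = mfa_gaps(users)
    report["CC6-mfa"] = "pass" if not missing else "fail: no MFA for " + ", ".join(missing)
    gaps = coverage_gaps(signoffs, period_start, period_end, max_gap_days=10)
    if gaps:
        desc = "; ".join(f"{a.isoformat()} to {b.isoformat()}" for a, b in gaps)
        report["CC7-log-review"] = "exception: no review evidence for " + desc
    else:
        report["CC7-log-review"] = "pass"
    return report


if __name__ == "__main__":
    for control, status in control_report(USERS, LOG_REVIEW_SIGNOFFS,
                                          PERIOD_START, PERIOD_END).items():
        print(f"{control}: {status}")
```

Running it on the constructed data reports the MFA gap for one active account and a three-week stretch with no log-review evidence. The tool can find both, but only a person can enrol the user or perform the missing reviews, and a sign-off created after the fact would not close the exception.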

Our Recommendation: Start With a Readiness Assessment

Our SOC 2 Readiness Assessment tool offers a smart starting point. It helps you evaluate your current state, document your control environment, and identify any gaps. It’s free, tailored to your business and scope, and designed to help you determine where additional tools or support may be needed.

SOC 2 isn’t a box to check—it’s a journey toward building trust. Automation can support that journey, but it can’t take the wheel.

To learn how to streamline your SOC 2 efforts without compromising quality, contact us.

Octopus Deploy Achieves Multi-Standard Compliance

How a software development company streamlined compliance activities using Vanta and Sensiba.

Australian-born software company Octopus Deploy is on a mission to take the panic out of software deployments. Their platform helps developers and companies consistently deploy software features into environments, making it a repeatable and calm process.

  • ISO/IEC 27001
  • SOC 2

Challenge

With the goal to move into the global enterprise space, Octopus Deploy began looking at the requirements of enterprises in Europe and the United States. This involved different compliance standards, and evaluating which ones were considered world-class to these enterprises. It was quickly discovered that ISO/IEC 27001 in Europe and SOC 2 in the United States were going to be key for Octopus Deploy to win clients in each region.

When looking at each framework and the individual requirements, it became apparent there was a lot of overlap between the standards. This resulted in Octopus Deploy’s decision to complete both frameworks. They started with ISO/IEC 27001 and laid SOC 2 over that, with a few additional controls.

With their plan in place, Octopus Deploy started looking for audit firms and the most efficient way to achieve their goal.

“I love the flexibility of Sensiba. The entire team carries the mentality of ‘let’s set the audit over an entire window, but at various points in time, we can shift that window if needed.’ An example of this is that we recently acquired a new company and needed more time to get them onboarded, and that flexibility really helped us. The personalized service Sensiba brings to the table is very nice, and having people in our time zone and supporting local is a huge benefit.”

Jim Burger, Director of Information GRC, Octopus Deploy

Solution

After first hearing about Vanta at a conference, Octopus Deploy’s CEO spoke with Jim Burger, the company’s Director of Information GRC, about using the platform on their compliance journey. Wanting to ensure they had all available information, the team looked at several different platforms, ultimately signing with Vanta.

After working with a traditional audit firm, Octopus Deploy started looking for an audit partner that could meet their agile requirements. “We practice agile delivery ourselves, and there had to be a better way to do this. Because we are a remote-first company, we needed something that was really agile alongside us,” Burger said.

After conducting a search looking for the terms ‘agile’ and ‘audit’ and speaking to Vanta, Sensiba stood out as the preferred audit partner. “I was overjoyed to see that it (Sensiba’s approach) would save us a lot of heartache and pain,” Burger said.

The power of Vanta’s automation, metrics, and dashboards meant that at a glance, the Octopus Deploy team knew where they stood. This was particularly helpful for app/user syncing and the ability to instantly know if something/someone had dropped out of compliance. There was no waiting or manual checking. Couple this with the ability to assign tasks to people directly in the platform, and Vanta proved to be a powerful compliance tool.

“Vanta really just takes the pain out of the ‘how am I going to establish the metrics/framework and address all the audit requirements?’ As a cloud-first, remote-first company, I can’t just go and look at a server rack; we rely on automation and tools that are done properly for these things. The vast array of Vanta integrations achieves this. Nearly everything is already in there.”

Result

Working with a team that could provide agile audits was important to Octopus Deploy, which needed an audit firm that could keep up with them as a cloud-first, remote-first business. While there was a deadline to work toward, Octopus Deploy didn’t know when they would be completely ‘audit ready’, and the flexibility and onboarding into the framework that Sensiba provided around this was immensely beneficial.

For Octopus Deploy, compliance was not another box-ticking exercise but rather an opportunity for a fresh perspective on a hard problem. In achieving compliance, they have not only bettered their systems but can reassure clients that their product is secure.

Octopus Deploy has continued to open doors in the enterprise space and ultimately increase its bottom line. From an internal perspective, the team now considers and uses compliance best practices for decision-making.


AI-Powered Multi-Standard Compliance

How AI-powered audits, driven by experienced auditors, allowed Bayzat to achieve SOC 2 and ISO/IEC 27001 concurrently.

Bayzat is an all-in-one app for HR, payroll, and employee benefits. Bayzat’s localized SaaS platform streamlines HR operations, automates payroll, simplifies expense management, and gives employees mobile-first access to benefits and workplace tools. The company continues to evolve, layering AI across key workflows to unlock real-time insights and operational efficiency.

  • SOC 2
  • ISO/IEC 27001

Challenge

Working with sensitive employer and employee data meant Bayzat already had a high baseline security and privacy posture. To further prove that trust to current and prospective customers, Bayzat looked into different compliance standards. A compliant app would show customers that Bayzat is secure and takes security seriously.

“We wanted to follow the best practice and find ways to improve our security from where we are. There are a lot of clients and prospects seeking information and confidence in our security, and this will make the process shorter and easier for them to have trust in our platform, product, and the company behind that,” said Ahmed Abdelrahman, Chief Technology Officer (CTO) at Bayzat.

With this in mind, the team at Bayzat decided to complete both SOC 2 and ISO/IEC 27001. The bar was set high internally, and the team set out to achieve both standards as soon as possible.

“I did an audit before, and it was a mess, painful, and very long. It was a very pleasant surprise that everything was very smooth and very organized with Sensiba. Thanks to their AI-powered audits and multi-standard approach.”

Ahmed Abdelrahman, Chief Technology Officer, Bayzat

Solution

With the frameworks decided on, Bayzat set out to look for an audit firm that could complete both audits. After considering firms recommended by their compliance automation platform, Drata, and asking around their network, Bayzat was introduced to Sensiba, which stood out as the preferred auditor.

“What stood out for Sensiba was their use of AI that really streamlined the process. It’s very well structured and organized, and we like that. We also liked the monthly continuous model, where we continuously have an auditor so we can easily renew every year, and we don’t have this as an event but rather as a continuous process of compliance,” said Abdelrahman.

Result

Through Sensiba’s AI-powered multi-standard approach to compliance, Bayzat was able to complete its SOC 2 Type 1 & 2 and ISO/IEC 27001 certification concurrently. “It worked amazingly. Both ISO/IEC 27001 and SOC 2 went very smoothly,” said Abdelrahman.

Initial AI review of their SOC 2 controls showed a 56% pass rate, which increased to 88% on the second iteration. Having the AI review scan controls first allowed Bayzat to understand exactly where they stood and what needed their attention. It also helped the Sensiba team direct their focus and really understand the client’s needs.

“It was phenomenal. When you see that you already have 80% of your controls passed, it speeds up the process a lot and gives you fast feedback on the areas you need to focus on,” said Abdelrahman.

The clear, straightforward requests from Sensiba meant uploading the remaining evidence and completing the final controls was “easy for us to understand. For example, if you missed adding something, it asked you to provide this evidence. It was very straightforward. We knew what we needed to do,” said Abdelrahman.

This modern approach to auditing was a delight to the Bayzat team, who had previously gone through long, painful audits. The AI-powered audits and multi-standard compliance meant Bayzat achieved compliance and also felt confident moving into the next stage of compliance with Sensiba.

Having completed SOC 2 Type 1 & 2 and ISO/IEC 27001 certification, Bayzat has its sights set on HIPAA, PCI-DSS, and other industry-specific standards. This will position them to continue to grow globally and improve human resources for employers and employees.

Ready to get started?

Find out how our GRC team can help you with your compliance. Contact us to learn more about how we can work together toward your goals.

Ready for more inspiration? Dive into additional client success stories where we showcase diverse projects, innovative solutions, and the transformative impact we’ve had on businesses like yours.

Communication and Collaboration: The Differentiator of Modern Audit Firms

How CloudHound achieved SOC 2 compliance through a modern approach to auditing SOC 2.

CloudHound delivers enterprise-grade discovery and migration tooling for AWS, providing the clarity, insight, and direction needed to accelerate cloud adoption and reduce infrastructure costs. With deep automated discovery, real-time cost modelling, and intelligent recommendations, CloudHound helps partners streamline migration planning and execution for complex enterprise environments.

  • SOC 2

Challenge

CloudHound works with large, security-conscious enterprises where SOC 2 compliance is required. This led Dr. Aidan Gill, Founder of CloudHound, to pursue third-party assurance and adopt broader security best practices. “The customers I work with require standards compliance to align with their security posture. It’s a fundamental expectation in this space, so making it a priority was essential,” he said.

After confirming that SOC 2 was the expected framework for vendors in the APAC region, CloudHound set its sights on becoming compliant. The goal was to achieve compliance as quickly as possible. “Speed of execution is crucial in building trust and momentum with enterprise customers,” Gill said. Having compliance in place meant he could begin negotiations with key customers and partners.

“Sensiba’s outstanding responsiveness, clear communication, and collaborative approach enabled CloudHound to achieve SOC 2 certification in record time.”

Dr. Aidan Gill, Founder, CloudHound

Solution

CloudHound discovered Sensiba through the Drata Auditor Directory, where their top-rated status immediately stood out. A few key differentiators made the decision to partner with them an easy one.

“Sensiba has the highest rating on the Drata Auditor Directory, and for good reason. I’ve had varying experiences with other third-party vendors, but this process was great. I asked if we could start the same day, and to my surprise, the team said yes. This aligned perfectly with the goals we had for achieving SOC 2, combining high-quality work with the speed of a startup,” Gill said.

Rather than waiting days for answers or dealing with the usual back-and-forth of an audit, CloudHound experienced Sensiba’s modern approach. Built on rapid communication and close collaboration, the process involved responding to questions as they came in with clear, actionable feedback.

“The excellent responsiveness, communication, and collaboration from Sensiba is how we were able to achieve SOC 2 within our deadlines,” Gill said.

Result

While CloudHound has only recently achieved its SOC 2 attestation, it’s already making a significant impact in early customer and partner conversations. In every engagement so far, SOC 2 has been a requirement in continuing commercial discussions.

“These are sensitive environments, and our customers and partners need confidence that we meet the security and compliance standards. That’s where SOC 2 delivers real value, being able to enter these conversations with a formal attestation and a clear commitment to best practices without question,” Gill said.

CloudHound is currently focused on growing its presence in Australia and New Zealand, with plans to expand into global markets. “We have a lot of partners interested in the technology. The goal is to expand into Europe and the U.S. quickly, as this is a global opportunity. We aim to have helped partners and customers analyze many thousands of enterprise servers by the end of the year,” Gill said.

When asked for advice to other startups pursuing compliance, Gill said, “The best way to approach an audit is to be 100% ready before engaging an auditor. Make sure your compliance platform is fully prepared, as starting from a strong position makes the process much smoother.”


How ISO/IEC 42001 Is Changing the Game for AI-First Companies

Nebuly knew achieving ISO/IEC 42001 compliance was integral to their continued commitment to security.

Based in the United States and Italy, Nebuly is a plug-and-play user analytics platform for generative AI chatbots. They’ve cracked the code on improving user engagement with GenAI chatbots by uncovering the nuances hidden in conversational AI interactions. Nebuly’s User Intelligence platform extracts valuable insights from 99% of conversations where users implicitly express their needs and preferences. The platform then turns them into actionable insights to increase user satisfaction.

  • ISO/IEC 42001
  • ISO/IEC 27001
  • SOC 2

Challenge

Nebuly maintains a strong commitment to security and compliance, holding both ISO/IEC 27001 certification and SOC 2 attestation, and wanted to remain at the cutting edge of compliance for its AI-first product. Operating in regions with evolving regulatory landscapes, it was no surprise when customers started asking about responsible AI and the EU AI Act. This led Nebuly to investigate ISO/IEC 42001. “Customers started asking about EU AI Act compliance, we looked into how to approach it, and we identified ISO/IEC 42001 as the practical solution we needed,” said Julien Roux, Co-Founder of Nebuly.

“We think about this as a triangle. We (Nebuly) have the knowledge about the company and our proprietary AI systems, Fairly AI has been very helpful in providing structure in terms of how to prepare for the audit, and Sensiba in conducting the audit itself.”

Julien Roux, Co-Founder, Nebuly

Solution

Having already gone through ISO/IEC 27001 and SOC 2 audits, Roux and the team understood the work required in “preparing for the audit, and that an external partner would be needed.” Because ISO/IEC 42001 is a newer standard, the Nebuly team had to find a partner who already had experience in the space.

Enter Fairly AI. Fairly AI provides automated testing of AI products along dimensions such as fairness, privacy, and security, which helps companies that want to adopt responsible AI practices. “We moved earlier than most companies (Q4 2024), and there were not many companies working on ISO/IEC 42001 back then. When I researched, I could see Fairly AI shaped the space and had real experience,” said Roux.

Fairly AI’s role was instrumental in getting the Nebuly team not only audit-ready but also implementing the findings from the ISO/IEC 42001 audit. “I’d like to praise Fairly AI, because they’ve been instrumental in making this happen. They have been very helpful in providing the structure on how to prepare for the ISO/IEC 42001 audit,” said Roux.

Result

With audit readiness underway, Nebuly began looking for an audit firm to complete the audit itself. Nebuly had already been working with Sensiba for its ISO/IEC 27001 and SOC 2 audits, so adding ISO/IEC 42001 to the mix was a no-brainer for the team.

“We’re a startup, we need to move fast, and when we were looking at ISO/IEC 27001 and SOC 2, we felt that Sensiba’s process aligned with those values. Since we work with big companies, it’s important that we have a reputable auditor. After having a good experience with the other standards and a good relationship with the team, we thought this was the best way to get ISO/IEC 42001 off the ground,” said Roux.

The collaboration and communication between all three teams had an added layer of complexity, with Nebuly’s AI team based in Italy, Fairly AI in Canada, and Sensiba working across global teams. Because the audit process was spread out, all three companies had the chance to collaborate in a way that worked for everyone. Sensiba’s close collaboration and communication meant that if there was ever an issue, it got solved fast. This agile, remote approach meant the time zones didn’t affect the experience or the result.

“We think about this as a triangle. We (Nebuly) have the knowledge about the company and our AI proprietary systems. Fairly AI has been very helpful in providing structure in terms of how to prepare for the audit, and Sensiba in conducting the audit itself,” said Roux.


Taking SOC 2 Type 1 From a Plan to a Possibility

Discover how FactorySense RFID achieved SOC 2 for their asset tracking platform through Sensiba’s AI-powered audits.

If it matters to a company, FactorySense RFID will tag it, track it, and leverage its location to automate otherwise manual business processes. FactorySense RFID is an end-to-end asset-tracking solution provider. Using RFID Digital Twin Technology, FactorySense RFID creates a living digital model of its customers’ factories. This tags and tracks important assets, providing user-friendly, scalable solutions that integrate effortlessly into operational workflows, whether they are tracking tools, products, equipment, or work-in-process. Alongside hardware, they provide software and consulting services for a full-suite RFID solution.

  • SOC 2

Challenge

For FactorySense RFID, a company built around trust and RFID expertise, achieving SOC 2 attestation was essential. “We work with enterprise clients in regulated industries like defense and aerospace, so demonstrating that we have the most robust security controls in place to protect sensitive customer data and critical information is incredibly important to us,” says Neal Lober, founder and CEO at FactorySense RFID.

“Sensiba was really plugged in. They integrated with Drata, used AI technology on the back end, and have auditors who understood our businesses. For us, it was the optimum pairing.”

Neal Lober, Founder and CEO, FactorySense RFID

Solution

Traditionally, the SOC 2 process can be overwhelming. Throw in different time zones and a quick timeline, and this process can go from overwhelming to something that seems impossible. Not for FactorySense RFID, though.

Sensiba’s tech-enabled approach allowed FactorySense RFID to collaborate with an audit firm that understood their business, understood technology, and used technology throughout the audit process. The speed at which SOC 2 was achieved was a testament to the communication and professionalism of the Sensiba team and the way they integrated technology into their practices.

“To put it simply, Sensiba exceeded our expectations when it came to matching our intensity and achieving the goal. I loved their speed, their turnaround and the fact they knew how to communicate with us,” says Lober.

“We were dealing with different time zones, but this honestly worked well. During the European day, the Sensiba team would review evidence and provide clear feedback on any areas that needed attention. When we came online to start the day in the United States, we had a slight cross-over to collaborate if needed, and then we had the rest of the day to action what had been clearly outlined for us. Sensiba then came back online to finalize the relevant items,” Lober said.

What made the most difference to the team at FactorySense RFID was having an auditor who “understood that we needed some flexibility because our customers demanded a tighter security posture, we needed to tighten down in a slightly different way than a traditional software company. There was no resistance from the Sensiba team who really understood what we needed and adapted accordingly,” says Lober.

Result

FactorySense RFID has already seen the impact of its SOC 2 report, having sent it to its customer base. This independently verified commitment further assured customers of FactorySense RFID’s focus on privacy and security. The sales team has also seen the benefits of the SOC 2 report, using it to expedite the sales cycle.

Looking ahead, FactorySense RFID is embarking on its SOC 2 Type 2 journey and planning for ISO/IEC 27001 and other defense-specific standards in the United States. With Sensiba as a continuing strategic partner, FactorySense RFID is poised to push the boundaries of RFID technology.


The New Wave of Audit Technology

How Sensiba’s AI-powered audit reshaped everything Lleverage.ai knew about SOC 2.

Lleverage.ai is the new wave in RPA (robotic process automation) technology. They aim to help companies automate business processes through generative AI. Their platform is based on easy-to-use building blocks and allows the user to automate what once was a series of complex tasks.

  • SOC 2
  • ISO/IEC 27001

Challenge

SOC 2 and compliance weren’t new concepts to Lennard Kooy, founder and CEO at Lleverage.ai, who had been involved in numerous SOC 2 audits in previous software roles.

When asked why Lleverage.ai began the SOC 2 process, Kooy says, “I knew that ISO/IEC 27001 and SOC 2 were enablers to work with bigger clients if you’re a smaller company. And because the processes that we (Lleverage.ai) automate are often proprietary business processes that have proprietary information, we wanted to reassure clients that we are taking this seriously from the start.”

“I’ve been involved in more than 10 audits throughout different roles and this was by far the best experience I’ve ever had. The communication from start to finish and use of technology was fantastic.”

Lennard Kooy, Founder and CEO, Lleverage.ai

Solution

Sensiba’s AI-powered audit technology integrated directly with Drata, allowing for a seamless and efficient audit experience. By providing clear instructions on the different types of evidence and reducing the back and forth, the audit experience measured up to (and exceeded) what Lleverage.ai expected from an audit firm.

Lleverage.ai was able to complete its SOC 2 audit alongside its ISO/IEC 27001 audit, achieving both ahead of schedule. This was possible due to the overlap between the frameworks and the efficiency gained from doing both side by side rather than one after the other.

“From getting audit ready in Drata to assigning Sensiba, and then working through the evidence uploads and controls, it was quite a painless process, and I’m generally happy with it,” Kooy says.

Result

Lleverage.ai has already seen immediate benefits from its SOC 2 audit, having recently signed a client who needed all vendors to have a SOC 2 attestation. They can now use this as a point of differentiation during future sales processes, further proving their commitment to security.

As Lleverage.ai continues to strive for growth, it also has its eyes set on expanding to new frameworks and increasing the scope of its SOC 2 attestation, further proving its security commitment. Alongside expanding its compliance, the company has added new business processes to ensure it continuously meets the SOC 2 requirements.


Preparation Increases SOC 1 Audit Efficiency

By aligning control objectives with key risks, Vector AIS streamlined a SOC 1 audit with Sensiba.

With a commitment to building the next generation of fund administration, Vector offers closed-end fund managers industry-leading technology, top-tier talent, innovative workflows, and a comprehensive suite of integrated fund services.

  • SOC 1 Reports

Challenge

To demonstrate the effectiveness of its internal controls over financial reporting, Vector AIS enlisted Sensiba to conduct a SOC 1 audit. As a service organization, Vector needed to demonstrate it had effective controls in place to safeguard the funds it was managing for clients.

“Our clients want their investors to feel comfortable that we’re taking care of the investments in the funds we service,” says Chief Operating Officer Kristina Dayback. “Having a SOC 1 report helps us demonstrate we’re a trusted service provider.”

Satisfied with two SOC 2 audits Sensiba had previously performed for Vector, the company engaged the firm again and began preparation for the SOC 1 review.

“In any kind of service provider business, the relationship is key. Sensiba helped us focus on the controls that actually make an impact.”

Kristina Dayback, Chief Operating Officer, Vector AIS

Solution

To kick things off, Vector and Sensiba reviewed the audit approach and methodology to ensure Vector understood the goal of the engagement. Next, Sensiba held walk-through meetings with the Vector team to understand the system, identify the controls already in place, and note areas that lacked controls. Finally, Sensiba performed the audit, outlining the required and expected evidence needed from Vector. “They made us feel really comfortable about the process,” says Dayback.

“They outlined the controls they were testing, what they would be looking for, and the best ways to provide the information they’d need. We knew well in advance what we had to do to support their team, and we were confident the audit would be a seamless experience.”

Result

Obtaining a clean audit opinion in the SOC 1 report has helped improve Vector’s position in the marketplace. Vector had two clients that were requesting the firm demonstrate SOC 1 compliance, and Sensiba was able to deliver a report that met those client needs. Working with Sensiba, Vector was also able to complete the audit well ahead of client deadlines. “Clients are looking at this,” says Dayback. “SOC compliance helps legitimize our business offering and lets everyone know we’re a real player in this space, and we take what we do seriously.”

Examining its controls and documentation to prepare for the audit also enhanced Vector’s understanding of its key risks, as well as the steps it has taken to mitigate those exposures. “The process was relatively easy and we’re continuing to see benefits because we established a clear framework from the beginning,” says Dayback.

Dayback recommends that firms approaching a SOC 1 audit invest time to examine the risks first, and then prioritize the controls addressing those risks. “Focus your efforts on the controls that make the most impact. I’ve done other SOC audits, and some vendors made it overly complicated by focusing on all the controls at one time. Start with the critical risks, put the controls around them, and work with your internal teams to ensure the controls align with how they do their job internally.”


Frameworks for CDR Accreditation?

If your organization is exploring opportunities under Australia’s Open Banking framework, the most significant hurdle (in effort and cost) is meeting the Consumer Data Right (CDR) information security requirements outlined in Schedule 2.

To gain accreditation as a CDR data recipient, your systems and processes must satisfy 24 prescribed security requirements. These include multi-factor authentication, data loss prevention, system monitoring, and user access controls. To demonstrate compliance, you’ll need an independent assurance report—typically under SOC 1, SOC 2, or ASAE 3150.

Here’s how to evaluate which report is right for you, and how to make the most of your investment.

Start With What You Have

If your organization already maintains a SOC 1 or SOC 2 report, you’re ahead of the curve. You may be working with frameworks like GS 007, ISAE/ASAE 3402, ASAE 3150 (which aligns with SOC 2 Trust Services Criteria), or AT-105 (the official SOC 2 standard). These frameworks vary slightly in structure and origin but share a common goal: validating that your controls meet specified objectives.

Notably, ISO/IEC 27001 certification—while widely recognized—does not meet CDR accreditation requirements.

Choosing the Right Path to Accreditation

If you don’t currently have a SOC report, the fastest and most cost-effective option may be a one-time ASAE 3150 report tailored to the CDR criteria. However, this type of report has limited utility beyond CDR accreditation.

If you anticipate needing assurance reports for customers or want to streamline future due diligence efforts, investing in a SOC 2 report may offer greater long-term value. Whichever option you choose, be sure the report specifically addresses CDR requirements.

If you already have a SOC report, you may need to expand its scope. For example:

  • SOC 2 reports often align closely with CDR requirements and may need only minor adjustments.
  • SOC 1 reports are less prescriptive and may require more extensive updates.

Either way, extending your existing SOC reporting approach is likely the most efficient path forward.

Three Key Differences With CDR Reporting

CDR compliance introduces a few nuances that differ from standard SOC reporting. These areas require special attention:

1. Scope of Systems

Under Schedule 2, Part 1, CDR requires a clearly defined “CDR Data Environment.” This includes the systems, people, and processes that collect, store, or interact with CDR data.

While traditional SOC reporting starts with the scope of services and associated systems, CDR flips the model: it starts with the consumer data and works outward to define scope. If your current SOC report wasn’t built with this in mind, you may need to expand its boundaries to meet CDR expectations.

2. Carve-In Approach to Third Parties

Standard SOC reports typically use a “carve-out” approach, excluding the controls of third-party service providers. Instead, the focus is on how your organization oversees those providers.

The CDR requires a “carve-in” approach. You must demonstrate all third parties supporting your CDR Data Environment meet the same stringent security standards. Cloud infrastructure providers like AWS, Microsoft, and Google typically meet this requirement with their own SOC reports.

However, challenges may arise with vendors that don’t offer SOC reports—such as certain software developers, IT service providers, or data center operators. In these cases, ISO/IEC 27001 or similar certifications are not considered sufficient under CDR, which may require a more thorough evaluation of your third-party risk strategy.

3. Prescriptive Control Requirements

CDR is unique in that it prescribes specific control activities. For example, it mandates multi-factor authentication across all in-scope systems. This contrasts with traditional SOC reporting, which allows more flexibility in how organizations meet control objectives.

To satisfy CDR, your report must directly align with each of these specific requirements.

CDR Compliance Extends Beyond Information Security

While Schedule 2, Part 2, is often the most challenging and costly piece of the CDR framework, it’s not the only requirement. To achieve full accreditation, organizations must also:

  • Maintain adequate insurance coverage
  • Uphold strong privacy practices
  • Honor consumer privacy rights
  • Define and govern the CDR Data Environment
  • Establish oversight and monitoring mechanisms

Some of these may already be addressed in your existing SOC report. Others will require additional planning and documentation.

Tailoring Your Approach

Achieving CDR accreditation requires a strategic, prescriptive approach to assurance. Whether you pursue a SOC 1, SOC 2, or ASAE 3150 report, your selected framework must fully address CDR’s rigorous security requirements.

For many, the best path is building on an existing SOC reporting process—updating its scope and controls to align with CDR expectations. If starting from scratch, carefully weigh the value of a report tailored solely to CDR against the broader benefits of a SOC 2 that can support future business needs.

To evaluate the best approach for your organization’s CDR accreditation strategy, contact us. We’re here to help you align compliance with opportunity.

Sensiba and Drata’s Audit-Led Compliance Program

How ProxyLink achieved audit readiness and SOC 2 Type 1 with the support of Sensiba and Drata’s Audit-Led Compliance Program.

Every day, customers are delegating more customer support tickets to third parties (a.k.a. “proxies”). That’s where ProxyLink comes in. As masters of third-party customer experience, they make this process more efficient and streamlined. ProxyLink participated in Sensiba and Drata’s Audit-Led Compliance Program to achieve its SOC 2 report. We sat down with John Walter, Founder and CEO at ProxyLink, to chat about his experience.

  • SOC 2

Challenge

For those beginning the SOC 2 journey for the first time, the process can be overwhelming as they consider different software vendors, auditors, and more. This was no different for John Walter from ProxyLink, who found navigating the vast array of options challenging.

After choosing Drata as their compliance platform, the ProxyLink team was introduced to Sensiba as the team’s audit firm. “Having Sensiba integrated into the process was a necessary prerequisite for me choosing to become a customer of Drata,” shared Walter.

“I honestly don’t know how a company going through SOC 2 for the first time can accomplish compliance on Drata without a consultant like Sensiba.”

John Walter, Founder and CEO, ProxyLink

Solution

After meeting with Sensiba and Drata, it was clear that the Audit-Led Compliance Program was perfect for ProxyLink’s needs. The program provides a step-by-step guide to the controls needed for SOC 2 and how to satisfy them, as well as upfront access to the audit team. Having these was a “game-changer” for ProxyLink.

The program made the high expectation for data security clear and provided a clear path that helped ProxyLink and Sensiba complete the required tasks. “I truly felt like they (Sensiba) were by my side the whole time,” Walter said.

Result

By enrolling in the Sensiba and Drata Audit-Led Compliance Program, ProxyLink was able to complete audit readiness ahead of schedule, followed by its SOC 2 Type 1 report within deadlines.

“If you are going through this process, I recommend starting your journey by contacting Sensiba. I feel very lucky to have met them,” said Walter.
