How Turtlemint Built Security-Aligned Compliance Management with Sprinto

Turtlemint is a full-stack fintech solution for distributing insurance products across categories like health, life, and motor. The company provides onboarding, certification, transaction processing, marketing tools, and commission management for agents, and a SaaS-based distribution solution to the regulated finance sector.

<1 year from control implementation to SOC 2 Type 1 with zero exceptions
1500+ employees and devices monitored 24×7 on Sprinto
2 SOC 2 audits (Type 1 and Type 2) passed with a clean report
Before Sprinto vs. after Sprinto

Before Sprinto: With 1500+ employees across offices and the field, all carrying different levels of data access, setting the right access boundaries and securing infrastructure manually would have been tedious and time-intensive.
After Sprinto: All people systems, cloud services, and critical infrastructure were connected through Sprinto’s native integrations, with 1500+ employees and devices now monitored continuously through Sprinto’s integrated MDM.

Before Sprinto: Coordinating compliance tasks, gathering audit evidence, and monitoring people, processes, and technology manually was not a sustainable path forward.
After Sprinto: Evidence was collected automatically throughout the ~6-month observation period. Both SOC 2 Type 1 and Type 2 cleared without exceptions, producing clean reports.

Before Sprinto: SOC 2 was a new mandate for Turtlemint. The organization needed a compliance partner who could speak their language and simplify the process in their specific context.
After Sprinto: Working with Sprinto’s certified experts, Turtlemint scoped SOC 2 across 3 TSCs and closed gaps in MFA, encryption, backups, and access controls. Turtlemint is now expanding to ISO 27001 at nearly half the effort.
“We wanted to get SOC 2 compliant to build trust in our space. But getting our house in order was equally important to us. We wanted confidence that we’re doing things right.”

– Swapnil Gawas
VP of Engineering, Turtlemint

“We were able to centrally manage all the aspects of our SOC 2 program, with everything being a few clicks away. The visibility made a real difference in our preparedness.”

– Swapnil Gawas
VP of Engineering, Turtlemint

Introduction

As a leader in fintech and insurtech, Turtlemint needed to demonstrate a credible security posture to existing clients and to unblock new enterprise deals, making SOC 2 a high priority. But the compliance objective extended beyond producing a report. As Swapnil Gawas, VP of Engineering at Turtlemint, put it: “We wanted to get SOC 2 compliant to build trust in our space. But getting our house in order was equally important to us. We wanted confidence that we’re doing things right.” That dual objective, building genuine trust while establishing real operational discipline, shaped every decision that followed.

The Problem

With over 1500 employees working across offices and in the field, each carrying different levels of access to sensitive data, Turtlemint faced a structural challenge at scale. Establishing the right access boundaries and securing infrastructure across that workforce, without a platform to orchestrate the effort, would have been tedious and time-intensive. Coordinating compliance tasks, gathering audit evidence, and monitoring people, processes, and technology through manual effort was not a sustainable path forward.

Turtlemint recognized that a platform-centric approach was the only way to bring genuine order to the program. Because SOC 2 was a new mandate for the organization, choosing the right partner mattered as much as choosing the right technology. As Swapnil Gawas explained: “It was important to us that the compliance partner we chose could speak our language and simplify compliance so we could understand it in our context. That’s why we went with Sprinto.” The combination of certified expert guidance and an automated platform gave Turtlemint the confidence to move forward on both fronts at once.

The Solution

Turtlemint began by working with Sprinto’s certified experts to define compliance scope and map a structured path to SOC 2 readiness across 3 TSCs. To establish a solid foundation, Turtlemint connected its people systems, cloud services, and critical systems through Sprinto’s native integrations, creating a centralized view that served as the basis for control implementation and automated tracking. After establishing that foundation, Turtlemint turned its attention to closing specific infrastructure gaps: MFA enforcement was tightened, data encryption and backup coverage were strengthened, and access controls were sharpened.

Turtlemint also classified code repositories, deployed vulnerability scanners, and put branch monitoring in place through Sprinto. To address risk management, Turtlemint used Sprinto’s risk register and vendor risk assessment module to score and systematically mitigate risks across the environment. On the policy and training side, Turtlemint used Sprinto’s pre-built policy templates as a starting point to build its organizational policies and security training program, with automated nudges driving acknowledgment and completion rates across the workforce.

For device management, Turtlemint enforced encryption, screen lock, and antivirus across endpoints through Sprinto’s integrated MDM, keeping 1500+ employees and devices monitored continuously. That foundation supported a clean audit outcome: Turtlemint passed SOC 2 Type 1 within a year of control implementation, with zero exceptions. The program then entered Type 2, beginning a ~6-month observation period during which Turtlemint automatically collected evidence through Sprinto and received escalating alerts for any at-risk controls.

The Type 2 audit concluded without exceptions, producing a clean report. As Swapnil Gawas noted: “We were able to centrally manage all the aspects of our SOC 2 program, with everything being a few clicks away. The visibility made a real difference in our preparedness.”

Impact

Clearing both SOC 2 audits without exceptions marked a meaningful shift in how compliance is embedded across Turtlemint’s operations. Turtlemint now has a continuous monitoring layer through Sprinto, keeping risks visible and surfacing what needs attention without disrupting day-to-day work. Compliance now carries an underlying logic of data security, supported by a structure and toolset that sustains ongoing goals at scale.

With that foundation in place, Turtlemint is pursuing ISO 27001 through Sprinto’s Common Controls Framework, building on existing controls at nearly half the effort, while simultaneously progressing a SOC 2 audit for a sister entity. As Swapnil Gawas reflected: “We’ve not just gotten better at managing compliance but we’re also more proactive about it now. The best practices we’ve instilled, supported by Sprinto, have made data security an integral part of how we do things.”

Industry type

Fintech / insurtech (insurance distribution)

Employees

1500+

Regions

India

Modules used

Continuous monitoring, risk management, policy management, access control

Frameworks used

SOC 2 (AICPA)