– Swapnil Gawas
VP of Engineering, Turtlemint
Introduction
As a leader in fintech and insurtech, Turtlemint needed to demonstrate a credible security posture to existing clients and to unblock new enterprise deals, making SOC 2 a high priority. But the compliance objective extended beyond producing a report. As Swapnil Gawas, VP of Engineering at Turtlemint, put it: “We wanted to get SOC 2 compliant to build trust in our space. But getting our house in order was equally important to us. We wanted confidence that we’re doing things right.” That dual objective, building genuine trust while establishing real operational discipline, shaped every decision that followed.
The Problem
With over 1500 employees working across offices and in the field, each carrying different levels of access to sensitive data, Turtlemint faced a structural challenge at scale. Establishing the right access boundaries and securing infrastructure across that workforce, without a platform to orchestrate the effort, would have been tedious and time-intensive. Coordinating compliance tasks, gathering audit evidence, and monitoring people, processes, and technology through manual effort was not a sustainable path forward.
Turtlemint recognized that a platform-centric approach was the only way to bring genuine order to the program. Because SOC 2 was a new mandate for the organization, choosing the right partner mattered as much as choosing the right technology. As Swapnil Gawas explained: “It was important to us that the compliance partner we chose could speak our language and simplify compliance so we could understand it in our context. That’s why we went with Sprinto.” The combination of certified expert guidance and an automated platform gave Turtlemint the confidence to move forward on both fronts at once.
The Solution
Turtlemint began by working with Sprinto’s certified experts to define compliance scope and map a structured path to SOC 2 readiness across three Trust Services Criteria (TSCs). To establish a solid foundation, Turtlemint connected its people systems, cloud services, and critical systems through Sprinto’s native integrations, creating a centralized view that served as the basis for control implementation and automated tracking. After establishing that foundation, Turtlemint turned its attention to closing specific infrastructure gaps: MFA enforcement was tightened, data encryption and backup coverage were strengthened, and access controls were sharpened.
Turtlemint also classified code repositories, deployed vulnerability scanners, and put branch monitoring in place through Sprinto. To address risk management, Turtlemint used Sprinto’s risk register and vendor risk assessment module to score and systematically mitigate risks across the environment. On the policy and training side, Turtlemint used Sprinto’s pre-built policy templates as a starting point to build its organizational policies and security training program, with automated nudges driving acknowledgment and completion rates across the workforce.
For device management, Turtlemint enforced encryption, screen lock, and antivirus across endpoints through Sprinto’s integrated MDM, keeping 1500+ employees and devices monitored continuously. That foundation supported a clean audit outcome: Turtlemint passed SOC 2 Type 1 within a year of control implementation, with zero exceptions. The program then entered Type 2, beginning a ~6-month observation period during which Turtlemint automatically collected evidence through Sprinto and received escalating alerts for any at-risk controls.
The Type 2 audit concluded without exceptions, producing a clean report. As Swapnil Gawas noted: “We were able to centrally manage all the aspects of our SOC 2 program, with everything being a few clicks away. The visibility made a real difference in our preparedness.”
Impact
Clearing both SOC 2 audits without exceptions marked a meaningful shift in how compliance is embedded across Turtlemint’s operations. Turtlemint now has a continuous monitoring layer through Sprinto, keeping risks visible and surfacing what needs attention without disrupting day-to-day work. Compliance now carries an underlying logic of data security, supported by a structure and toolset that sustains ongoing goals at scale.
With that foundation in place, Turtlemint is pursuing ISO 27001 through Sprinto’s Common Controls Framework, building on existing controls at nearly half the effort, while simultaneously progressing a SOC 2 audit for a sister entity. As Swapnil Gawas reflected: “We’ve not just gotten better at managing compliance but we’re also more proactive about it now. The best practices we’ve instilled, supported by Sprinto, have made data security an integral part of how we do things.”
Fintech / insurtech (insurance distribution)
1500+
India