Building compliance excellence: How Fresha operationalized compliance using Sprinto

London-based Fresha is the leading marketplace platform for beauty and wellness, trusted by millions of consumers and businesses worldwide. Its software lets consumers discover, book, and pay for appointments with local businesses on its marketplace. Beauty and wellness businesses and professionals use Fresha to manage their entire operations, with an intuitive subscription-free business software and financial technology solution.

Key requirements

  1. Right-sizing compliance to minimize engineering effort 
  2. Automation to tear down silos and minimize friction

A layered security program built on the common control frameworks, mapping the overlapping controls across ISO 27001, HIPAA, and GDPR so that redundant work and unnecessary edge cases could be removed, supported by continuous, automated testing.

Frameworks: ISO 27001, HIPAA, GDPR

Location: UK

Time to ISO 27001, HIPAA, and GDPR compliance: 3 months


Integrating compliance without interrupting the business

To operationalize its ISO 27001, HIPAA, and GDPR compliance programs, Fresha had to work out how the requirements of several frameworks could be incorporated and audited without disrupting its operating workflow. “We’re performance-oriented, and my job is to remove performance blocks, prioritize tasks, and plan engineering deliverables in a way that results in optimal performance,” notes the spokesperson for Fresha. “But achieving compliance is a lot of collaborative work.”

Our resources are best spent implementing solutions, setting things up, operationalizing IT for performance, and managing it. This is where tooling is effective: it can take on the day-to-day running of compliance.

IT operations are notoriously patchy. Introducing another system to the mix invites disruption, which Fresha’s leadership wanted to avoid at all costs. “Organizations don’t think about this enough. It’s easy to fall into the trap of doing everything, often unnecessary things. As I see it, compliance is about doing the right things,” the spokesperson observes, “and we were clear we wanted to make it the easiest right thing for our people.”

Applying the Braithwaite triangle

Meticulously extracting data, validating systems, and capturing evidence is a tedious process prone to errors. Examining existing operations to identify where they are weak is the starting point for doing this efficiently. Fresha’s spokesperson refers to this as a “contextualizing” exercise. “Compliance isn’t just about publishing policies; it’s about modifying behaviors to impact the organization positively.”

Fresha decided to separate compliance into tasks, people, and company by applying the Braithwaite triangle — an academic model for devising strategies for maximum responsiveness. “By defining clear compliance objectives, assigning tasks to everyone, and making sure team leaders were championing compliance to the rest of their teams, we could simplify compliance and eliminate a lot of the friction. This way, even the most cynical and skeptical people could do their part without breaching deadlines.”

The pursuit of excellence is ingrained in Fresha’s DNA. This value influenced how Enrique Cano, Fresha’s VP of Security and Compliance, and Tomasz Werema, Fresha’s Security, Risk & Compliance Specialist, operationalized the organization’s ISO 27001, HIPAA, and GDPR compliance programs. “Friction-free is a fundamental principle,” they explained. “We constantly strive to simplify and streamline processes for everyone. Even when addressing security questionnaires from potential clients from different markets, our aim is to meet these requirements as efficiently as possible.”

“In fact, most [security] questionnaires that came my way asked for things ISO 27001 covers anyway. It was only a matter of pushing the pedal to get our certification done so that we could skate through these reviews without burdening engineering.”

We have over 100,000 partners using Fresha every day. We process a lot of personal data, and we want to make sure customers can trust us with that information.

Organizing compliance with Sprinto

To accelerate compliance efforts, Fresha turned to Sprinto. “The moment we saw it, we were extremely impressed—we knew that this was exactly the tool Fresha needed to help us handle compliance,” recounts Fresha’s spokesperson.

Fresha prioritized a tool that could seamlessly integrate with their existing tech stack. They note, “Integrations mattered. We wanted to automate as much as possible so people don’t know this is even happening.”

Fresha also aimed to optimize for effort. “We want to right-size compliance by only making changes that would help us meet compliance. After all, we were doing this to optimize our business, not to constrain it.”

In Sprinto, Fresha found an action-oriented program manager.

Sprinto felt like painting by numbers. The ability to see how you are improving and get feedback when you make a change or do something makes it all the more easy.

Once plugged into Sprinto, Fresha could clearly see every task needed to satisfy the controls of its chosen frameworks. The first of these, security training for 330+ employees and the publication of over 30 new policies, were run as campaigns directly within Sprinto. “We launched a targeted training campaign on Sprinto and completed training for everyone in under 4 weeks!”

The biggest challenge is motivation and encouragement — how do you get people to do their part for compliance? Automated nudges definitely help.

As the PeopleOps-related compliance tasks were set in motion, Fresha shifted its focus to access management. The access control module in Sprinto gave Fresha a framework for managing access to critical systems and maintains an audit log of all related events. “This helps us see who’s playing by the rules and who’s not,” shared Fresha’s spokesperson. “In fact, Sprinto gave us a model for designing roles. We reverse-engineered all roles and access rules and updated our Notion database to paint a clear picture of how everything connects. Auditors want to see the process down to the tickets, and now, with Sprinto, everything is clearly logged.”
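As an added illustration of what the access review described above looks like in practice (this is example code written for this page, not Sprinto's or Fresha's), the following Python reconciles an export of observed grants against a role model and an HR roster, all three constructed here as sample data with hypothetical system and ticket names. It emits the exceptions an auditor would ask about: accounts unknown to HR, offboarded users who still hold access, out-of-role grants with no approval ticket, and approved exceptions older than a review window.

```python
"""Access-review reconciliation: observed grants versus a role model.

Illustrative example added for this page; not Sprinto's or Fresha's code.
Every role, user, entitlement and ticket below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Role model: the entitlements each role is permitted to hold (hypothetical names).
ROLE_MODEL = {
    "engineer": {"github:write", "aws:readonly", "notion:edit"},
    "sre": {"github:write", "aws:admin", "notion:edit", "pagerduty:oncall"},
    "support": {"zendesk:agent", "notion:edit"},
}

# HR system of record: each person's role and whether they are still employed.
USERS = {
    "alice": {"role": "engineer", "active": True},
    "bob": {"role": "sre", "active": True},
    "carol": {"role": "support", "active": True},
    "dave": {"role": "engineer", "active": False},  # offboarded
}


@dataclass
class Grant:
    """One observed entitlement exported from a target system."""
    user: str
    entitlement: str
    granted_on: date
    ticket: Optional[str] = None  # approval ticket for out-of-role access


# Constructed export of live grants, one row per (user, entitlement).
GRANTS = [
    Grant("alice", "github:write", date(2023, 1, 10)),
    Grant("alice", "aws:readonly", date(2023, 1, 10)),
    Grant("alice", "aws:admin", date(2023, 7, 1), ticket="ACC-102"),   # approved, recent
    Grant("bob", "aws:admin", date(2023, 1, 12)),
    Grant("bob", "github:write", date(2023, 1, 12)),
    Grant("bob", "zendesk:agent", date(2023, 2, 1), ticket="ACC-88"),  # approved, but old
    Grant("carol", "zendesk:agent", date(2023, 2, 1)),
    Grant("carol", "aws:readonly", date(2023, 3, 15)),                 # no ticket at all
    Grant("dave", "github:write", date(2022, 11, 1)),                  # offboarded user
    Grant("mallory", "aws:admin", date(2023, 4, 1)),                   # unknown to HR
]


@dataclass
class Finding:
    kind: str
    user: str
    entitlement: str
    detail: str


def review_access(role_model, users, grants, today, exception_max_days=90):
    """Return the list of grants that fall outside the role model.

    A grant is acceptable only if the user exists, is active, and the
    entitlement is in their role; out-of-role grants need an approval ticket
    that is not older than exception_max_days.
    """
    findings = []
    for g in grants:
        user = users.get(g.user)
        if user is None:
            findings.append(Finding("orphan_account", g.user, g.entitlement,
                                    "user not present in HR system"))
            continue
        if not user["active"]:
            findings.append(Finding("offboarded", g.user, g.entitlement,
                                    "user is no longer active but still holds access"))
            continue
        if g.entitlement in role_model.get(user["role"], set()):
            continue  # within role: nothing to report
        if g.ticket is None:
            findings.append(Finding("out_of_role", g.user, g.entitlement,
                                    f"not permitted for role '{user['role']}' and no approval ticket"))
        elif (today - g.granted_on).days > exception_max_days:
            findings.append(Finding("stale_exception", g.user, g.entitlement,
                                    f"ticket {g.ticket} is older than {exception_max_days} days; re-approve or revoke"))
    return findings


def run_review(today_iso: str):
    """Run the review against the sample data; returns sorted (kind, user, entitlement)."""
    findings = review_access(ROLE_MODEL, USERS, GRANTS, date.fromisoformat(today_iso))
    return sorted((f.kind, f.user, f.entitlement) for f in findings)


if __name__ == "__main__":
    for f in review_access(ROLE_MODEL, USERS, GRANTS, date(2023, 9, 1)):
        print(f"{f.kind:16} {f.user:8} {f.entitlement:16} {f.detail}")
```

Each finding maps back to a ticket or its absence, which is the evidence trail the spokesperson says auditors ask for; running it on every export turns an annual access review into a check that can be repeated on each change.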

Additionally, Sprinto’s change management capabilities helped Fresha identify exceptions at the code level and adjust the scope of compliance accordingly. The vendor management module let Fresha structure, evaluate, and score its vendors for risk. Fresha added, “The dots are clearly connected: what’s critical and what’s necessary to operate within the strict confines of compliance and controls, it’s all right there.”

Now it’s easy to get everyone to do the right thing.

To the finish line in 3 months

Fresha achieved compliance and audit readiness in three months.

We accelerated to completion in a matter of weeks.

Using Sprinto’s automation and its connectors into the existing tech stack, Fresha built a unified view of assets, risks, and controls and set up automated tests that validate its compliance status on a regular schedule.

Sprinto reports now give Fresha a summary whenever compliance status drops below 100%, listing the tasks that need to be completed to close the gap.

“Sprinto provides a lot more guidance and better visibility. Our IT team now has a clear protocol for everything, including provisioning access,” their spokesperson shares.

Compliance is rarely about adding more. It is mostly about improving what you already do for security. Sprinto removes complexity and eliminates unnecessary edge cases so you can do compliance as it is intended: to improve your operations.