How Makeforms achieved compliance with 11 security frameworks at half the cost

Makeforms is an AI-powered data collection and management tool for organizations to build secure forms and custom workflows. With industry-agnostic use cases that run the gamut from healthcare and finance to F&B and manufacturing, and managing data from across 5 continents, Makeforms prioritizes security and data privacy for its users.

Key requirements

A cost-effective means to ensure compliance with required frameworks, enhance security and privacy, and take over day-to-day infosec housekeeping

A unified platform built on a common controls framework to efficiently launch and manage compliance across multiple programs simultaneously, supported by a wealth of out-of-the-box tools and capabilities to streamline the process.

soc2 logo


ISO 27001







Australian DPA and three more



Cost savings


Less effort to close compliance gaps


Frameworks in the bag

Ready to get started?

The challenge – Instilling strong fundamentals while optimizing for cost

With over half a decade of experience building global SaaS offerings, Partik Ghela, founder of Makeforms, understood the importance of having compliance baked into your product from the get-go. 

“With the prevailing SaaS mentality of ‘build fast and break fast’ your product can feel like it’s cobbled together. So, if your client comes to you three months into implementation and asks for compliance, integrating it into a product built with this approach is incredibly difficult,” remarks Pratik. 

In order to instill strong security fundamentals and pre-empt client concerns in a potential partnership, Pratik decided to take a holistic and practical approach to compliance, which would give the product an edge in the market. 

To wet their toes, the team at Makeforms decided to start with the HIPAA framework, as compliance with HIPAA guidelines was crucial to entering the US healthcare sector. 

After an initial consultation with a HIPAA compliance specialist left them frustrated by high prices and high effort, Pratik and the Makeforms team began evaluating GRC tools. To them, these tools offered the promise of quick implementation and compliance with multiple frameworks, but unfortunately, most common tools, including Drata and Vanta, exceeded their budget.

Two things attracted Pratik to Sprinto: its competitive pricing and the user-friendly interface.

I’m a product guy myself, so it was two things with Sprinto – we got a good UI at a good budget, so we went for it!

The Solution – Leveraging a strong foundation to achieve multi-framework compliance

Having thoroughly researched several frameworks during the evaluation phase, the Makeforms team knew that robust security guardrails and operational practices were foundational for a strong compliance posture. 

“Data sovereignty is pretty big for our product. We researched multiple frameworks that would strengthen this value. We found out that there’s a lot in common between frameworks like HIPAA, SOC 2, and ISO, such as data integrity measures, access controls, and more,” shares Pratik.

After speaking with the Sprinto team and taking on their suggestion to bundle GDPR, ISO 27001, and SOC 2 with HIPAA, the Makeforms team onboarded the platform and dove into basic hygiene. 

Right off the bat, Sprinto’s Common Control Framework (CCF) proved crucial. This key feature utilizes existing framework-mapped controls to assess an organization’s potential compliance with new frameworks, highlighting any gaps that may exist.

Once they connected their assets to Sprinto and activated relevant compliance frameworks, the Makeforms team could quickly identify control gaps and configuration inconsistencies. They tackled these issues head-on, implementing minor fixes like enabling automatic system lockouts and multi-factor authentication on various systems and assigning clear ownership for each control.

Sprinto’s out-of-the-box policies, security training modules, and built-in MDM tool, Dr. Sprinto, streamlined and expedited the people-centric portion of compliance, a task that’s typically cost and time-intensive. 

Pratik compares Sprinto to how a consultant would do it, remarking, “The consultant we spoke to quoted a minimum of $1200 and a week’s work just for security training, not including travel and accommodation. With Sprinto, the cost was cut in half, and the whole process was one and done. We started reporting devices at around 10 a.m. one morning, which took an hour, and within the next two hours, we finished going through the policies and completed the training.” 

Sprinto’s built-in risk assessment and continuous monitoring features were key in streamlining the identification and management of various asset-level risks for Makeforms. Pre-defined benchmarks within the platform ensured objective assessments of risk likelihood, severity, and impact. By assigning risk to individual owners directly on the platform, the Makeforms team could rest assured that risk scores and treatment plans couldn’t be changed without proper approval. 

“Based on the type of data we collect, Sprinto’s risk assessment module tells you if it poses low, medium, or high risk. If I had to do this identification based on my judgment, there might be problems,” says Pratik. 

With Sprinto’s continuous compliance monitoring, the Makeforms team could track controls on an ongoing basis. Automated evidence collection reduced their overall workload and freed them from tedious tasks that could have slowed audit preparation.

Sprinto’s support team was also pivotal in helping the Makeforms team accelerate their compliance journey by systematizing the entire process.

Our CSM set up a weekly cadence for us to ensure consistent and quick progress. A lot of GRC tools promise to get you compliant in 2-4 weeks, but this is contingent on you putting in a lot of effort, which wasn’t possible for us as a small, busy team. With Sprinto, this became a reality with minimal effort.

Gamifying compliance to maximize coverage

As Makeforms began approaching 100% compliance with SOC 2, ISO 27001, GDPR, and HIPAA on the Sprinto dashboard, they noticed they were also making progress on other frameworks. 

“We started with four frameworks initially, and while using the Sprinto dashboard, we saw that we’re also 65% compliant with PIPEDA and the Australian DPA, so we asked our CSM if we could go ahead with those frameworks as well since we’re already semi-compliant. From there, it became an obsession for us!” Pratik exclaims. 

Sprinto’s CCF played a crucial role in helping the Makeforms team efficiently scale up their compliance coverage.

“ A quick look at the dashboard showed us our compliance levels with over 20 frameworks and the controls we needed to fix to get fully compliant with each one,” says Pratik. 

Sprinto’s CCF illuminated the gaps and overlaps for each framework so the team could steadily work towards filling these gaps and achieving multi-framework compliance. 

“The platform basically gamified compliance for us. It showed that we were 74% compliant with ISO 27017, 70% compliant with NIST CSF, and so on, and we figured that once we’ve crossed that 70%, the remaining 30% isn’t a big deal. It was like unlocking levels, very satisfying and empowering.” 

With the robust controls baseline established with Sprinto, Makeforms could efficiently and effectively ensure compliance with 7 additional frameworks in addition to ISO 27001, GDPR, HIPAA, and SOC 2.

“Sprinto kept giving us more and more. It was a combination of the right time and the right platform; that’s how we were able to unlock 11 frameworks.”

The Results – Total privacy and security coverage at half the cost 

Having achieved compliance with 11 frameworks, the Makeforms team was ready to proceed to audit for relevant frameworks. 

Here, Sprinto’s automated evidence collection proved invaluable. Because Sprinto automatically collects accurate, time-stamped evidence to sample on the audit dashboard for validation, the time to auditor review was cut by 90%. Armed with complete, verified evidence, Makeforms quickly selected an auditor from Sprinto’s vetted network and proceeded with audits. 

They could collaborate with auditors directly on the platform over a separate, secure dashboard and field requests but these were barely necessary as they sailed through audits without major hitches. 

By achieving and maintaining compliance on Sprinto, Makeforms was able to bridge gaps at both the product and process levels. 

Pratik provides an example: “Earlier, our assets were self-hosted on MongoDB, and we were using Elasticsearch for indexing. But while getting HIPAA-compliant, we saw that our data needed to be encrypted always, so we made a switch to MongoDB Atlas. It would’ve cost us a lot more if we’d made this switch later on.” 

Fluent in compliance, the Makeforms team also implemented new security guardrails, such as background verification and onboarding training at the process level, to tighten up its security posture and ensure compliant operational practices. 

Today, Makeforms proudly exhibits security and privacy compliance with 11+ frameworks as a feature of the product and has successfully partnered with global enterprises such as Salesforce, thanks in no small part to their compliance obsession. 

What we’ve been able to achieve with Sprinto, if we’d used another GRC tool, would’ve taken twice as long and cost twice as much. Getting compliant via Sprinto is quite satisfying and feels like a reward.