How Sprinto organized a seamless multi-standard compliance program for Spendflo

Spendflo is a SaaS buying and management platform dedicated to helping businesses negotiate, renew, and track their SaaS subscriptions. Companies like Synthesis, Urban Company, Crownpeak, and Airmeet have all found success with Spendflo in managing the procurement process while saving time, money, and resources.


SOC2 · ISO 27001 · GDPR · USA

3 months: time to complete SOC2 implementation and audit

10%: marginal effort to layer ISO27001 on SOC2

40%: marginal effort to layer on GDPR

Challenge

For many software-driven businesses, SaaS subscriptions make up one of the largest shares of operational expenses. As a one-stop destination for managing procurement end-to-end, Spendflo helps SaaS-enabled businesses stay on top of that spending.

Since the platform is used to store confidential information like contract details and payment information, questions about Spendflo’s data security practices are common. To uphold and demonstrate good data security practices, Spendflo decided to ensure compliance with SOC2, ISO27001, and GDPR.

Right from the start, Spendflo has been security-conscious. Ajay Vardhan, co-founder and CTO at Spendflo, highlights: “to release a successful MVP, certain features were omitted while our entire server infrastructure needed to be reconfigured multiple times to address various security issues. Getting necessary safety protocols in place took some trial and error.”

As the product started gaining traction, Spendflo saw a surge in inquiries about its data practices. Customers across geographies (US, India, the Middle East) wanted the assurance of a completed security questionnaire, a standard step in the SaaS buying cycle. Noticing this, Ajay realized that Spendflo needed a standard, shareable way to demonstrate its commitment to security and compliance.

Spendflo needed a solution that would both explain the requirements of SOC2 and ISO27001 and help implement them. They preferred to work with a compliance partner who could walk them through the nuts and bolts of each standard.

“We needed not just a product that would get us compliant but a sophisticated solution with the knowledge to help us figure out continuous security monitoring requirements, something we could do regularly. A trip to the auditor was initially the plan, but without sufficient resources or [evidence] submission guidance, it was an unmanageable task.”

As for the selection criteria:

  • Spendflo required a platform that provided the instructional know-how needed to understand and accomplish its compliance objectives.
  • Rather than settle for any product that gets them certified quickly and then leaves them to fend for themselves, they wanted ongoing support.
  • Instead of relying solely on auditor instructions or tedious paperwork, they wanted an automated solution.

Spendflo decided to meet its security and compliance goals using Sprinto. Sprinto was recommended by shared investors and by peers who had already achieved compliance and passed their audits. Speaking about this tooling decision, Ajay remarks: “Sprinto has a comprehensive suite of features that allow us to automate tasks, track progress over time, and make necessary changes quickly and accurately. We knew Sprinto could hand-hold us through the whole thing.”

Solution

Spendflo spent the first few weeks configuring its systems and implementing controls for the SOC2 standard. Sprinto’s automated policy management capabilities helped it monitor compliance continuously and move to the SOC2 audit with confidence within a matter of weeks.

Ajay was surprised that achieving ISO27001 certification required only about 10% additional effort beyond what had already been done for SOC2. “I don’t remember doing anything extra apart from adding a couple of documents to the platform,” he notes. “It was remarkable!”

At the time of the audit, Sprinto’s dedicated auditor dashboard – which collected Spendflo’s compliance evidence against SOC2 and ISO27001 – did the heavy lifting.

There was no need to be familiar with the auditor’s jargon since Sprinto had already set everything up! It was a breakthrough.

With GDPR, Ajay noticed that by virtue of having implemented both SOC2 and ISO 27001 with Sprinto, 60% of the GDPR controls were already in place. The remaining 40%, primarily documenting data-processing activities and legal work, took around a month to complete.

Results

Spendflo obtained its SOC2 Type 1 report in under 3 months, and its Type 2 report 3 months after that. ISO27001 certification followed a few days later.

Armed with audit reports and certification, Ajay says sales discussions with potential customers have become ‘smoother’. “When a major firm sent me a long questionnaire to complete, 20-30 of the inquiries were already addressed in the policies crafted by Sprinto – making it much simpler for me to respond to their complex requests,” he notes. 

Ajay is also quick to remark how astounded he was by the prompt alerts and sophistication of the log setup, which he admits would not have been possible without Sprinto. “Now, whenever we add a new employee or an update occurs, Sprinto sends out immediate notifications with detailed instructions on how to proceed. It’s seamless.”

Simply put, Sprinto has made managing compliance at Spendflo much easier than it was before.