How Turtlemint built security-aligned compliance management with Sprinto

Turtlemint is a full-stack fintech solution for distributing insurance products across categories like health, life, and motor. The company provides onboarding, certification, transaction processing, marketing tools, and commission management for agents and a SaaS-based distribution solution to the regulated finance sector.

Key requirements

A proven compliance automation and monitoring solution to achieve and maintain SOC 2 compliance across its security assets while reinforcing data security best practices.

  • Guided SOC 2 control implementation on Sprinto, with compliance management and monitoring powered by native cloud integrations that bring together people systems, cloud services, and processes in one place.
  • Pre-built policies, training, and a SOC 2-aligned risk management toolkit to ensure robust security and compliance, including employee security awareness and device security assurance.
Framework: SOC 2 (Type 1 and Type 2)

Location: India

Audit outcome: 0 exceptions in SOC 2 audits

Scope: 1500+ employees and devices, monitored 24×7 on Sprinto


The Challenge: Taking compliance from 0 to 1

As a leader in the fintech and insurtech spaces, Turtlemint was keen to demonstrate its security posture to existing clients and to unblock new deals, which put a SOC 2 audit high on its list of priorities. However, its need for compliance went beyond just obtaining a SOC 2 report.

“We wanted to get SOC 2 compliant to build trust in our space. But getting our house in order was equally important to us. We wanted confidence that we’re doing things right,” remarks Swapnil Gawas, VP of Engineering at Turtlemint. 

With over 1500 employees working out of offices and in the field, all with different levels of access to data, Swapnil and the Turtlemint team knew they needed to set the right access boundaries. But securing infrastructure and enforcing proper access guardrails would be tedious and time-intensive tasks, especially if done manually.

For this reason, Turtlemint decided to adopt a platform-centric approach to compliance management to streamline the monitoring of people, processes, and technology while reducing the effort spent coordinating compliance tasks and audit evidence. With SOC 2 being a new mandate, they sought a proven solution supported by experts who could provide guidance on the best way forward.

It was important to us that the compliance partner we chose could speak our language and simplify compliance so we could understand it in our context. That’s why we went with Sprinto.

The Solution: A structured path to compliance, powered by automation and guided by experts

Turtlemint worked with Sprinto’s certified experts to define the compliance scope and create a path to audit readiness for a SOC 2 covering three Trust Services Criteria (TSCs), tailored to their security and operational needs.

Because Sprinto could connect with Turtlemint’s various people systems, cloud services, and critical systems via native integrations, it centralized all security assets for efficient control implementation and automated tracking. Compliance gaps in MFA, data encryption, backups, and access controls were addressed alongside classifying code repositories, implementing vulnerability scanners, and setting up branch monitoring to ensure data security and meet SOC 2 requirements.

Given the broad people scope, technical considerations, and complex data perimeter, effective risk assessment was essential for SOC 2 audit readiness. Turtlemint used Sprinto’s risk register and vendor risk assessment module to identify risks, assign impact and likelihood scores, complete vendor due diligence, and link them to continuously monitored mitigation controls for ongoing risk management.

Turtlemint’s final challenge was implementing policies, training, and device management for their large team. Working with Sprinto, they defined the employee scope, used pre-built templates to create policies and training, and closed the loop by using Sprinto to nudge employees to acknowledge policies and complete training. With Sprinto’s integrated MDM solution, they ensured device compliance and enforced best practices such as disk encryption, screen lock, and antivirus. After adding access controls and completing disaster recovery exercises, Turtlemint was ready for audits.

Turtlemint began with a SOC 2 Type 1 audit, which attests to the design of controls at a point in time; they completed control implementation within a year and passed the audit without exceptions. They moved to the SOC 2 Type 2 audit right after, which involved an observation period of roughly six months to demonstrate that the controls were operating effectively over time. During this period, the platform automatically collected evidence for the relevant SOC 2 criteria.

Sprinto’s context-rich, automated alerts were crucial in helping Turtlemint keep SOC 2 controls passing. The platform sent steadily escalating alerts to the relevant stakeholders when a control was drifting toward failure, so it could be fixed before it became an audit finding. This played a crucial role in helping Turtlemint stay audit-ready throughout the observation period.

Much like their Type 1 audit, Turtlemint’s SOC 2 Type 2 audit went through without exceptions and the organization came out with a clean SOC 2 report.

We were able to centrally manage all the aspects of our SOC 2 program, with everything being a few clicks away. The visibility made a real difference in our preparedness.

The Results: Embedded best practices and a demonstrably secure posture

Having achieved its SOC 2 audit goals, Turtlemint also observed a major shift in how compliance was embedded in, and managed alongside, its security goals.

Compliance now had an underlying logic grounded in data security, complete with a structure and a set of tools to manage goals without disrupting day-to-day processes. Sprinto, in essence, functioned as Turtlemint’s compliance program manager: monitoring data security risks continuously, providing visibility into what needed fixing, and enabling the team to make those fixes confidently.

Now, Turtlemint has its sights on ISO 27001 and is leveraging Sprinto’s Common Controls Framework (CCF) to build on its SOC 2 work and achieve ISO 27001 compliance with roughly half the effort. The team is also simultaneously pursuing a SOC 2 audit for Turtlemint’s sister entity.

We’ve not just gotten better at managing compliance but we’re also more proactive about it now. The best practices we’ve instilled, supported by Sprinto, have made data security an integral part of how we do things.