How Sprinto helped Uncover build a connected risk program and achieve ISO27001 and GDPR compliance
Founded in 2022, Uncover is a fast-growing legal-tech SaaS startup based in the Netherlands, focused on giving lawyers tools that help them win cases. Its AI-enabled platform structures, manages, and analyzes large volumes of case documents.
Key results:
- 4 working sessions to implement the ISO27001 program.
- 14 days to complete the audit and receive certification.
- About 15% additional effort to layer GDPR on top of ISO27001.
While Uncover has operated with the highest standards of data security, it turned to security compliance for validation and proof. “In continental EU, customers need proof that you are a service provider that complies with all data security requirements,” notes Ingrid Van-de Pol Mensing, Cofounder and Co-CEO at Uncover.
For Uncover, an ISO27001 certification would cover a large part of the need for proof of good security practice. Complemented by GDPR compliance, it would make building trust with customers in the EU easier.
For this, they required:
- A way of organizing security that aligns with several compliance standards at once.
- A way to eliminate reactive work by shifting security left into the development and deployment process.
Their previous experience with a compliance partner left them feeling short-changed on responsiveness. “Price aside, responsiveness and efficiency in the process were important criteria,” remarks Ingrid. “We aren’t experts, so we preferred working with experts and standardized workflows,” she adds.
Uncover turned to Sprinto to meet its compliance goals.
Uncover implemented Sprinto and got started with the ISO27001 program. Imre Gelens, CTO at Uncover, led the compliance exercise. “Everything was clear from the get-go,” he notes. “The initial meeting made clear the time requirements, what the process was going to be like, what we are doing, and the nature and number of meetings and topics we’ll go through in each. Most of these were on my plate,” he adds.
During the implementation, Imre worked with a Sprinto CSM to configure the platform to pull risk and control information directly from their systems. Because Uncover deploys infrastructure frequently and develops actively, they configured Sprinto to run autonomously, so that each newly deployed resource is brought into compliance scope without additional manual effort. This required only tagging each resource in AWS so that Sprinto could discover and process it continuously. “I preferred a repeatable process that could keep pace with how we deploy infra,” Imre notes. “With Sprinto the process is now fully automated.”
Once set up, Uncover used Sprinto’s integrated risk management suite to identify security risks, assess their business impact, and define the controls that mitigate them. “This process happens fast because the platform equips you with standardized resources,” notes Imre. Through this process, Uncover could spot gaps in its security practice and take steps not only to close them but also to monitor them continuously.
To implement ISO27001-aligned policies, Uncover leaned on Sprinto’s policy templates. “It’s a real time saver!” Imre says.
In just 4 sessions, Uncover was able to implement the ISO27001 program and move towards audit.
For GDPR, Uncover only had to complete 6 additional checks over and above what was done for ISO27001. These included:
- Appointment of an EU representative. As both founders of Uncover have a legal background and are citizens of an EU member state, this was a short leap.
- A process for Data Subject Access Requests (DSARs) to receive and handle data-related requests (deletion or modification) from website and app visitors and users in the EU and the UK.
- A Record of Processing Activities (RoPA) documenting how the different departments within Uncover process the personal data of EU data subjects.
- Management review of contractual obligations.
- A GDPR-compliant cookie banner solution on their website.
“The additional effort was no more than 15%,” remembers Imre. “And because Sprinto has automated workflows and integrations with our infrastructure, all checks happen continuously and are automated,” he adds.
“We did not have to spend time checking boxes, the platform checked the boxes for us. And this guarantees you will remain compliant even after the certification is done.”
Uncover completed its audit and received the ISO27001 certification in 14 days.
Over and above the certification, Uncover walked away with a stronger security posture as well as a stronger compliance posture. At an architectural level, Uncover had to modify very little of its infrastructure. The effort spent logging and tagging resources produced a self-sustaining process for all deployment-related events, monitored and managed end-to-end on the Sprinto platform.
“This mechanism makes sure all the infra is getting picked up by Sprinto whenever we deploy something,” remarks Imre. “Right up front, Sprinto asks you to classify whether something is a production or non-production event. By tagging your resources as you deploy them, you can easily automate necessary checks,” he adds.
In effect, Uncover has successfully built security and compliance into the development function. “Now when we deploy something new, we immediately get a notification asking if we have classified this piece of infrastructure. It’s easy to stay on top of things with minimum effort,” Imre remarks.
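The tag-at-deploy-time approach described above only works if every resource actually carries a correct classification tag, and AWS tag keys are case-sensitive, so a resource tagged `environment` instead of `Environment` silently falls outside the automated checks. The following is an added example of the kind of inventory check a practitioner would run to catch this; it is not Sprinto's code or Uncover's code. It assumes the inventory has the shape returned by `aws resourcegroupstaggingapi get-resources` (a list of `ResourceARN` plus `Tags` entries), that the classification tag is named `Environment` with allowed values `production` and `non-production`, and that an `Owner` tag is also required. The tag names, allowed values, and the sample inventory are all assumptions constructed for the example.

```python
"""Audit an AWS resource inventory for missing or invalid classification tags.

Added example, not part of the case study. Assumed conventions:
  - inventory shape: ResourceTagMappingList from
        aws resourcegroupstaggingapi get-resources --output json
  - classification tag key `Environment`, values production / non-production
  - an `Owner` tag is also required
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CLASSIFICATION_TAG = "Environment"                  # assumed tag key
ALLOWED_VALUES = {"production", "non-production"}   # assumed allowed values
REQUIRED_TAGS = ("Owner", CLASSIFICATION_TAG)       # assumed required tags


@dataclass
class Finding:
    arn: str
    service: str
    problems: List[str]


def parse_service(arn: str) -> str:
    """Return the service field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[2]


def tags_to_dict(tags: List[Dict[str, str]]) -> Dict[str, str]:
    """Convert the API's [{'Key': k, 'Value': v}, ...] list into a dict."""
    return {t["Key"]: t["Value"] for t in tags}


def check_resource(resource: Dict) -> Optional[Finding]:
    """Return a Finding for a non-compliant resource, or None if it passes."""
    arn = resource["ResourceARN"]
    tags = tags_to_dict(resource.get("Tags", []))
    lowered = {k.lower(): k for k in tags}   # detect case-mismatched keys
    problems: List[str] = []

    for key in REQUIRED_TAGS:
        if key in tags:
            continue
        if key.lower() in lowered:
            # Present but with the wrong case: AWS treats this as a different tag.
            problems.append(
                f"tag key {lowered[key.lower()]!r} should be {key!r} (tag keys are case-sensitive)"
            )
        else:
            problems.append(f"missing tag {key!r}")

    value = tags.get(CLASSIFICATION_TAG)
    if value is not None and value not in ALLOWED_VALUES:
        problems.append(f"{CLASSIFICATION_TAG}={value!r} not one of {sorted(ALLOWED_VALUES)}")

    return Finding(arn, parse_service(arn), problems) if problems else None


def audit(inventory: List[Dict]) -> Tuple[List[Finding], Dict[str, int]]:
    """Check every resource; return findings plus a small summary."""
    findings = [f for f in (check_resource(r) for r in inventory) if f is not None]
    production = sum(
        1 for r in inventory
        if tags_to_dict(r.get("Tags", [])).get(CLASSIFICATION_TAG) == "production"
    )
    summary = {"total": len(inventory), "noncompliant": len(findings), "production": production}
    return findings, summary


def load_inventory(path: str) -> List[Dict]:
    """Load the JSON written by `aws resourcegroupstaggingapi get-resources`."""
    with open(path) as fh:
        return json.load(fh)["ResourceTagMappingList"]


# Constructed sample inventory (not real resources): one compliant resource,
# one with an invalid value, one with a case-mismatched key, one untagged.
SAMPLE_INVENTORY = [
    {"ResourceARN": "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc123def456",
     "Tags": [{"Key": "Environment", "Value": "production"}, {"Key": "Owner", "Value": "platform"}]},
    {"ResourceARN": "arn:aws:rds:eu-west-1:123456789012:db:cases-db",
     "Tags": [{"Key": "Environment", "Value": "prod"}, {"Key": "Owner", "Value": "db-team"}]},
    {"ResourceARN": "arn:aws:s3:::example-case-documents",
     "Tags": [{"Key": "environment", "Value": "production"}, {"Key": "Owner", "Value": "data"}]},
    {"ResourceARN": "arn:aws:lambda:eu-west-1:123456789012:function:ingest", "Tags": []},
]

if __name__ == "__main__":
    found, stats = audit(SAMPLE_INVENTORY)
    print(stats)
    for f in found:
        print(f"{f.service:8} {f.arn}")
        for p in f.problems:
            print(f"    - {p}")
```

Run against a real account by exporting the inventory with `aws resourcegroupstaggingapi get-resources --output json > inventory.json` and passing `load_inventory("inventory.json")` to `audit`. Wiring the same check into the deployment pipeline, so that an untagged or mis-tagged resource fails the deploy rather than being discovered later, is what turns the tagging convention into an enforced control.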
Because it runs continuously in the background, Sprinto keeps Uncover operating deliberately and in a compliant manner. “Things like database recovery plan, disaster recovery plan – these are things one has to anyway think about. It is important to build for it, train for it, and check every so often. Sprinto encourages this behavior, forcing us to be more specific,” Imre notes.
Since becoming compliant, Uncover confidently asserts its newfound status in sales conversations. “We make it a point to mention we are compliant,” notes Ingrid. “Being compliant is an important part of the way we operate. Continuous monitoring is a big part of why we like Sprinto – it makes sure we are and remain compliant.”