How Zipy used Sprinto to get compliant and ace SOC2 Type 1 and Type 2 audit

Zipy is a software debugging and observability platform that empowers engineering teams to solve code-level issues smartly, quickly, and proactively. Trusted by leading enterprises and SMBs alike, Zipy is a choice of platform for B2B businesses that care about delighting customers with seamless digital experiences.

Framework: SOC2 Type 1 & Type 2

Location: USA

Instances of non-compliance during audits: 0

Effort to manage compliance using Sprinto: 1 hour a week

Challenge

Building a path to observability demands scanning production systems in great depth and detail, a process that depends on effective tracing and tracking of, among other things, infrastructure, code, and system logs. Because this information is so critical, Zipy has treated data security as a default from day one.

“We practice security in all the ways software is expected to. But it is one thing to say you are following good practices, and another to actually have proof,” notes Bhargava M N N, Engineering Lead at Zipy.

“At some point, our customers started asking that we get auditors to review and verify our policies and practices. Especially for SOC2 – that was primary, especially in North America,” Bhargava adds. “Thinking about it, we realized that if we could get SOC2 compliant, other compliances would fall into place quite easily – SOC2 coverage is comprehensive that way,” he continues.

While attractive, organizing a SOC2 compliance program was proving chaotic. “We looked at what we needed to do and across which aspects of the business. We figured out the controls and implemented a few of them, but managing them with the right set of information and updating them periodically were lacking. This is where Sprinto became a need,” remarks Bhargava.

On the recommendation of a peer, Bhargava chose Sprinto.

“Once we defined the delta, Sprinto scoped out the entire program and timelines in great detail. We knew exactly what should happen, by when, and by whom – that level of clarity was set by Sprinto. Honestly, we did not feel the need to look at anyone else. We were sure we would have a smooth ride with Sprinto.”

Solution

Zipy integrated with Sprinto to operationalize a SOC2 Type 1 compliance program first.

Bhargava was joined by members from senior leadership, the security team, the DevOps team, and engineering to collect and map controls to the framework, including policies.

“Collating things took time. While the controls were in place, we needed a platform to organize and manage them centrally,” remarks Bhargava. “Because Sprinto showed us a clear path we knew exactly what to look into, the gaps to fill, and controls to regulate. It was very straightforward,” he adds.

Bhargava spent between 4 and 6 hours a week implementing the platform, organizing SOC2 controls, enforcing measures, rolling out security training, and getting the dashboard up and running. “Thereafter, the platform told us what needed to be done – whether it was regarding onboarding, the code repository, or infrastructure changes. It was simply a matter of responding promptly to Sprinto’s alerts. Tracking progress was easy.”

“The Sprinto dashboard clearly showed how compliant we were. Seeing that was a moment of great validation!”

Results

Zipy completed the SOC2 Type 1 implementation in 16 weeks, after resolving migration work on their end, and moved to a point-in-time audit immediately after. They received their SOC2 Type 1 report 4 weeks later. Thereafter, they moved into the 3-month SOC2 Type 2 observation period and completed the audit at the end of it.

“Our audit was a cakewalk. Across Type 1 and Type 2 reviews, there was no instance of non-compliance!”

Since becoming SOC2 compliant, Zipy has seen a noticeable increase in customer interest. “More people are willing to talk to us now,” Bhargava notes. “Even before we had the Type 1 report, we started seeing the interest go up as soon as we started saying we were undergoing a SOC2 audit. Compliance clearly builds confidence in the business and the platform,” he continues.

Impact on sales aside, Bhargava is quick to note Sprinto’s influence on Zipy’s overall operational practice. “Having Sprinto in place ensures we are diligent in our pursuit of compliance. The platform ensures a certain discipline,” notes Bhargava.

Instrumenting their operations with compliance checkpoints has cultivated a larger culture of compliance at Zipy. “From the way we set up our infrastructure to workflows related to onboarding and offboarding of employees – the way we operate is now fundamentally more streamlined. And the entire organization sees and appreciates this,” declares Bhargava. “Everyone knows that if something breaks there is a process in place to fix it in a way that ensures security and compliance. We have clear steps for everything. And we started seeing this change during the monitoring period itself,” he continues.

Zipy today leans on Sprinto to ensure compliance and maintain compliance-first operations. “Where Sprinto added the most value was in building our confidence around the way we do security,” notes Bhargava. “Going into compliance, we knew what we needed to do. But Sprinto ensured it was smooth sailing. Everything was defined and organized – the platform and the people moved us forward without hassle,” he adds.

“Sprinto is our go-to person for compliance. Anytime anything new happens – new roles are added or infra – we default to compliance. How new things impact compliance is our default way of thinking now.”