How Chameleon Leveled-Up Their Security Program with SOC 2 Type 2 Compliance
Chameleon allows you to create beautiful product guidance that helps, navigates, and delights your users throughout their journey.
We knew that we had some good security practices but needed the validation of SOC 2 compliance to demonstrate this more easily to our prospective customers. Our customers use Chameleon for business-critical user engagement within their software, which includes passing user data, so it’s imperative that we maintain strong security practices, and can easily demonstrate these to prospects to help us close sales deals. Almost all of our larger prospects have a security evaluation stage during the buying process which we wanted to make as smooth and seamless as possible. But before we met Drata, we anticipated SOC 2 Type 2 would be such a pain and kept putting it off.
One of the most compelling aspects of Drata was the time-to-value. We could get value on Day 1 of using Drata with their standardized policies that we could adapt and leverage. We’ve already used these across our sales deals prior to even receiving an attestation report. In addition, we found the continuous monitoring Drata offered to be a truly credible way to demonstrate our adherence to our security protocols, and the live report that lets customers/prospects see the specific details of this is such a killer feature. It moves away from trading notes in spreadsheets to being able to see clear proof of compliance!
Drata’s partnership model has been really impressive; they’ve worked with us and gone above and beyond to provide us tips, suggestions, connections, and support, as we’ve onboarded onto our platform and initiated improvements and enhancements to our systems and processes. We felt like we were getting software + consultants and that is so valuable.
Within just the first couple of months, we were able to use policies generated in Drata, reference our continuous monitoring in security questionnaires, help validate our team’s security training, and make improvements to our infrastructure access control.
Drata really made SOC 2 Type 2 compliance more accessible and easy to understand. The support team provided ample best practices, suggestions, tools, and tips which helped us further understand our compliance posture and even navigate how to engage with auditors. Having a centralized platform was also critical for us in quickly showing our customers the protocols and policies we have in place without digging through our system.
We had little guidance prior to working with Drata, leading us to think we’d have to hire an external consultant that would be both time-intensive and expensive. Drata quickly dispelled those myths and outlined the entire process for us in a digestible manner. We were able to save tens of thousands of dollars by using Drata and leaning on automation to guide the journey, all while handling everything in-house.
Now that we’re SOC 2 Type 2 compliant, we’re looking to standardize how we engage prospects through the security evaluation phase when they are looking to purchase Chameleon, leveraging Drata. We’re also expanding our bug bounty program that we run in-house to stay ahead of the latest risks and threats.