How Lemonade Saved 80% of Time Using Drata’s Continuous Compliance Automation

About Lemonade

Lemonade is a consumer-focused insurance company that operates in the U.S. and Europe.

The Challenge

Audits are not fun. I’ve spent well over 200 hours before using Drata just in preparing for and dealing with our SOC 2 audit. If I added in everybody else’s time, I’ve loosely calculated that it’s between 500 to 600 hours of time spent preparing for an audit before using a compliance automation platform like Drata.

At a late-stage growth company like ours—where we’re still developing new product and trying to keep up with the market—that is a lot of time taken away from delivering product. It’s a waste of time in terms of efficiency, and it gets in the way of other important projects like improving overall security for the company.

The Experience

Drata has been great for automating evidence collection. I find it really flexible, and I’m able to make my own control framework. I’m making one specifically around Sarbanes-Oxley’s IT general controls, and we’ve spent less time doing those things that were once manual. I expect I’ll be able to reduce the time that my team and I have to put in by probably 60 to 80 percent.

ROI

I just ran a SOC 2 audit with Drata that we completed in January. I actually didn’t think it was true because I heard almost nothing from the auditor until late January, where she said, ‘Okay, we have a draft ready of your final audit.’ I had only been on the phone for about 4 hours with her—which was 1/10th of the amount of time I had anticipated to spend with the auditor. I spent about 35 to 40 hours collecting evidence and was able to rely upon other people for significantly less.

The auditor called to say, ‘Well, your audit is basically done. We just want you to review the draft with zero nonconformities.’ Let’s just say it’s liberating.