3rdRisk Achieves SOC 2 Type 1 in 2 Weeks With The Help of Drata and Sensiba
About 3rdRisk
Located in Amsterdam, 3rdRisk is a risk management SaaS company completely dedicated to managing third-party risk and internal control. Our customers use our platform and technology to stay in control and ahead of the risks they could face, all while remaining compliant with a variety of requirements. Our mission is to help the new generation of risk professionals succeed in an ever-changing world where threats are constantly looming.
Why SOC 2 Type 1?
We decided to pursue SOC 2 Type 1 primarily because our customers trust us with their sensitive data and we want to showcase that their data is secure in our platform. This was especially key for us given the nature of our industry. It’s our duty to be transparent with our customers about how we handle information security and protect the integrity of their data. From a revenue and growth perspective, we knew SOC 2 Type 1 would be important to implement as well.
Compliance Before Drata
As a bootstrapped startup, we were initially managing compliance activities with spreadsheets and using SharePoint for sending emails and manual verification. Eventually, we got to a point where the team felt held hostage by those manual efforts.
It would have become extremely costly if we had continued with the spreadsheet approach, especially considering we're a small team. Not only that, but it was also a burden to our employees, developers, and technical teams, who needed to focus their efforts on the business when instead that time was being used for compliance-related initiatives. That’s when we realized we needed to investigate solutions that could make compliance easier to manage and leverage automation to speed up the process.
Why Drata Was The Best Solution Out There
When researching compliance automation solutions, we first went to one of our partners, a Big 4 firm, for insights on what solutions were on the market and the latest trends in cybersecurity. I was especially looking for a technology solution with a built-in continuous monitoring capability so my goal was very clear. That’s how Drata popped up on my radar.
My team and I had a specific set of criteria when deciding what solution we wanted to adopt. After evaluating our top two choices head-to-head, these were the reasons Drata beat out the competition:
1. Their Reputation Is Notable in the Industry
One of the main reasons we selected Drata was their fast-growing reputation as a trustworthy partner in compliance. It’s clear that they invest in their product and provide value to their customers.
2. They Offered a More Robust Set of Integrations
Drata also had the most integrations compared to other platforms on the market. Drata provided the best options based on our tech infrastructure, which was really important for us. Because 3rdRisk was born in the cloud, we needed the integrations to match our control environment.
3. They Sold Their Product With Integrity
From the first sales conversation we had with Drata, our experience was notable because it didn’t feel like a traditional sales conversation. The discussion was heavily focused on discovery, learning about 3rdRisk’s environment, what we were looking to achieve with our compliance program, and how Drata would be complementary to those initiatives.
Our needs were clearly identified, we talked through how leveraging Drata would provide us value, and they painted a clear picture of how we could achieve SOC 2 Type 1 success quickly with Drata.
Key Benefits of Using Drata
From day one of becoming a Drata customer, we’ve seen many benefits to our overall security posture. Here’s a breakdown of how Drata has helped us better manage and level up our compliance program.
1. Continuous Monitoring Is Game Changing
Drata offers so much more than just compliance. Although our primary goal with SOC 2 Type 1 was to achieve compliance for our customers, Drata also offers me real-time visibility into our infrastructure at any time. I’m completely empowered as a co-founder and that’s the beauty about the platform.
It's not a moment in time, it's not a sample—it's continuously checking all the controls. It's real-time, continuous monitoring that can be verified at any moment.
2. Trust Center Shortens Sales Cycles and Enables Transparency
Drata’s Trust Center makes it easy to display the organization’s compliance initiatives, policies, and reports. Customers and prospects can go to trust.3rdrisk.com to:
- Learn more about our platform’s security.
- Verify the latest patches are applied.
- Ensure vulnerability management scans have been performed.
- Get status updates on our continuous monitoring.
- Select certain policies to view.
There’s no more waiting and no extensive reports to sift through—it’s full transparency at your fingertips.
From a commercial growth perspective, Trust Center enables the company to achieve revenue goals while giving our customers and prospects the visibility they deserve at any given moment. It’s a win-win.
3. Drata’s Automation Keeps My Team Happy and Focused
These days, it's really hard to maintain and attract technical talent, so you don’t want to burden your team with a plethora of labor-intensive compliance activities. Drata streamlines the way compliance is managed through its automation capabilities. We know with certainty that our technical controls will be automatically verified without any manual intervention needed—that's liberating for my team and their time.
4. Implementation Moved At #DrataSpeed
Upon kicking off, we received login credentials to Drata’s Platform within a couple of days, so it was a very quick turnaround time. The implementation itself was relatively easy, and our CTO was able to get us set up in just a couple of hours—all the integrations were ready in no time.
Once our systems were connected, we were immediately able to see the checkmarks and requirements turn from red to green. We had clear visibility into requirements we weren’t meeting and received clear instructions on what we needed to adjust.
5. We Have 5-Star Support 24/5
Throughout the entire onboarding process (and beyond), we have access to technical and expert support with Drata’s team online. Support team members reach out to us proactively to check in and provide us assistance if needed—they’re exceptional at enabling their customers to easily find information and help.
6. Our Compliance Program Can Easily Scale
As a Europe-based company, GDPR will be an important framework for us to achieve down the line. While we were implementing SOC 2 Type 1, we had a dashboard that displayed the positive impact our SOC 2 efforts were making towards readiness for other standards like GDPR. We could directly see how much progress we had made towards GDPR implementation just by the activities that we had performed for SOC 2. This showcased how easily we could build our compliance program with Drata because of their fully integrated approach to compliance. I have tangible proof of the value our compliance program is getting from scaling with Drata.
When we originally established our goal of achieving SOC 2 Type 1 this year, we didn't think our team would have the bandwidth to proceed with additional standards within the same time period. Because of the dashboard insights Drata provides us we thought, "Let's go for a second or third standard!"
Return on Investment in 2 Weeks
If you look at the amount of time that we spent to achieve SOC 2 Type 1, it was less than two weeks end to end. Our audit firm, Sensiba, provided our clean SOC 2 Type 1 report a few days following the audit. It took longer to evaluate competitors on the market than it took 3rdRisk to become SOC 2 Type 1 compliant working with Drata and Sensiba.
Especially considering when our infrastructure begins to scale, this equates to dozens of hours per month that my team will save. We’ll be able to reallocate resources to further maturing our technical infrastructure while focusing on innovation and the commercial side of the business.
“I definitely recommend Drata and Sensiba to any EU startup or organization struggling with managing compliance and audits. The amount of resources, time, and money on consultants we saved to achieve SOC 2 Type 1 in 2 weeks is unheard of.”
Drata x Sensiba
We attribute becoming SOC 2 Type 1 compliant so quickly to working with both Drata and Sensiba. Here’s what made going through the audit process so much easier.
1. Drata Connected Us With Our Ideal Audit Firm
We got connected with Sensiba through Drata’s Auditor Directory. The Auditor Directory lists the audit firms that work with Drata, and through it we found our perfect auditor.
We were able to select from a pool of qualified audit firms that are trained to use the Drata platform. This collaboration streamlines the entire audit process and significantly increases efficiency. Selecting Sensiba was a smooth process, and we were able to get started with our audit preparation in no time.
2. Sensiba Embraced Our Need for Technology
Sensiba was the ideal audit firm for us because they have experience working with companies in our industry, born in the cloud, with progressive tech stacks. We wanted an auditor to embrace the emphasis 3rdRisk puts on leveraging technology and Sensiba is completely familiar with these kinds of cloud technologies.
If 3rdRisk embarked on a more traditional audit approach we would have been asked to provide all kinds of documentation about our infrastructure, how our server is working, and how the cloud is working, which would have caused delays in receiving our final report. The approach that Drata and Sensiba are taking has completely improved the way audits are conducted.
3. We Had Global Support
Although I have a background at a Big 4 firm, SOC 2 Type 1 is still quite a heavy lift for a startup to implement, especially if you don’t have a consultancy partner supporting you in the process (something we commonly see).
To help take the burden off our small team, we were able to take advantage of Sensiba's new offering, the Drata Starter Program. The Drata Starter Program gave us a head start on all the time-intensive content pieces that are required of SOC 2 Type 1. It was a best practice blueprint provided by Sensiba completely tailored to the Drata Platform. I highly recommend this offering for SaaS startups like ours—it’s meant for you.
Drata’s Audit Hub Empowers Collaboration During The Audit
Our audit experience with Sensiba was exceptional for many reasons. From the first introduction meeting, their team laid out exactly what to expect during the process. There were no surprises in what was required of us to complete the audit.
Because we found our auditor through Drata, the Drata Platform helped facilitate many of our audit conversations. Sensiba logged directly into Drata, went through our control environment, asked questions about our integrations, and looked at the evidence being collected via continuous monitoring. Since Sensiba was already educated and trained on how to use Drata, it was really easy to show that we had implemented the right controls and were on track to achieve the standard. Our auditor knew exactly how to find the information they were looking for.
Drata Delivers on Guarantees
You will save time with Drata—there’s no doubt about that. But we’ve seen a positive impact on the overall organization as well. Here are some additional benefits I’ve experienced since using Drata.
1. Compliance Doesn’t Have To Be Painful
Drata made it so much easier, faster, more efficient, and a lower burden on the business to achieve these kinds of compliance standards that normally take a lot of time, effort, and money. Drata really enables companies like ours to achieve this kind of standard in a pragmatic, high-quality way.
2. No More Guesswork Or Worry
In the early days of my career, audits made everyone anxious. There are a million things you worry about leading up to an audit like:
- When will the auditor arrive?
- Is my team prepared for what’s to come?
- Have we forgotten anything?
- How will we fix an issue that could come up?
The fear never ends.
Drata gives us confidence going into an audit because we have continuous monitoring and access to the status of our controls and requirements. There are no surprises—and if we do catch an issue, we know about it upfront. From there, remediation is straightforward through online guides and Drata’s support team live chat.
If you’re looking to begin evaluating your compliance program, I highly encourage working with Drata and Sensiba. They’ve created a holistic approach to compliance and audits without sacrificing independence, transparency, trust, or quality.
Chart Your Course
Navigate to new worlds of trust with Drata.