How FinTech Company Zūm Rails Quickly Obtained SOC 2


Zūm Rails’ all-in-one payments gateway empowers businesses to pick and choose their optimal payment method mix to meet their ideal workflow through a powerful API layer or payment portal that offers the most elegant user experience in the market.

Location: Montreal, Quebec
Industry: Financial SaaS
A case of preemptively focusing on continuous compliance in order to meet high stakes industry demands.

The Challenge

The fintech and payments space is incredibly sensitive to the topic of security (and rightfully so). As an emerging leader in the industry, we felt confident in the infrastructure and controls we’d put in place to ensure the highest level of data protection for our clients.

But answering endless customer questionnaires and ensuring that we were always maintaining and staying on top of our controls became an inevitable time suck. How could we quickly and continuously lead in this part of our business?

The Solution

Meeting generally accepted compliance frameworks seemed to be the next logical step in our journey. We knew it was paramount in building client trust and accelerating our sales cycle. But when we did our initial research, the cost and sheer magnitude of the process seemed highly time-consuming.

We quickly saw the value in utilizing a compliance automation product. We were hopeful that such a tool could provide strong time to value and help us continuously monitor our controls as Zūm Rails scaled.

Why Drata?

Drata’s level of automation and continuous approach to compliance was huge for us. While nothing can be automated 100%, Drata’s integrations and crystal clear user interface made the process far easier than we could have ever anticipated.

What’s more, we were struck by Drata’s own commitment to security and compliance. You’d think that all companies in the space would build their products with this top of mind, but we didn’t necessarily find that to be the case. Drata really “walked the walk” in numerous ways, including using their own technology to achieve SOC 2.

The Audit Preparation

Our choice to go with Drata was largely driven by the advanced technology the company was able to provide. But after onboarding, we were impressed by how incredibly supportive and helpful Drata’s customer success team was. Every meeting request, email, or Intercom support message was answered right away with a thoughtful, impactful response.

Between the platform, the always accessible support staff, and a much-appreciated recommendation to the Johansen Group for our audit, we were able to gain instant visibility into our controls, prepare for the audit, and have our SOC 2 Type 1 in hand in 10 weeks.

What Was the Biggest Surprise?

During our SOC 2 audit, Drata launched a series of new features and functionality, including the ISO 27001 framework and the ability to see all of your controls and relevant mapping at once. The timing was ideal for us and we’ll start using these additions right away.

What’s Next for Zūm Rails?

Receiving our SOC 2 Type 1 was a great accomplishment and will go a long way in showcasing our commitment to security with our clients. And now we have everything organized and continuously monitored in the Drata platform, so it makes sense to go for our SOC 2 Type 2, ISO 27001, and beyond.

The payments industry is high stakes when it comes to security and compliance. The journey by no means ends with successfully meeting SOC 2. Drata helped us not only achieve our initial goals, but will support us as we continue to build upon our strong foundation.

Nadhir Khayati

Head of Engineering, Zūm Rails
