Small Team, Big Compliance:
How CaseMark Achieved SOC 2 Type II in Record Time (And How You Can Too!)
You're a small B2B SaaS company. Innovation is your lifeblood, but the specter of compliance looms large. SOC 2, HIPAA, ISO 27001: the alphabet soup of regulations can feel overwhelming, especially with limited resources. At CaseMark, we faced this exact challenge. We're a remote-first, 11-person legal tech company. Our CEO set a tight, seven-month timeline for the daunting task of achieving SOC 2 Type II compliance. We did it (and added HIPAA along the way!), and we're here to share how you can too.
The Reality of Compliance for Small Teams
Let's be honest. Compliance isn't glamorous. It's time-consuming, complex, and can feel like a distraction from building your product. But as a company focused on summarizing medical records and legal documents, CaseMark has to prioritize data privacy and security. It's crucial for building trust, securing partnerships, and avoiding costly penalties and reputational damage.
SOC 2, or System and Organization Controls 2, is a widely recognized auditing standard. It evaluates a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy. Think of it as a report card demonstrating your commitment to data security and operational excellence.
There are two types of SOC 2 reports:
- Type I: Assesses the design of your controls at a specific point in time. It's a snapshot of what you intend to do.
- Type II: Evaluates the operating effectiveness of your controls over a period of time. It's a demonstration of what you actually do in practice.
CaseMark needed to demonstrate our ongoing commitment to security and privacy, which is why we went for SOC 2 Type II.
Our Secret Weapon: Strategic Partnerships
SOC 2 Type II is a beast: it costs time and creates organizational friction both to obtain and to maintain. There is an organizational change element, where people need to start doing the right thing, alongside getting systems in place to monitor and comply.
How did a core team of three do it? It came down to project ownership and strategic partnerships. We knew we needed momentum and accountability, and we couldn't do it alone. Peter, our VP of IT and CS, led the project, while our COO, Alyssa Meritt, and CTO, Steven Osborn, drove the operational and technical changes. Having Advantage Partners, our compliance advisor, meet with us weekly kept us on track.
- Expert Guidance: Partnering with compliance experts at Advantage Partners provided invaluable guidance and support in navigating SOC 2's complex requirements. They helped us understand the nuances and develop a tailored compliance strategy that fit where we are as an early stage startup with limited resources.
- Speed to Market: Advantage Partners accelerated our compliance journey, helping us avoid common pitfalls and streamline the process. They kept us accountable and we felt more confident with them pointing out the “gotchas,” and advising on timelines and the audit process.
- Industry Knowledge: Advantage Partners' deep understanding of Vanta and the SaaS industry ensured our compliance program aligned with best practices. They took the time to understand our unique needs in serving legal clients and had in-house subject matter experts on specific topics like HIPAA and GDPR.
The Right Tools for the Job
Technology was crucial to our compliance success. CaseMark used Vanta to document and automate the entire SOC 2 process. Vanta replaced spreadsheets with a centralized control list, allowing us to assign responsibilities, upload evidence, and grant auditors access. Plus, automated detection of vulnerabilities from cloud platforms (AWS, GCP, GitHub, etc.) saved significant engineering and IT time.
Vanta helped us automate and streamline key processes, including:
- Risk Assessment and Management: Identifying and mitigating potential risks is essential for compliance.
- Policy Management and Documentation: Creating and maintaining comprehensive policies and procedures is a critical component of SOC 2. Vanta helps you manage your policies, track revisions, and ensure that they are accessible to your team.
- Evidence Collection and Tracking: Collecting and organizing evidence of your controls can be a time-consuming process. Vanta served as a time-stamped vault for documentation.
- Audit Preparation and Reporting: Preparing for an audit can be stressful. Vanta showed our progress in real time as a percentage complete at each stage and generated reports highlighting where we still had work to do.
- Continuous Monitoring: Compliance is an ongoing process. Continuous monitoring tools can help you identify and address potential issues before they become major problems. We get alerts when a control or document is about to expire.
Tips and Actionable Steps for Your Team
Don't go it alone: Partner with compliance experts. Do you need a coach or just a sounding board? Advisors vary greatly in how they can help you. Understand what they specifically will deliver, and how often. Weekly check-ins with experienced professionals were invaluable for our first certification. Remember, compliance is ongoing. Find a partner who can grow with you.
Get references from companies like you: What works for a multinational or a Series B company might not work for a 10-person startup. Seek referrals based on the partner's ability to deliver for small teams.
Invest in the right tools: Tools like Drata, Vanta, or Secureframe pay for themselves. Spreadsheets aren't realistic for tracking the complexities of compliance; there are too many dates and compliance elements to track. Automated reminders and non-compliance flagging are essential for small teams.
Assess the full toolset: Look for GRC tools that support more than one compliance framework. Because frameworks have overlapping requirements, a unified dashboard lets you reuse the same controls and evidence across them.
Show your work: Tools that offer Trust Center or RFP support are worth the investment. We closed deals and cut down on lengthy RFPs based on the Trust Center alone. We also purchased an RFP module that let us store answers from past RFPs and host our SIG and CAIQ security questionnaires. This saved the team a lot of time and rework.
Your team size matters: More people means more applications to inventory and monitor. Build strong systems early on, before the sprawl sets in.
Build a culture of compliance: Ensure everyone understands their role. We discussed compliance in our company All Hands and we regularly demoed our progress in Vanta to the team.
You Can Do It!
Remember, compliance is a journey, not a destination. It's an ongoing process that requires continuous effort and improvement. Once you attain SOC 2, it will be important to maintain it. This means sticking to your documented policies and processes for as long as you want to be SOC 2 "compliant." Achieving high compliance standards with a small team is possible. By leveraging the right partnerships and tools, you can streamline your compliance journey and build a secure and trustworthy business.