Making SOC 2 Manageable
How we built and maintained SOC 2 for a global SaaS company without slowing teams down, creating tons of busywork, or turning compliance into an annual fire drill.
The challenge
SOC 2 showed up after the company had already been operating for years.
The product had grown quickly and had gone through several iterations. Engineering moved fast. Access, vendors, and internal processes evolved organically. Decisions were made pragmatically, documentation existed where it was useful, and very little was designed with an audit in mind.
When SOC 2 became necessary due to customer requirements and sales pressure, the gaps were obvious. Controls needed to be defined retroactively. Historical decisions had to be explained. Ownership across engineering, operations, and leadership was implied rather than explicit.
Passing the audit was only part of the concern. The bigger risk was what came next. Without a sustainable system, SOC 2 would become a recurring fire drill every year, pulling engineers into audit prep, slowing product work, and draining time from teams that already had full plates.
The goal was not just to achieve SOC 2 compliance, but to make it maintainable without turning compliance into a constant burden.
What we did
We treated SOC 2 as an operating system, not an audit project.
First, we mapped how the company actually worked across engineering, access management, vendor usage, incident response, and internal approvals. Instead of inventing idealized processes, we tightened existing workflows and made ownership explicit.
We implemented Vanta as a supporting tool, but kept the work in-house. Controls, processes, and evidence were defined and owned internally, with Vanta used to track requirements, surface gaps, and maintain visibility rather than replace operational judgment.
We built a compliance calendar that mapped required reviews, access checks, trainings, tabletop exercises, and renewals across the year. Nothing relied on memory or last-minute effort. Responsibilities were assigned, timelines were visible, and expectations were clear.
The business already had a central knowledge management system, so we created new sections to house policies, procedures, evidence references, and audit context, while reviewing the existing content to remove outdated or conflicting information. This made compliance understandable and accessible, especially as the team grew and roles changed.
To share this information with customers, we also set up a public trust portal using Conveyor, enabling self-service access to the most commonly requested security and compliance information, such as audit reports, security diagrams, and policy documentation.
Finally, we ran the required operational work, designing it to fit into normal day-to-day rhythms rather than treating it like a separate job. Security trainings, access reviews, incident readiness sessions, and tabletop exercises were conducted as real working sessions, focused on preparedness and clarity rather than box-checking.
Impact
- Directly contributed to increased revenue by enabling the business to close, renew, and expand enterprise and public-sector contracts where SOC 2 was a baseline requirement
- Reduced security and compliance friction in sales cycles by providing clear, repeatable evidence during customer security reviews
- Cut annual SOC 2 preparation effort by dozens of hours per audit cycle by distributing work across the year
- Eliminated last-minute evidence scrambles by embedding controls into day-to-day engineering and operational workflows
- Increased internal confidence across leadership, engineering, and sales teams around the company’s ongoing security posture
What happened next
SOC 2 stopped being a blocker and became an enabler.
Sales teams could pursue larger, more security-conscious customers without pulling engineers into emergency reviews. Renewals that previously required heavy back-and-forth moved faster. The company was able to confidently expand into enterprise and government-adjacent markets that would not have been accessible otherwise.
Internally, compliance no longer competed with product work. Engineers stayed focused on shipping. Leadership had confidence that controls were being maintained without constant oversight. New hires could understand security expectations quickly, and ownership remained clear as the organization grew.
Most importantly, SOC 2 became a durable capability rather than a one-time milestone. It supported revenue growth, reduced risk, and scaled alongside the business without becoming a recurring drain on time or attention.
Dealing with something similar?
If SOC 2 feels overdue, heavier than it needs to be, or hard to maintain year over year, we can help you put simple systems in place that make compliance manageable without slowing the rest of the business down. Let's talk!