Leading enterprises across various sectors trust Happay to automate their expense management process. Happay’s AI-powered software automatically populates receipts and invoice data from multiple sources, eliminating manual effort and preventing errors. This provides end-to-end visibility into spending and spend management.
Challenge
Happay was already compliant with PCI-DSS and ISO 27001 standards when the need to prove SOC 2 compliance came up. Increasingly, to engage enterprise customers with a presence in regions where SOC 2 compliance is required, a SOC 2 audit report becomes a baseline requirement for triggering deals. “Enterprises have a lot of faith in SOC controls,” notes Gourav Kumar, Director of Infosec at Happay.
To collect evidence against SOC 2 requirements, Happay chose to rely on technology rather than people. “Gathering compliance evidence in a company with over 450 employees is already challenging. Getting everyone to participate at the same time, with the same proficiency, is even more difficult,” notes Gourav.
Happay opted into compliance automation primarily to streamline evidence gathering.
But having worked on other security standards with consultants, Happay knew that approaching SOC 2 as a ‘project’ would not cut it. Given their pace of growth, it became increasingly important for Happay to start thinking about compliance as a ‘process’. “We needed a robust system that could respond to requirements as they came up, without disrupting the business,” notes Gourav.
Operationalizing a SOC 2 compliance program quickly became more than just solving coordination and evidence gaps. In light of evolving circumstances, it became an opportunity for Happay to become proactive about compliance.
Happay placed its hopes on Sprinto to achieve both goals.
As an infosec leader, having a system that drives compliance, grows with the business, and helps meet reporting requirements is useful, if only to ensure nothing disrupts the business or derails compliance.
Solution
Happay started by enabling the SOC 2 Type 2 audit readiness program on Sprinto. With their cloud stack tightly integrated with the platform, Happay was able to move a large part of the control implementation and monitoring activities to Sprinto. These activities could then be tracked and tackled according to the requirements of the standards.
For non-technical aspects of SOC 2, Gourav leaned on the PeopleOps function at Happay to drive compliance. “In the very first meeting, we scoped out all people-related activities and got the HR team onboarded. People, after all, have the biggest impact on compliance outcomes,” notes Gourav.
To orient the overall organization towards SOC 2 requirements, new policies needed to be drafted and implemented. Happay expedited this requirement using Sprinto’s built-in policy templates and policy acknowledgment module. “It was easy to publish and update policies in a single place, instead of creating multiple policy folders and sharing them with everyone over emails,” remarks Gourav.
Sprinto is an easy 8.5/10 in terms of usability and presence. It is familiar and interactive to the point that you can make a mind map easily and move forward with confidence.
To ensure strictness in technical controls, Happay utilized Sprinto’s built-in security tools to double down on its efforts. Gourav notes that these embedded features were very useful, especially integrating with Sprinto’s SL scan. This integration provided deeper visibility into code bugs and vulnerabilities, which complemented their own efforts.
For Happay, Sprinto’s continuous compliance monitoring capabilities and automated alerts proved to be the most useful levers in driving compliance and achieving audit readiness. Throughout, by automatically tracking compliance drift, Sprinto raised alerts to the right roles within the org and triggered follow-ups to drive timely remediation.
Additionally, actionable alerts supported by clear workflows ensured Happay’s compliance function was not bogged down by administrative tasks. “If I post a device status reporting requirement today, I can immediately see who the requirement is sent to, who has completed it, and who is facing problems. The dashboard provides immediate visibility,” notes Gourav. He adds,
Technical aspects of compliance are easy. It’s the collaboration with people that is stressful. Initiating policies, granting access, training employees, reviewing policy changes, and ensuring everyone acknowledges the changes can be a lot of mundane work. Sprinto gives me the ability to launch and manage all of these tasks from one place, with just a few clicks.
After implementing SOC 2 controls, Happay also decided to enforce GDPR controls. As the technical aspects of compliance were already covered by the SOC 2 implementation, the only effort spent was on ensuring the legal parts of GDPR compliance. Sprinto connected Happay with legal experts specializing in DPA as well as an EU representative. Since then, Happay updated its policies to reflect GDPR readiness and implemented measures that uphold GDPR compliance.
Results
Happay achieved SOC 2 Type 2 audit readiness in about 5 weeks. The audit itself, which followed 4 months of observation, was completed within a month of kickoff. Additionally, Happay became GDPR compliant during the same period.
Armed with the SOC 2 Type 2 audit report, Happay has successfully catalyzed sales and closed multiple enterprise deals.
The uptick in sales and renewals aside, as an infosec leader, Gourav is thrilled about having a lean and streamlined compliance practice, supported by Sprinto’s technology and experts. “A large portion of security compliance involves operations and administrative work. Sprinto adds the most value by automating this process end-to-end,” notes Gourav. “The team behind Sprinto is equally commendable. They problem-solved with us every step of the way, going over and above some days. That gave me a lot of faith,” he adds.
With Sprinto embedded in its operations, Gourav believes Happay is adequately equipped to take on new compliance standards with minimal friction. Through common control mapping, Sprinto gives an instant assessment of Happay’s readiness for other security standards, which enables quick and informed action as needed. “Because you can see it, it is easy to act on it,” remarks Gourav.
My job was to turn compliance from a project into a function that exists at all steps of Happay. Sprinto has helped to realize this.