While certifications for security management practices like SOC 2 and ISO 27001 have been around for a while, the number of companies that now request that their software vendors go through (and pass) the audits to be in compliance with these continues to increase. For a lot of companies, that’s a harrowing process, so it’s maybe no surprise that we are also seeing an increase in startups that aim to make this process easier. Earlier this month, Strike Graph, which helps automate security audits, announced its $3.9 million round and today, Secureframe, which also helps businesses get and maintain their SOC 2 and ISO 27001 certifications, is announcing a $4.5 million round.
Secureframe’s round was co-led by Base10 Partners and Google’s AI-focused Gradient Ventures fund. BoxGroup, Village Global, Soma Capital, Liquid2, Chapter One, Worklife Ventures, and Backend Capital. Current customers include Stream, Hasura and Benepass.
Shrav Mehta, the company’s co-founder and CEO, spent time at a number of different companies, but he tells me that the idea for Secureframe was mostly born during his time at direct-mail service Lob.
“When I was at Lob, we dealt with a lot of issues around security and compliance because we were sometimes dealing with very sensitive data, and we’d hop on calls with customers, had to complete thousand-line security questionnaires, do exhaustive security reviews, and this was a lot for a startup of our size at the time. But it’s just what our customers needed. So I started to see that pain,” Mehta said.
After stints at Pilot and Scale AI after he left Lob in 2017 — and informally helping other companies manage the certification process — he co-founded Secureframe together with the company’s CTO Natasja Nielsen.
“Because Secureframe is basically adding a lot of automation with our software — and making the process so much simpler and easier — we’re able to bring the cost down to a point where this is something that a lot more companies can afford,” Mehta explained. “This is something that everyone can get in place from day one, and not really have to worry that, ‘hey, this is going to take all of our time, it’s going to take a year, it’s going to cost a lot of money.’ […] We’re trying to solve that problem to make it super easy for every organization to be secure from day one.”
The main idea here is to make the arcane certification process more transparent and streamline the process by automating many of the more labor-intensive tasks of getting ready for an audit (and it’s virtually always the pre-audit process that takes up most of the time). Secureframe does so by integrating with the most-often used cloud and SaaS tools (it currently connect to about 25 services) and pulling in data from them to check up on your security posture.
“It feels a lot like a QuickBooks- or TurboTax-like experience, where we’ll essentially ask you to enter basic details about your business. We try to autofill as much of it as possible from third-party sources — then we asked you to connect up all the integrations your business uses,” Mehta explained.
The company plans to use much of the new funding to staff up and build out these integrations. Over time, it will also add support for other certifications like PCI, HITRUST and HIPAA.