What do you like best about the product?

There are many aspects of the application that I like, I will break these down into sections and are based upon the user experience of one individual looking to get a startup company through SOC2 type 1 and 2 compliance. My background is not in any way compliance-focused in these matters.

- Sales Pitch
This was good and gave me a lot of information on the type of compliance we are looking for and indications of the upfront costs for many systems we would have to implement into our company. Knowing this gave me a good benefit that there was nothing hidden or a lack of surprises while our company goes on this journey.

- Support team
The Support team has been great, as someone who is more in the Quality Assurance sector than compliance officer, they have been more than helpful in guiding me through the journey of SOC2, I have been assigned a dedicated customer representative to answer any questions, but have also been grateful for feedback to help improve the application. Where questions they couldn't quite answer due to the difference on how auditors would approach a situation, they were more than handy in providing information until we obtained an auditor.

-Start and Setup
Connecting the various company systems to Drata was easy and painless, for reference we were using Google Workspace for employee administration, Github for both code repository and ticket management and AWS for our infrastructure. All were set up within minutes (if you have the right permissions in said applications to grant access for Drata)

-Frameworks
For the package that we went with first, we concentrated on SOC2 type 1 and 2, but also have the option of another compliance framework to choose from which we have yet to choose. These include ISO 27001 v2013, GDPR, HIPAA and PCI DSS although other frameworks might be available, this is just the view of other frames that I could also look to do.

The Framework details page is broken down into handy sections to do with certain aspects of SOC2 type 1. Security, Availability, Processing Integrity, Confidentiality and Privacy. Clicking into each control will advise what sections of the SOC2 framework it belongs to and provides a description of said control to help you better understand it. In the Framework section, you can also choose to mark in or out of scope said controls.

-Dashboard
The dashboard screen is a handy quick glance at where you are sitting in terms of your chosen control. It has handy areas to show how many controls are failing and a button to take you to the relevant area (Monitoring) to investigate further the failing controls, the overall % of tests passed and also a quick general view of the company overall.

-Monitoring
The monitoring page is the main bread and butter of the application from the user's perspective. This is the section that shows you all of the failing tests, what to do to fix them and to retest the failing controls. It can be broken down into sections: policy, monitored in Drata, Device, infrastructure, identity provider, version control and developer tools. This is handy so you will know who to approach in your company to fix the failing controls. When clicking on a failing control, the information provided is great. it shows you the offending account, storage or other things that is affecting it. There is a help document for that specific control to assist in fixing it as well as a button to retest the failing control.

-Personal
This is another main area of the application where I ended up spending a majority of my time, attempting to moan at my fellow co-workers into doing the necessary tasks to complete compliance. The page is great and easily shows what is left to be done, and is very satisfying when all of the ticks are green. The Drata app that is downloadable onto workstations making collecting evidence automatically about OS version, anti-virus installed and other things made it super easy.

-Policy Centre
The policy centre was handy to create and set policies with either we didn't have or thought we needed. In some cases, we imported our own for ones we already had in place, and the handy tool to create them made it easy to have a simple policy put in place. Great auditing on it, ownership and editing capabilities.


-User Account
This was easy for the staff to log in to Drata and see simple steps on what they needed to do. reviewing the policies, enabling MFA on identity provider, installing the agent, changing computer settings and completing the security training was easy.

What do you dislike about the product?

Although there are some dislikes with the platform, I have found these dislikes to be very minimal in terms of daily use

- Framework
Although the frameworks are set up to have all of the controls in place unless you speak to an advisor and or your auditor you are unsure which is mandatory and what is best practice. Making this clearer would be beneficial for smaller companies who are looking to obtain this certification without having the resources that bigger companies have to put in best practices rather than what is actually required.

- Risk Assessment
After completing the risk assessment Drata personnel are required to create the risk document for you removing the automation of the platform. After speaking with them this is something that is already in the process of being automated and was just not available to me yet.

- Setting Up Auditor
Setting up the auditor caused some confusion in the platform over the placement of dates and information. This process looks like it was created from the perspective of an auditor and a singular auditor in what they would do rather than going to check a range of auditors who might approach auditing a client differently from them, rather than taking the approach from the perspective of an end-user on the platform. The process in place is making the processes more manual for the customer rather than the auditor or automating the process completely. When explained the reasons for said processes this caused further questions as the clarity of the process made even less sense. After speaking to my customer engagement rep about this, I actually got put through and spoke with the product team who were very enthusiastic at taking my feedback to improve this further. Due to my end-user confusion, I hope that they take the feedback and look to make improvements or changes in this area as the platform is for the end-user first to make it easy for them and using technology to adjust things in place to make it easier for auditors to get the evidence they require.

- no mobile device readiness
being a super small startup, the technology we use is appropriate for the personnel in the company. Our CEO doesn't use a desktop or workstation but an IPAD, Currently there is no iPad support in place to even access the site for going through the personal checks like accepting policies and completing security awareness training.

What problems is the product solving and how is that benefiting you?

The ability to obtain the evidence required for auditing. Before and for a singular person, the task looks like a mountain. With the platform, this has made it so much easier to do the certification.

Recommendations to others considering the product:

You can either to it the hard way, or spend the cash and make it easy!

What do you like best about the product?

This Platform is easy to set up and also, incorporates your contractors and vendors.

What do you dislike about the product?

You must have Policies in place for our employees and contractors to mandate they fully comply. Otherwise, they have to manually enter evidence. Its always better when the employer decides what all employees and contractors must do.

What problems is the product solving and how is that benefiting you?

We are meeting our yearly 12-month compliance posture

Recommendations to others considering the product:

I recommend DRATA for any organization needing to meet its compliance requirements.

What do you like best about the product?

Drata has made it so simple to capture and provide evidence for SOC2 and ISO270001 controls. With their autopilot (continuous) monitoring it is even easier to see your controls and their status in action. Their integration with AWS, Azure, Github etc enable them to monitor most of the controls on continous basis.

What do you dislike about the product?

To be honest this product made SOC2 auditing and (ISO27001 certification controls) like a breeze. We are almost ready for the upcoming SOC2 auditing and based on our previous experience it feels a lot simpler and easier this time. A couple of suggestions have been passed on to Drata.

What problems is the product solving and how is that benefiting you?

Collecting evidences for SOC2 auditing has always taken a significant amount of time but with Drata's integration with Cloud providers such as AWS, Azure, Github (Source Controls) and many more have made the evidence collection process simpler. For us Drata app is source of truth for auditing and for the evidences.

What do you like best about the product?

The way the software holds your hand throughout the process is impressive. There were so many elements of our SOC2 journey that would have been missed if we had not been using Drata.

What do you dislike about the product?

The software is sometimes not intuitive for navigation.

What problems is the product solving and how is that benefiting you?

This is now our platform for compliance. We plan on doing additional frameworks after we complete our first. Knowing that I'm working on the right policies and right controls takes most of the guesswork out of getting compliant. Plus we now have a repository for all of our policies that anyone in the company can get to for reference.

What do you like best about the product?

The policy center makes it incredibly easy to fine-tune and publish policies. The connection to Google Workspace ensures that all of our employees are tracked and updated when policies change. The workstation client does a great job of ensuring basic compliance can be met. Drata onboarding support has been superb.

What do you dislike about the product?

One of the recommended vendors did not return our message. This isn't really Drata's fault, per se, but it was a small disappointment.

What problems is the product solving and how is that benefiting you?

We have a short-term problem that we have already solved -- convincing a partner that our path towards a secure environment meets their requirements. The long term problem of passing a SOC 2 audit is underway and Drata makes the roadmap super easy to follow.

What do you like best about the product?

Easy to get going and set up. Connecting core systems in 15 min and getting visibility on what I need to resolve for the audit.

What do you dislike about the product?

There is an annoying "refer customers" banner. I will and I have. Please remove the banner from my dashboard

What problems is the product solving and how is that benefiting you?

We are going for a SOC2 Type 2 audit for our SaaS platform. We are using Drata to understand what we need to get done before kicking off the audit process.

What do you like best about the product?

Provides one place for policies, active monitoring, and other artifacts needed for SOC-2.

What do you dislike about the product?

Some of the capabilities of select integrations need to mature more (e.g. fine-tuning of evidence pulled, what is/isn't monitored, etc)

What problems is the product solving and how is that benefiting you?

The active monitoring of endpoints is a platform feature that has proven beneficial.

What do you like best about the product?

I've been working at growth-stage SaaS startups for a decade and have never found another platform like Drata. The technology this team built for automating compliance goes beyond what's on the market today from the other providers claiming they make achieving compliance easy. Drata also has an awesome team of humans helping to project manage the journey to achieving SOC 2, HIPAA, ISO 27001, or whatever framework of requirements you're working with.

What do you dislike about the product?

It will be interesting to see how Drata continues to innovate on its platform considering this is becoming a crowded category. But there isn't much to dislike about Drata when you're working with such a great squad. Just go on social media to see all the shoutouts they're getting from other companies they helped to achieve compliance.

What problems is the product solving and how is that benefiting you?

The way that Drata makes it easy to project manage the compliance process, and has architected a platform to support it, makes working towards SOC 2 much easier than having to go through the process manually.

Recommendations to others considering the product:

Forget Vanta. Go with Drata.

What do you like best about the product?

There are a lot of vendors to choose from for SOC 2 automation. We chose Drata because their team has former auditors and their CEO Adam understands there is much more to SOC 2 than just checking the box for compliance. We decided to use Drata for our security and compliance automation tool to help with SOC 2 and get advice from their experts.

What do you dislike about the product?

It doesn't support serverless frameworks which is much more difficult to snapshot evidence than just a typical EC2. This makes the evidence and data collection back to manual processes for us.

What problems is the product solving and how is that benefiting you?

SOC 2 compliance automation. We are using Drata to organize our data and get our compliance evidence package as automated as possible. They have a ton of expertise on the subject and seem to be very knowledgeable about the process.

Recommendations to others considering the product:

SOC 2 expertise is a priority and they gave us a lot of guidance around the technical controls in SOC 2.

What do you like best about the product?

Drata has offered us top-notch customer service so far. Many vendors can help with SOC 2, but Drata stood out with their warm customer service. They were very flexible when dealing with requests, provided transparent info during sales calls and have made a small team like ours feel welcome. Thanks Ali and Ashley for the regular help with onboarding and prompt responses to our requests.

What do you dislike about the product?

Nothing so far. Still in the process of getting SOC 2 but it looks like Drata has all bases covered. I have suggested some improvements to their documentation - to add videos to explain the product better.

What problems is the product solving and how is that benefiting you?

We are in the process of getting SOC 2 certified. We have connected our cloud infrastructure and other resources to Drata and are monitoring it for security.

Recommendations to others considering the product:

I'd recommend Drata for their customer service and transparent dealing during Sales calls. Most products in this market are similar, so customer service is an essential point of differentiation.