Thoropass Helps Capitalize Rapidly Achieve SOC 2 Compliance with End-to-End Solution on AWS

Capitalize strives to make saving for retirement easy. The Fintech startup, launched in late 2020, helps customers seamlessly transfer their 401(k) retirement accounts from their employers to new retirement savings accounts, digitizing a formerly manual process. “We help people consolidate and manage their money in one place, instead of having multiple accounts from different jobs,” says Chris Phillips, co-founder and chief technology officer of Capitalize.

Because Capitalize collects personally identifiable information (PII) through facilitating retirement fund transactions, the company needed to comply with SOC 2, a process that examines service providers to determine that they are securely managing 3rd party data, like PII, to protect information and ensure privacy. Compliance with SOC 2 is usually a requirement during software as a service (SaaS) procurement. “SOC 2 compliance is important to us because its set of standards provides independent verification that we have all the appropriate processes and procedures in place, both for customers and our partners,” Phillips says. “We also knew we needed to be SOC 2 compliant to secure new customers and close larger deals.”

However, Capitalize didn’t have the time or resources to complete SOC 2 compliance on their own. “We’re an early-stage startup company, and we don’t have the luxury of full-time staff to manage these processes,” Phillips says. To overcome this challenge, Capitalize wanted to find a technology company to provide a compliance framework and technical support throughout the process.

Capitalize was already running its development and production IT environments on Amazon Web Services (AWS), including Amazon Elastic Compute Cloud (Amazon EC2) instances and Amazon Simple Storage Service (Amazon S3) for data storage. Capitalize also uses Amazon CloudWatch for system monitoring and AWS CloudFormation to manage compute resources. “We are a cloud-first company, and we wanted to find a solution that would integrate with the AWS services we had in place,” Phillips says. The company discovered Thoropass, an AWS Partner that provides a compliance automation platform built on AWS. “We saw that Thoropass would provide a technology platform to manage the compliance process in a sustainable and scalable way,” says Phillips.

Thoropass is part of the AWS Global Security & Compliance Acceleration (GSCA) Program and GSCA’s SOC 2 Accelerator for Startup initiative. Through the SOC 2 Accelerator initiative, end-to-end bundled compliance solutions are offered to customers via AWS Marketplace. The Thoropass SOC 2 bundle provides a complete compliance and audit solution and incorporates DuploCloud, a DevOps solution.

Capitalize worked with Thoropass to complete a SOC 2 audit using the Thoropass compliance automation platform. The solution integrates with AWS services and allows auditors to automatically pull evidence without the customer needing to take screenshots. “Our platform is designed to streamline the whole compliance process,” says Olivia Trieu, senior customer success manager at Thoropass. “We do the audit preparation and conduct the audit for the SOC 2 report documentation, while using a set of monitors that check to ensure the AWS environment is fully compliant. A customer like Capitalize submits its evidence on our platform automatically, and then it can test the evidence and send any follow-up questions within the platform.”

During the compliance process, Capitalize also implemented Amazon GuardDuty, a threat detection service that monitors AWS workloads for malicious activity. “During our work with Thoropass, we were introduced to some AWS security features we weren’t running, like Amazon GuardDuty, to have a better view into our security,” Phillips says.

Leveraging the Thoropass compliance automation platform, Capitalize benefited from a quick onboarding process and a guided gap analysis. As a result, within the span of two weeks, Capitalize successfully implemented a customized compliance program, leading to a significant reduction in the overall time required to complete the audit and attain SOC 2 compliance. “The timeline for the average SOC 2 engagement is up to two months and up to 6 months if the customer uses a traditional audit firm,” Trieu says. “Our compliance solution streamlined the entire process with its AI-infused automation and key integrations (like AWS). So, Capitalize was able to manage their entire compliance journey within a single platform and eliminate the need for spreadsheet-based and manual email follow-ups. As a result, we helped Capitalize achieve compliance faster than normal and with far less friction than a traditional audit experience.”

Phillips adds, “With Thoropass’s seamless audit experience, we were able to get the audit done in a fraction of the time it took than when I was working with bigger institutions.”

Attaining SOC 2 compliance allows Capitalize to provide assurance to both customers and partners ensuring comprehensive protection of their data. “Working with Thoropass to achieve SOC 2 compliance has been extremely helpful in demonstrating to our customers that we take security seriously and we have the appropriate policies, procedures, and controls in place that protect their data,” says Phillips. “This gives our partners and customers the confidence to work with us to facilitate their financial transactions.”

Although Capitalize is a small business, it has been able to win business with much larger enterprises due to its SOC 2 compliance attestation. “Even though we’re a startup, working with Thoropass to gain SOC 2 compliance has allowed us to ‘punch above our weight’ and work with partners of greater size, scale, and tenure,” says Phillips. “We recently announced a new partnership with a large-scale public company, and we’re looking at similar opportunities. Demonstrating our compliance has been very beneficial in facilitating serious discussions and relationships with bigger companies.”

• Achieves SOC 2 compliance faster than the typical 2-6 months

• Demonstrates a commitment to security and data protection

• Closes deals with larger companies