Rewind protects SaaS businesses by backing up their data. They’ve backed up over 70 billion data points for top SaaS apps, including Shopify, BigCommerce, GitHub, Intuit QuickBooks Online, Trello, and others in over 100 countries. 

While Rewind already has solid security, as proven by their impressive list of clients, the company wanted to achieve SOC 2 compliance and avoid endless spreadsheets and folders.

Highlights

Challenges

• Need for a formal security program that doesn’t rely on spreadsheets
• Manually manage over 100 external applications

Solutions

• A streamlined and consistent way to provide audit evidence
• Track employee access through an onboarding and offboarding tool
• Allow control owners to manage their own responsibilities

Results

• Completion of SOC 2 Type-1 and Type-2 compliance
• A streamlined program using one tool for policies, evidence, and tracking
• Advanced security process that eliminated manual work and errors

Moving away from spreadsheets toward a centralized security program

Lacking a formal security program, Rewind relied on spreadsheets and folders to track everything related to security. 

For example, Rewind uses over 100 external applications and manually monitoring user application access became time-consuming.

Efficiency in compliance across multiple teams and roles

The onboarding and offboarding modules were huge differentiators from the competition. Being a remote company and using about 100 external SaaS applications, Rewind has no physical infrastructure. Tracking access to these external apps is critical.

In addition, employees who have been through audit processes before noticed more efficiencies in their tasks since implementing the software. For example, control owners can manage their own responsibilities rather than spend time chasing individuals.

A streamlined end-to-end process, customized for Rewind’s security needs

In October 2021, Rewind successfully completed the SOC 2 Type 1 audit; and in March 2022, they completed their SOC 2 Type 2.

Dean identified three ways a centralized security program helped achieve these results:

1. End-to-end audit preparation, automated evidence collection, and a formalized control review with auditors
2. Streamlined processes for user access requests, reviews, access modification, and de-provisioning
3. Policy authoring and approval and employee review tracking is now completely centralized and managed 

Centralizing all SOC 2 tasks in one place has been an enormous success. Not only do the onboarding and offboarding modules used to track user app access make things more efficient, but automated evidence-gathering from external systems, like AWS (Amazon Web Services) and JAMF, has helped the team too.