Rewind fast-forwards SOC 2 compliance with automated evidence collection

Woman holds her credit card as she shops online with a tablet computer

Rewind protects SaaS businesses by backing up their data. They’ve backed up over 70 billion data points for top SaaS apps, including Shopify, BigCommerce, GitHub, Intuit QuickBooks Online, Trello, and others in over 100 countries. 

While Rewind already has solid security, as proven by their impressive list of clients, the company wanted to achieve SOC 2 compliance and avoid endless spreadsheets and folders.





  • Need for a formal security program that doesn’t rely on spreadsheets
  • Manually manage over 100 external applications



  • A streamlined and consistent way to provide audit evidence
  • Track employee access through an onboarding and offboarding tool
  • Allow control owners to manage their own responsibilities



  • Completion of SOC 2 Type-1 and Type-2 compliance
  • A streamlined program using one tool for policies, evidence, and tracking
  • Advanced security process that eliminated manual work and errors


Moving away from spreadsheets toward a centralized security program

Lacking a formal security program, Rewind relied on spreadsheets and folders to track everything related to security. 

For example, Rewind uses over 100 external applications and manually monitoring user application access became time-consuming.


"We needed a centralized way to manage our internal and external audits as well as governance, risk, and compliance tasks,"

Megan Dean, the Information Security and Risk Compliance Manager


Efficiency in compliance across multiple teams and roles

The onboarding and offboarding modules were huge differentiators from the competition. Being a remote company and using about 100 external SaaS applications, Rewind has no physical infrastructure. Tracking access to these external apps is critical.

In addition, employees who have been through audit processes before noticed more efficiencies in their tasks since implementing the software. For example, control owners can manage their own responsibilities rather than spend time chasing individuals.


"It’s always a challenge when shifting processes and procedures to a new way of working. Having a tool that makes these processes easier for our control owners is a big deal,"

Megan Dean, the Information Security and Risk Compliance Manager


A streamlined end-to-end process, customized for Rewind’s security needs

In October 2021, Rewind successfully completed the SOC 2 Type 1 audit; and in March 2022, they completed their SOC 2 Type 2.

Dean identified three ways a centralized security program helped achieve these results:

  1. End-to-end audit preparation, automated evidence collection, and a formalized control review with auditors
  2. Streamlined processes for user access requests, reviews, access modification, and de-provisioning
  3. Policy authoring and approval and employee review tracking is now completely centralized and managed 

Centralizing all SOC 2 tasks in one place has been an enormous success. Not only do the onboarding and offboarding modules used to track user app access make things more efficient, but automated evidence-gathering from external systems, like AWS (Amazon Web Services) and JAMF, has helped the team too.


"Leveling up our security game was most important to us," said Dave North, VP of Cloud Operations at Rewind. "As a data backup company, we have a lot of customer data we’re custodians for. We want to do everything we can to ensure this data is as secure as possible,"

Megan Dean, the Information Security and Risk Compliance Manager

You may also like


Third-Party Risk

5 Ways to save time when assessing third parties for privacy and security risks webinar

Join our webinar and learn how to save time and streamline third-party risk assessment throughout the TPRM lifecycle.

October 25, 2023

Learn more


Third-Party Risk

Live demo: Building your third-party risk management program with OneTrust

Explore how OneTrust can help you build an efficient third-party risk management program that streamlines manual processes and uncovers hidden risks.

September 28, 2023

Learn more


Third-Party Risk

Live Demo EMEA: How OneTrust can help advance your third-party risk management program

Join us for a live demo of OneTrust's third-party risk management solution and see how it can help automate and streamline your TPRM program.

September 19, 2023

Learn more