A consolidated security and compliance program

Rather than relying on manual spreadsheets, Duolingo trusts Vanta as its single source of truth, creating a streamlined approach to security.

Significant time and cost savings

Duolingo is saving hundreds of thousands of dollars and up to 12 hours per week thanks to Vanta’s trust management platform.

Vendor reviews, simplified

With Vanta’s Vendor Risk Management solution, Duolingo is able to streamline the vendor review process and flag key security findings through Vanta AI.

“Everything is in Vanta—automated tests, manual tests, policies, vendor security assessments, and more. This is wonderful as it helps us express our posture to external parties and communicate our program internally.”

Mandy Matthew
Lead Security Risk Program Manager, Duolingo

The company

Proving compliance for the Duolingo English Test 

Duolingo is a language learning company whose mission is to develop the best and most accessible language education worldwide.

Alongside its consumer-facing product, the company offers the Duolingo English Test (DET), a digital-first exam designed to assess the language skills of non-native English speakers. Accepted by many prestigious universities worldwide, including top institutions in the US, UK, and Canada, the DET improves global accessibility and affordability in English proficiency testing. 

The test-taking program is contracted directly to government programs and universities, whose teams care deeply about protecting their community members’ private information. As a result, the Duolingo team must provide evidence for how they handle test taker data to prospects and customers.

The mission for Mandy Matthew, Lead Security Risk Program Manager at Duolingo, and her team was clear: achieve the ISO 27001 certification for DET to help Duolingo win more deals.

The challenge

A manual process lacking a source of truth

Having already achieved SOC 2 Type 1 with Vanta, Duolingo was familiar with the platform and knew the value it could provide. However, as they sought to achieve ISO 27001 certification for the DET, they faced a familiar challenge—a manual process with disparate information spread across various documents and spreadsheets. 

Without a single source of truth, achieving ISO 27001 would be time-consuming and challenging. This was especially true as the team knew they’d need to communicate effectively with third-party auditors. 

“Our process was extremely manual and we did not have a single source of truth that we could point to for all of our compliance information policies. It was also difficult for me to easily describe our posture to auditors and other third parties,” says Mandy Matthew.

Mandy also knew that the complexity of the control language would pose a challenge. “One of the hardest things about getting compliance certifications is mapping the language of the controls, which can be wordy and overly complicated,” she said.

The solution

A trust management platform to scale compliance and streamline vendor security reviews

Achieving ISO 27001 

Mandy and her team turned to Vanta to achieve ISO 27001 certification knowing that the platform would help simplify and expedite the entire process, as well as streamline communications with outside auditors.

Vanta helped Duolingo find an auditor that was already well-versed in the platform. The single source of truth that Vanta provided created a shared language with auditors and streamlined the experience for the DET team to communicate, provide evidence, and ultimately reach their ISO 27001 certification in 2024.

Mapping controls was also easier than expected. “Vanta translates all control language into automated and manual tests that are easy to explain and easy to provide evidence from both the engineering and the compliance side,” says Mandy.

Best of all, Mandy and her team have confidence in their program staying compliant. With Vanta’s continuous controls monitoring, Mandy can go into Vanta at any moment and see if anything falls out of compliance and receive clear steps and guidance for correction.

Saving time with Vendor Risk Management 

In order to stay compliant and reduce risk, the Duolingo team needs to ensure that their vendors are also secure. After all, the data practices of their vendors are a key factor in the company’s overall risk profile.

With Vanta’s Vendor Risk Management, Duolingo is able to manage risk across all of their in-scope vendors. Rather than spending countless hours on each review, the team is able to upload their vendors’ latest documentation and leverage Vanta AI to quickly parse what’s important. From there, the team is able to identify risks, map risks in accordance with their own risk profile, and determine which ones need remediation.

“We use Vanta for Vendor Risk Management which helps us immensely,” says Mandy. “The AI feature pulls out the most important details so that we don’t have to spend time combing vendor documentation word for word.”

The impact

A unified security and compliance program that saves time and money

Thanks to Vanta, Duolingo has been able to achieve SOC 2 Type I and ISO 27001 compliance, paving the way for business development and bigger deals. They’ve said goodbye to their spreadsheets and hello to a single source of truth. 

Duolingo did not need to spend hundreds of thousands of dollars with a professional services partner or have to hire additional employees to achieve its compliance goals. Additionally, Mandy saves 12 hours per week of her own time, which gives her substantial time to focus on other essential tasks.

Duolingo’s partnership with Vanta has created a unified security and compliance program that streamlines internal processes, simplifies vendor risk, and proves to customers that using the DET is secure.

“One feature in Vanta that has been valuable to us from the beginning is the suite of automated tests that are built in. They check for all of your resources being in compliance in real time and around the clock.”

Mandy Matthew
Lead Security Risk Program Manager, Duolingo

“As a rapidly growing security program, Vanta has saved me personally up to 12 hours per week, which lets me put that time towards developing other high priority security objectives that are mission critical for us as a business.”

Mandy Matthew
Lead Security Risk Program Manager, Duolingo