CASE STUDY
Factory adheres to ISO 42001 and builds AI trust with Vanta
Factory looked to Vanta as the fastest way to SOC 2 and ISO 42001 compliance to demonstrate trust with enterprise prospects.
With Vanta, Factory became audit-ready for ISO 42001 within four weeks, giving it a concrete way to demonstrate trust in its AI practices.
By automating the requirements for ISO 42001, Factory was able to save hundreds of thousands of dollars in engineering salary.
“We’ve gone into every single deal thinking security would be the bottleneck, but thanks to Vanta, we’ve moved through these security processes a lot quicker than a lot of our peers, which has been a huge advantage.”
The company
Bringing autonomy to software engineering
Factory is on a mission to bring autonomy to software engineering. The San Francisco-based startup offers AI-powered systems called Droids that help organizations automate labor-intensive software development tasks, including code review, documentation, maintenance, and much more—empowering large development teams to build software faster and more efficiently.
Founded in 2023 and rapidly growing, Factory’s customer base largely consists of organizations with 200-1000 engineers. These enterprise organizations require that any vendor they work with, especially AI vendors, take the necessary precautions to secure their data. This came as no surprise to Eno Reyes, CTO and Co-Founder of Factory, given his prior experience at enterprise AI companies. He and his Co-Founder Matan Grinberg knew early on that to hit Factory’s revenue goals, winning trust in their AI practices would be essential.
Compliance with key frameworks emerged as the leading strategy for Factory to demonstrate its security posture to customers in a tangible way. After learning about the world of automated compliance, Factory found that Vanta integrated most deeply with its systems and shared its vision of the future of trust. Soon after signing with Vanta, Factory aligned with leading frameworks such as SOC 2, GDPR, and USDP.
The challenge
Demonstrating trust in enterprise AI
Factory became SOC 2 compliant because its early customer base demanded it. Enterprise customers within the United States wanted proof that Factory handled customer data safely, and SOC 2 is the most widely requested standard for exactly that. Eventually, customers also began asking about Factory’s policies around personally identifiable information, which led the company to adopt data privacy frameworks such as USDP and GDPR.
The team at Factory knew that, as an AI-native company, they had to demonstrate that the way they processed data was safe and secure. This meant that Factory had to be built with a security-first mindset, so the team invested in practices such as enhanced code safety, audit logging, and strict permissions enforcement. However, they needed a way to prove to prospects that these practices were actually in place without slowing down their sales cycles with security conversations.
The solution
Continuous compliance and ISO 42001 certification with Vanta
In March 2024, Vanta announced support for ISO 42001, the first industry standard with guardrails for responsible AI development and use that third-party auditors can certify against. After some research, the Factory team quickly recognized the importance of ISO 42001 and how well it aligned with Factory’s long-term security vision. They decided to implement it, knowing it would help them demonstrate trust in their AI-based products.
Factory quickly embraced Vanta’s ISO 42001 solution and had a smooth onboarding, which let them become audit-ready fast. They found that Vanta’s cross-mapping of controls let them reuse controls they had already implemented for other frameworks, significantly shortening the time to audit readiness. Factory also saw success with Vanta’s ISO 42001 automated controls, documents, and AI policy templates, all of which helped them better understand, build, and document their AI practices.
By using Vanta’s real-time control monitoring, Factory was able to continuously monitor the state of its ISO 42001 compliance. Vanta’s hourly tests and automated evidence gathering let Factory be transparent about its AI practices and continuously improve them, two key facets of ISO 42001. All in all, within four weeks of onboarding, Factory became one of the first companies to be audit-ready for ISO 42001.
“We would not be able to sell into the enterprise without compliance," says Eno. "It has made our job significantly easier to have a tool like Vanta to expedite the process.”
The impact
Increased operational efficiency and faster time to market
Since using Vanta, the Factory team has seen a meaningful reduction in the length of their sales cycles and the volume of security conversations. Using Vanta to prove compliance with SOC 2 and ISO 42001 has not only helped Factory close deals but also saved them hundreds of hours of work required to implement technical controls. “I’d estimate that it would’ve taken at least a couple hundred hours of work from two or three engineers—and these are AI software engineers in San Francisco. That would’ve translated into a huge amount of money. With Vanta, it only took us 30 hours,” says Eno.
Thanks to Vanta, the Factory team feels well-positioned for an AI-driven future as they grow and continue to sell into the enterprise.