CASE STUDY
How Fern (YC W23) achieved SOC 2 compliance in 8 weeks with Vanta Quick Start
Fern saves 5 hours per week, equating to 200 hours per year, on security and compliance tasks, which frees up time for the small and nimble team to focus on essential business objectives.
Fern is on a mission to grow and is now well-positioned to sell and win deals with middle-market and enterprise companies that require security and compliance.
Thanks to its partnership with Vanta and SOC 2 Type II report, Fern has a new view on security and the guidance they need to remain secure and compliant.
"Thanks to Vanta, we achieved a spotless SOC 2 Type II audit report on our first attempt. Now, security reviews during procurement are a breeze, keeping deals moving without delays."
The company
Stripe-level SDKs and Docs for your API
Although APIs power the internet, they can be difficult to work with, as they are often untyped, unstandardized, and out-of-sync across multiple sources of truth. Fern (YC W23) seeks to change all that by helping engineering teams create easy-to-use and well-documented APIs.
Co-founders Danny Sheridan and Deep Singhvi were working at Amazon Web Services and Palantir respectively. They realized they had created internal tools to address generating Software Development Kits (SDKs) and developer documentation (Docs). The two recognized that any software company with a public API, especially those that did not have the same engineering resources, could benefit from offering a best-in-class developer experience. Thus Fern was born.
Fern offers type-safe SDKs (client libraries) in the most popular languages as well as Docs, helping make developers successful when writing an API integration. By avoiding handwriting SDKs and building their own docs website, companies can focus on building robust APIs. By generalizing a solution for thousands of companies, Fern makes it easy for engineering leaders to land on a ‘buy’ decision when doing a build versus buy analysis.
Fern’s customers range from startups like Vellum, Cartesia, and Beehiiv, to growth-stage companies including Square, Webflow, and LaunchDarkly. Danny and Deep, who lead a small and nimble team, turned to Vanta to help them gain SOC 2 compliance as well as implement controls that let management sleep better at night.
The challenge
Getting ahead of the security review conversation to win deals
The Fern team is currently focused on distribution and scaling up, serving 100+ customers with the goal of quickly reaching 1,000 and moving upmarket. To scale and sell into enterprise companies, Danny and his team wanted the security review portion of their sales process to take little time and effort. “We wanted to make security a one-time communication process as we grew,” said Danny. “We didn’t want to waste time in email threads back-and-forth with security teams.”
Danny talked to other Y Combinator founders who advised that the company become SOC 2 compliant proactively before prospects began asking for it, as it would be required by many customers. As a result, the team decided to pursue SOC 2 Type II certification. They also felt the pain of filling out extensive security questionnaires for customers and recognized how much time and resources the process required.
“It’s counterintuitive to become SOC 2 compliant before you get asked by a prospective customer. As a founder, your job is to look around corners. I had no doubt that we’d get asked for the industry-standard SOC 2 report, the only question was when,” says Danny.
The solution
Compliance automation that accelerated SOC 2
Danny talked to other Y Combinator founders about automated compliance, and many recommended Vanta, also a Y Combinator company. They also recommended getting SOC 2 Type II compliance from the get-go.
Danny saw a post about Vanta’s Quick Start offering within Bookface, Y Combinator’s founder community, which pairs Vanta with leading service partners like VioletX to gain SOC 2 compliance as quickly as possible. Given their urgent timeline to become compliant, Quick Start “seemed like SOC 2 on easy mode”, and was particularly interesting to the Fern team.
As Danny and his team explored the platform, integrations were top of mind, as well. They needed a reliable and robust Rippling integration as well as coverage for as many of their 85 SaaS tools as possible.
Thankfully, Vanta was able to provide the Fern team with an automated compliance solution that could help them accelerate the process of achieving SOC 2 Type II compliance while also streamlining security questionnaires.
The Fern team saw that Vanta’s Quick Start offering would help them accelerate the process of achieving SOC 2 Type II compliance with outside help. By partnering with Vanta and VioletX, Fern became audit-ready within 8 weeks. “VioletX answered all our questions, set up a private Slack channel, and acted as our vCISO—which all contributed to quickly getting ready for our audit,” said Danny.
Fern also decided to engage with a Vanta-approved auditor, Advantage Partners, to complete the audit process required for SOC 2 compliance. As a result, Fern was able to secure SOC 2 Type II compliance within five months of purchasing Vanta.
“Vanta had a smooth onboarding and implementation process without any quirks, which is unusual in software. They also had deep integrations with popular tools like Linear, Notion, Slack, AWS, and 1Password which were easy to set up,” says Danny.
The impact
Positioned to win deals and prioritize security while saving time
The team sees Vanta as the backbone of their security program as they strive to grow fast.
For a small, nimble startup short on time, partnering with Vanta has helped immensely. The Fern team is saving 5 hours per week, or 200 hours per year, on compliance tasks and answering security questionnaires.
Because of Vanta and SOC 2 Type II compliance, Fern has redefined what security looks like for the company as a whole, as SOC 2 Type II provides guardrails to define what good security looks like. They’ve changed how they onboard employees as they now provide security awareness training and require MFA and background checks.
“When searching for solutions, I want to see that other founders I respect are using the tools. I talked directly with founders and saw positive posts in Y Combinator forums about Vanta, which created trust.”