15Five, a performance management software company operating in the HR tech sector, sought to scale its security and compliance operations while maintaining customer trust and aligning with regulatory frameworks like SOC 2 and contractual requirements from enterprise clients. The engagement focused on maintaining audit readiness, enabling continuous improvement, and embedding security and privacy practices across development and operational processes.
SOC 2 Type II Maintenance
The engagement included end-to-end ownership of the SOC 2 Type II maintenance program. This involved year-round control execution tracking, risk-based remediation guidance, and quarterly audit evidence collection aligned with the company’s defined control set. Additionally, control coverage was regularly reviewed to ensure ongoing alignment with SOC 2 trust service criteria.
As a result, 15Five maintained audit readiness throughout the year, enabling seamless third-party attestation and minimizing internal resource strain. The team gained clarity on control responsibilities and evidence expectations, which improved coordination across departments and reduced delays during the formal audit.
Trust Portal
A dedicated Trust Portal was designed and deployed to transparently communicate the company’s security posture, data handling practices, and compliance status to customers and prospects. It included real-time document access under NDA, dynamic FAQs, and structured disclosures for audit reports, security architecture, and privacy commitments.
This reduced repetitive due diligence requests from sales prospects, shortened procurement cycles, and reinforced trust with stakeholders during contract negotiations.
Automated Vulnerability Management via Snyk
The vulnerability management lifecycle was automated using Snyk, covering open-source dependencies and container images. Initial baselining and configuration ensured effective integration with existing code repositories and CI/CD processes. Policies were tuned for relevance, avoiding alert fatigue and focusing remediation on exploitable risks.
This automation significantly reduced manual overhead in the engineering team, accelerated vulnerability resolution times, and improved alignment with SOC 2 and customer security expectations.
CI/CD Security Automations via GitHub Actions
Security tasks were embedded into the CI/CD pipeline using GitHub Actions. These included secrets scanning, policy-as-code validation, and real-time compliance checks before deployments. Each integration was calibrated for low false positives and operational efficiency.
Engineering teams were empowered to catch misconfigurations earlier, reduce rework, and ship secure changes faster. Security became a proactive part of the development workflow rather than a post-deployment bottleneck.
Contractual and Technical Compliance
A comprehensive compliance review was conducted across customer contracts, data processing addenda, and relevant product features. Gaps between contractual obligations (e.g., breach notification timelines, audit rights) and technical capability were identified and addressed through updated processes, documentation, and platform configurations.
This alignment ensured that commercial agreements were enforceable in practice, reducing legal risk and enhancing credibility with enterprise customers during security reviews and contract renewals.
What was the business impact?
Through a unified and risk-prioritized approach, the company achieved year-round audit readiness, minimized contract friction, and accelerated sales through transparent communication. The combination of engineering automation, structured compliance governance, and external transparency enabled 15Five to scale trust alongside product growth, with minimal disruption to its development velocity. These outcomes were enabled by expert services provided by Up Secure.
15Five Success Story