New York, New York
SOC 2, HIPAA, Continuous Monitoring
Nayya is a software platform that helps employees make better choices about their insurance plans.
In order to provide end users with personalized enrollment guidance, the Nayya Platform accesses health information such as insurance claim history, employer healthcare plan data, employee health records, and more. The sensitive nature of this information means strong security practices are critical - and proving this security posture to potential customers is imperative.
SOC 2 Type II and HIPAA compliance are particularly important to Nayya because a SOC 2 Type II represents the gold standard of security compliance for SaaS companies, and HIPAA compliance ensures protection of all the personal and identifiable healthcare information accessed by the Nayya platform.
Like many of our customers getting their first SOC 2, Nayya got to the “1-yard line” of a sales cycle with two large insurance companies when key stakeholders requested a copy of Nayya’s SOC 2 report. Together, Nayya and these stakeholders decided to move forward with an agreement with a commitment from Nayya to turn around a SOC 2 report within three months.
Akash Magoon, Co-Founder and CTO at Nayya, sought a solution that would lift most of the burden from their engineering team and streamline both the SOC 2 and HIPAA audit process — without hiring a full-time security and compliance professional to join their small team. After connecting with a trusted adviser, Akash was introduced to Vanta.
The team got started with Vanta and its audit partner, The Cadence Group, to conduct a three-month audit that would result in SOC 2 Type II and HIPAA compliance.
Because the team already had a background in data security, most of the technical aspects of the SOC 2/HIPAA processes were fairly painless. Most of the work was spent dialing in new processes for people management. Using Vanta’s customizable policy templates, Nayya put rigorous access and authentication restrictions in place and developed recovery and mitigation plans.
Nayya’s audit period ran from September 15 to December 15, and in January they got their SOC 2 report to the insurers who had originally requested it - as well as a number of new interested clients.
Nayya estimates that with their SOC 2 report and HIPAA-compliant status, they were able to shorten the procurement process with new prospects by half and ultimately help more customers make better healthcare decisions.