How Pigment kickstarted their vendor management and SOC 2 programmes
SOC 2, Vendor Risk Management, Trust Center
Proving security credentials
SOC 2 Type II’s international recognition helps Pigment prove their security credentials in the global marketplace and gives peace of mind to the upmarket clients they are pursuing.
Automating repetitive tasks
Vanta helped Pigment take their security practice from ad hoc and manual to consistent and automated. Instead of creating security policies from scratch or hiring consultants, they adapted Vanta’s policy templates to produce them quickly and easily.
Managing vendor risk
With Vanta’s Vendor Risk Management solution, Pigment gets a continually updated overview of the security status of all their vendors. They can respond quickly to security requests, speeding up the sales cycle.
“Vanta helped me to bootstrap our entire security practice from nothing in no time.”
Chief Information Security Officer, Pigment
The end of spreadsheets: Pigment shakes up the business planning process
Pigment’s aim is to help companies make better decisions and adapt to change. Founded in 2019, their platform brings business data, processes, and people into one place, effectively eliminating silos. Pigment’s two founders were trailblazers already – Eléonore Crespo is a former financial analyst at Google and a successful investor, while Romain Niccoli is a serial founder and a technology expert.
As a young business serving industry-leading companies like Figma, Klarna, and Poshmark, Pigment had a lot to prove, but their solution was an attractive one. Most businesses make critical strategic decisions based on inaccurate, incomplete, or siloed data. Pigment provides a single source of truth for their data, where all teams can easily collaborate in real-time and which is flexible enough to adjust to a complex, changing landscape.
Pigment grew quickly, and to date has raised nearly $250 million in funding over five rounds. From its headquarters in Paris, it started signing large international deals almost straight away and now has over 200 customers across top brands.
Taking security practices from zero to 100
By 2021, Pigment’s roster of clients was burgeoning, and they needed to meet customers’ compliance expectations while building out their own security infrastructure. Enter Quentin Berdugo, who was hired as Pigment’s Chief Information Security Officer. His first priority was to get SOC 2, the most sought-after security framework for SaaS companies.
“When I joined Pigment, certified security standards were a critical need to unlock sales opportunities,” Quentin says. “Our salespeople were being swamped by security questionnaires that they were ill-equipped to answer. We needed to demonstrate the maturity of our security programme and reassure our customers that their sensitive financial data is safe in our hands.”
Quentin started by doing a deep dive into the security questionnaires that customers had submitted. This helped him to understand what to prioritise as he developed Pigment’s security roadmap – single sign-on (SSO), multi-factor authentication (MFA), and encryption were revealed to be important concerns. He also wanted to invest in further securing the company’s IT environment.
Using Vanta to get SOC 2, manage vendor risk, and establish trust
The engineering team had already purchased Vanta as Pigment’s Trust Management Platform, but they had yet to explore all of its capabilities. Once Quentin joined, he began to use the Vanta Agent on all company laptops for continuous compliance monitoring. He also connected Vanta with Pigment’s identity provider (IdP), which allowed him to identify gaps in the employee onboarding process.
“It was really golden for me to have Vanta as my little helper. It had my back and would always show me where I missed something, thanks to its wide range of automated controls and integrations into the other systems Pigment maintains,” says Quentin. He soon hired two people onto the IT team to run operations and develop systems, and one onto the security team to help him solidify policies and processes. But he still had ultimate responsibility for ensuring that Pigment’s security was on point.
“When you realise you’re missing a policy, it’s super useful to start from a Vanta template to fill that gap. Rather than writing policies one by one or hiring a consultant, you have exactly what you need to kickstart your governance framework,” says Quentin.
Quentin wanted to get SOC 2 as quickly as possible; Pigment had determined that it was a business priority. Prospective customers were asking for proof that their critical data would be protected, and SOC 2 would be tangible evidence of Pigment’s commitment to security. And, out of all the security standards, SOC 2 was the one that clients were most eager to see.
Vanta helped Quentin to give them what they wanted. Within a year, Pigment had both SOC 2 Type I and Type II attestations. “With Vanta, you’re not starting from scratch. You’re walked through the process step by step so you can bootstrap everything and then make it your own. It’s like a middleman between the auditee and the auditor. It saved me a lot of time and gave me peace of mind – we could be confident that we would be successful,” explains Quentin.
As Pigment has over 100 vendors, Quentin found that assessing their security credentials manually was time-consuming and disorganised. Vanta’s Vendor Risk Management (VRM) solution gave him a comprehensive overview of Pigment’s vendors, their risk profile, category, and security review status. He could review how each vendor had been automatically categorised as low, medium, or high risk, based on factors such as their access to sensitive data and key infrastructure. This allowed Quentin to focus due diligence on the vendors that need it the most.
“We have an ever-growing and ever-changing list of vendors; we need to stay on top of them while having finite resources. Vanta helps us prioritise our risk management rationally,” says Quentin. “Vendor Risk Management helps me stay on top of all of our vendors and see at a glance which ones need an updated review. I’ve also started using the Discovery tab to check whether any shadow vendors or shadow IT are being used within our company.”
Pigment naturally needs to demonstrate their own impeccable security credentials to their customers, and they use Vanta’s Trust Center to do it. Pigment’s centralised hub contains all of their relevant security information, including a live look into the state of their security controls which is easily shareable with clients and prospects.
It has details of all the standards that they meet, including SOC 2, GDPR, and CCPA, as well as self-service answers to the most common questions raised by prospects and existing customers. Stakeholders can access the security documentation they need with a click, and any sensitive information is protected by granular access controls, click-through NDA, and watermarking.
By showcasing their security posture in real time, Pigment gets fewer incoming security questionnaires. Their sales cycle is also shortened. Their salespeople now have a one-stop shop interface that makes it easy to delegate security due diligence to the sales support team.
“The Trust Center allows some of our prospects and our customers to complete their security due diligence in a self-service fashion,” says Quentin. “They have all they need with its contents – in some cases, they don’t see the need to send in a questionnaire, ask more specific questions, or request additional documents at all. This is instrumental in scaling our business operations and avoiding unnecessary friction in the sales cycle. I suspect our customers are equally happy not to have to sit in a meeting to go over questions we could have anticipated.”
A hyper-growth phase with no signs of slowing down
With Vanta, Pigment has kickstarted their security practice and achieved SOC 2 Type I and Type II in less than a year. And they’re just getting started.
As the company invests in partnerships and channel sales to move upmarket, security scrutiny from prospects increases too. Pigment has big ambitions, and Quentin plans to use Vanta even more as he increases their security team and grows their security and compliance programmes.
As Pigment expands, Vanta will enable them to seamlessly monitor both existing and new vendors. It will also allow them to scale their quarterly access rights reviews and manage the privileges of everyone who interacts with their data and applications.
“Vanta was the turnkey tool I needed to stay on top of my priorities and make sure that I didn’t have any blind spots. It alleviated a lot of tedious work and kept an eye on things for me so I could focus on building our security programme and raising our posture.”
Chief Information Security Officer, Pigment
“Vanta continues to grow with us, and there are still a lot of things that I want to do with the platform. I like how willing they are to change, to learn from user feedback, and to cater to the individual needs of a company to help them succeed.”