With Vanta, Recidiviz expands state partnerships to safeguard lives and liberties

The company

Driving equity through better technology

Working to reduce the number of people in prison across the U.S. is an admirable—and incredibly difficult—challenge. Recidiviz has taken up this mission with vigor, modernizing outdated technology to increase the success of community re-entry and improve the criminal justice system across the U.S. In just six years, Recidiviz has partnered with 19 states, working with nearly half of the country’s incarcerated population. Their efforts have transitioned 244,000 individuals out of the system and saved states more than $1.3 billion.

Trust is an essential component of this type of work. “When we expand into a new state, we’re working on projects that affect people’s liberty and lives,” says Peter Henggeler, Information Security Officer at Recidiviz. “Our ability to show a strong security and compliance posture directly impacts our mission.”

‍

The challenge

Nineteen states, each with unique compliance requirements

Recidiviz partners with 19 state agencies that each enforce unique compliance requirements. Some states use federal standards like NIST 800-53, while others layer on unique rules or have highly bespoke processes. 

“It’s difficult enough to track three frameworks and see the overlap,” Peter explains. “With 19 custom regimes, compliance quickly gets overwhelming.” 

Recidiviz needed a way to centralize frameworks, cut manual audit work, and build trust with agencies faster—without infinitely scaling headcount to address growing compliance needs. 

{{quote-2}}

‍

The solution

Automation that works like an extra member of the team

To start, Recidiviz needed to achieve SOC 2 certification to open up new opportunities with state departments. But handling the process with just four people was out of the question. Peter and his team knew they needed a partner to take on some of the logistical (and mental) workload. 

Vanta became the backbone for managing SOC 2 and also layering on overlapping frameworks and mapping custom state-level controls. The team was no longer responsible for taking screenshots and manually uploading evidence—Vanta automated everything. 

Recidiviz chose Vanta for several key capabilities, including:

• Continuous monitoring: Background checks, training completion, access management, and branch protection all run automatically.
• Custom control management: Recidiviz can build and map controls for NIST 800-53 and other state requirements directly in Vanta.
• Vendor management: Vanta’s platform replaces spreadsheets, centralizing vendor inventories and risk tracking.
• Suggested controls and tests: Peter and his team receive guidance on which controls to implement for new frameworks.

There’s a lot of babysitting in compliance work, Peter says. Vanta offloads that by automating reminders and tracking for the team. They even used the Vanta API to build custom reminder emails for training, which dramatically boosted compliance rates for the company. 

‍

The impact

From compliance busywork to meaningful impact

At a startup, it can often feel like you’re constantly working to solve operational and inefficiency issues, Peter says—this is especially true in compliance. But with Vanta’s automation and a path for every framework, everything becomes intuitive. 

For Peter’s team, this means they have the time and space to focus on higher-value work. With Vanta’s automation acting as a full-time compliance hire, Peter now spends more time improving the company’s cloud infrastructure while his teammates focus on improving security operations and platform reliability. And with compliance mapped across frameworks, Recidiviz can expand into new states faster and with a higher degree of trust from partners. 

As the organization grows, Recidiviz plans to expand their use of Vanta’s custom controls and explore automated custom tests to align with NIST 800-53. This type of flexibility will be essential to their mission of improving the criminal justice system across the country. 

{{quote-3}}

‍