CASE STUDY
ÉTUDE DE CAS

ROLLER runs compliance across 35 countries and three concurrent audits—without adding headcount

COMPANY
ENTREPRISE
ROLLER
LOCATION
EMPLACEMENT
Austin, Texas
INDUSTRY
INDUSTRIE
SaaS
PARTNER
PARTENAIRE
EMPLOYEES
EMPLOYÉS
~300
SOLUTION
SOLUTION

Automated Compliance, Third-Party Risk Management, Trust Center, Data Privacy, Customer Commitments, SOC 2, PCI DSS, ISO 27001

VANTA CUSTOMER SINCE
ANNÉES AVEC VANTA
2024
PCI DSS scope grew from 40 to 232 controls without adding compliance headcount

Vendor surface area scaled to monitor entire vendor ecosystem

Vulnerability triage cut from thousands of alerts to a handful of critical issues per cycle

"Compliance used to be a hurdle on enterprise deals, especially overseas. Now it's the reason we can say yes to them."

Shane Burnham
Director of Security and Compliance, ROLLER

TL;DR

  • Challenge: Three frameworks, 35 countries, and a manual compliance process that couldn’t scale—while global enterprise deals demanded security credibility that the team couldn't yet deliver.
  • Solution: ROLLER consolidated SOC 2, PCI DSS, ISO 27001, risk management, and Customer Commitments onto Vanta, replacing spreadsheets and manual reviews with a single system of record that could grow with the business.
  • ROI: Compliance is now a revenue driver. The team manages hundreds of vendors and pursues enterprise accounts across global markets that it couldn't have approached two years ago, with no added headcount.

The company

Cloud-based venue management for modern attractions

ROLLER is a cloud-based software platform built for entertainment centers, parks, and attractions. Its platform covers the core operational areas venues need to run and grow, from ticketing and point-of-sale to memberships and waivers for more than 3,000 venues across 35 countries. 

The challenge

Compounding complexity, manual processes—at a time when enterprise deals required more

ROLLER’s compliance program struggled to mature in lockstep with a business scaling across dozens of jurisdictions and increasingly complex enterprise customer requirements.

For example, as transaction volume grew, PCI DSS scope jumped from roughly 40 controls to 232. ROLLER also increasingly found that prospective enterprise customers wanted to see security credibility that the team couldn’t yet deliver.

What ROLLER tried first: Policies lived in Confluence, evidence came in as screenshots, and every vendor review landed on one person— entirely manual, with no way to distribute the load. Much of that evidence still lived in spreadsheets outside their core tools.

ROLLER's pivot point: An IDP integration surfaced hundreds of applications in active use against just 125 formally tracked. Roughly 96% of the vendor surface area had no risk assessment, no ownership, and no hygiene process. At the same time, enterprise prospects were demanding custom MSAs, jurisdictional data commitments, and SLA tracking that ROLLER had no system of record to absorb.

Why ROLLER chose Vanta: The team needed multi-framework scoping, automated vendor risk at scale, and compliance that could actually support enterprise deals. ROLLER chose Vanta for its integration depth with its existing stack—Wiz, Jira Service Management, Salesforce, Rootly, and its IDP—and for framework scoping that could apply distinct evidence, scope, and SLAs per framework without duplicating work.

{{quote-2}}

The Vanta impact

Scaling security without scaling headcount

ROLLER now runs three concurrent audits, manages a 3,100+ application vendor surface area, and tracks enterprise customer commitments across 35 countries—all with a 3-person team.

Here's how ROLLER deployed Vanta:

Vanta tools and solutions ROI
Multi-framework compliance and audit management: Vanta consolidates SOC 2, PCI DSS, and ISO 27001 in a single platform, applying distinct evidence, scope, and SLAs per framework — so the same control can carry different obligations under each without forcing the strictest rule across everything. ROLLER’s auditors work directly inside Vanta, leaving comments on policies in-platform.
  • Managed PCI DSS scope expansion from 40 to 232 controls without adding headcount
  • Eliminated spreadsheet-based evidence tracking for PCI
  • Team members required for compliance work reduced from 10 to 3
  • Estimated saved 2 FTE headcount by using Vanta
Risk management: Vanta handles third-party vendor risk through AI-powered assessments and continuous monitoring, filters vulnerability noise via the Wiz integration, and distributes enterprise risk ownership across business units — replacing a manual, centralized process with an organization-wide discipline.
  • Expanded vendor coverage to 125 tracked apps to 600+ without manual review overhead
  • The team moved from manual reviews to handling escalations only
  • Cut actionable triage from 2,000–3,000 alerts per cycle to a handful of genuinely critical issues
  • Risk management shifted from a security team function to a C-suite strategic discipline
  • Risk ownership distributed across finance, GTM, tech, and other business units, with each managing 3–5 risks within their control
Customer Commitments + Data Privacy (ROPA): ROLLER now tracks jurisdictional data commitments and customer SLAs in the same platform as compliance evidence, giving the team a single system of record for enterprise requirements.
  • Enabled credible pursuit of enterprise accounts requiring custom MSAs and jurisdictional data commitments
  • Directly supports deals with large multi-location operators
Trust Center: Trust Center gives enterprise prospects self-service access to ROLLER's compliance status and certifications, reducing security review friction during the sales process.
  • Reduces back-and-forth on security reviews during enterprise deals

Compliance has shifted from a growth constraint to a competitive differentiator, and the infrastructure is in place to absorb new frameworks and enterprise requirements as the business scales.

“We had strong security instincts from the start, we just didn't have the tooling to match. Compliance tracking and audits ran through Confluence, screenshots, and spreadsheets, which was labor-intensive and didn't scale as we took on more frameworks.”

Shane Burnham
Director of Security and Compliance, ROLLER
Shane Burnham
Director of Security and Compliance, ROLLER