←back to thread

Excalidraw+ Is Now SoC 2 Certified

(plus.excalidraw.com)
233 points gmays | 4 comments | 24 Jun 25 01:54 UTC | HN request time: 0.001s | source
1. alberth ◴[24 Jun 25 09:58 UTC] No.44364472[source]
What’s the easiest way to get certified?

Is it to use something like Vanta/Drata? Are they any good?

replies(1): >>44364853 #
2. mlitwiniuk ◴[24 Jun 25 11:09 UTC] No.44364853[source]
You could even use google drive with set of spreadsheets and screenshot. The biggest problem is getting through requirements, understanding what they actually mean and having some sort of framework for writing policies. But once you past that, it's manageable. Vanta/Drata just make this easier.

Vanta/Drata are big players and they're charging big time for their platform. That's why I've started working on own startups, that's meant to disrupt this for SMBs - by making it waaay more affordable (for managing compliance, not attestation/certification itself, which we don't do).

replies(1): >>44365090 #
3. alberth ◴[24 Jun 25 11:44 UTC] No.44365090[source]
One thing I really appreciate about your site is the transparent pricing—something I haven’t seen on any other platform. It also seems surprisingly affordable, assuming I’m correctly understanding what’s included.

An unsolicited suggestion: it would be helpful if you could clearly walk through how your tool supports GRC compliance. I haven’t been able to find this kind of explanation on your site—or others.

For example, something like this:

Step 1: Select a Program – Choose the compliance framework you’re targeting (e.g., ISO 27001, SOC 2, etc.).

Step 2: Guided Evidence Collection – You’re taken through a step-by-step questionnaire outlining what evidence is needed.

Step 3: Pre-Built Templates – For each requirement, you provide example templates or guidance on what needs to be submitted or completed.

Step 4: Centralized Dashboard – All responses and documents are organized into one place that can be reviewed by an auditor.

Step 5: Auditor Handoff – Once everything is ready, you recommend a third-party auditor to complete the certification process.

It would also be helpful to clarify what’s included in your offering vs. what still requires external engagement (like paying for the actual audit).

Just sharing this in case it’s helpful—apologies if I’ve misunderstood the flow above, but hopefully this illustrates the kind of clarity that might help others too.

replies(1): >>44366280 #
4. mlitwiniuk ◴[24 Jun 25 13:52 UTC] No.44366280{3}[source]
That's a great suggestion, thanks! More or less it works like so, policy drafts are auto-generated by AI, you need to go through controls and provide the evidence. To support you better on this, we allow redoing their description with your context - and that helps a lot. On top of that we're able to generate some potential risks for you (as this part is also tricky to get started with). Now I'm completing business continuity planning (again - will get AI assistance) and then we need to add incidents - that should make us a complete platform and hopefully I'll be able to do Show HN post ;) Nonetheless - thanks again, we'll add how the process looks like to the landing page.