When you're a Y Combinator-backed company with 500+ customers and growing fast, compliance can't be an afterthought. It has to move at the same speed as the product.
Floworks builds AI-powered sales agents that handle prospecting, email outreach, LinkedIn engagement, and meeting scheduling for B2B teams. Their platform processes sensitive customer data — contact information, email conversations, CRM records — at scale. Enterprise buyers expect proof that this data is protected.
Floworks had already gone through a SOC 2 engagement with a previous GRC platform. But when renewal came around, the team decided it was time for something better.
Why They Switched
Floworks had been using a popular GRC tool for their SOC 2 program. The platform got the job done, but the experience left gaps — particularly around integrations, evidence collection, and hands-on support.
At renewal, instead of re-signing, the team evaluated alternatives. What they wanted was simple:
- A platform with strong, working integrations — not ones that looked good on a features page but didn't deliver
- Better evidence collection that actually reduced manual work
- A team that would stay involved, not just hand over a dashboard and disappear
Sarthak Shrivastava, Floworks' CEO, had already been in touch with the ComplyJet team. When it was time to make the switch, the decision was straightforward.
What Made It Different
Floworks signed a long-term contract with ComplyJet covering SOC 2, ISO 27001, and GDPR — three frameworks under one platform, one price.
The onboarding was fast. Ritesh Kumar, Floworks' CTO, took point on the technical setup. Within the first week, he had connected the core infrastructure:
- AWS for production and security controls
- GitHub for source code and development workflows
- Google Workspace for identity and team collaboration
From there, the team moved quickly through the foundational work:
- Policies generated with AI — not blank templates, but drafts mapped to their actual environment and frameworks
- Employee onboarding and training kicked off across the team
- Vulnerability scanning connected through GitHub, with ComplyJet helping scope repos to filter out noise from unused code
That last point mattered. Floworks initially saw 83 open vulnerabilities flagged on the dashboard — a number that looked alarming but was inflated by old, out-of-scope repositories. ComplyJet's GitHub scoping feature let them remove unused repos from the compliance scope, bringing the real picture into focus and letting Ritesh prioritize what actually needed fixing.
The Three-Way Collaboration
One thing that stood out in Floworks' setup was how naturally the work split across the team.
Sarthak handled the organizational and business side — vendor reviews, board governance documents, and strategic decisions. Ritesh owned the engineering tasks — infrastructure hardening, vulnerability remediation, and integration setup. And ComplyJet filled the gaps — platform guidance, policy generation, MDM setup, and keeping the whole process on track.
Everything ran through a shared Slack channel. Questions got answered in hours. Blockers got cleared the same day. No tickets, no waiting.
Where Floworks Stands Today
Floworks is deep into their SOC 2 Type 2 readiness work. Here's what's been accomplished:
- All core integrations connected and monitored (AWS, GitHub, Google Workspace)
- Security policies drafted and adopted across SOC 2, ISO 27001, and GDPR
- Vulnerability scanning active with proper repo scoping
- Infrastructure security tests being worked through systematically
- Employee training and onboarding in progress
The team is building toward audit readiness across all three frameworks simultaneously — not sequentially. That's the advantage of doing multi-framework compliance on a single platform: the work compounds instead of duplicating.
From Screenshots to 365 Days of Continuous Monitoring
Here's the part that changes everything for Floworks going forward.
With their previous vendor, evidence collection was largely manual — screenshots, spreadsheets, point-in-time snapshots stitched together to tell a compliance story. It worked for the audit, but it was tedious and left gaps between evidence collection points.
With ComplyJet, Floworks now has continuous monitoring running across their entire environment. When it's time for their SOC 2 Type 2 renewal, they won't be scrambling to gather screenshots. Instead, they'll walk into the audit with 365 days of continuous monitoring data — automated, timestamped, and mapped directly to their controls.
That's a fundamentally different conversation with an auditor. Instead of "here's a screenshot from last Tuesday," it's "here's a full year of evidence showing our controls never stopped working."
For a company handling sensitive customer data at scale, that shift — from periodic proof to continuous proof — isn't just more efficient. It's more credible.
Why This Matters
Floworks' story highlights something a lot of fast-growing startups face: your first compliance vendor might get you across the line, but that doesn't mean they're the right partner for the long run.
Switching platforms at renewal feels like a risk. But for Floworks, it was the opposite — it was a chance to upgrade from a checkbox exercise to a system that actually works with their engineering team.
For YC-backed companies scaling quickly across enterprise customers, compliance needs to be a system, not a side project. Floworks is building exactly that.
Looking Ahead
Floworks is on track to complete SOC 2 Type 2, ISO 27001, and GDPR readiness. With continuous monitoring running and a compliance infrastructure designed for multi-framework coverage, they won't need to restart when the next framework comes up — they'll just add it.
When enterprise prospects ask about security, Floworks will have three frameworks' worth of proof — built on a platform they trust, by a team that actually shows up.

