How a Rapidly Scaling Energy Technology Company Achieved SOC 2 in Weeks, Unlocking New Partnerships and Strengthening Security
Base Power is the first engineering-led, technology-driven power company deploying a nationwide network of distributed batteries that strengthens critical infrastructure and saves Americans money.
"The biggest benefit of going through this exercise is being more secure by the end of it. Not only did we achieve compliance, but our internal security is now much stronger."
T.J. McGraw, IT, Base Power
Highlights
Challenges
- Base Power was growing at a rapid pace, more than tripling its workforce in a year and expecting to double that by the end of the year, making manual processes unsustainable.
- Base Power needed an automated solution urgently to meet its compliance needs.
- As Base Power sought to expand beyond Texas and forge new partnerships with rigorous security requirements, SOC 2 compliance became a strategic imperative to establish trust and credibility.
- With more RFPs coming in, the IT team needed SOC 2 to answer security questions and simplify the due diligence process overall.
Solutions
- The Secureframe dashboard provided immediate visibility, making it easy to identify gaps, understand root causes, and prioritize remediation all in one place.
- Out-of-the-box integrations with key tools like Google Workspace and Jira automated evidence collection across Base Power's tech stack without any developer resources.
- The evidence tab for failing tests provided specific, actionable context so IT could understand what needed fixing and communicate action items to the right individuals.
- Secureframe’s task management functionality enabled IT to delegate remediation work to software engineering and other departments, keeping the readiness process moving despite competing priorities.
- The platform was so intuitive that the IT member managing the SOC 2 project was able to complete all readiness work within weeks of joining the company, despite having no experience with Secureframe.
Results
- Base Power successfully achieved a SOC 2 Type 2 report through an audit that started just weeks after the IT/SOC 2 project manager joined.
- Having a SOC 2 report has directly enabled new business growth, unblocking new opportunities and partnerships across the country.
- The SOC 2 audit readiness process also helped formalize and strengthen their internal security posture, so they were not only compliant but more secure by the end.
- The company is now better positioned for future growth, with Secureframe showing them where they are now, where they need to be, and how to get there with a clear compliance roadmap and the automation to actually do it.
Challenges
A rapidly scaling energy technology company needed SOC 2 to unlock partnerships. And they needed to do it fast with a growing stack of RFPs to answer.
Base Power brings affordable, reliable energy to homeowners through backup battery solutions that offset outage risk and reduce energy costs while supporting power grid stability.
As the company began to scale rapidly and look to expand its footprint beyond Texas, meeting the security expectations of utility partners and building trust with them became a critical business priority. That meant getting SOC 2 compliant, and fast, with limited IT resources.
The company's growth trajectory was steep, and headcount was increasing quickly. At one point during this rapid growth period, a small team managed all of IT while working toward SOC 2 Type 1 compliance.
To keep up with the number of new users and growing IT and compliance demands, Base Power needed scalable, automated processes. So they implemented Secureframe.
"Any time that we can automate anything or make it easier, that's the solution we want to put in place," says T.J. McGraw, IT at Base Power. "Before I joined the company, we got Secureframe onboarded because we needed a better solution than all of the manual things that are normally required with audits."
T.J. joined the IT department when the company decided to pursue SOC 2 Type 2 compliance.
The impetus for compliance wasn't a customer mandate, exactly. As Base Power began working with new partners, RFPs and security questionnaires became increasingly burdensome for the small IT team to keep up with. They knew that SOC 2 compliance would both simplify the RFP process and signal credibility to the broader industry.
“The way that we're growing and trying to form partnerships and move outside of Texas, it's definitely a badge of honor to show that we have SOC 2 compliance and there are fewer security questions asked," T.J. explains. "So that was a big part of the decision, just trying to plan for future growth."
To unblock this next stage of growth, Base Power wanted to get SOC 2 compliant quickly, but T.J. was brand new not only to the company but also to Secureframe. His background was in IT and operations management and he had a master's in cybersecurity, but he had no prior hands-on experience navigating a SOC 2 audit through the platform.
“Secureframe made it so easy for me to onboard and hit the ground running,” he said.
Solutions
Secureframe's intuitive dashboard, automated evidence collection via integrations, and task management functionality gave a small IT team everything they needed to drive a SOC 2 audit from start to finish.
T.J. didn't have time for a lengthy onboarding process. From his first day using Secureframe, he found the platform intuitive and dove straight into work, thanks to out-of-the-box integrations with tools like Google Workspace and Jira that automatically pulled evidence across Base Power's existing tech stack and worked seamlessly.
"I could just basically look at the dashboard, and I knew what to click on and where to go, and the more that I used it, the easier it got," he recalls.
That dashboard became the operational backbone of Base Power's compliance program. At a glance, T.J. could see exactly where the company stood: how many tests were failing, what had changed since the day before, and what needed attention.
When there was a spike in failures one day, for example, T.J. quickly clicked into the failing tests, diagnosed the cause (new users had been onboarded but their MFA hadn’t been activated yet), and took action (marking those as not active yet).
"The dashboard was probably my favorite part, just being able to consolidate everything in one place and have it guide the work," he says. "At a glance, I could say, okay, we have more failures than we had yesterday, so let me click into this and see what just happened and where I need to go from there."
Thanks to the evidence tab associated with each failing test, T.J. didn’t have to guess about the source of a problem. He could see exactly where Secureframe was pulling its data and why a test wasn't passing, and then take that information directly to the team responsible for remediating it.
“It was very easy to be able to tell what is failing the test with all the software that's currently integrated into it, and then assign tasks. So we could just take that information, provide it to the right people, remediate it or mark it out of scope if it was out of scope. It was very easy,” he said.
The task assignment and management functionality proved especially important for work that required the involvement of software engineering teams. T.J. could assign remediation tasks in Secureframe, communicate the context clearly, and track progress, all within the platform.
"It was great to be able to assign those tasks out to different teams,” he explains. “I'd say, ‘Hey, I assigned these tasks in Secureframe to you, can you look at these?’ This is why it's showing it's failing. And then they'd look and say, ‘Oh, this repo is supposed to be out of scope’ and we could mark it as such, for example.”
When it came to the audit itself, Base Power worked with an audit firm they had an existing relationship with. The only back-and-forth was about items that lived outside the platform (such as documentation for users who had been terminated), so overall it was a painless experience for T.J.
"Everything specifically through Secureframe was great. Our auditors had access to everything they needed through there, and they were able to pull all the data needed for the audit," T.J. says.
Results
With a SOC 2 Type II report in hand, Base Power has been able to grow in a sector that demands extensive assurance of security.
Base Power completed its SOC 2 Type 2 audit starting just weeks after T.J. joined the company. Because of Secureframe’s deep automation and usability, he was able to serve as the primary SOC 2 project manager while simultaneously managing the full scope of a growing IT department.
The impact on the business was tangible almost immediately. As Base Power began engaging more seriously with partners across the country, the SOC 2 report became a meaningful part of nearly every due diligence process and new relationship.
“We have gotten some extra partnerships since the SOC 2 compliance, and I think a lot of that is because of SOC 2,” T.J. explains. "We had been kind of waiting until we got SOC 2 to really start reaching out to other clients and possible partners, because we knew that was going to be something they asked for.”
“We don’t exactly have direct competitors, but everybody else that has a partnership or has a client as a utility partner has SOC 2 compliance because that's a very secure industry. So it's definitely something I would say is needed at the bare minimum.”
While the SOC 2 report doesn't eliminate every security question in an RFP, it meaningfully simplifies the conversation and signals that Base Power takes data protection seriously, which is critical to breaking further into the utility sector.
“As we're doing more and more RFPs with all these different electric providers, there's all kinds of security questions in there, and it's very easy to show them that we're SOC 2 compliant, so here's our report, then just answer the rest of the questions from there.”
Beyond external credibility and assurance for new partners and clients, the compliance process strengthened Base Power's internal security posture. Security practices that had previously been informal or not in place yet were implemented and strengthened as a direct result of the audit readiness process through Secureframe.
“We were able to identify all of the flaws that we had, and remediate those because there are some things that we identified by collecting the evidence and connecting it through Secureframe that we wouldn't have necessarily flagged before. Like MFA, long, complex passwords, things that just needed to be updated or needed specific settings changed.”
MFA enforcement, strong password policies, and a culture of security awareness are now embedded in how the company operates as a result.
"I think the biggest benefit of going through this exercise is being more secure by the end of it,” T.J. says. “Not only did we achieve compliance, but our internal security is now much stronger.”
Looking ahead, Base Power is using Secureframe to map what’s next as it continues scaling toward enterprise and federal opportunities. The team is considering frameworks like ISO 27001, the NIST Cybersecurity Framework, an AI framework, FedRAMP, and more down the line.
"We want to use Secureframe to see where we are now, where we need to be, and kind of plan a roadmap for how to get there," T.J. says.
For a company growing as fast as Base Power, having a platform that can grow with them isn't just a convenience. It's a strategic advantage. And for a lean IT team that already achieved SOC 2 Type II compliance, that roadmap is already well underway.