How an Energy Startup Achieved SOC 2 Type 2 Compliance 12 Weeks Faster with Secureframe, Improving Security and Trust with Utilities Prospects

ElectricFish is a climate tech company developing and deploying fast EV chargers that double as backup generators for commercial and municipal sites. Its vision is to modernize the centuries-old electricity grid and eliminate the transportation sector's carbon footprint.

“SOC 2 compliance or any sort of compliance seems like this very obscure thing to attain and, especially for a smaller company, standing before an auditor can seem really scary. But Secureframe demystifies compliance and holds your hand through the entire process, which is exactly what you want—especially for the first audit that you do.”

Abhishek Vinchure, Senior Machine Learning Engineer at ElectricFish

Highlights


Challenges

  • As ElectricFish looked to expand into utility markets, SOC 2 Type 2 became a prerequisite.
  • A major U.S. utility paused discussions until the startup could provide a SOC 2 Type 2 report.
  • Without a CISO or dedicated information security team, ElectricFish also needed to standardize critical software processes.
  • A manual approach was not feasible given the team’s prioritized resources and plan to add other frameworks to its roadmap for future enterprise-grade work.
  • The pricing, people, and platform, in addition to word-of-mouth recommendations from other founders, led the team to pick Secureframe over Drata and Vanta.

Solutions

  • Integrations with its everyday vendors automated evidence collection, saving weeks of manual effort.
  • Step-by-step in-platform guidance clarified every SOC 2 control and test, often providing clearer instructions than the cloud vendors themselves.
  • Dozens of pre-built policy templates accelerated readiness and eliminated guesswork.
  • Responsive support and customer success guidance ensured every question was quickly answered.
  • Secureframe’s risk register helped formalize risk-based decision making across ElectricFish’s software and hardware operations.
  • The platform’s comprehensiveness gave the team confidence that “no stone was left unturned” in achieving compliance.

Results

  • ElectricFish completed its first SOC 2 Type 2 audit with less than two months of hands-on work—12 weeks faster than the team estimated a manual approach would have taken.
  • Within hours of sending their SOC 2 report, the utility prospect reactivated diligence after months of stalled communication.
  • SOC 2 compliance bolstered credibility in the energy sector, where few competitors have achieved similar software compliance.
  • The team gained stronger cybersecurity maturity and confidence that they could scale securely upmarket.
  • Secureframe’s combination of automation and support effectively enabled the startup “to have an IT department” without expanding headcount.

Challenges

A lean energy startup needed to standardize software security practices and meet compliance requirements—starting with SOC 2 Type 2—to unlock opportunities with utilities prospects.

ElectricFish develops and deploys fast EV charging stations using distributed energy infrastructure powered by advanced machine learning software.

As the climate tech startup started handling more and more customer data and exploring opportunities with the utilities sector, software compliance became a necessity.


“We were exploring deals with utilities, and there was one utility prospect specifically that mentioned their IT team requires SOC 2 Type 2 compliance,” says Abhishek Vinchure, Senior Machine Learning Engineer at ElectricFish. “This was one of the first utilities that we explored selling a unit to, but we foresee that most utilities in the United States will have similar requirements.”

Since this utility prospect paused discussions until ElectricFish could provide a SOC 2 Type 2 report, ElectricFish realized this would be a recurring blocker in the utility sector.

ElectricFish saw SOC 2 as both a necessary step for moving into this market and a valuable way to formalize its internal processes.


“We’re a lean startup without a dedicated CISO or information security team, so some core software processes weren’t formalized or didn’t exist yet,” says Abhishek. “So one of our other main goals was to make sure that we are doing things like the rest of the industry, and have some sort of third-party check on our software.”

As a small team, they knew automation was the way to go. While the team had seen billboards for Secureframe, Vanta, and Drata, Vince Wong, co-founder and COO of ElectricFish, reached out to other founders for recommendations, and this word-of-mouth led them directly to Secureframe.


“I put the ask out to some founders at traditional SaaS startups because I figured they would know best, and multiple recommended Secureframe. These were founders that I trusted, so I took their recommendation quite seriously. It wasn't a done deal at that point, but I told our team to basically investigate,” Vince explains.

Competitive pricing, a solid platform, and a sales and success team they felt they could trust sealed the deal.


“We met with a CSM, an account manager, and a Solutions Engineer who set up a demo for us. The software looked great and I think the price was very competitive so we signed a contract a couple weeks later,” Abhishek says.

Solutions

Secureframe delivered the automation, guidance, and support ElectricFish needed to simplify its first SOC 2 Type 2 audit from start to finish.

For a lean startup, automating as much of the evidence collection process as possible was imperative.


“I wanted to make sure that all of the vendors we use were represented on Secureframe—GitHub, Azure, Jira, for example. During onboarding and throughout, these vendor integrations were seamless,” Abhishek recalls.

The automated tests and clear in-platform guidance further simplified the process, making each SOC 2 test and next step clear even when the vendor’s own documentation wasn’t.


“Each test had a very comprehensive guide on exactly what to do for each vendor, especially for Azure. There were a lot of times where the documentation that Azure provided was not really that useful, but the documentation Secureframe provided on how to pass that test was,” Abhishek explains.

If he did have any questions, Secureframe’s support team was highly responsive.


“When I first looked at some of the tests, I wasn't sure how I would pass them, because I hadn't done SOC 2 compliance before. But Secureframe’s documentation for each test was very in-depth, and if I had any questions, I reached out to my CSM, Zach, and he messaged back immediately with an answer or flagged it with support and they finished it very quickly.”

Dozens of policy templates further simplified and sped up the audit readiness process.


“I think there's 23 or 24 different policies that we had to create for SOC 2, and it was really useful having an already compliant policy framework to use. That saved a lot of time for me,” Abhishek says.

Working with one of Secureframe’s audit partners streamlined the final step, so when the auditor requested clarification, ElectricFish could point to items in Secureframe and keep things moving.


“The auditor we went with was one of the recommended auditors with Secureframe, so it felt like there was a lot of built-in integration with the platform from their end,” Abhishek recalls.

Rather than simply checking the box for SOC 2, ElectricFish used Secureframe to improve its internal processes, particularly around vendor risk management.


“I went through every single risk in the risk register—there's more than a hundred—and analyzed them with our company in mind. It was really good to integrate that into decision-making for how we choose vendors. For example, if I'm choosing a smaller vendor and there's a risk that I've already triaged as vendor lock-in, then maybe I won't go with that vendor. That was very useful,” he explains. “That wasn't a requirement for the SOC 2 audit—that was more of us learning how to make better decisions as a company.”

Because of this visibility, the ElectricFish team carried over some risk-based decision making to their hardware scope as well.


“The Secureframe platform was very comprehensive. It seemed like there was no stone left unturned,” Abhishek notes.

Results

Achieving SOC 2 Type 2 compliance with Secureframe restarted the stalled deal with a major utility prospect and elevated ElectricFish’s security maturity.

With Secureframe and their audit partner Zero Day, ElectricFish was able to complete their SOC 2 audit work in less than two months. Without them, Abhishek estimates it would have taken at least 19 weeks, as opposed to the seven weeks he actually spent: getting set up in Secureframe before the audit window and addressing auditor requests at the end of it.


“If I were to do this manually, that would require me going to every single vendor and then looking at every single test that applies to that vendor, and then looking at the online documentation for that vendor and scoping through Stack Overflow and things like that. I think I would have spent probably every week during the audit period, which is around three months, doing that. So it would have added 12 more weeks,” Abhishek estimates.

Once the SOC 2 Type 2 report was finalized, ElectricFish sent it over to the utility prospect that had paused their months-long sales cycle earlier in the year.


“Within the same afternoon of sending over the completed report, the utility replied enthusiastically and restarted diligence,” Vince says. “It was basically night and day.”

Beyond reopening that deal, SOC 2 gave ElectricFish a competitive edge in a market where few energy companies have similar software compliance.


“Many of our competitors don’t have SOC 2 compliance. So as an energy company, especially an EV charging company, undertaking compliance really bolsters our software so we can say we have legit standalone software capabilities as well as hardware capabilities,” Abhishek adds.

ElectricFish is hopeful that its SOC 2 report will help it break into this new sector and unlock opportunities with similar prospects.


“There are other electric utilities that we are also targeting, and we're hopeful that we can use this achievement to assuage any concerns they have around our data handling and IT infrastructure,” Vince explains.

Undergoing the SOC 2 process has already given the ElectricFish team peace of mind by filling key gaps in their security program, including backup and restoration, onboarding and offboarding, and other critical controls.


“We learned a lot about compliance and improved a lot of our inside and outside processes, especially with software. How do we make sure that we have backups of our data and our computers, for example? Those processes didn't exist before,” Abhishek says. “If there was some sort of cloud outage before Secureframe, we probably would have lost that data, but now we won't. That's just one example.”

Strengthening their operational maturity and resilience in this way will be key to engaging with more stringent customers in the government as well.


“As we start scaling up and selling to more stringent customers like the federal government, they care a lot about the company that's handling their data. We handle a lot of electricity data—specifically, site load data—which might directly inform other people how much electricity a company is using at any given moment. Our batteries are also very critical electrical assets, so they are prone to cyber attacks. So it's very important that these assets and data are kept under really good measures,” Abhishek says. “This is definitely just the start of our cybersecurity journey.”

Having achieved SOC 2 Type 2 compliance and formalized their internal processes with Secureframe, the ElectricFish team has newfound confidence in how they approach security and compliance moving forward.


“Secureframe just kind of holds your hand through the entire process in a way that's necessary—especially for smaller companies that don't have an entire IT infrastructure. Essentially, for the past four months or so, Secureframe really enabled us to have an IT department.”

After experiencing firsthand how smooth the process was, ElectricFish is now one of the startups recommending Secureframe to others that want to achieve enterprise-grade compliance and security.


“SOC 2 compliance or any sort of compliance seems like this very obscure thing to attain and, especially for a smaller company, standing before an auditor can seem really scary. But Secureframe demystifies compliance and holds your hand through the entire process, which is exactly what you want—especially for the first audit that you do. When you're investing a lot of money into that audit, you want to make sure everything goes very smoothly and that your deals that have been blocked by this audit are going to be unblocked in the fastest and most efficient way possible without any hurdles,” Abhishek says.
