How Lupl achieved SOC 2 compliance in their first year with Expel MDR

Case studies · Cole Finch

A startup legal tech company shares how partnering with Expel’s security experts enabled them to achieve SOC 2 compliance in their first year of business—while building enterprise-grade security on a startup budget.

Duration: 2 minutes

Format: Video interview


Featuring:

  • Cheryl Wilson Griffin, Chief Operating Officer, Lupl


Introduction

For startups and growing companies, achieving SOC 2 compliance represents a critical milestone—one that signals trust, security maturity, and readiness to serve enterprise customers. But the path to SOC 2 compliance can be daunting, especially for lean teams balancing rapid growth with stringent security requirements.

Cheryl Wilson Griffin, Chief Operating Officer at Lupl, shares how her legal technology startup achieved SOC 2 Type 1 compliance in their first year of business by partnering with Expel—delivering big company security with little company spend.


The SOC 2 compliance challenge for legal tech startups

Cheryl Wilson Griffin: The biggest benefit of working with Expel is the expertise that they bring to the table with technology and humans and marrying that in a very unique way that a lot of other organizations aren’t doing.

Hi, I’m Cheryl Wilson Griffin. I’m the COO here at Lupl, a legal technology startup. Lupl is a legal tech SaaS platform that allows lawyers, their clients, and other parties to work together on legal matters in a way that probably has not been done before.

We tend to have a lot of very sensitive information being housed either in Lupl or connected to Lupl. The key risks are really protecting that data and making sure that none of that gets out.


Why Lupl chose Expel for SOC 2 compliance

Cheryl Wilson Griffin: We decided to work with Expel because they are a growing organization like us, but one which is leading the way.

Expel’s 24×7 security monitoring helps protect all of our operations here at Lupl—whether that’s the company infrastructure or our hosted solution where our app lives. What that allows us to do is really step back and only look at those security alerts which are the highest priority and which Expel helps us identify.


Achieving SOC 2 compliance in year one

Cheryl Wilson Griffin: Expel has been critical to the maturity of our security program. In 2021, in our first year in business, we were able to finish a SOC 2 Type 1 audit, and Expel was foundational to that.

If we were to hire a team internally to support 24×7 security operations, we would probably need four to five people at least. Expel really allows us to offer big company security with little company spend.


The partnership approach to SOC 2 compliance

Cheryl Wilson Griffin: Partnering with Expel was absolutely the right decision for our team. I’m not sure another company could have put us in a better position in terms of our security program.


Key outcomes for SOC 2 compliance at Lupl

The partnership between Lupl and Expel delivered significant results for their SOC 2 compliance journey:

First-year compliance: Achieved SOC 2 Type 1 certification in their first year of business operations—a critical milestone for selling to enterprise legal clients.

Cost efficiency: Avoided hiring 4-5 full-time security personnel to provide 24×7 coverage, dramatically reducing operational costs while maintaining enterprise-grade security.

Expert-driven approach: Combined human expertise with technology to deliver security monitoring that aligns with SOC 2 compliance requirements.

Priority-based alerting: Filtered security alerts to focus only on highest-priority threats, allowing the lean internal team to work efficiently without alert fatigue.

Comprehensive coverage: Protected both company infrastructure and hosted application environments with continuous monitoring across all critical systems.

Security program maturity: Built a foundational security program that supports ongoing compliance and customer trust.


Frequently asked questions about SOC 2 compliance

Q: What is SOC 2 compliance and why does it matter?

SOC 2 is an auditing standard developed by the American Institute of CPAs (AICPA) for assessing how service organizations securely manage customer data. Compliance with it is essential for SaaS companies, especially those handling sensitive information, because many enterprise customers require a SOC 2 report before signing contracts.

Q: Can startups achieve SOC 2 compliance in their first year?

Yes. With the right partner and approach, startups can achieve SOC 2 Type 1 compliance in their first year of operations. Managed detection and response (MDR) services provide the 24×7 security monitoring and incident response capabilities required for SOC 2 compliance without requiring a large in-house security team.

Q: How does MDR support SOC 2 compliance requirements?

MDR services help organizations meet multiple SOC 2 Trust Service Criteria, including continuous monitoring, incident detection and response, log management, and security event documentation. Leading MDR providers offer the transparency and reporting necessary to demonstrate compliance to auditors.

Q: What’s the difference between SOC 2 Type 1 and Type 2?

SOC 2 Type 1 evaluates the design of security controls at a specific point in time. SOC 2 Type 2 evaluates how effectively those controls operate over a period (typically 6-12 months). Most organizations start with Type 1 and progress to Type 2.

Q: How much does it cost to build an in-house SOC for compliance?

Building an in-house security operations center typically requires 4-6 full-time security analysts to provide 24×7 coverage, costing $400,000-$600,000+ annually in salaries alone—not including tools, training, and management overhead. MDR services provide equivalent coverage at a fraction of the cost.

Q: What security controls are required for SOC 2 compliance?

SOC 2 compliance requires controls across five Trust Service Criteria: Security (the only criterion required in every SOC 2 report), Availability, Processing Integrity, Confidentiality, and Privacy. Key requirements include access controls, encryption, security monitoring, incident response, vulnerability management, and change management.


SOC 2 compliance best practices for startups

Organizations pursuing SOC 2 compliance can learn from Lupl’s successful approach:

Start early: Begin building security controls and monitoring capabilities from day one. Waiting until you need SOC 2 certification creates unnecessary delays and technical debt.

Partner strategically: Evaluate whether building in-house security capabilities or partnering with an MDR provider makes more financial and operational sense. For most startups, MDR delivers better outcomes at lower cost.

Focus on continuous monitoring: SOC 2 requires demonstrable security monitoring and incident response. Ensure 24×7 coverage across all systems, applications, and infrastructure.

Document everything: Maintain thorough documentation of security policies, procedures, and incident responses. Auditors need evidence that controls are designed properly and operating effectively.

Prioritize efficiently: Not all security alerts require immediate attention. Work with your MDR partner to establish clear prioritization criteria so your team focuses on genuine threats.

Plan for Type 2: While Type 1 certification is an important milestone, enterprise customers increasingly require Type 2. Design your security program with this progression in mind.

Leverage expertise: SOC 2 compliance involves complex technical and operational requirements. Partner with organizations that have deep compliance experience and can guide you through the process.


The business value of SOC 2 compliance

For startups and growing companies, SOC 2 compliance delivers tangible business benefits beyond security:

Customer trust: SOC 2 certification demonstrates commitment to security and data protection, building confidence with customers and prospects.

Enterprise sales: Many enterprise customers require SOC 2 compliance before evaluating or purchasing SaaS solutions, making it a revenue enabler.

Competitive differentiation: SOC 2 certification sets companies apart from competitors who lack formal security validation.

Risk reduction: The controls required for SOC 2 compliance also reduce the risk of data breaches, downtime, and security incidents.

Operational maturity: Pursuing SOC 2 forces organizations to formalize security processes, policies, and procedures—building a foundation for scale.

Investor confidence: SOC 2 compliance signals operational maturity and risk management, making companies more attractive to investors and acquisition targets.


The future of SOC 2 compliance for growing companies

As cybersecurity threats evolve and customer expectations increase, SOC 2 compliance has become table stakes for B2B SaaS companies. Organizations that achieve compliance early gain competitive advantages in sales cycles, customer trust, and operational efficiency.

The partnership between Lupl and Expel demonstrates that SOC 2 compliance is achievable for startups and growing companies without building large security teams or spending enterprise-level budgets. With the right MDR partner providing continuous monitoring, expert analysis, and documented security controls, even first-year companies can achieve the compliance milestones necessary to compete with established players.

For legal tech companies like Lupl—and any organization handling sensitive customer data—SOC 2 compliance combined with robust security operations isn’t just a checkbox. It’s a competitive advantage that enables growth, builds trust, and protects what matters most.
