Drata helped us manage our SOC 2 compliance by automating the monitoring of our infrastructure, but overall, the platform didn't work effectively at all. Being fairly new SOC 2 compliance, understanding how the platform worked was really difficult to use. In particular, their UI shows many false positives, indicating that requirements are taken care of even when they're not. This makes it really difficult to manage and understand where we were in the process without being a compliance expert myself. A specific example of when the UI gave us a false positive is that there were several controls within the Drata platform that were completely monitored, such as ensuring that our databases are encrypted at rest. However, there are other controls that are a combination of monitored controls and manual evidence required, and they don't show that secondary requirement at all, even though it's what an actual auditor would require. Using Drata to understand the full scope of what we needed to accomplish and what we needed to provide evidence on was unsuccessful. I went back and forth between the auditor a dozen times and talked to the Drata team multiple times about trying to sort that out to ensure I actually had a punch list of things to do so that they understood the scope of what we needed, but couldn't get there. We eventually tried to cancel the subscription, but they refused, despite the platform not providing the value they promised. We attempted to get their Slack integration working so that we would be notified in real-time of any monitoring issues that were out of compliance, but ultimately, we couldn't get that to work. Drata has impacted our organization negatively, as it made the whole compliance process more complicated and cost me significant time. The complications with Drata extended the entire process by about six months and cost me probably 10 hours a week while we were still trying to get Drata to work, totaling about 40 hours of my time. I think Drata could be improved by changing it so that it reports the actual status of the controls and are more proactive about helping organizations at our stage of business get to compliance.
