Compliance Automation Vendor Evaluation

Status: Decision deferred. Effective 2026-05-11. Owner: Taha Abbasi (technical fit) + Asad Khalid (procurement + cost). Decision target: July 2026 (alongside funding close + SOC 2 evidence window start). Current lean: Vanta — faster, more AI-native posture, more predictable HIPAA bundle pricing. Drata is the close-second on white-glove support + on-prem feel.

Purpose

Capture the side-by-side evaluation of compliance-automation platforms so the procurement decision in July 2026 starts from a real artifact, not from scratch. Required because:

  • SOC 2 Type II evidence collection without a platform is a meaningful manual burden — 100+ controls, weekly evidence pulls, per-control auditor handoffs.
  • HIPAA continuous-compliance gets the same lift.
  • CMS EDE Phase 3 / MARS-E 2.2 is NOT pre-mapped by either vendor — the underlying NIST 800-53 R4 Moderate baseline IS pre-mapped, which gives us ~70-80% inherited coverage.

Candidates evaluated

| Vendor | Considered | Why |
| --- | --- | --- |
| Drata | Yes | Market leader; pre-positioned IAM role stubs in AWS; well-aligned with AWS-heavy stack |
| Vanta | Yes | Market co-leader; reportedly broader integration ecosystem + faster AI-native iteration |
| Sprinto | No (out of scope) | Smaller US footprint; less proven on EDE / HIPAA scale |
| Secureframe | No (out of scope) | Comparable feature set to Drata/Vanta but no compelling differentiator for this stack |

Side-by-side comparison

| Axis | Drata | Vanta |
| --- | --- | --- |
| Startup-tier base price (1 framework, ~50 FTE cap) | $9-15K/yr (Foundation) | $10-15K/yr (Core) |
| SOC 2 + HIPAA bundle (AskFlorence Year 1) | $22-28K/yr | $15-25K/yr |
| HIPAA add-on volatility (reported) | Reports of 167% jump from SOC 2-only | More predictable bundle pricing |
| AWS connector | First-class, deep coverage | First-class, deep coverage |
| MongoDB Atlas connector | First-class | First-class |
| GitHub connector | First-class | First-class |
| Google Workspace connector | First-class | First-class |
| HubSpot connector | Standard CRM connector | Standard CRM connector |
| EDE Phase 3 / MARS-E 2.2 pre-mapping | NOT pre-mapped (manual either way) | NOT pre-mapped (manual either way) |
| NIST 800-53 R4 Moderate inheritance from AWS FedRAMP | Inherited via AWS connector evidence | Same |
| White-glove onboarding support | Strong (cited advantage for ≤5-person teams) | Lighter touch, broader UX strength |
| AI-native posture | Standard | Stronger: more agentic features, faster iteration cadence (user-cited criterion) |
| Audit-firm preference / familiarity | Both equally well-known to typical SOC 2 audit firms (Prescient Assurance, A-LIGN, Schellman) | Same |
| Pre-positioned AskFlorence assets | DrataAutopilotRole IAM role deployed in all 4 accounts (placeholder trust, never used) | None; would rename existing role at signing (15-min Terraform change) |
| Switching cost | None of consequence today; rename + trust-policy swap | Same (mirror cost if switching Drata→Vanta later) |
| Risk to AskFlorence specifically | Higher HIPAA-jump risk per reported customer experiences; needs negotiation for bundle pricing | Need to confirm AskFlorence-specific quote vs the bundled-startup tier |

Pricing in context (Year 1 = July 2026 → July 2027)

| Line item | Estimate | Notes |
| --- | --- | --- |
| Platform subscription (Drata or Vanta) | $20-28K | SOC 2 + HIPAA bundle, startup tier (~50 FTE cap); actual will land after both vendors quote against real scope |
| External pen test (Bishop Fox / Trail of Bits / NetSPI tier) | $15-40K one-time | Commissioned July 2026 alongside SOC 2 vendor sign; report by Q4 2026 |
| SOC 2 Type II audit fee (Prescient Assurance / A-LIGN / Schellman) | $5-15K | Audit fires at end of evidence window (Q3 2027) |
| Total Year 1 | ~$40-83K | |

Year 2+ steady state: ~$30-50K/yr (platform + recurring audit fee + lighter pen test cadence — re-test on major architectural change rather than annual full re-test).

These are reference ranges from 2026 public data (Vendr marketplace, PriceLevel, Sprinto cost guides, Cavanex SOC 2 cost report). Actual quotes will vary 20-40% based on real scope and negotiation; per the public benchmarks, we should expect a bundle discount of 30-40% for SOC 2 + HIPAA purchased together rather than separately.

Decision criteria (weighted)

| Criterion | Weight | Drata | Vanta | Notes |
| --- | --- | --- | --- | --- |
| EDE Phase 3 coverage | 25% | Equal (manual) | Equal (manual) | Neither pre-maps EDE; both inherit AWS FedRAMP evidence |
| AWS + Atlas + GitHub + Google Workspace connector quality | 20% | Equal | Equal | Both are first-class on all four |
| Total Year 1 cost | 20% | Higher (reported $22-28K) | Lower (reported $15-25K) | Bundle-discount negotiation matters more than published tier |
| AI-native / iteration cadence | 15% | Standard | Stronger (per user-stated criterion) | Long-term operating ergonomics |
| White-glove onboarding support for a 3-person team | 10% | Stronger | Lighter touch | Important for first audit; less important Year 2+ |
| Switching cost from pre-positioned IAM role | 5% | Zero (already named for it) | 15 min (rename DrataAutopilotRole → ComplianceAutopilotRole or VantaConnectorRole) | Not load-bearing on the decision |
| Audit-firm familiarity | 5% | Equal | Equal | Both well-known to typical SOC 2 firms |

Current lean

Vanta based on:

  1. Lower expected Year 1 spend at typical AskFlorence size — $15-25K vs Drata's $22-28K for the SOC 2 + HIPAA bundle, and more predictable bundle pricing (less HIPAA-jump volatility).
  2. AI-native posture per user-stated criterion — faster iteration cadence + more agentic features matter more than white-glove for a team operating with AI-assisted compliance practice.
  3. No meaningful switching cost from the Drata-named IAM stub (15-minute rename).

Drata stays as a close second because:

  • White-glove support is real for a 3-person team's first SOC 2 audit
  • The Drata-named IAM role is already deployed and provisioned
  • If Vanta's actual quote comes in materially higher than reference range, Drata snaps in cleanly

Procurement plan (July 2026)

When funding closes and the procurement conversation opens:

  1. Both quotes — request from Drata + Vanta against AskFlorence's actual scope (FTE count, framework list, integration list, evidence-window timing). Reference ranges above are starting points, not commitments.
  2. Negotiate the bundle — SOC 2 + HIPAA together gets 30-40% off vs separate per public benchmarks. Make the bundle explicit in the quote ask.
  3. Confirm EDE-mapping support — neither vendor pre-maps EDE Phase 3, but ask each how their platform supports manual mapping. The answer affects practical Year 1 operating cost.
  4. Confirm AWS connector depth — specifically: does the connector evidence (a) IAM roles + permission sets, (b) KMS CMK rotation, (c) Secrets Manager encryption, (d) CloudTrail org-trail, (e) Security Hub findings, (f) Config snapshots, (g) GuardDuty findings? Both should be yes; verify.
  5. Confirm MongoDB Atlas connector depth — specifically: does it evidence both project IDs (prod + staging)? Both should, but the cross-cluster posture is unusual enough to verify.
  6. Sign one — commitment around July 2026 post-funding close.

At signing:

  • File the signed contract in docs/infrastructure/evidence/ per vendor register discipline
  • Update compliance-automation-integration.md to reflect connected state
  • If Vanta: rename DrataAutopilotRole → ComplianceAutopilotRole (or VantaConnectorRole), update trust-policy + ExternalId, commit Terraform change. Re-import to state if Phase 3b has completed.
  • Configure connectors in priority order per compliance automation integration
  • Begin populating the automated-vs-manual control register
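The IAM-role step above (rename the pre-positioned role and swap its trust policy + ExternalId) is the only part of signing that touches infrastructure. The following is an added Terraform example, not the project's own module: it shows the shape of a vendor connector role whose trust policy requires an ExternalId, so that only a caller from the vendor's account that also presents the per-tenant ExternalId can assume it. The vendor account ID, the ExternalId, the role name variable and the `SecurityAudit` attachment are assumptions (each vendor's setup guide specifies its own account and the exact policies it needs).

```hcl
# Added example, not AskFlorence's own Terraform. Placeholders:
#   var.vendor_account_id      - the vendor's AWS account ID from their setup guide
#   var.connector_external_id  - the per-tenant ExternalId the vendor issues
#   var.connector_role_name    - the role name chosen at signing

variable "connector_role_name" {
  description = "Connector role name; e.g. DrataAutopilotRole renamed to ComplianceAutopilotRole at signing"
  type        = string
  default     = "ComplianceAutopilotRole"
}

variable "vendor_account_id" {
  description = "PLACEHOLDER: the compliance vendor's AWS account ID"
  type        = string
}

variable "connector_external_id" {
  description = "PLACEHOLDER: per-tenant ExternalId issued by the vendor"
  type        = string
  sensitive   = true
}

data "aws_iam_policy_document" "connector_trust" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.vendor_account_id}:root"]
    }

    # Confused-deputy guard: even a principal in the trusted vendor account
    # cannot assume this role unless it presents our tenant's ExternalId.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.connector_external_id]
    }
  }
}

resource "aws_iam_role" "compliance_connector" {
  # `name` is a force-new attribute on aws_iam_role: renaming destroys the old
  # role and creates a new one. That is acceptable here because the
  # pre-positioned role has a placeholder trust and has never been used.
  name               = var.connector_role_name
  assume_role_policy = data.aws_iam_policy_document.connector_trust.json

  tags = {
    Purpose = "compliance-automation-connector"
  }
}

# Read-only evidence collection. SecurityAudit is AWS's managed read-only
# audit policy; the vendor's documented policy set may add or narrow this
# (assumption: the vendor accepts SecurityAudit as its baseline).
resource "aws_iam_role_policy_attachment" "connector_security_audit" {
  role       = aws_iam_role.compliance_connector.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
```

Two practical notes. First, because the rename replaces the role, run `terraform plan` and confirm the only destroy is the unused placeholder role before applying in each of the four accounts. Second, if the existing role was created outside this state (the "re-import to state if Phase 3b has completed" case), bring it under management first with `terraform import aws_iam_role.compliance_connector <existing role name>` so the plan shows an in-place trust-policy update rather than a duplicate create.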

Revisit triggers

Re-open this evaluation if:

  1. Vanta quote comes in materially worse than reference (e.g. >40% above the $25K Year 1 ceiling) — pivot to Drata
  2. Drata releases AI-native parity with Vanta — re-weight the AI criterion
  3. Either vendor adds EDE Phase 3 / MARS-E 2.2 pre-mapping — re-weight EDE criterion significantly (current 25% is treated as equal because both are manual)
  4. AWS adds a first-party compliance-automation service that meaningfully covers SOC 2 + HIPAA + EDE in the AWS-native stack — re-evaluate whole landscape

Reference

  • Compliance Automation Integration — connector list + onboarding plan
  • Vendor / Subprocessor Register — vendor BAA discipline (applies once vendor signed)
  • Public pricing references (2026): Vendr / PriceLevel marketplace benchmarks, Cavanex SOC 2 cost report, Sprinto vendor pricing comparisons
AskFlorence Internal Documentation. Not for public distribution.
