Webinar

Taking Compliance out of the Sales Cycle

Automate Processes to Close Deals Faster

July 21, 2020 9:00 AM

Compliance teams at B2B SaaS companies are spending up to 25% of their time being pulled into sales conversations when prospects request security and compliance documentation. Not to mention the time that Sales, Legal, and Engineering spend to coordinate and fulfill these requests. Imagine if you could skip all the run-around and radically reduce the amount of time it takes to provide prospects with the information they need to buy. Watch our webinar to learn:

  • The average time devoted to answering security questionnaires, and the impact on sales cycles.
  • The benefits of giving sales and customers self-serve access to required security documentation.
  • How security and compliance teams can start to measure their impact on growth.
  • A demo of Comply Rooms: a virtual data room you can use to circumvent these challenges and provide your customers self-serve access to security documentation.


Presented by

Rob deJuana-Matthews
Marketing
Frank Macreery
Co-Founder, CTO

Transcript

Rob deJuana Matthews (00:00):

All right. It looks like we are just at time, so I want to get started. Welcome everyone. I'm going to get started with some introductions. You've already met Rebecca and I'm Rob deJuana Matthews, Senior Product Marketing Manager here at Aptible and I'm joined by Frank Macreery, our Co-Founder and CTO. I'd like to welcome you to Taking Compliance out of the Sales Cycle. Thanks for taking time out of your day to join us.

Frank Macreery (00:35):

Thanks Rob for getting us started here and thank you all for joining. Many of you may be familiar with Aptible already, but for those of you who aren't, our mission here at Aptible is to build trust on the internet. At the heart of that is helping our customers to build trust with their own customers. What we're going to be talking about today is a very vital part of our entire mission. This is something that we also face every day ourselves. From the beginning of starting Aptible to the present, we have gone through countless cycles of needing to negotiate compliance and security details with customers, with our customers' customers.

Frank Macreery (01:12):

Everything that we're talking about today, it's not just what we're building for you, our customers, but it's something that we face on an ongoing basis, so the pain is very real. We'd love to share our experiences and get your feedback as well, so really looking forward to this conversation today.

Rob deJuana Matthews (01:29):

Thank you. And actually, as Frank said, we've gone through this a lot ourselves and also with our customers. We've found over the years that it's actually become more difficult as customers are asking companies to prove their security and compliance postures earlier. It used to be that enterprise companies would issue security questionnaires to other enterprise companies, but it's moved down market and so mid-market companies are getting dozens of hundred-question security questionnaires per week. Brand new startups are being asked to go through lengthy and expensive audit processes just to close their first deal. It's a little bit of an unpleasant process.

Rob deJuana Matthews (02:11):

In an ideal world, building customer trust is a simple conversation and it makes us all more secure, but Frank, you know this better than anyone, we don't live in an ideal world do we?

Frank Macreery (02:22):

No, not at all. Nothing is perfect and building customer trust is certainly not a one size fits all problem. There's a lot that goes into this, a lot of challenges, a lot of complexity. That's going to be what we're talking about today.

Rob deJuana Matthews (02:40):

I'm very grateful that you're here Frank because, and I will tell this to everyone, Frank knows more about customer trust than I could ever hope to learn or forget, so you're in very good hands today. Let's get started, but a few housekeeping bits. We're not going to just talk at you for 45 minutes, so at different points throughout the presentation, we're going to be issuing some polls and we want to capture your feedback here because we really want to know how you're dealing with this. We'll also have 10 minutes for Q&A at the end. So as we go along, like I said earlier, go ahead and put your questions in the Q&A tool so we can make sure to get to all of your questions. If we run long and don't, we will respond via email afterwards.

Rob deJuana Matthews (03:25):

But to cover the agenda, the current state of customer trust, we're going to go over that. We're going to talk about what better looks like, so what customer trust can be and how we're making it easier to build customer trust with Aptible Comply Rooms. We'll give you a demo. We'll have Q&A time at the end. To get started, the state of customer trust today. That's a result of the evolving state of security. Most of you work at SaaS companies. You know this, but one of the reasons why you're probably here today and the reason why we're having these problems with customer trust is that the cloud based delivery model has become the default.

Rob deJuana Matthews (04:07):

It used to be that it was on-prem or hybrid and that made security questions easy to answer. It's, "This is what we do with our environment. This is how we secure it," and your data never leaves the system, so it's always secure. All the important stuff is here. That's no longer the case. Everything is in the cloud and companies have really had no choice but to adopt it. While that has made amazing opportunities for SaaS companies to sell into the enterprise and distribute software to larger companies and to a much larger audience without having to increase their footprint, it has introduced a very heavy responsibility to prove trust. That's moved downmarket very quickly hasn't it Frank?

Frank Macreery (04:56):

Yeah. Definitely. You see smaller and smaller companies closing deals with larger and larger enterprise companies. That is the miracle of the cloud that Rob was talking about, but it also means that these companies who are buying cloud software from smaller and smaller vendors have to not only prove the value of the software that they're buying, but understand the risk that it imposes to all of the data and especially for valuable software that is being used by these companies to handle some of their most sensitive data; customer records, sales data. This can be a pretty intensive process and understandably so. Some of the things that customers will want to understand are how the data is being secured, how encryption is being managed, how access controls are being enforced across the workforce at the vendor to make sure that no personnel are inappropriately accessing information.

Frank Macreery (05:56):

The way that customers try and get answers to this question is a combination of different strategies. They might refer to a SOC 2 report that the vendor has. They might have custom questionnaires that they ask. They might use a standardized questionnaire framework like CAIQ or SIG, but ultimately, each customer has very specific requirements, specific concerns about their own data that, as part of getting through the sales cycle, they need to negotiate and understand with any vendor they work with.

Rob deJuana Matthews (06:35):

Vendors have actually started trying to streamline this process by leaning on sharing security posture and proving their compliance. They're trying to tell their security stories and show that they've achieved certifications. The way that they're doing that is through trust pages. Now, this is Slack's trust page. We're showing you because it's a great trust page, but customers that we've talked to who have pages like this say it answers about 40 to 60% of the questions that they're going to get. Even though you've taken the time to put this all together and you've talked very specifically about how you handle data and how you train your team and how you secure things, you're still going to have anywhere from 40 to 60% of your customers saying, "I need to ask you more specific questions."

Rob deJuana Matthews (07:30):

You get into a situation where you have a process that you have to deliver. This is where we want to ask the first question. How many people are involved in distributing security documentation at your company? While you answer that, Frank, do you want to tell us more about what is going on here?

Frank Macreery (07:51):

Yeah. Sure. I think one thing that was surprising for us to find out ourselves going through this process and also learning from our customers is just how complex the problem of sharing security documentation can be. We're talking about sharing SOC 2 reports, trust packets that consist of white papers, pen test reports, security questionnaire responses. It seems like something that should be relatively easy to handle, but it's not for a variety of reasons. Different customers need customized trust packets. Sometimes legal needs to get involved to negotiate NDAs and even redline NDAs. Engineering sometimes needs to get involved, usually sales engineering, to safeguard documents either by watermarking or by sending them via secure mail. By the end of the process, you've got a lot of teams using a lot of tools, taking up a lot of time just to distribute trust packets.

Frank Macreery (08:50):

I think Rob has a more detailed breakdown of what this process looks like for some of our customers.

Rob deJuana Matthews (08:56):

Yeah. It's about 11 steps to be honest. You start off before anyone requests anything, prepping that security packet that Frank was talking about. You're pulling all this information together so that you can really get it out quickly, but that still takes time. From what we've heard from surveys and questions that we've asked customers, it's about five days is an average to put that together and then you move into the sales cycle where the prospect is requesting a document. It goes to the sales team who will put it into Salesforce or an email and say, "Hey, can we get these documents for this customer?", which kicks off legal to prep an NDA. Just for the sake of argument, we're going to say that it goes into DocuSign. They get that ready and they send it to sales and say, "Okay, get the customer to sign this," and the customer sends it back to sales.

Rob deJuana Matthews (09:56):

But here, you have a lot of variability in time because a customer might look at it and sign it and say, "Cool," and that might take a day, two days, but sometimes customers want a redline. You go back and forth between the customer, sales and legal to make sure that everyone's happy before it gets signed. And then once it is, it goes back to legal. They record it and they say, "Okay, now you can send out the documents," but that's not it. So now, the watermarking that Frank was talking about has to happen. Sometimes that will go into a Jira ticket for engineering to do or sometimes compliance or even as some of our customers have it in procurement, this needs to happen, but the document needs to get watermarked and then it gets sent back to sales, who can send it to the prospect.

Rob deJuana Matthews (10:43):

It's like, "Okay, this is done right?" Well, no. The prospects also view it because a lot of time has elapsed. Now, they might have moved onto something else. You have to follow up with them to make sure that they've reviewed it. They can say, "Yeah, we'll move on to the next step." That's quite a bit, so I'm not going to spend too much time here, but these numbers that we've put together are a result of a survey that we took of B2B SaaS companies between 50 and 5,000 employees. What we saw was that it was taking about 16 days to get through this process. That's business days, so that's three weeks to go through this entire process. You think it's simple. You're like, "Yeah, sure, let's do this," but it ends up introducing a lot of time in the sales cycle.

Rob deJuana Matthews (11:33):

The question is, "Okay, well, we'll do that. We have to do it, but what's the opportunity cost? What are we spending here?" Really, it's just taking time away from other teams doing the things that they need to do. For sales, it's actually really important. It's that you're losing some time to the closing process. You're not closing deals. Sales also isn't able to go out and hunt and get those new customers in. For legal, we already know they're very busy trying to just make things happen. Security is trying to make sure that you are secure and can answer those questions well. Customer success who's slowed down renewals. It's slowing down their ability to actually support customers and onboard. For your teams, you're maybe not able to spend time on your audits, maintaining your compliance, making sure that the people are trained properly.

Rob deJuana Matthews (12:36):

One of our customers recently told us that they stack their audits. They will do ISO 27001 and SOC 2 at the same time. That doesn't leave a lot of time when they're answering questions and getting evidence to the auditors for them to go through this process. It's really hard for them because it slows down the sales cycle or they slow down their audit process. This is a pretty big thing. I'm going to go really quickly into the poll. 50% of you said that you have one to two people distributing security documentation right now. Only 7% said there's more than 10. This gets painful and I think that this is why you're here because we're talking about either just you or you and one other person trying to take care of a lot.

Frank Macreery (13:41):

As you grow, it's important to all parts of operations, but especially with what we're talking about here. We've talked to customers who have to distribute security documentation to hundreds or thousands of different customers per year. In order to make that work efficiently, you have to understand the impact of what you're doing. If you are relying on a cobbled together system of different tools, people, processes like Rob described earlier, it can be really hard to understand exactly how your efforts with compliance and specifically around distributing security documentation help move the ball forward with sales.

Frank Macreery (14:23):

This can actually lead to this dangerous misconception that we hear, which is that some companies see compliance as a cost center. They can see the money that they're spending on audits and on hiring the compliance team and they don't always see the results. That's definitely not how we think about compliance. We think that compliance is an enabler, it is a profit driver and compliance can be a very effective tool in moving the business forward and closing deals. When you have a process in place that shows you exactly how compliance is helping to win deals and in what ways, that's information that you can use to share that knowledge with your team, with executive management, with the board in order to paint a picture of exactly how compliance is helping to win deals. It's not really possible to do that when you have this fragmented approach.

Rob deJuana Matthews (15:18):

Let's take a few minutes and talk about numbers. I said earlier, we took a survey of B2B SaaS companies between 50 and 5,000 employees. This is what we got back. It's kind of shocking, not in that you're spending time doing it because we know that, but the scale of it, right Frank?

Frank Macreery (15:39):

Yeah, absolutely. The thing, though, that struck me is, again, distributing security documents seems like it should be simple, responding to security questionnaires. You can see how that could become complex, but what we found in surveying teams of different sizes is that they're actually spending just as much or even a little bit more time on distributing security documents. That plus the overall magnitude of this was pretty surprising.

Rob deJuana Matthews (16:03):

If you look at these numbers, these are per month. That's a work day a week for some teams. If there's just one or two of you doing this, it shows how it's very hard to get work done, but this also doesn't... I mean, it scales, but it doesn't in a sense scale [inaudible 00:16:25], which is really hard because we're now breaking it down by team size. We asked like, "Hey, what are your team sizes and how much time are you spending on each of these things?" At a team size of two to four, these teams are spending 50 hours combined on this. But as you grow in your businesses, [inaudible 00:16:53] that's great, but if you have a team of five to 10, if you have five people, you're doing 100 plus hours per month on each, so 200 hours.

Rob deJuana Matthews (17:05):

One of the things that I think is important to talk about, Frank, and you've said this before when we've talked about it, is that as the company scales, you expect that you'd be able to handle this better, but your compliance team doesn't scale at the rate of your sales team right?

Frank Macreery (17:20):

Yeah. No, absolutely not. What happens is the number of deals is what's really driving this number up in the demand for answering these questionnaires and responding to document requests. As your sales team grows, as the business grows, this is going to keep growing. What we've seen is that the size of the compliance team that's responsible for satisfying these customer trust requests doesn't grow quite as fast, so you need to do more with less and that can be challenging.

Rob deJuana Matthews (17:55):

To talk about the challenges, thank you for that segue, these people that we've talked to during our survey said that some of their challenges with this are... well, 62% of them said that understanding what is being asked and responding in kind is their biggest challenge and also said that... 62% also said that tracking down compliance documentation in multiple tools was a huge challenge. Those make sense. The one that's interesting to me is that 41% said keeping answer repositories up-to-date was their biggest challenge. I wanted to talk with you about this Frank because there are a couple of companies that, well, a lot of companies now, are starting to collect the answers to security questionnaires.

Frank Macreery (18:47):

Yeah. It makes sense right. So if you're getting similar questions over time and if you're getting a questionnaire with hundreds of questions, you don't want to be answering them fresh every time. Most companies do start by doing that for the first few, but then you develop answer banks that you can pull from. You try to use standardized questionnaire frameworks, like CAIQ or SIG, but keeping the answers up-to-date can be really challenging because usually they don't live in the same place that you're using to store your security controls, so there's drift and that can lead to mistakes or just a lot of headache trying to keep the two systems in sync.

Rob deJuana Matthews (19:29):

We'll talk about that a little later, but walking back an answer that someone had to give because it was in the repository but out-of-date is the worst feeling in the world. The answers to the next poll have come in. 8% of you said that you spend 51 to 100 hours a month on security document distribution. I'm sorry. 46% actually said 10 or fewer, which is interesting. That's good and that means that you're at that early growth stage so you're getting out ahead of this, which is really nice, but we're still seeing a fair few of you that are spending above 25 hours a month on this. Well, we'll get there.

Rob deJuana Matthews (20:23):

I want to make a couple of call outs here. One of the companies that we talked to said that they answer about 400 security questionnaires per year. That's 33 a week. This is a team of three, so that's 11 requests per person, per week. I don't know how they get any work done. The head of security at a large project management company told us that, four person team, they spend 100 hours a month distributing security documentation and that their biggest challenge is coordinating the back and forth with sales. You're starting to see at a certain stage of business, this becomes huge and you still don't have a very large team. We dug into that a little bit and we talked to a couple of customers who told us that there's a flow for them. We've come up with what we call the security satisfaction funnel. It goes like this.

Rob deJuana Matthews (21:31):

The customer asks the sales person, "What do you do for security?" The sales person says, "Here, check out our trust page." For 50% of those customers, they say, "Great. That answers my questions. I'm ready to move forward." The other 50% say, "I need more." They're like, "Okay, cool. Here's our trust packet." 30% say, "Okay, that satisfied me. I'm good to go," but there's still 20% who are going to ask you to answer security questionnaires. That, depending on how many customers you have, can be wild. To further put that in perspective, another company that we talked to has a similar satisfaction funnel, but they have 80,000 customers. 30% request a trust packet, that's 25,000 customers. 10% want a custom response. You're like, "Hey, 10%. That's not bad. That's actually a good percentage." Yeah, I thought so too and then I just quickly did the math. I was like, "Oh, that's 8,000."

Rob deJuana Matthews (22:39):

If you think about a year, that's 154 a week. You need a compliance platoon, not a compliance team to do that. But this is what it looks like now. This is what traditional is. But what could it be? Well, what customer trust can be is completely different from the numbers that we just talked about where the amount of work is outpacing your team. It's a system where no matter what you're doing and no matter how big your team is and no matter how your growth trajectory is going, you're able to speed up the time that it takes to get to giving the customers what they need, but also reduce the amount of time that your team spends doing it and reduce the number of hands in that process. It's this. It comes from having a single portal where you store and share your documentation. Your team goes in and they upload the documentation once and then they update it as they need to.

Rob deJuana Matthews (23:40):

Sales has the ability to take a link and send it to any prospect or customer who asks, "Hey, I need to see these documents." That, instead of taking weeks, takes minutes. A customer says, "I'd like to see these," and it's in their hands. They can execute an NDA and view the documents immediately, so there's no longer an amount of time where they can go off and do something else and get caught up in something else and now your sales process is even longer. It's really quick and it takes a lot of the cruft out. This is just the speed of the business now. As you ease the route to documentation, you bring down the time to close. It makes sense right? Well, we had another question for you. How many days does it take for your team to go through the process of document distribution? As that comes up and you answer it, I'm going to go through a few more benefits of this new state of customer trust.

Rob deJuana Matthews (24:44):

Effectively, you eliminate two big issues. You eliminate human error and you eliminate follow-up. As we all know in the traditional model with all these different departments, everyone has their own way of managing work and communicating and they have their own processes for taking care of everything that needs to be done day-to-day. That slows everything down and introduces a lot of uncertainty, so you end up spending time following up, saying, "Is this still moving? Where are we?" Or sometimes sales will send a message saying, "The customer's getting annoyed because we asked for this a week ago and they still don't have it." When you go to a single source where it's very instant, that's all gone, but you also get rid of the mistakes that happen just because, well, we're human. You don't end up getting a security questionnaire because someone forgot to send a compliance packet. You don't have to walk back an answer because someone copied and pasted something out of the repository that was old.

Rob deJuana Matthews (25:43):

You don't have the mistakes that happen as a result of humans being human in communicating. It's now automated and quick and simple. One of the other benefits that you get out of this is that you lighten the load of customer success. This one actually surprised us when we found out. But with a single portal where they can share documents, CS can let customers opt in to updates. If customers can subscribe to any new information for a specific framework that they care about and your CS team doesn't have to spend time figuring out which customers they should send an email blast to for an update, they share the link once and the customer can self serve to any automatic updates that the team sends out in the future.

Rob deJuana Matthews (26:33):

It's really cool because the CS team gets to engage one time with the customer, but the customer gets a tailored experience for the life of their engagement with your company and that improves CS's brand without adding a ton of work. The poll is closed and I want to discuss that really quickly. 30% say that it takes about five days, one to five days to take your company through the process of document distribution, but 36% said about six to 10. It was 21% who say 11 to 15. Frank, what do you think about these numbers?

Frank Macreery (27:20):

These are some big numbers, so I'm excited to show how we can bring that down to a different unit, i.e. minutes or hours.

Rob deJuana Matthews (27:28):

We talked about a couple of benefits, but how does this new state of customer trust benefit the compliance team? Well, we talked about how compliance is a growth driver, now you can measure the impact that compliance is having on business growth. You can get insight into which certifications your prospects value most. You get to say, "Companies in the healthcare vertical." They don't really ever view HIPAA, I guess it's table stakes, but they are all viewing HITRUST and that's important. You get to see if companies are viewing your security white papers rather than your SOC 2 report and you get to show which certifications are actually driving sales or which ones that you don't have are being requested so you can invest in them.

Rob deJuana Matthews (28:15):

Essentially, you get the data to prove that compliance is a growth driver rather than a cost center. All of that comes from what we've built, Aptible Comply Rooms, which is a data room solution for you, B2B SaaS teams who need to close deals quicker and who need to give customers self serve access to confidential security documentation to make their load a little lighter, but also who want to know, "Hey, how am I actually impacting the business and how can I show that I'm doing a good job?" To show that, I'm going to turn it over to Frank for the demo.

Frank Macreery (28:53):

Thanks Rob. What I'm going to show you now, I'm pretty excited to show it, is just how in a few minutes you can set up a self service trust portal so you can upload the documents that your customers need, give a custom portal experience to each one of them, send out invitations to the portal and then view how your customers are engaging with it. In order to do this, I'm going to share my screen first of all. I'm going to start from the very beginning of signing up for Aptible Comply Rooms.

Frank Macreery (29:28):

To sign up, you just need your name, email and a password. No credit card required. In order to verify your identity so that we can safely assign your room to you, we're going to need to click on a link in an email to verify your email address. As soon as you've done that, it's one step to set up organization in Comply. You need to provide an organization name so we can label your room. You have the option of picking target compliance frameworks that you are working towards. I don't actually know what those are right now, so I'm just going to decide later. I'll click finish to set up the room.

Frank Macreery (30:11):

I'm immediately dropped into my view of the room. Right now, there are no documents here. It's a clean slate for me to add. In the top right, I can see a progress bar showing my progress towards fully setting up the room and I can see all of the steps that I would need to take to set up the room. The first thing that I'm going to do is to set a Non Disclosure Agreement. Like many of you, we restrict access to these documents. There's sensitive information in all of our trust packet documents and we don't distribute them except under NDA or some other Confidentiality Agreement.

Frank Macreery (30:53):

Rooms supports two different ways to send an NDA. If you're already using DocuSign, like we are, and you already have a template with a signing role, you can install the integration with DocuSign. This will log you in. Or if you're already logged in, it'll just happen automatically. You can click to choose any of your DocuSign templates that have a signing role. I'm going to go ahead and choose our NDA that's in DocuSign. When I do that, every single customer who accesses our room is going to go through our DocuSign flow. This means that it's a full e-signing solution. If they want to redline and you have that supported with your DocuSign template, all that functionality will be supported in the room's workflow as well.

Frank Macreery (31:44):

We also support a simpler Clickwrap NDA. To use that, I would just go back and manually add text used for my Clickwrap. We provide you with some default text here, a general confidentiality notice that you can use our inline markdown editor to edit to your liking. Once you've gotten it into a state that you want, you can just confirm and now you have a simpler Clickwrap NDA. We'll show you in a little bit what this looks like from the customer's perspective. It's definitely not as full featured as a DocuSign integration, but in some cases that can be beneficial. It's just a single click for the customer to accept. It doesn't allow them to redline. In many cases, this might be a desirable flow.

Frank Macreery (32:31):

Now that I've set up an NDA, I'm going to go ahead and start adding documents to the room. The first document that I'm going to add is our SOC 2 Type 2 report. This might be a common one for many of you as well. This is kind of the heart of the trust packet and it is the most commonly requested document for us. I'm going to give it a title so that it appears properly labeled in the room and I'll subtitle it with the reporting period for the report. I have the option of restricting access to this document. I'm not going to choose that now because the SOC 2 report is actually something that we include in all of our trust packets.

Frank Macreery (33:14):

Once I save that, it appears here in the room. I can preview it, so I can see it with the watermark. This one is my email and a timestamp showing the document protection capabilities and I can make sure it looks right for the customer. I can also upload new versions. So if we get a new SOC 2 Type 2 report, I can simply update it here, save. And when I do so, I now see a version history within the document. Only I see these two versions. The customer will see just the current version. We have the power of version. We can see the version control history in the room activity and the customer just sees the latest one.

Frank Macreery (34:01):

I'm going to go ahead and add two more documents just to show how we can use Access Groups to restrict access and create customized trust packets for every one of our customers. The next doc that I'm going to upload is our pen test report. This is not something that we distribute to every single customer. There's more sensitive information here. Generally, we would only distribute this upon specific request or for customers of a large enough profile. In order to restrict access here, I'm going to create a pen test access group. What this does is it makes this document accessible only to users who are in that access group. Right now, I see an indicator that zero users will have access to this document. That's just because I haven't invited anybody yet. This would be updated based on the number of users who are a member of this access group.

Frank Macreery (35:04):

I'm going to go ahead and save that. I can see that at any time. I can filter down by access group to see just the documents in that group. The final document that I'm going to upload is our HITRUST Validated Assessment. This one is not going to be part of our default trust packet either for a different reason. It's not because it's more sensitive, it's just because it's not relevant to every customer. We would only distribute this to healthcare customers. Other customers outside of healthcare would not be interested in our HITRUST assessment. I go ahead and I created a new access group for HITRUST. I save and now I have three documents here divided into these access groups with the SOC 2 report being available to everybody.

Frank Macreery (35:57):

I'm almost ready to share this room with my first customer. But before I do that, I'm going to do a little bit of customization to my room. Instead of the default green, I'm going to style it with my own color and I'm going to upload a logo. So now, this logo and the accent color will appear in this room and in any email invitations that my customers receive. At this point, I'm fully ready. I'm going to invite the first customer to the room. In order to do that, all I need to do is provide an email address for the customer and select the access groups that they should be a part of. For this particular customer, I'm going to invite them to our pen test group since we've decided that they should see that. But because they're not a healthcare customer, we won't add them to the HITRUST group. I go ahead and send that invitation.

Frank Macreery (37:00):

On the access tab, I can see all the details of this invitation. I can see the status of whether it's been accepted. I can revoke access. You might do this after a period of time or if the customer is no longer a customer. You can re-grant access. You can resend the invitation. And finally, if you choose to, you can bypass the NDA. What this means is it will allow the customer to access your room and all of the trust packet documents that they're authorized to without having to execute an NDA. This can be useful if you're already a separate e-sign solution or the customer has an NDA in place already and you don't want to make them go through that flow again.

Frank Macreery (37:46):

Now I'm going to log out and I'm going to show you what this looks like from the customer's perspective. So going back to my email, I have an email here that is styled with the logo that I set with the accent color and with a single button to accept the invitation and access Aptible's room. Again, I just a name and a password. I'm dropped right into this vendor's tab that will include this Aptible invite and in the future, it can include other vendors who have invited me to their rooms. I go ahead and I click to view the room. Immediately, I'm prompted with an NDA that we had set earlier. I read through the NDA. I have to click to accept. I confirm. As soon as I've done so, I'm greeted with this customized trust packet that's just the documents that I was set to have access to.

Frank Macreery (38:52):

I see the SOC 2 report, the pen test report since I was granted access to that. I don't see the HITRUST report because that wasn't part of my custom trust packet. I can download any of these documents. When I do sign, now it's watermarked with my email, as expected, and timestamped. While I'm doing all of this, Comply is tracking engagement with the room and tracking all the activity. So that if I were to log back in as the original vendor that was setting up the room, I would see a full dashboard of metrics. In order to show you what this looks like, I'm going to log in as a vendor that has shared a few more documents.

Frank Macreery (39:37):

The first thing that I see as a Room's customer logging in is this Document Performance Dashboard, where at a glance, I can see how many downloads there are for each of the documents I've shared. I can also see activity across all the accounts. By account, I can see how many downloads there have been. I can see when the most recent download is. I can view account activity in greater detail. Filter. Sort. This can be very useful as your list of customers grows. And really, so at a glance, I can understand exactly how well each of my documents is performing, which of my customers are engaging with them most. If I'm a sales rep, I can know exactly when a customer has downloaded a document and I know when I can move forward with the process.

Frank Macreery (40:27):

Hopefully this gave a little bit of insight into how Rooms can help you set up a custom trust packet in a self serve portal in just a few minutes and then repeatably share that with all of your customers over time. I guess as a closing note, I want to highlight that this piece that we showed today, Comply Rooms, it's just one piece of the overall puzzle of Comply. Speaking to that trust funnel that Rob showed earlier, the funnel going from a trust page, to the trust portal, to vendor questionnaire responses, those are actually all parts of the Comply platform. We provide the ability to create a public trust page, funnel that into a trust portal and then also respond to vendor questionnaires, all in the same application. Hopefully this was useful. Hopefully there may be some good questions about this. If you have any questions about the platform or Rooms specifically, I would love to cover them in the Q&A. Thank you.

Rob deJuana Matthews (41:46):

All right. Thanks Frank. We actually have some questions that have come in. One of them is do you recommend users have access to Rooms for life or do you recommend for a period of time?

Frank Macreery (41:59):

That's a great question. If you give an access for life, that can enable ongoing updates about new SOC 2 reports or other updates to documents in the trust packet that they've received. Generally, what we do is we grant access to all of our existing customers for life. We send them an invite and then we don't revoke it. For prospects, we don't revoke access, but some customers do. We're actually soon shipping a feature to be able to send out a time based invite for the use case. That's in the product quite yet, but will be there I believe sometime in August; the ability to send out an invite, have it be time based expiry, so that can be very useful in the sales process, not only because you revoke access if the deal doesn't close, but also because it forces urgency in the process.

Rob deJuana Matthews (42:57):

I've got another question here. How does document versioning get handled in Rooms? Do customers see all the versions and pick from them or are they presented with the proper version?

Frank Macreery (43:09):

That's a great question. They only see the current version. If there are prior versions or if you upload a version in error, the customer won't see those. They only see the latest version. You as the Room owner, as the vendor, you get to see all the prior versions. You can also see... So in terms of NDA versioning, from the access tab, you can see the specific version of the NDA that the customer executed. In that NDA column, you can click on the link and it will show you the exact text that they agreed to in case you have changes in your NDA over time.

Rob deJuana Matthews (43:47):

So Frank, speaking of NDAs, there's a question here. Is there a benefit of having the customer re-sign the NDA?

Frank Macreery (43:54):

Legally, most likely not, unless it is different terms. In our case, we have an MNDA for our customers that's broader than the NDA that we use for Rooms. You might have noticed that for Rooms, we use a simple Confidentiality Agreement, which is a lot lighter weight than a Mutual NDA. The benefit there is the Confidentiality Agreement requires less redlining. There's no mutuality to it. It gets our customers access to the documents they need with less friction from their legal team. That would be a benefit to having the second document. That said, if they already have a more encompassing Mutual NDA in place, there's not really too much of a benefit to re-sign. And in fact, if you use the DocuSign integration for example, depending on how your billing is set up, you might have to pay extra for a second envelope signing of the same document.

Rob deJuana Matthews (44:54):

Cool. Thank you. I've got another question here. Can our potential customers edit or redline documents in the Room? Are those versions tracked?

Frank Macreery (45:03):

That is a great question. Right now, the documents that are shared in the Room, so the NDA can be redlined if you're using the DocuSign integration. The documents in the room themselves, those can't be edited or interacted with with the customer themselves. That said, this is a really... I'm very, very glad that you asked this, Melanie, because this is part of our roadmap for what the two way trust portal experience will be. This is on our roadmap to be able to exchange agreements and documents between customers and vendors within Comply, within the trust portal. On the idea there's a lot of documents that are exchanged as part of vendor risk assessments, not all of them are just static documents. A lot of them are agreements that have to go back and forth.

Frank Macreery (45:57):

We do want to be able to support that case. That's not part of what's in there right now though.

Rob deJuana Matthews (46:04):

I've another one. Can auditors also benefit from Rooms?

Frank Macreery (46:11):

Potentially yeah. That's a very good question. You can use rooms to share documents with any parties. I could see a situation in which you'd have a set of documents that you would want to share with your auditor. I would note that what comes more immediately to mind is the GRC functionality of our Comply platform where we have an entire set of product functionality for collecting evidence, both manually and through our automated integrations with SaaS systems and then a tool for importing evidence requests from your auditor and then automatically or manually assigning evidence items to those request lists. So basically, if your auditor sends you an evidence request list, you can import that into Comply. You can either add evidence manually or use the evidence that already exists and is automatically collected by Comply and quickly fill out those auditor request lists. That's the specific thing that comes more closely to mind.

Frank Macreery (47:25):

But in case I'm misunderstanding the case of why one would want to use rooms for an auditor, I'd love for whoever asked that to just follow up in the Q&A and I can re-answer.

Rob deJuana Matthews (47:37):

Okay. As we're waiting for that, our sales team lives in Salesforce so my team has to work there as well to make the process smoother. Does this integrate with Salesforce?

Frank Macreery (47:50):

The short answer is not yet. I know I see Kyle among the panelists, so we've got this plant in there, but I don't think Kyle actually asked this question.

Rob deJuana Matthews (48:00):

No, he didn't.

Frank Macreery (48:01):

I mention it because we do have this on our roadmap. Logistically with a Salesforce integration, the functionality that we have in mind is two way. From Salesforce, your reps will be able to directly invite their contacts or accounts or opportunities to the room with a single click from that page in Salesforce. They don't even need to change their workflow. They don't need an account in Comply to be able to do this. In terms of the reverse interaction, all of the metrics that we're collecting, the activity and engagement data from rooms, will be feeding back into Salesforce as activities on these opportunities and contacts. We'll provide canned reports that you edit to your liking so that you can take engagement data, downloads, logins from your customers into your room and tie those back to things that live in Salesforce, like revenue renewals.

Frank Macreery (49:04):

The way that our release of the Salesforce integration will work is we're planning to release it as a connected app first. This is based on how the Salesforce app marketplace works. There's a formal app marketplace that takes a period of several months to be released on. If anyone in this webinar is interested in being an early user of that initial connected app release, before this makes it on to the official Salesforce store, all of the functionality will be completed the same, security will be the same. But if you're interested in that, that will be available much sooner and we would love to talk with you.

Rob deJuana Matthews (49:46):

Cool. Thank you. We have a follow-up. They said you answered the question. They were wondering how companies being audited can leverage rooms to share docs or items that auditors requested through rooms.

Frank Macreery (50:01):

Cool.

Rob deJuana Matthews (50:03):

That looks like it for the questions. I guess we've answered everything we can. All right.

Rebecca (50:13):

Fantastic. Yeah, go ahead.

Rob deJuana Matthews (50:17):

I was just going to say, once again thank you for joining us and taking your time out of your day. If you have any other questions, you can definitely get in touch with us. We are always happy to answer any. Rebecca, Frank, anything more?

Frank Macreery (50:34):

No. Just thank you so much. I really appreciate everyone who joined, a lot of familiar names in the participants. I look forward to chatting with all of you. If we have chatted yet one-on-one, hope to continue this conversation later.





