Built With MongoDB: Vanta Automates Security and Compliance for Fast-Growing Businesses

Organizations pay a high price for running afoul of regulations. Several eight- and nine-figure fines have already been issued for GDPR violations in the four years since the far-reaching privacy regulation went into effect. Although the biggest fines are reserved for the biggest offenders, small businesses and startups, which can least afford financial and reputational setbacks, have no choice but to take compliance seriously.

San Francisco-based startup Vanta knows what a challenge security and compliance can be for companies. Vanta co-founder Christina Cacioppo worked on Dropbox’s collaborative document project, Paper, when she and her team encountered resistance from the company’s legal team. From legal's perspective, the Paper project was jeopardizing compliance with Dropbox’s customer contracts. Cacioppo helped found Vanta to come up with a software solution to the compliance problem.

Vanta helps companies scale security practices and automate compliance for the most prevalent data security and privacy regulatory frameworks, including SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and CCPA. The company's platform gives organizations the tools they need to automate up to 90% of the work required for security audits, and more than 1,500 customers have signed on since its founding in 2016.

Vanta is part of the MongoDB for Startups program, which helps early-stage, high-growth startups build faster and scale further, and has used MongoDB as its database of record since its inception.

Next-level security monitoring

Vanta launched in the wake of several high-profile data breaches. Although the company's founders understood that online security was becoming more important, they also knew how hard it could be for fast-growing companies to invest the time and resources needed to build a security foundation. So, they set about building a platform that could withstand not just today's threats but tomorrow's as well.

Robbie Ostrow, now engineering manager, was the first employee the company hired. "Historically, the way proving security worked was that a company would have an auditor look at its platform once a year and issue a piece of paper that says, 'you seem secure,'" Ostrow says. "We check all the same items that an auditor would check, but instead of checking 1% of it once a year, we check 100% once an hour."

Ostrow acknowledges how helpful MongoDB Atlas has been in ensuring state-of-the-art security practices. "As a security company, one thing that's really important is ensuring that our data is separate from everybody else's data and that we are not accidentally exposing random ports to the internet," Ostrow says. "One awesome thing about MongoDB Atlas is a feature called VPC peering, which allows us to take our virtual private cloud (VPC) and communicate with our database cluster while not exposing any cruft to the world."

Integration and scaling

According to Ostrow, Vanta’s decision to use MongoDB from the start has been critical to its success. "We originally chose MongoDB because it was a perfect tool with which we could prototype," Ostrow says. "But we also found that it's a great tool for production systems. And we don't really believe in MVPs for the sake of MVPs because they eventually end up becoming production systems. So luckily we chose MongoDB, which helped us prototype really quickly because we didn't have to build tooling and migrate it to another system. And then it ended up being a tool that was able to scale with us."

Once Vanta moved past an MVP, its growth was intricately tied to how fast it could integrate with other tools and build new features. "The key to the growth we've had is in the number of integrations we've been able to build and new features we've been able to add on top of those integrations," Ostrow says. "MongoDB has helped a lot to allow us to build and ship quickly without any downtime."

Vanta software engineer David Zhu agrees. "MongoDB makes it easy for us to model our data and access it in ways that are very flexible," Zhu says. "As a security company, we're monitoring a lot of different resources, and our understanding of those resources changes over time."

Flexible and familiar

As a company that prizes the ability to iterate rapidly, Vanta finds great value in the flexibility of the document model that underpins MongoDB Atlas. "We have a really strict code base," Ostrow says, "but the flexibility of the data model allows us to move quickly while still feeling safe about the changes we're making."

Getting the developer experience right is key to maximizing the productivity of a limited and costly resource. "Whenever we make changes or need to think about how we want to model our information," Zhu says, "MongoDB has the flexibility to let us make changes on the fly and speed up our development process."

Drew Gregory, a software engineer at Vanta, also highlights the benefit of familiarity when developing in Atlas. "MongoDB's API abstractions tend to feel like JavaScript and JSON objects," Gregory says. "We really enjoy trying to make our entire stack feel and look like TypeScript. So MongoDB, cosmetically, aesthetically, and even programmatically, feels like working with JavaScript the whole way down."

Zhu echoed a similar point: "Our technical stack is very straightforward. MongoDB slots right in. All of the data looks similar, and all engineers can work really easily across all aspects of our stack."

That familiarity is important at Vanta because it helps with recruiting efforts. "One thing I like to tell people I'm recruiting is that Vanta tries to move fast and not break too many things," Ostrow said. "Because we're a startup, we need to grow incredibly quickly. But we're also a security company that our customers depend on. And we want to make sure that, while we're able to ship features really quickly, we're not going to violate customers' trust while we're doing so. Hiring people who are able to do this and ensuring that the tools you're using are able to scale are really important."

To that end, Ostrow points out: "We're hiring quickly and looking for great new engineers. So get in touch if you're interested."

A program for success

Ostrow credits the MongoDB for Startups program for helping Vanta with its Atlas deployment. "MongoDB sent us a consultant who was able to help optimize the way we were using it and gave us a report with excellent advice across the board," Ostrow says. "We still refer to that report all the time."

