SaaS is Eating Software ⦨ Sprinto Co-Founder & CEO Girish Redekar ⦨ Midstage Institute


Show Notes

For B2B SaaS companies, keeping data safe and secure has become increasingly important. However, meeting compliances for privacy and security can be problematic and time-consuming. Fortunately, young startup Sprinto is bringing some much-needed relief to this pain point.

Sprinto co-founder and CEO Girish Redekar was a guest on this week’s episode of the Midstage Startup Momentum Podcast with Roland Siebelink. The two talked about Sprinto’s early success and a slew of other topics related to the startup world.

  • How and why Sprinto created an end-to-end solution to the problem it solves.
  • Why focusing on a specific niche was key to Sprinto’s early success.
  • Why Sprinto’s value to its customers is in part due to its end-to-end approach.
  • The business benefits of Sprinto using a functional programming paradigm.
  • The two macro trends Girish sees happening in the SaaS space.
  • Why founders should always take advice from other founders with a grain of salt.


Roland Siebelink: Hello and welcome to the Midstage Startup Momentum Podcast. My name is Roland Siebelink and I'm an ally and coach and advisor to many of the fastest growing startups around the world, one of which is with us in our studio once again today, and it is Sprinto. And we have with us the co-founder and CEO Girish Redekar. Hello, Girish. Thank you for joining.

Girish Redekar: Hi, Roland. Thanks for having me.

Roland Siebelink: Absolutely. The first question is always the same. What does your company do? What makes you different? And who do you impact with what difference in the world?

Girish Redekar: Sprinto helps other B2B SaaS companies obtain security and privacy compliances at one-tenth the effort. In turn, this helps our customers actually accelerate revenue, close high ticket deals, and pass vendor security assessments with ease. Updating these compliances conventionally took months, but we do this by automating all the busy work involved, and that's how you get the benefit that you get. By nature, our customers are cloud-hosted B2B software companies. Conventionally, this used to be happening manually. There are a few other ways to do this, including some software-based tools. Where Sprinto is different is that we take a very end-to-end approach to this entire thing. We automate not just the implementation and the operation of the security program, but even the audits, which are the most dreaded part of this entire equation. I know this sounds like a gobbledygook of acronyms, but I'm sure that SaaS sales people have heard of these and perhaps dread these. And it usually means that the deal is going to take a while to close and Sprinto just helps you get these compliances out of the way so that you can focus on things that help you close some of these high-ticket deals. That's at a very high level what we do.

Roland Siebelink: Okay. I love it. That's a very good summary. Much better than sometimes what I hear from CEOs when I really have no idea what they're talking about, but this is awesome. You already mentioned your core customers are B2B cloud-hosted software companies. The core buyer there seems to be a chief security officer, similar profiles. Some maybe are not quite an officer yet at that stage. How big would you say the typical client is? At what stage do they become worried about security compliance, passing audits, and things like that?

Girish Redekar: That's a great question. This honestly varies a lot. The person on the other side is sometimes the chief security officer or somebody in the information security seat. But often these are very young companies where this falls into the laps of the CTO in the company. These are companies of smaller sizes. Honestly, we've worked with companies that are really small - five employees or fewer, and they just need these compliances for their first pilot because they are an enterprise-first company and they just have to look into this, even for the first customers - right up to companies that are thousands of employees. We see quite a range.

Roland Siebelink: Can you tell us a little bit about the history of Sprinto? How did you come about? What gave you the idea? Who did you found it with? I want to hear everything.

Girish Redekar: This was a big incident. This is not my first SaaS company. Me and my co-founder at Sprinto, we ran a B2B SaaS company before this called Recruiterbox. We're both engineers, so we're both developers. We wrote a whole bunch of code at both Recruiterbox and Sprinto. But one of the things that happened in my previous bootstrap company was that we were a largely SMB business. No matter what you do, you're always going to get a few whales down your pipeline. You don't want to lose them; you want to convert.

Roland Siebelink: I was going to say, "Oh no, there's a whale coming." No company ever said that.

Girish Redekar: Exactly. It's extremely hard to let them go, even though they may not be part of your strategy overall. And specifically, at Recruiterbox, we were also trying to go a little bit more up market. And that's when we were coming across a bunch of these security questions and we were asked to become software compliant and so on and so forth. And we always kicked the can a little further down the road because this whole thing looked fairly opaque. We had no idea how to go about these things. At one point, we decided to bite the bullet and get this done. We went through this process where we hired a consultant and they would sit in our office and spend hours trying to understand the security posture, trying to get us to a point where we could actually get ready for an audit. Long story short, I wouldn't say it was a very pleasant experience. We ended up pushing a bunch of other engineering things down further along so that we could make space for this. And it turned out to be a lot of manual busywork at the end of the day. Fast forward, we exited the company. We took a year's break. And then we were thinking about ideas of what to do next. This was one of the half a dozen ideas that we were looking at fairly closely. And it helped to have some personal context to it about why this was painful. And we were researching that a little bit further to see if we were alone in this problem. And it turned out, when we spoke with a bunch of other fellow founders that this wasn't the case. The long story short is it came out of a personal pain point. We did some research to figure out whether this was a wide enough problem, and it turned out it was. I've been constantly surprised ever since by how widespread the problem really is. In that way, it turned out to be good.

Roland Siebelink: Excellent. Okay. Very good. And that's how Sprinto got started. I think it's usually a pattern of some of the best startups when they are built around the problem that the founders personally have experienced and when you can essentially hack around to find a better solution. It sounds like the traditional process is really manual, is essentially a consulting job where people sell you their expertise and help you check boxes essentially. How do you replace that with software?

Girish Redekar: That's a great question. I think the first good decision that we made in that process is we focused on a very specific niche. We only work with cloud-hosted companies. The way these compliance programs work, their implications or the way you meet the requirements are very different depending on the kind of setup you have. If you're a company which for whatever reason hosts data on its own premises or runs its own data centers - those are increasingly rare - if you're doing that sort of thing, the requirements of this program are very different. It's a very different thing if you're not a product company but a software services company, the requirements are different and so on. I think the first thing we figured is you narrow down on the problem, and then you can start looking at this in a very specific manner. The second thing that Sprinto does is we integrate with a bunch of tools and services that a modern technology company would use. Like a cloud-storage company would typically be hosted on AWS or Azure or Google Cloud. We integrate with the services and help you maintain a security posture on these services. We'll integrate with your version control system that you will be using. Platforms like GitHub or GitLab or Bitbucket or any of those. We integrate with those as well. We'll integrate with your HRMS systems or whatever you use to maintain an identity system, whether that's Okta or any other HRMS system. The broad idea is that we integrate with a bunch of systems that you already use as a company.

Roland Siebelink: The standard stack for a B2B SaaS company, in a way?

Girish Redekar: Yes. And we have a very broad range of such integrations. And what we do with each of these is we've translated the auditor's requirements, which will be complex jargon and audit speak, and converted it to simple-to-understand business or technical requirements, which we implement via these integrations.

Roland Siebelink: Okay. You mentioned that one point of differentiation - a strong differentiation I would say - is that you also take care of that audit. Does that mean you interact directly with the auditors? And what does that mean for your business model? Does that mean you have a sizable services component next to just purely the software model?

Girish Redekar: That's a great question. We don't have a sizable services component. But this was one of the things that we look very closely at from the beginning of the business; we realized that auditors are first-class stakeholders in this entire equation. And we actually worked very closely with auditors in our early days. Our favorite pastime in the early days was to get ourselves audited. I think we got audited more than a dozen times. And the idea was to learn the ropes and understand what auditors really care about. The way Sprinto is actually built is that with each auditor that we work with, we understand the requirements and the requirements are actually embodied in our software. And the entire software is built on top of those requirements. What really happens as a result is each auditor can be a little bit specific about how they want to conduct their audit, how they want to receive the evidence, or how they want to catalog the evidence and format and so forth. And those are deeply intertwined with their internal processes. And Sprinto is unique in a manner that we have actually mapped out those exact requirements and these processes within our software. What that really means is while on the other side, the customers are doing very simple things, the auditors still get what they want, and it's nobody's manual job to do all the work around collecting all of this evidence, cataloging it, grouping it correctly, formatting it, and then showing it to the auditor and then figuring out that everything is okay or not. That's happening in software. We spent a ton of time and effort to make sure that this happens in an end-to-end manner. And that's really what really gives the value.

Roland Siebelink: Okay. It's almost like a loose coupling architecture that you set up where the client can build their side of the report and then you can produce it in whatever kind of format the auditor wants to see it?

Girish Redekar: Yeah. Somewhat like that. And that's really the powerful thing about the software. You could change your auditor tomorrow and voila.

Roland Siebelink: That was going to be my next question. Great minds think alike here. That's awesome. Talk to me a little bit about what does this mean for the business model. On what basis do you price? What is most attractive to your customers? Is it a subscription versus a one-time fee? How do you typically go about that?

Girish Redekar: Great question again. The thing to understand is that the inherent nature of these compliances are themselves recurring. So this is not a Sprinto construct. Whether you want to be SOC2, ISO, or any of these things that are compliant, you need to run this program on a continuous basis and you need to give yourself an audit at least on an annual basis. As a result, Sprinto is inherently a subscription product. We typically do annual subscriptions for all our customers. That's quite simply the way the business model works.

Roland Siebelink: Very good. Okay. And how did you find the pricing level that was most attractive? You don't have to mention exactly what it costs here. But I'm more looking at what you do to experiment with pricing levels? Have you found variation among customers? A lot of the founders listening to this podcast want to hear more about prices, so that's where I'm digging in a little bit.

Girish Redekar: It's a great question. I honestly think that we are in the process of still understanding how to price this correctly. We have something that works right now. And Sprinto is priced today, it depends on the complexity of your compliance program that you are building. It turns out that most of these compliances are fairly holistic, which means that they have implications on pretty much all your employees. The employee size of the company is usually a rough indicator of the complexity of your compliance program. We use that as a typical proxy of how large or complex your compliance program is going to be. It changes with the size of the company is the rough indicator. It doesn't change linearly, but it changes with the size of the company.

Roland Siebelink: Let's talk a little bit about the traction so far. When did you get to market? Whatever number you're comfortable sharing, of course. But where do you see your customers? How fast is it growing? Whatever you can share.

Girish Redekar: A bit of history. Like I said, we spent a ton of time in the beginning working this out with the auditors, trying to understand how exactly this process works. And we launched - I won't say launch, we actually put out a website - I think about eight months ago. In a short period, we have actually started acquiring customers. We've grown very rapidly. We are already at hundreds of customers. We've raised a Series A from Elevation Capital and Accel. Okay. Happy about getting a bunch of really good SaaS investors on the board as well. That's where we are.

Roland Siebelink: Hundreds of customers, that's very impressive, Girish. Where do you find these customers or how did they find you?

Girish Redekar: Today, we have customers all across the world. In the US, we have a few in Europe, Israel, Australia, India, a bunch of places. Most of our customers are just inbound. We just put out a website and we've just been trying to keep up with the demand since. That's roughly how it is. We have a growth team in place now to start actually building out the engines to do this in a very specific manner.

Roland Siebelink: Where are you investing most of your new resourcing? Is it mostly still products and engineering or are you really focused on building up your go-to market? People always want to hear a percentage.

Girish Redekar: I think it will be about 50-50 today. We're basically firing on all cylinders there. I think we have a really exciting product roadmap ahead. We are investing a lot in our product and R&D and our engineering function. And at the same time, we are very ambitious about our growth plan. We are also investing in our growth as well.

Roland Siebelink: Okay. And for the CTOs listening to this podcast, I always want to ask, can you talk a little bit about your stack? What's the typical technologies that you're looking for engineers for?

Girish Redekar: I think the most distinguishing thing for any engineers or CTOs out there who are listening to us, the unique thing about architecture at least - and the way is different that we are doing it this time compared to what we did last time - is we are a very functional code base. What I mean by that is in contrast to an object-oriented code base. This was a bit of a learning curve, honestly, for me as well when I was writing code early on. But we are really reaping the benefits of writing it in that manner. Functional programming is really cool. I would encourage those who haven't really looked at it yet to have a look at it. It's really good.

Roland Siebelink: And for those like me who aren't engineers but have heard of functional programming, what would you say is the key business benefit of moving to a functional programming paradigm over object-oriented programming?

Girish Redekar: I think the most important thing about business software is really to be able to fit the scenarios of your customers. Business software tends to get very complex and you don't know upfront what scenarios you're going to come across as you grow as a business. You have some hypothesis, but you don't know everything upfront. What really happens with a bunch of business software is that you end up doing a lot more changes to it than you originally anticipated. All your first ideas are shit. Everything you'll begin with, those things will almost automatically change. And what functional programming really forces you to do is to build these very, very simple machines that you can put together to do complex things. And as you learn more things, moving these things around or composing them in different ways is a lot simpler when you use functional programming than when you use object-oriented programming. What that really means as a business benefit is that it allows you to stay nimble and to actually react to your market and their needs when they come. It's not going to be a scenario where you learn something new, there's a new feature you want to build, and you're staring at this big gray factor that's telling you that it's going to take weeks. It doesn't work like that with functional programming if you've done it well. I think that's the biggest advantage to me, both as a programmer and as a business owner of this way of programming.

Roland Siebelink: That's an excellent explanation. I've been delving into functional programming and trying to get a little bit of an insight like that. And this is the best way I've heard it explained so far, especially since we know that fast growing SaaS companies often do land in this analysis-paralysis territory where nothing can be changed anymore for fear of breaking the house of cards. That's probably some experience you may have had in one of your previous startups as well. With this functional programming base and all your architecture being wonderful, and a great team, how big can this grow, Girish? Where do you see your big ambitions 10 years down the road?

Girish Redekar: Some background to that in the sense that I am really, really excited about the space, in general. I think there are two very large trends that are going on in the world. And these are irrespective of Sprinto or anybody else. I think that the first thing to recognize is that - I think it was Marc Andreessen who said that software is eating the world. I think we all acknowledge it now and we agree to it. I think what's really also happening is that SaaS is eating software. I was reading a report recently and SaaS is growing at 18% CAGR. Something that's growing that fast, that's doubling every four years, that's not something you can ignore. The second macro trend that's really happening is that SaaS fundamentally means that my data is on your servers. I increasingly want some assurance that you're keeping this data safe and secure. And this used to be something that the fortune thousands used to worry about a lot more if you were looking at this a decade ago. But those demands are percolating downstream. This is no longer something that the people in the ivory towers worry about. This is something that's happening. It's constantly becoming more and more downstream. Today, if you're doing five-figure SaaS deals, you are likely going to get asked - in one way or the other - something about, "Hey, show me something to tell me that you're going to keep my data safe and secure." This takes various forms. Whether that's security questionnaires or some of these compliances or various other ways of doing that. I honestly feel that - in one way or the other - it's going to be important for SaaS companies to be able to demonstrate that they are going to keep their customers' data safe. And compliances is the way to do that today. And it's increasingly important for SaaS companies to do this proactively. Just to take a step back again, there are two major trends that are happening in the world - macro trends. 
The amount of SaaS is increasing and the fraction of SaaS companies who need to become compliant with one of these security compliances or have a security program, that fraction is also increasing. What that really means is we are at a point where there's a great inflection point in the amount of security compliances that are being sought. And we see this with anybody in the space, whether we speak with auditors, we speak with other players like testing providers and other places in the security space, it's very palpable. On that background, I think we are at the right place at the right time. It's about execution right now. The ambitions are pretty large. We believe this is a massive, massive opportunity and it's just about executing it right. Honestly, the way we look at it internally - our internal vision and our goal is to increase the GDP of B2B SaaS. That's really how we look at it. That sounds lofty, but that's where we want to be. If we would have gotten B2B SaaS to a point where we've actually increased the amount of B2B SaaS, we would love to be there.

Roland Siebelink: That's awesome. I really love that as a vision of the purpose behind the company. The stuff that gets you out of bed every morning - or every evening in your case - to run the company with so much passion and energy. Very good. Girish, this is not your first company you mentioned, so you must have had a lot of entrepreneurial learnings over the years. If you're talking to founders that are a little bit behind you, maybe on their first project, may just be at the stage of finding product-market fit, what would be your key advice? One key learning you would convey to them?

Girish Redekar: I honestly don't believe in entrepreneur advice. I feel that a lot of these learnings are highly contextual. I could say a few things that are personal learnings for me. But without the context in which they actually happened, they don't mean much. This will be a great bite-sized quote and it'll sound great but it's not really useful. I'm sorry to disappoint on that.

Roland Siebelink: No, I think this is a great insight in itself. Every advice is contextual and you may just pick up something from a founder that is totally not applicable to you, right?

Girish Redekar: Yeah, I honestly don't know how to give a good answer to that.

Roland Siebelink: Okay. Fair enough. Girish, when people are listening to this podcast and they want to find out more, where should they go? What should they download? And how can they help Sprinto most?

Girish Redekar: Do give us a visit. We are at Check us out, let us know if we can help you with any of your security compliances. I'm personally at [email protected], feel free to drop me a line, happy to chat about anything related to growing your business, especially if you're in a B2B SaaS space. I'm happy to share my notes, and have done a couple of these things. For what it's worth, happy to share my experiences and help you out if I can.

Roland Siebelink: That's awesome. For those investors that are excited and want to talk to Girish, I'm happy to provide an introduction as well, of course. Thank you so much, Girish Redekar, the co-founder and CEO of It was an honor to have you on our show.

Girish Redekar: And thanks for having me, Roland. I really enjoyed this.

Roland Siebelink: Thank you so much. Thank you everyone for listening. And we'll have the next founder with us on the Midstage Startup Momentum Podcast next week. Thank you, everyone.

Roland Siebelink talks all things tech startup and brings you interviews with tech cofounders across the world.