Boston, MA — November 14, 2025 — CompliRun today announced a $4.2 million seed round. The funding will be used to expand the platform's integration library, improve ISO 27001 evidence depth, and hire two engineers focused on evidence collection reliability.
What This Funding Is For
CompliRun was founded on a specific observation: the most expensive part of a SOC 2 audit is not the audit itself — it is the weeks of manual evidence gathering that precede it. Most SaaS companies spend 6–8 weeks before each audit pulling screenshots, exporting configuration reports, tracking down access review sign-offs, and organizing them into a format an auditor can navigate.
The platform CompliRun built addresses this by connecting directly to the integrations teams already use — AWS, GCP, Azure, GitHub, Okta, Jamf, and 31 others — and pulling evidence continuously. By the time an audit begins, the evidence room is already populated. Teams that switched to CompliRun report audit prep time decreasing from 6 weeks to 4 days on average.
This seed round extends that capability in three specific directions.
Expanding the Integration Library
Currently, CompliRun covers 35 integrations. The most common gap for enterprise customers is in the HR and endpoint management category: BambooHR, Workday, and Microsoft Intune are the most frequently requested integrations not yet available. The integration expansion roadmap also includes Salesforce (for customer data mapping under SOC 2 Confidentiality criteria), Snowflake (data warehouse access controls), and HashiCorp Vault (secrets management evidence).
New integrations follow a specific development standard: each integration maps its collected data to the relevant SOC 2 Trust Services Criteria and ISO 27001 Annex A controls automatically. The Snowflake integration, for example, will pull database role assignments and query access logs, mapping them to CC6.1 (logical access) and CC6.3 (least privilege) evidence requirements.
Deeper ISO 27001 Evidence
The current CompliRun platform covers the technical controls in ISO 27001:2022 Annex A well — particularly the Technological controls theme (A.8.x). The organizational and people controls have had lighter tooling support. The ISO 27001 expansion will add structured evidence collection for:
- A.5.7 (Threat Intelligence): tracking subscribed threat intelligence sources and documenting review cycles
- A.5.23 (Information Security for Use of Cloud Services): supplier security documentation linked to cloud provider SOC 2 reports
- A.6.3 (Information Security Awareness Training): training completion tracking integrated with HR systems
- A.8.28 (Secure Coding): SAST tool result ingestion and mapping to secure coding standard controls
The goal is to make ISO 27001 Annex A coverage in CompliRun complete enough that a company going into their ISO 27001 certification audit has all required evidence in the platform — not just the technical controls, but the full control set.
For companies already using CompliRun for SOC 2, the expanded ISO 27001 coverage reduces the additional effort required for ISO 27001 certification. Based on current control overlap, the incremental ISO 27001 work for an existing CompliRun customer is approximately 40% of the effort required to set up SOC 2 from scratch.
Evidence Collection Reliability Engineering
The two new engineering hires will focus on a problem that compounds as customer environments grow: evidence collection jobs that fail silently. When an integration credentials rotate, when an API rate limit is hit, or when a cloud account permission changes, CompliRun's collection jobs may fail — and if the failure is not surfaced clearly, teams may not notice that evidence is missing until an auditor asks for it.
The reliability work addresses this with three improvements: observable collection status (every integration shows its last successful pull date and next scheduled collection), automatic remediation for common failure modes (credential rotation alerts, permission gap detection), and collection gap alerting (if evidence for a specific control has not been collected in the expected window, the compliance dashboard flags it).
This is less visible than new integrations or framework coverage, but it directly affects the accuracy of what the evidence room contains. An evidence room where every item has a verified collection timestamp is meaningfully more defensible than one where collection may have silently failed.
Where CompliRun Is Today
CompliRun launched in early 2023 with the SOC 2 Type II use case for cloud-native SaaS companies. Current platform metrics:
- 94% of SOC 2 Type II evidence requirements covered automatically across supported integrations
- Average audit prep time for customers: 4 days, compared to 6 weeks industry average
- 47 minutes average time for a new customer to connect their first integration and see initial gap report
- 35 supported integrations across infrastructure, identity, endpoint, code, and monitoring categories
ISO 27001 was added as a framework in mid-2024. The current ISO 27001 coverage is strong for the Technological controls theme and the most common People and Physical controls. The seed funding brings it to complete coverage.
From Michael Tanaka, CEO
"The compliance tools market has a lot of platforms that help companies get audit-ready once a year. What we built is different: it runs between audits. Evidence collection happens daily, gaps are flagged before they become findings, and the evidence room is current whenever an auditor asks — not assembled under deadline pressure. The seed round lets us complete the integration library and the ISO 27001 depth that enterprise customers need to replace their manual workflows entirely."
Pricing and Availability
CompliRun is available now on three plans: Starter ($499/month) for companies beginning their first SOC 2 program, Growth ($1,499/month) for teams with active audit cycles or dual SOC 2 and ISO 27001 programs, and Enterprise (custom pricing) for multi-environment or multi-subsidiary deployments. All plans include the full integration library and evidence room.
The expanded ISO 27001 controls and new integrations from the seed round will roll out on a monthly release schedule beginning in Q1 2026. Existing customers will receive new integrations and ISO 27001 controls within their current plan at no additional cost.
For questions about the funding or the product roadmap, contact contact@complirun.com.
Background Reading
For context on the compliance monitoring problems CompliRun addresses, we have written in depth on several related topics:
- Why Annual Audits Create a False Sense of Compliance Confidence
- Configuration Drift Is a Compliance Problem
- Anatomy of a SOC 2 Evidence Room
- ISO 27001:2022 Annex A Controls — What Changed
- Access Reviews Are the Compliance Task Nobody Does Well
See the current CompliRun platform
Connect your first integration and see your compliance gap report in under an hour. No payment required to start.
Request a Demo