Drata Compliance Accelerator Program

Statement of Work

Program Goals & Limitations

The Compliance Accelerator Program does not include:

• Full audit readiness for any compliance framework
• Support completing security questionnaires
• Acting as the customer’s security or compliance team
• Control gap remediation

Only tasks explicitly listed in the project plan are included in scope.

Post-Program Support

Upon completion, Trava can offer:

• DIY guidance for continued progress
• Retained service options to support audit readiness and ongoing compliance

Project Planning

Trava will lead structured project planning to ensure a clear, efficient implementation of Drata aligned to the customer’s compliance goals.

This includes:

• Defining program scope and timeline
• Aligning on selected compliance frameworks
• Establishing expectations for roles, responsibilities, and milestones

Outcome: A clearly defined implementation plan that accelerates progress and minimizes delays.

Gap Analysis & Risk Assessment

Trava will conduct a Drata-based gap analysis using available integrations and selected compliance frameworks to identify gaps and improvement areas.

This includes:

• Reviewing and confirming scoped frameworks (e.g., SOC 2 and others as applicable)
• Establishing a baseline view of compliance readiness
• Conducting a lightweight, introductory risk assessment to support framework requirements and inform next steps

Customer Responsibility:

• Provide responses to discovery and scoping questions

Integrations

Trava will verify that core systems are properly connected to Drata and that required compliance data is flowing correctly to support evidence collection and monitoring.

Systems reviewed may include:

• Background check providers
• Cloud infrastructure (e.g., AWS, GCP, Azure)
• HRIS platforms
• Identity providers (e.g., Google Workspace, Microsoft 365)
• Version control systems (e.g., GitHub, GitLab)

Trava will review data flow and confirm key information is populating as expected.

Customer Responsibilities:

• Troubleshoot or resolve API or integration issues
• Confirm appropriate access permissions
• Validate accuracy of third-party data sources
• Support manual mapping of individual data points where required

Policy Creation

Trava will help establish a core set of up to 10 security policies, mapped to applicable controls and frameworks within Drata.

Scope includes:

• Creation and mapping of 10 core security policies
• One review iteration to address clarification questions or comments
• Review of existing customer policies as they relate to the program, with recommendations provided in response to specific questions

Out of Scope:

• Statements of Applicability (SOA)
• ISMS documentation
• System descriptions (unless separately scoped)

Customer Responsibilities:

• Review and confirm policies accurately reflect current business practices
• Create procedures or policies for frameworks not covered by this program
• Manage internal approvals and employee acknowledgment of policies

Roles and Ownership

Trava will provide guidance on establishing ownership within Drata to ensure accountability across vendors, policies, and controls.

This includes:

• Advising on appropriate ownership based on job functions
• Supporting assignment of owners for vendors, policies, and controls
• Guidance on configuring access levels in Drata to align with responsibilities

Customer Responsibilities:

• Assign specific users within Drata
• Adjust internal roles or responsibilities as needed
• Monitor effectiveness of ownership assignments over time

System Description

If an auditor-provided system description template is available, Trava will upload it to the appropriate location in Drata.

If not, Trava will guide the customer using a simplified system overview approach aligned with industry best practices.

Vendor Management

Trava will support initial vendor setup and demonstrate vendor risk assessment processes.

This includes:

• Adding up to 15 vendors to the Drata vendor module (including Drata)
• Completing one example vendor security review, typically for the customer’s cloud environment
• Guidance on maintaining vendor records and mapping vendors to controls in Drata

Customer Responsibilities:

• Conduct full security reviews for all remaining vendors
• Build custom vendor workflows or scoring models if required
• Validate vendor documentation accuracy
• Perform ongoing vendor management after implementation

Personnel Setup

Trava will verify that personnel data is properly synced and configured in Drata and identify gaps that could impact compliance monitoring.

Areas reviewed may include:

• MFA enforcement
• Background check completion
• Multi-domain or multiple email environments

Trava will provide guidance on resolving identified issues to support audit success.

Customer Responsibilities:

• Manually update user records where needed
• Configure identity provider or HRIS integrations
• Manage ongoing personnel monitoring post-implementation

Company Security Practices

Trava will review current endpoint security and training practices and provide best-practice guidance.

This includes:

• Reviewing endpoint management approaches (e.g., MDM, Drata Agent, or manual evidence)
• Confirming security awareness training practices are in place

Customer Responsibilities:

• Deploy or configure endpoint management tools
• Create or customize security awareness training
• Enroll users and track completion status

Auditor and Vendor Recommendations

Trava will provide recommendations and introductions to:

• Auditors
• Penetration testing providers
• Other vendors required to support compliance goals

Customer Responsibilities:

• Take introductory calls
• Procure and contract with vendors

Tabletop Exercise

Trava will provide:

• A tabletop exercise plan
• Supporting policy templates
• Guidance for the customer to run their own exercise