By Peter Korpak · Reviewed against our methodology · Last updated

Thoropass

Specialist · Verified · New York, NY, USA

Type II Cost: $25K–$70K
Timeline: 4–10 months
Founded: 2019
Team Size: 200-250

Thoropass is a specialist SOC 2 audit firm in New York, NY, USA that charges $25K–$70K for Type II audits with 4–10 month timelines. Founded in 2019, they hold 8 accreditations and specialize in B2B SaaS, FinTech, HealthTech, and 2 more. Their pricing is above average compared to the specialist average of $18.491K–$52.655K.

How Much Does Thoropass Charge for SOC 2?

Type I Cost: $15K–$50K
Type II Cost: $25K–$70K
Timeline: 4–10 months
Team Size: 200-250
Report Delivery: Weeks, not quarters (62% faster than traditional process)
Response Time: In-platform same-day collaboration with dedicated auditor

Type II Pricing Position (scale $10K to $450K)

Thoropass: $25K–$70K
Specialist avg: $18.491K–$52.655K

Note: Pricing shown is estimated based on typical engagements. Use our SOC 2 cost calculator for a personalized estimate.

  • 4% of Specialist firms charge more for Type II
  • 7% of Specialist firms have longer minimum timelines
  • 8 certifications (tier avg: 4)

Compare Thoropass with Similar Specialist Firms

Side-by-side pricing, timeline, and certification counts for the 5 closest-priced peers in the specialist tier.

Firm | Thoropass | Prescient Security | Moore Kingston Smith | Accedere | Audit Advantage Group | CAS Assurance
Type II Cost | $25K–$70K | $20K–$75K | $25K–$70K | $25K–$70K | $25K–$70K | $25K–$70K
Type I Cost | $15K–$50K | $12K–$35K | $15K–$50K | $15K–$50K | $15K–$50K | $15K–$50K
Timeline | 4–10 mo | 3–9 mo | 3–9 mo | 4–10 mo | 4–10 mo | 4–10 mo
Team Size | 200-250 | 300–400 | 5–15 | 20–200 | 20–200 | 20–200
Certifications | 8 | 173312
Founded | 2019 | 2018 | 2016 | 2017 | 2015 | 2018

Thoropass Industry Fit

For buyers in B2B SaaS and FinTech, Thoropass fits the specialist profile when timeline (4–10 months) and Type II pricing ($25K–$70K) align with what specialist firms typically deliver. Their 8 active accreditations — including CPA Firm (Laika Compliance LLC dba Thoropass Assurance), PCI DSS QSAC, HITRUST Authorized External Assessor — extend that fit beyond pure SOC 2 into adjacent compliance frameworks.

Who Should Hire Thoropass?

First-time SOC 2 / ISO 27001 / HIPAA / PCI / HITRUST seekers (under 200 employees) who want one vendor handling both the GRC platform and the audit, eliminating the handoff between Vanta/Drata-style automation and a separate CPA firm. Companies pursuing multiple frameworks who want shared evidence across SOC 2 + ISO 27001 + HITRUST + PCI in a single audit cycle. Mid-market SaaS, fintech, and healthtech seeking 25-50% savings vs. traditional audit firms with fixed pricing.

What Makes Thoropass Different?

The only end-to-end cybersecurity auditor. Bundles a proprietary GRC platform with in-house CPA, PCI QSAC, and HITRUST assessor under one roof. Same auditor from Day 1 through report issuance (no handoff between readiness vendor and audit firm). First Pass AI pre-screens evidence, cutting secondary auditor requests up to 80%. 1,000+ customers, 500+ audits annually, $98M raised through Series C (Fin Capital led). AICPA Peer Review 'Pass' rating (achieved twice, most recently December 2025). Inc. 5000 honoree for 2nd consecutive year (351% three-year growth). Founded 2019; rebranded from Laika in March 2023.

Is Thoropass Right for You?

  • You need HITRUST + SOC 2 bundled in a single engagement
  • You handle payment data and need PCI DSS + SOC 2 together
  • You're a SaaS company going through SOC 2 for the first time
  • You already use Thoropass (proprietary) and want an auditor who integrates with it
  • You want a firm that focuses primarily on SOC 2 and compliance audits

About Thoropass

Thoropass is the rare compliance vendor that owns both ends of the SOC 2 problem: the GRC platform you use to prepare for the audit, AND the licensed CPA firm that signs the audit report. Most of the market splits these roles (Vanta/Drata/Secureframe handle automation and refer you to a separate auditor like Schellman or A-LIGN). Thoropass argues that handoff is the friction.

Founded in 2019 and rebranded from Laika in March 2023, Thoropass is headquartered in New York with an EMEA hub in London. The firm has raised $98M across four rounds (most recently a $50M Series C led by Fin Capital in November 2022, with J.P. Morgan Growth Equity, Centana, and Canapi participating). It now serves 1,000+ organizations, completes 500+ audits annually, and was named to the Inc. 5000 for a second consecutive year in 2025 with 351% three-year growth.

The licensed audit firm is Laika Compliance, LLC dba Thoropass Assurance, registered with the AICPA and recently the recipient of an AICPA Peer Review “Pass” rating for the second time (December 2025). Thoropass is also a PCI QSA Company (QSAC) and an AICPA Authorized HITRUST External Assessor, claiming to be the first automated compliance solution to earn HITRUST assessor status.

The Platform + Audit Bundle

This is the core of Thoropass’s positioning. Three things follow from owning both sides:

Same auditor from Day 1 to the stamp. No transition meeting from your readiness vendor to a separate audit firm. The auditor who scopes your environment is the same one signing the report.

First Pass AI pre-screens evidence. Launched in January 2025, this AI layer programmatically checks evidence completeness and accuracy before it reaches the auditor. Thoropass claims this cuts secondary auditor requests up to 80% and reduces manual QA time by 95%.

Shared evidence across frameworks. SOC 2 + ISO 27001 + PCI + HITRUST use the same control set with one collection cycle. For companies pursuing two or more frameworks, this eliminates redundant evidence work.

The platform also supports companies who don’t want to switch GRC tools. Since 2025, the audit module is available standalone for customers already on Vanta, Drata, or Secureframe, and the platform offers “Our GRC or yours” interop.

Platform Capabilities (2025-2026 builds)

  • First Pass AI (Jan 2025), automated evidence pre-screening
  • Head Start for Access Reviews (Jan 2025), reuses prior review data, cuts review work by ~95%
  • GenAI Security Questionnaire Automation, answers due-diligence questionnaires
  • Multi-Product Workspace, manage multiple products/divisions with auto-mapped controls
  • Trust Center (Sept 2025), public-facing compliance posture portal
  • Risk Register and Risk Assessment
  • Penetration Testing built into the platform
  • 100+ auditor-approved integrations spanning AWS, Azure, GCP, Snowflake, GitHub, Jira, Okta, Slack, M365, and more

The Independence Question

The AICPA issued a Peer Reviewer Alert in December 2022 about self-review threats when compliance automation platforms also have audit affiliates. Thoropass has addressed this publicly: evidence flows through standardized APIs reviewed and approved by auditors before deployment, and the licensed CPA firm operates under AICPA Code of Professional Conduct standards. They’ve now passed two AICPA peer reviews with the “Pass” rating, the highest available.

This matters because the rest of the market sometimes raises independence concerns about platform-plus-audit firms. Two peer review passes (2022 and 2025) is the strongest counter-evidence available.

Compliance Frameworks

Direct audits Thoropass conducts:

  • SOC 1 (SSAE 18 financial controls)
  • SOC 2 Type I and Type II
  • SOC 3
  • HITRUST (i1 and r2 Validated Assessment & Certification, plus MyCSF authorized reseller)
  • PCI DSS (RoC, AoC, SAQ via QSAC accreditation)
  • HIPAA / HITECH assessments

Frameworks supported via platform + partner CB:

  • ISO 27001, ISO 27018, ISO 42001
  • CMMC Level 1, NIST CSF 2.0, NIST 800-53
  • GDPR, CCPA, 23 NYCRR 500 (NYDFS Cybersecurity Requirements)

Thoropass markets coverage across 30+ frameworks total with control-mapping that lets a single evidence set satisfy several reports.

Worth noting what’s missing: no FedRAMP capability, no StateRAMP, no CMMC Level 2 C3PAO status. Companies targeting federal authorizations will need a 3PAO partner.

Leadership

Sam Li, Co-Founder & CEO. UVA Computer Science, Harvard MBA. Previously co-founder and CTO of Zinc Platform (YC-backed insurtech), with stints at Google, Goldman Sachs, and Cambridge Associates. Named a 2026 EY Entrepreneur Of The Year New York finalist.

Eva Pittas, Co-Founder, President & COO. Spent 20+ years at Citigroup as Managing Director of IT Risk & Control and Vendor Management for the Institutional Clients Group. Founded BRCG, a boutique fintech compliance consultancy, before Laika/Thoropass. NYU Stern.

Austin Ogilvie, Co-Founder & Executive Chairman. Background in data science and ML, previously at Alteryx.

Dicken Chaplin, CFO. Joined December 2022. Previously CFO at Turbonomic, where he grew revenue from $20M to $200M+, leading to a $2B acquisition by IBM.

Leith Khanafseh, Managing Partner, Assurance & Compliance Products. Previously led infosec audits at Coalfire for major cloud service providers, plus Big 4 experience.

Chris Biero, Senior Director, Head of SOC. 10+ years in GRC across startups and Fortune 500 firms.

Pricing

Thoropass does not publish a rate card. Aggregated third-party data:

  • Vendr median annual contract value: ~$30,728 (range $20,930 to $52,675)
  • Small companies (under 50 employees, single framework): $20K to $40K/year subscription
  • Mid-sized (50 to 200 employees): $40K to $90K/year
  • Stated savings vs. traditional audit firms: 25-50%
  • Marketing claim: “Zero cost overruns with fixed pricing”

Pricing model is annual subscription, custom-quoted, tiered by frameworks pursued, company size/complexity, and support level. The platform-plus-audit bundle is the most common engagement, but the audit module is also sold standalone for companies already on a different GRC tool.

Timeline

Thoropass markets “SOC 2 in weeks, not quarters” with 62% faster time to audit completion vs. traditional process. Customer-reported timelines back this up:

  • Benefix: SOC 2 Type I and Type II within 8 days post-kickoff
  • Cinchy: ISO 27001 in 4 weeks, SOC 2 in 2 weeks
  • Capitalize: up and running in 2 weeks, audit “in a fraction of the time”
  • Stylo: SOC 2 Type 1 from scratch in roughly 2 to 3 months

The firm reports 80%+ of technical control evidence is auto-collected via integrations, and the First Pass AI layer reduces audit overhead by ~80%.

Client Base & Testimonials

Named customers from public case studies:

  • Capitalize (FinTech, retirement account rollovers)
  • Benefix (health insurance / benefits platform)
  • Cinchy (data integration / data fabric)
  • Stylo (AI customer support)
  • Wayleadr (workplace management)
  • AcuityMD (medical device sales platform)
  • Fundraise Up (nonprofit fundraising)
  • dealcloser (legal tech)
  • Kado (crypto on/off-ramp)

G2 rating: 4.7/5 across 435+ reviews, with 74.7% in the Small-Business segment.

Critical feedback from G2 reviews surfaces a recurring set of complaints: UI can be clunky, limited bulk-edit options, occasional integration breakage, and slower performance at scale. Buyers weighing Thoropass should pressure-test the workflow against their specific cloud stack before committing.

Who Should Choose Thoropass

Best fit:

  • First-time SOC 2 / ISO 27001 / HIPAA / PCI seekers (under 200 employees) who want one vendor handling both the GRC platform and the audit
  • Companies pursuing multiple frameworks who want shared evidence across SOC 2 + ISO 27001 + HITRUST + PCI in a single audit cycle
  • Mid-market SaaS, fintech, and healthtech seeking 25-50% savings vs. traditional audit firms with fixed pricing
  • Teams with limited compliance resources that benefit from the auditor-built scoping roadmap and policy templates
  • Companies wanting HITRUST + SOC 2 together (Thoropass’s HITRUST accreditation is a real moat at this price point)

Not ideal for:

  • Public companies or IPO candidates that need Big-4 brand on the audit report
  • Companies pursuing FedRAMP, StateRAMP, or CMMC Level 2 (Thoropass does not have these capabilities)
  • Enterprises with deep GRC customization needs at scale (platform feature set is narrower than Vanta or Drata)
  • Buyers who want fully transparent published pricing before scoping

Recent Milestones

  • Dec 2025: Thoropass Assurance earns AICPA Peer Review “Pass” rating for the second time
  • Sept 2025: Trust Center launches as a public-facing compliance posture product
  • Sept 2025: Named to Inc. 5000 for second consecutive year (351% three-year growth, ranked #1,246)
  • Jan 2025: First Pass AI launches (AI-driven evidence pre-screening); audit module made available standalone for non-Thoropass GRC users
  • Sept 2024: Expanded HITRUST partnership as MyCSF Authorized Reseller; launched ISO 42001, NIST CSF 2.0, 23 NYCRR 500 support
  • 2024: Established London office for EMEA expansion
  • March 2023: Rebranded from Laika to Thoropass
  • Nov 2022: Series C of $50M led by Fin Capital

Bottom Line

Thoropass occupies a category of one in the SOC 2 market: the only company that ships a GRC platform AND signs the audit report. For first-time buyers pursuing multiple frameworks who value speed and fixed pricing over brand prestige, the bundle is compelling and the AICPA Peer Review track record answers the obvious independence question.

Where it gets tighter: if you already love your current GRC tool, the standalone audit module is a viable path, but you lose the workflow advantages that justify the bundle. If your buyers demand a Big-4 brand on the audit report, Thoropass is the wrong choice. And if you’re heading toward FedRAMP or CMMC Level 2 in the next 12-18 months, you’ll need a different partner anyway.

For early-to-mid-stage SaaS, fintech, and healthtech with one vendor needed, fast turnaround required, and predictable fixed pricing preferred, Thoropass is one of the most differentiated options in the specialist auditor market.

Office Locations

New York, NY (HQ)
London, UK (EMEA hub)

Compliance Frameworks Offered

  • SOC 1 (SSAE 18)
  • SOC 2 Type I & Type II
  • SOC 3
  • HITRUST CSF (i1, r2 Validated Assessment & Certification)
  • PCI DSS (Report on Compliance, AoC, SAQ)
  • ISO 27001
  • ISO 27018
  • ISO 42001 (AI Management Systems)
  • HIPAA / HITECH
  • GDPR, CCPA
  • NIST CSF 2.0, NIST 800-53
  • CMMC Level 1, 23 NYCRR 500

Platform Integrations

  • Thoropass Audit Lifecycle Platform (proprietary)
  • AWS, Azure, Google Cloud, Snowflake, Digital Ocean, Heroku
  • GitHub, GitLab, Jira, BitBucket
  • Slack, Microsoft 365, Google Workspace, Okta
  • 100+ auditor-approved integrations total

Client Testimonials

"Some of the best money I ever spent. Thoropass and being compliant ended up helping us close our second-largest customer."

Veronica Lim
CFO
Benefix

"Thoropass combines readiness, evidence management, and auditor interaction in a single platform. The ability to collaborate with the auditor directly in-platform reduces friction and prevents duplicative work."

Roark
Head of GRC

"For the past month, we've told our customers we're in the process of getting our SOC 2 and ISO 27001. Having the reports in our hands alleviates any concern from our customers."

Saskia
Cinchy

"With no prior knowledge, Thoropass laid out an easy-to-understand road map. Setting attainable goals with reasonable timetable made the process extremely easy with multiple team members."

Adam S.
VP of Operations

What Industries Does Thoropass Serve?

5 industries — Specialist average: 5

  • B2B SaaS
  • FinTech
  • HealthTech
  • Insurtech
  • Professional Services

What Certifications Does Thoropass Hold?

8 certifications — Specialist average: 4

  • AICPA
  • CPA Firm (Laika Compliance LLC dba Thoropass Assurance)
  • AICPA Peer Review Pass (Dec 2025)
  • PCI DSS QSAC
  • HITRUST Authorized External Assessor
  • HITRUST MyCSF Authorized Reseller
  • ISO 42001 (self-certified)
  • HITRUST i1 (self-certified)

What Platforms Does Thoropass Integrate With?

Thoropass (proprietary)

Audit Platform

Thoropass Audit Lifecycle Platform (First Pass AI, Trust Center, Access Review Automation, 100+ integrations)

Thoropass SOC 2 Audit FAQ

Thoropass SOC 2 Type I audits typically range from $15K to $50K. Type II audits range from $25K to $70K. This is above average for specialist firms — the specialist tier average is $18.491K–$52.655K. Final pricing depends on your organization's scope, number of trust service criteria, and system complexity.

Questions to Ask Thoropass Before Hiring

A buyer-side checklist. Bring these to your first call — the answers separate firms that have run hundreds of SOC 2 engagements from firms that are bidding on them.

  1. Your team is sized at 200-250. How many auditors will be assigned to my engagement, and who is the engagement lead — a partner, a senior manager, or a staff auditor?
  2. You quote 4–10 months. What pushes a project to the longer end of that range, and what does "audit-ready on day one" look like to you?
  3. Your Type II range is $25K–$70K. What's included at each end, and what scope changes would push pricing above the top of that range?
  4. You integrate with Thoropass (proprietary). If our team uses a different GRC tool, what's the evidence-handoff process and does it change your fee?
  5. Who reviews and signs the report on your side — is that a partner-level CPA, and how involved are they during fieldwork versus only at sign-off?
  6. How do you handle subservice carve-outs (e.g., AWS, GCP, Azure) versus inclusive subservice organizations when defining our scope?
  7. When you find an issue mid-audit, what's your remediation cadence — same-day flagging, weekly checkpoints, or an end-of-fieldwork rollup?
  8. Do you have surge windows (e.g., Q4 financial-year close) when start dates slip, and how far in advance do we need to lock the engagement to avoid them?
