Omada & Securance

SOC 2 for growing SaaS

SOC 2 Adventure

At first, Omada worked with US-based providers for their SOC 2 audits. While technically sound, these audits increasingly caused issues around planning and availability. As more customers started asking for a SOC 2 report, waiting several months became hard to justify and added pressure to commercial conversations.

As Luca Bellintani, CISO at Omada, explains:

“We had our customers breathing down our necks, they wanted the SOC 2 report, and delays of months were simply unacceptable.”

Choosing a European assurance partner

This led Omada to look for a European assurance provider and eventually choose Securance. What stood out was the combination of auditor expertise, responsiveness, and a practical way of working. An important factor was that the SOC 2 audit could be aligned with Omada’s annual penetration testing of their SaaS platform, also conducted by Securance. This avoided duplicate work and ensured that assurance and technical testing supported each other.

Evidence-based audit

The SOC 2 audit quickly proved its value. During the assessment, Securance identified gaps in how Omada handled security events, issues that had not been clearly visible in earlier audits. Luca describes what made the difference:

“The SOC 2 audit specifically helped us identify shortcomings in how we handle security events. It clearly highlighted gaps we hadn't noticed ourselves, providing actionable insights to improve our processes. For the first time, we had auditors who genuinely understood our environment.”

Luca also highlights the difference between SOC 2 and Omada’s ongoing ISO 27001 certification. ISO 27001 focuses more on processes and management systems, while SOC 2 is much more concrete. It looks closely at evidence, such as samples, logs, and documentation, to show how controls actually work in practice.

Strengthening internal controls and legal positioning

Another clear improvement compared to earlier audits was how internal controls were reviewed. In the past, Omada had experienced misunderstandings or controls that did not fully match the intent of the standard. Securance worked closely with the team to clarify and adjust controls so they accurately reflected both SOC 2 requirements and how Omada operates day to day.

The legal aspect of assurance also played an important role. Certifications like SOC 2 do not remove liability, but they do make responsibilities explicit and provide clear documentation. This can be critical if security incidents occur or questions arise later.

A much better foundation for future audits

Looking back, Luca describes the audit as intense but efficient:

“It was very intense but quick, and we learned a lot. Our internal controls are now significantly improved and well-prepared for future audits.”

Today, Omada uses its SOC 2 report as a solid basis for customer trust, while continuing to strengthen its security practices with assurance that goes beyond compliance alone.
