Before partnering with SafeBase, the Instacart security team was constantly swamped with security review requests from retailers. There were three key parts of the due diligence process that took far too much time from the internal teams:
Large retailers in particular have stringent security requirements due to the millions of PII records that Instacart processes on their behalf.
In addition to the pre-sales process, the recent trend of major vulnerabilities and data breaches, such as the late 2021 Log4j incident, meant the Instacart GRC team had to respond to a high volume of inquiries from retailers. Over the past couple of years, these types of industry-wide incidents have become increasingly common, and teams everywhere have been struggling to efficiently communicate their responses to customers. It is fairly common that vendor teams must respond to multiple emails from the same customer, craft responses from leadership, and in some cases, fill out entire questionnaires that focus solely on a recent incident. This process can be extremely time-consuming and result in lost productivity, especially if the vendor never even used the affected software.
With these challenges in mind, the Instacart team reached out to SafeBase after interacting with another vendor’s Trust Center. The SafeBase team quickly helped the Instacart team to stand up their own Trust Center to enable retailers and prospects to quickly review Instacart’s security posture and to request access to common documents such as SOC 2 reports and SIG questionnaires.
The Instacart team saw immediate benefits. To start, they were able to drastically reduce the number of custom questionnaires by encouraging retailers to download the standardized CAIQ, VSA, and SIG questionnaires. For the sales team, sharing up-to-date documents such as SOC 2 and PCI AOC took just minutes rather than hours or days. Sales teams no longer had to contact the security team to ask for the latest security documents. They could instead point retailers to the Trust Center, knowing that the security team keeps it up to date. On the legal front, the time to sign an NDA was drastically reduced from several hours via back-and-forth emails to a few minutes using SafeBase’s built-in Clickwrap NDA feature. The legal team was no longer bogged down with a backlog of custom NDAs to review.
The SafeBase and Instacart teams were able to quantify the reduction in time spent. From a sample size of 10 retailers, the Instacart team was able to do the following:
When Instacart applies this to 100 retailers per year and an assumption of 10 major industry-wide security incidents per year (a conservative estimate given the rate at which companies are being breached), they save about 5,000 hours per year! Assuming an average junior team member salary of $110K, this results in a savings of about $290,000 per year, or that of almost three full-time employees.
“In our first year with SafeBase, Instacart will save thousands of hours for Security, GRC, Legal, and Business Development teams. SafeBase’s automated NDA flow, public-facing security portal, and trust center updates have saved countless emails from retailers and significantly reduced the volume of security questionnaires we are receiving as part of the vendor review process.”
In addition to time saved during the initial due diligence process, the GRC team was also able to proactively publish Trust Center Updates regarding critical items such as the Log4j vulnerability, which drastically reduced the need to write custom responses to retailers and demonstrated the team’s commitment to security and transparency. In fact, they were even able to upload a custom questionnaire addressing common questions around their response to this vulnerability, allowing customer-facing teams to refer concerned customers to one single location.
Instacart is just one of more than 100 companies that have successfully used SafeBase to streamline their security reviews, speed up the sales cycle, and build trust with their customers. At SafeBase, our goal is for companies of all sectors and sizes to be able to share their security posture transparently with the world.