Case study · 15 min read
How a 58-person SaaS uses AethelLayer with Google + Notion
SOC-2 Type II, a part-time compliance lead, and policies scattered in Notion. In six weeks SOC-2 tracking hit 91%, the GDPR map was live, and legal escalations ran through Slack the same way finance approvals already did.
Fintech-adjacent SaaS, 58 employees, ~$16M ARR, SOC-2 Type II. Google Workspace, Notion wiki, dedicated security engineer plus external counsel.
Executive summary
At 58 people they were big enough for auditors to care and small enough that compliance was still a side job for several people. Policies lived in Notion, access reviews slipped, and DPA renewals stacked up. After indexing Notion and connecting Workspace, SOC-2 completion went from 74% to 91%, the GDPR map was customer-ready, and Legal escalations used the same Slack approval queue as finance.
Background
They were eight months into SOC-2 Type II with one security engineer, a part-time compliance lead, and counsel on retainer. Enterprise deals asked for GDPR artifacts and subprocessors lists that took days to assemble. Access reviews for 58 accounts across eng, G&A, and contractors lived in spreadsheets. Vendor DPAs for cloud, analytics, and AI tools clustered around product launches. The CEO wanted "what slipped this week" without a 90-minute Legal monologue.
The challenge
Growth broke the informal system. Notion was audit-ready, but execs could not query it. Reviews lost their owners when people changed teams. Legal firefights happened at T-3 days, not T-14. They needed cited answers from their own internal sources and a weekly rhythm that matched how finance already ran approvals.
Key pain points
- SOC-2 evidence scattered; status slides rebuilt before every auditor call
- GDPR map stale; Sales lost days on enterprise security questionnaires
- 8+ vendor DPAs renewing in the same quarter as feature launches
- Legal escalations separate from finance approvals; execs ignored email chains
Before AethelLayer
- SOC-2 at 74% with unclear owners on 19 controls
- Access reviews in Sheets; 23% late in last cycle
- Legal updates via email; no shared queue with COO or CFO
- Risk Radar unused; tasks created after customer or auditor pressure
After AethelLayer
- Notion security and privacy DBs indexed; answers cite page titles and URLs
- Workspace calendar feeds brief with review meetings and hire start dates
- DPA renewals draft at T-14; GC approves in #legal-exec on Slack
- SOC-2 matrix and GDPR map in dashboard; synced to Monday brief and board risk slide
Implementation timeline
Week 1: Wiki and control baseline
- Notion integration scoped to security, privacy, and vendor pages
- Indexed 240+ pages; RAG smoke tests with counsel in the room
- Imported SOC-2 control set; assigned owners for 58-person scope
Week 2: Workspace and inventory
- Google Workspace connected for calendar and group context
- Built system inventory from integrations for GDPR map v1
- Mapped security review cadence into weekly brief template
Weeks 3-4: Renewals and reviews
- Five DPAs flagged at 14 days; three escalations approved in Slack the same week
- Access review nudges via Risk Radar; late rate dropped at the mid-cycle check
- SOC-2 completion 74% to 86%; every gap had a named owner and due date
Weeks 5-6: Enterprise-ready artifacts
- GDPR map exported for two enterprise RFPs without custom Legal projects
- SOC-2 hit 91%; remaining items scheduled before the auditor window
- Monday brief risk section read by CEO, COO, CFO, and GC in #exec-team
Workflows in production
Vendor DPA at scale
Trigger: DPA expiry within 14 days (8+ vendors/quarter)
1. Risk Radar drafts the escalation with owner, vendor tier, and Notion citation
2. Posts to #legal-exec; GC approves or assigns counsel
3. Monday brief tracks open vs closed renewals for the exec scan
Policy Q&A for deals
Trigger: Sales or an exec asks Risk Radar (Slack or terminal)
1. RAG pulls retention, subprocessor, AI use, and access policies
2. Answer includes Notion links for security questionnaire reuse
3. Gaps become compliance tasks with owners
SOC-2 weekly standup
Trigger: Brief + compliance dashboard
1. Highlights controls below threshold and overdue tasks
2. Bumps compliance risk on the Operations Score for exec attention
3. Board risk slide pulls the same numbers as the auditor workbook
Strategic approach
- Indexed Notion first because auditors and Sales already trusted it.
- Used Workspace for rhythm, not as another policy store.
- Aligned DPA and access review work with Slack approvals finance already used.
- Aimed weekly compliance signal at #exec-team, not a separate GRC login.
What changed in practice
SOC-2 rose from 74% to 91% in six weeks with an owner on every open control. Auditor prep calls shortened because evidence links lived in one place.
The GDPR map built from connected systems let Sales answer two enterprise RFPs in days, not weeks.
Five critical DPAs renewed on schedule after T-14 alerts; zero weekend Legal fire drills in the pilot window.
Access review on-time rate improved from 77% to 94% in the next cycle.
The GC cut about four hours per week from exec updates because the Monday brief carried compliance by default.
Metrics
| Measure | Before | After |
|---|---|---|
| SOC-2 control completion | 74% | 91% in 6 weeks |
| Access reviews on time | 77% | 94% |
| DPA renewals at T-14 | Ad hoc | 5/5 in pilot quarter |
| GC exec prep time | ~5 hrs/week | ~1 hr/week |
- 74% to 91%: SOC-2 with owners at 58 FTE
- GDPR map: RFP-ready from live inventory
- Slack legal: same approval habit as finance
Lessons for similar teams
- Past 50 employees, assign control owners early or the SOC-2 status slides will lie.
- Sales needs exportable artifacts, not another wiki tour.
- Put Legal in the #exec-team briefings or compliance stays invisible until the audit.
“We're big enough that auditors expect discipline and small enough that nobody wants another portal. The brief tells us what slipped, with links to the pages we already maintain.”
“I get risk, runway, and hiring in one Monday read now. That matters more at fifty-plus than another dashboard.”
Composite narrative based on Private Pilot patterns; details are illustrative.