11 October 2023

Compliance is broken. Conveyor is fixing it, one product at a time.

We feel incredibly fortunate to have the opportunity to lead Conveyor’s 12.5M Series A round, joined by Maverick Ventures and prominent security and SaaS angel investors.

“I know the pieces fit, cause I watched them tumble down” - Schism, Tool


Global Enterprise Governance, Risk and Compliance (GRC) is a +$40 billion market, growing at a compounded Annual growth Rate (CAGR) of ~13%. It is also fundamentally broken and highly fragmented.


The growth in this industry is driven by increased regulation, across different geographies and industries, stemming from legislation and industry standardization bodies. Proactive enforcement from agencies has increased the stakes for corporations to comply with GRC regulations and forced organizations to create accountability charters – leading to increased spend on suppliers in order to meet these standards. GRC software has made significant strides in recent years, as Enterprises software sprawl (On-premise, Cloud, SaaS), required buyers and vendors alike to meet compliance goals in highly complex environments.


Historically, GRC vendors focused on enterprise-wide policies within the siloes of an organization, all while assuring via a combination of software and services (consulting, security reviews, pen-testing) that the governing policies for enterprises are consistent, and comply with such requirements. Traditional vendors which dominated this market included IBM, SAS, RSA-Archer, ServiceNow, SAP, Microsoft, FIS and Thomson Reuters. The main sub-categories in GRC include:

o   Compliance Management: Making sure organizations are compliant with governing law (geographical, industry)

o   Risk Management: evaluating potential risks (internal tools, external tools; on-premise, cloud ; Supply chain / vendors)  

o   Audit Management: Audit trail log creation and querying

o   Policy Management: Organizational GRC policies creation, orchestration and enforcement of such policies


As the type of software consumed by Enterprises sprawled, governing bodies started standardizing the compliance frameworks and requirements which software vendors need to comply with in order to service customers. For example, software vendors were increasingly required to comply with SOC2 certification in order to service enterprise customers. 


As a result, a wave of new GRC vendors emerged, beyond those who help Enterprises make sure their own software meets GRC standards, namely solutions helping independent software vendors and SMBs automate an otherwise laborious and services heavy compliance certification process (SOC2 Automation, HIPAA Automation).

In addition, a delineation emerged between vendors in the GRC space who are servicing buyers (Enterprises requiring data and software that evaluates third-party vendors, supply chain software vendors, etc.), and GRC vendors who are servicing vendors (first-party software).


Security and trust organizations within Enterprises started implementing compliance and security reviews as a critical step in vetting, and onboarding new Software and SaaS vendors who sell into their organizations. Initially, this practice was mainly used by the largest cloud software providers, however, over time, it trickled into the broader enterprise market, and has now become a key sales practice across a wide variety of sectors, including law firms, insurance companies, consulting firms, and more.


The survey process typically would come through a series of questions related to the security, resiliency, testing compliance and policies those software vendors abide by. These were typically filled out manually by  multidisciplinary teams from Sales Engineering, Sales Ops, Security, CTO and Finance functions, and took anywhere from weeks to months to fill out. The back-and-forth nature of this process created serious friction in the sales cycle. Moreover, given the repetitive nature of the questions, the process caused skilled teams to perform daunting and repetitive work, especially in large scale organizations, which onboard hundreds and thousands of new customers per quarter.      

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas a fringilla tortor, et porttitor tort. Vestibulum non nisi interdum, blandit dolor in. laoreet magna. Suspendisse sit amet elit sit amet nisl. semper imperdiet. Suspendisse

Enter Conveyor

When we met Chas Ballew and the Conveyor team, it was clear that they possess a unique perspective and firsthand experience in the broader compliance market, and in particular, the security review processes. 

The team previously founded Aptible, a DevOps company working at the epicenter of the industry’s attempt to automate compliance. In selling compliance tools, they developed deep empathy for the needs of end-buyers. In being a SaaS vendor selling into regulated industries, they also felt the pain of having to go through redundant and tedious security surveys - the time and resources wasted because of it, and the additional pressure and fraction added to a sales process.

Chas and the team decided that this problem required a separate dedicated solution, which was built on their knowledge base and utilized their proprietary trained model, and out of this effort, Conveyor was born.

The Conveyor team also understood that in order to be part of the solution to the complexities and friction of the GRC market, one must understand the importance of the user experience and must approach the problem through the lens of a cohesive platform centered around the vendor’s and buyer’s needs. As such, there’s a need to short-circuit an excessively tedious process using a combination of a platform and trust portal, that forges more trust between vendors and buyers.

It’s our strong belief that Conveyor embodies a perfect use-case for leveraging AI: A manual, text-based problem that requires too much human intervention, which can be replaced with a highly accurate and automated process which dramatically decreases completion time.  

Since every business that sells to large customers will eventually have to formally explain how it protects customer data during the sales process, Conveyor is in a position to help instantly and accurately convey their security and compliance posture to any customer. 

In getting to know the culture of the team, their vision for the compliance space and their technology, it became quite clear why a roster of existing customers like Carta, Notion, Workday, Lucid, PagerDuty and Freshworks, leverage Conveyor’s platform to build trust with customers and expedite the sales process. These customers benefit from an up-to 91% reduction in time spent on security questionnaires and a 75% faster turnaround time for security reviews. 

It’s our strong belief that an experience-centric approach, which takes into account the needs of both vendors and end buyers, is required from a potential winner in the compliance market. Conveyor’s ability to provide a best-of-breed solution and solving the needs of Security, Operations, Sales, and Finance teams, puts the company in a fantastic position to reshape multiple compliance problems and use-cases for vendors and buyers alike.

We feel incredibly fortunate to have the opportunity to lead Conveyor’s 12.5M Series A round, joined by Maverick Ventures and prominent security and SaaS angel investors. The opportunity to partner with founder Chas Ballew and the entire Conveyor team, as they aim to disrupt this massive GRC market, is exciting. We are immensely proud to welcome them to the Cervin family.

(1) Research and Markets: 
Governance, Risk and Compliance Platform Market: Global Industry Trends, Share, Size, Growth, Opportunity and Forecast 2023-2028

(2) Grand View Research: 
Enterprise Governance, Risk And Compliance (eGRC) Market Size, Share & Trends Analysis Report By Component, By Software, By Services, By Organization Size, By Vertical, By Region, And Segment Forecasts, 2023 - 2030

(3) iMARC: 
Governance, Risk and Compliance Platform Market Report by Deployment Model (On-Premises, Cloud), Solution (Audit Management, Risk Management, Policy Management, Compliance Management, and Others), Component (Software, Services), Service (Integration, Consulting, Support), End-User (Small Enterprise, Medium Enterprise, Large Enterprise), Industry Vertical (BFSI, Construction and Engineering, Energy and Utilities, Government, Healthcare, Manufacturing, Retail and Consumer Goods, Telecom and IT, Transportation and Logistics, and Others), and Region 2023-2028