This is the third GRC platform I've built.
The first was RSA Archer — the platform that defined the enterprise governance, risk, and compliance category. I was lead architect. It went on to generate over $500 million in revenue and became the standard for Fortune 500 risk management.
The second was Lockpath — a GRC platform my co-founder and I built from scratch, scaled to hundreds of enterprise customers, and sold to a PE-backed acquirer. We lived the full founder lifecycle: angel rounds, VC funding, an investment banker, and an exit.
Now we're building the third. And this time, everything is different.
We needed it ourselves
Here's the honest version of why DealCycl Compliance exists: we needed SOC 2.
DealCycl handles the most sensitive financial data a private company produces — cap tables, equity ownership, investor information. To compete with the incumbents, we need SOC 2 Type 1 and Type 2 reports. Every enterprise customer and sophisticated investor is going to ask for them.
We looked at the compliance automation platforms. They wanted $10,000 to $25,000 a year. They offered proprietary evidence formats we couldn't export. They delivered a checkbox experience — pass the audit, move on, don't actually understand your risk posture.
We'd spent the bulk of our careers building enterprise GRC software with a six-figure price tag, and none of it could deliver what we needed right now. So instead of writing a check to a vendor that would lock us in, we built the tool ourselves.
DealCycl is customer zero for DealCycl Compliance. Every feature, every workflow, every AI-generated policy has been tested on our own compliance program before any external customer will ever touch it. We're not building compliance software in a vacuum. We're building it while simultaneously using it to achieve our own SOC 2 certification.
That's not a marketing story. That's how you build software that actually works.
Compliance is the connective tissue of private markets
Here's what most people miss: compliance isn't just a company problem. It touches every participant in private markets.
A Series B founder gets an email from an enterprise prospect: "We'd love to move forward, but we need your SOC 2 report before we can sign the contract." That founder has never done compliance before. They don't want to become a compliance expert. They want it handled — the way Stripe makes payments invisible.
A GP evaluating a portfolio company asks about their security posture during due diligence. The founder scrambles to assemble a patchwork of screenshots, policy documents last updated eight months ago, and a spreadsheet someone labeled "controls." The GP has no standardized way to assess what they're looking at.
An investment banker running diligence on an exit discovers the target company's information security policy lives in a Google Doc that was last edited by someone who left the company a year ago. The buyer's counsel flags it. The timeline slips.
Every one of these scenarios is a compliance failure — and every one of them could be prevented by a single platform that makes compliance accessible to the people who actually need it.
What's different this time
When I led the product architecture at Archer, GRC meant six-month implementations, dedicated consultants, and seven-figure contracts. It was built for banks and government agencies. A 50-person startup couldn't afford it, couldn't implement it, and didn't need 90% of what it offered.
When we built Lockpath, we moved GRC to the cloud. But the mental model was still enterprise — long sales cycles, complex configurations, customers who had dedicated compliance teams to run the software.
This time, we started from a completely different premise: what if we built an AI-native product that could set up your entire compliance program in under four hours?
That's what the DealCycl Compliance SOC 2 Wizard does. You tell us about your company — your tech stack, your cloud providers, your team size. The AI generates a tailored risk assessment. It recommends controls mapped to SOC 2 criteria. It writes your policies — not generic boilerplate, but documents that reference your actual technology and your actual organizational structure. It configures automated evidence collection from your AWS account, your GitLab repositories, and your Google Workspace.
When you're done, you have a complete compliance program: a populated risk register, 50+ controls mapped to framework criteria, a dozen published policies, automated evidence running, and a vendor inventory. Not in six months. Not in six weeks. In an afternoon.
That's what GRC looks like when you rebuild it for the AI era.
Full GRC capability, not a checkbox
The compliance automation platforms that have raised over a billion dollars in combined funding all share the same limitation: they're designed to pass audits, not to manage risk. They give you a checkbox. Check it, get your report, move on until next year.
We built something different. DealCycl Compliance is GRC-lite — actual governance, risk, and compliance capability, sized for startups and growth-stage companies. Policies you can author and version in a real editor, not templates you rubber-stamp. A control matrix that maps across multiple frameworks simultaneously. Evidence that's collected automatically and verified for integrity. A risk register that helps you understand your actual risk posture, not just satisfy an auditor's checklist.
And when you're ready for ISO 27001 after your SOC 2 is done? The controls you've already implemented map across frameworks. You don't start over. You extend.
Multi-framework from day one. Because that's how we built it at Lockpath, and that's how we're building it now. Some lessons you only need to learn once.
The bottom line
I've spent fifteen years building GRC platforms. I've seen what works at enterprise scale and what breaks when you try to force-fit it for startups. The compliance automation platforms took the startup market seriously but built shallow tools. The enterprise GRC vendors built deep tools but never made them accessible.
DealCycl Compliance is both: full GRC capability at startup speed. AI-native. Open export. No vendor lock-in on your evidence. And built by people who've done this twice before.
Third time's the charm.
Learn more at dealcycl.com/compliance
Your compliance. Your data.
Chris Goodwin is CEO & Co-Founder of DealCycl.