Humadroid (https://humadroid.io) - AI-Assisted SOC 2 & ISO 27001 compliance for small teams. $125/month flat (for now, during beta).
Recently crossed the $500/month mark after a painful pivot from HR tech earlier this year. The whole thing started because I did ISO 27001 back in 2019 and was completely lost - overpaid for consultants, got lost with policies and controls, figured it out the hard way.
Passed SOC 2 Type I earlier this year using only Humadroid (yes, dogfooding a compliance tool through an actual audit was... an experience).
Currently finishing automated evidence collection (AWS and GitHub integrations first). Pretty proud of that one - compliance shouldn't mean "panic-screenshot everything before audit."
Really cool stuff, I thought about launching something similar earlier this year, there's definitely a market there. I see a lot of AI-ative startups coming up against compliance requirements way earlier than before, with much smaller teams, and most existing solutions just need too much from you as you engage.
How do you see yourself against someone like delve.co?
Honestly, Delve is great. Them and Compai are leading the front of modern AI-assisted compliance right now. I'm chasing them.
What I'm trying to do differently is depth of context. Humadroid learns about your company first - how you operate, your stack, your processes. From there it generates control descriptions that are actually actionable for your setup, and policies that need minimal review rather than a full rewrite.
Whether that's enough differentiation? Ask me in a year.
The big difference is context-awareness. Vanta/Drata give you templates and checklists. Humadroid starts by understanding your company - what you actually do, how you operate, your tech stack.
From there, the AI generates policies that are yours, not generic docs with [COMPANY NAME] placeholders. Same with control descriptions - they're specific and actionable for your setup, not "implement access control" with no context. It also identifies risks based on what you actually do and helps build business continuity plans around your real critical processes.
You still review everything (it's compliance, not magic), but you're editing 80% done work instead of staring at a blank template wondering where to start.
The price difference is real too, but honestly that's a side effect of being early and solo - not the core value prop.
Gotcha. And then how does that translate into the audit process? Because Vanta/Drata have auditors they work with regularly, there's a bit of an incentive on both sides to use these templates because then it speeds up that part tremendously. I can't imagine the auditors being happy about really diving into hyper bespoke documents for every audit.
Your product seems great for actually doing the spirit of these frameworks (reducing risk, improving controls and processes etc.). However from what I've seen the reality of these audits is it's a box ticking exercise for everyone involved, and so improving the efficiency there tends to be the goal. How do you position yourself in that?
Also hope this doesn't come off too critical, it's just something I've been through recently and love seeing new things! I'd definitely add a vanta/drata comparison to your website though as that is inevitable.
Honestly, great questions - this is either good exercise for me or actionable feedback. Both valuable.
Right now I recommend auditors but don't have formal partnerships. Vanta/Drata's auditor relationships are... let's say on the edge of conflicted? I don't want to go that route. And at $250/month I can't play the referral game anyway (Vanta pays hundreds per referral - that math doesn't work for me).
What I can do is democratize access. I've watched too many small teams get excited about SOC 2, then ghost once they see the total cost - $15k+ for the platform, $20k+ for consultants, $15k+ for auditors. I want the barrier low enough that smaller businesses can actually get certified and compete with bigger players.
On the checkbox vs. real security thing - you're right, it's tricky. I don't want to be another "generate docs, tick boxes, forget until next audit" platform. But targeting smaller businesses actually helps here - when you're a 10-person company, management is in the compliance process, not just signing off on someone else's work. It tends to stick better.
That said, sometimes I wonder if I help too much. My System Description assistant is almost unfair - what used to take weeks now takes minutes. Is that checkbox-enabling or democratizing? Genuinely not sure.
And yes - "vs Vanta/Drata" pages are going on the list. You're not the first to ask.
Not yet - but literally finishing this week. Promised a customer I'd ship it before Christmas, so that's been my deadline.
AWS and GitHub integrations first. It auto-fetches and verifies the data (where applicable), creating read-only evidence snapshots. No manual screenshots or "I swear this config was set correctly" moments during audits.
Part of the standard price - no integration tier upsell.
Working on Humadroid - trying to make SOC2/ISO27001 compliance less painful for small businesses. The $30-50K consultant route is brutal for startups, so we're building an AI-assisted platform that helps with policy generation and guidance.
Still in beta and learning a lot from each customer we onboard. We're actually going through our own SOC2 assessment in August, which has been... educational.
Recently added business continuity and incident tracking features. Trying to build something that's actually helpful rather than just another compliance checkbox tool.
Love this! Not a customer but could see it happening. ISO 27001 compliance (or equivalent) is a standard requirement when working with the public sector in my area. NIS2 is also on the horizon, have you looked into it?
Thanks! Really appreciate the interest.
We already support a major part of ISO 27001 - actually releasing our Statement of Applicability tomorrow or the day after. I went through ISO certification at my previous company, and that experience is what triggered building Humadroid in the first place. The pain was real!
NIS2 is definitely on our radar - planning to have support for it by Q4 2025. The public sector requirements you mentioned are exactly the kind of use cases we're building for.
You could even use google drive with set of spreadsheets and screenshot. The biggest problem is getting through requirements, understanding what they actually mean and having some sort of framework for writing policies. But once you past that, it's manageable. Vanta/Drata just make this easier.
Vanta/Drata are big players and they're charging big time for their platform. That's why I've started working on own startups, that's meant to disrupt this for SMBs - by making it waaay more affordable (for managing compliance, not attestation/certification itself, which we don't do).
One thing I really appreciate about your site is the transparent pricing—something I haven’t seen on any other platform. It also seems surprisingly affordable, assuming I’m correctly understanding what’s included.
An unsolicited suggestion: it would be helpful if you could clearly walk through how your tool supports GRC compliance. I haven’t been able to find this kind of explanation on your site—or others.
For example, something like this:
Step 1: Select a Program – Choose the compliance framework you’re targeting (e.g., ISO 27001, SOC 2, etc.).
Step 2: Guided Evidence Collection – You’re taken through a step-by-step questionnaire outlining what evidence is needed.
Step 3: Pre-Built Templates – For each requirement, you provide example templates or guidance on what needs to be submitted or completed.
Step 4: Centralized Dashboard – All responses and documents are organized into one place that can be reviewed by an auditor.
Step 5: Auditor Handoff – Once everything is ready, you recommend a third-party auditor to complete the certification process.
It would also be helpful to clarify what’s included in your offering vs. what still requires external engagement (like paying for the actual audit).
Just sharing this in case it’s helpful—apologies if I’ve misunderstood the flow above, but hopefully this illustrates the kind of clarity that might help others too.
That's a great suggestion, thanks! More or less it works like so, policy drafts are auto-generated by AI, you need to go through controls and provide the evidence. To support you better on this, we allow redoing their description with your context - and that helps a lot. On top of that we're able to generate some potential risks for you (as this part is also tricky to get started with). Now I'm completing business continuity planning (again - will get AI assistance) and then we need to add incidents - that should make us a complete platform and hopefully I'll be able to do Show HN post ;)
Nonetheless - thanks again, we'll add how the process looks like to the landing page.
Recently I was preparing video for my YC application [1]. I've used RecordOnce[2] and actually it worked pretty great - I've recorded my actions together with voice. It transcribed voice to text and then used text to voice again to render the video. For me, as a non-native speaker, this was really great. And I could edit voice description of my actions post-recording - worked like a breeze. It still rough around the edges, but nonetheless I highly recommend it (for reference - until now I've used Screen Flow for multiple years)
I wanted to start with "this week in review" series, but it ended quite quickly.
Now I want to publish lesson learned while building my side-project (https://humadroid.dev), which is a missing tool I wish I had when running software house year-and-a-half ago, before I sold it.
Topics considered for near future:
* lessons learned while coding it in Rails with hotwire & stimulus
* lessons learned actually sellign it to people (Open-Startup idea/movement is close to my beliefs).
We[1] are one of few software houses, that actually got it. And we're relatively small (30+ people on board).
Certification is not easy and it's not cheap (don't anyone tell you it's otherwise), it's time consuming, but can be done in few weeks (we managed to get certified in 3 months). It's worth mentioning, that instead of covering whole company, you can cover only small department fitted in one room. Maybe not best practice, but certainly possible. And being slightly paranoid beforehand helps a lot. Also - given how time consuming it is once you have it, it's worth to have someone (somehow) dedicated to it in the company - fortunately my great COO does most of the paperwork and checks processes between audits.
Most of our (potential) clients do not ask often about it, but I think it helps to mention ISO at some point. Bigger clients dealing with personal (or health) data do require it and it's a deal breaker.
"you can cover only small department fitted in one room" - this is the most important part to remember when someone comes in waving their ISO certification and has beautiful badge on their website. You can certify your secretary, her cat and her desk in whatever fancy ISO certification you want. Funnily enough it does not really cost that much, there are consulting companies that gladly organize this for a few thousand dollars. This works like this for all ISO certifications.
Another thing, introduction of ISO in the company means only that there is some process to do X within the company. This process can be totally nuts and useless, but ISO certification holds as the process is there.
In general ISO makes a lot of sense for production line environment (like cars production, etc.) - the process is everything there, having someone to review this process is important and valuable, many other ISO certs are just marketing tool that does not really tell much without going into details what processes are covered by ISO.
Haha, yeah. We've covered whole company, but yeah, you're right and it's a joke.
Regarding processes - yes and no - if you can viably proof, that process is not (yet) needed and you're doing things in reasonably manner, then you're good. It's up to you what processes you'll introduce to the company. What we think we did well is that whole certification did not change how we work and it was (almost) painless for our employees (or at least I like to think so).
Recently crossed the $500/month mark after a painful pivot from HR tech earlier this year. The whole thing started because I did ISO 27001 back in 2019 and was completely lost - overpaid for consultants, got lost with policies and controls, figured it out the hard way.
Passed SOC 2 Type I earlier this year using only Humadroid (yes, dogfooding a compliance tool through an actual audit was... an experience).
Currently finishing automated evidence collection (AWS and GitHub integrations first). Pretty proud of that one - compliance shouldn't mean "panic-screenshot everything before audit."