
Cover Letter

This document provides an investor-level view of CACCA (Continuous Audit, Continuous Compliance & Assurance): what problem we solve, how our system operates, where we win, the market we are addressing, and how we plan to execute. It is intended to support diligence conversations by presenting our product, commercial approach, and governance posture in one place.

What this document covers

Product at a glance:
a system-driven compliance loop that connects policy approval and statement‑level asset implementation with scheduled tickets, system‑generated audits (with peer review), findings, automatic risk, and a real-time dashboard for posture.
Delivery models:
SaaS Bundle (turnkey), SaaS Hybrid (integrated with existing tools like ticketing/CMDB/IAM), and Enterprise On‑Prem (customer‑controlled deployment).
Go-to-market:
who we sell to, how we generate demand, and how pilots convert to production with a Mutual Action Plan.
Market, competition, and traction:
the size of the opportunity, how we differentiate, and our early proof points.
How to read this
Start with Problem and Why Now for market context; move to Solution and Product Modules to understand the operating loop; then review Differentiation and Delivery Models, followed by Market Size, GTM, and Financial Plan. Appendices include product screenshots, sample artifacts, and legal/governance materials.

Executive Summary

CACCA is a continuous compliance platform that converts approved policies into provable implementation, system‑driven audits, automatic risks, and real‑time dashboards—keeping enterprises always audit‑ready.
Available as SaaS Bundle, SaaS Hybrid, and Enterprise On‑Prem to match speed, integration depth, and data‑residency needs across SaaS/Software, FinTech/Payments, BFSI, IT/ITES, Healthcare, and Manufacturing.
Points to add
Compliance Tech

Why now:

Compliance is moving to “always‑on” expectations—live evidence, maker‑checker governance, and audit logs by design. CACCA unifies policies, assets, tickets, audits, findings, and risks into one operating layer.

Who we serve:

Mid‑to‑large, regulated and fast‑moving organizations that need traceability from policy to asset, credible On‑Prem/Hybrid options, and measurable audit readiness without tool sprawl.

What’s different:

Policy→asset traceability, system‑generated audits derived from approved policies (with peer review), automatic risk on partial/not‑implemented controls, and SLA discipline via ticket mirroring—plus a credible On‑Prem option for regulated buyers.

Implementation and success:

A phased onboarding (Assessment → Configuration/Integrations → Pilot → Training → Go‑Live), 24/7 support, and dedicated Customer Success ensure fast time‑to‑value and measurable readiness without disrupting existing tools.

Market and investment snapshot:

Expanding compliance automation category with strong India/APAC beachhead and global potential; recurring revenue across subscriptions, integrations, and enterprise licenses. Detailed figures are provided later with [TBD] placeholders where numbers are pending.

Inside this document:

Problem → Why Now → Solution → Product → Models/Industries → Why We Win → Competition → Market Size (bottoms‑up) → Traction → GTM → Business Model → Roadmap/Moat → Team → Ask.

The Problem

Most enterprises still manage compliance episodically and by hand. Policies get approved but remain stuck in documents, not consistently mapped to the assets they govern. Audits are point‑in‑time, evidence is assembled late, and the operational truth—tickets, findings, and risks—sits scattered across tools. Leaders infer posture from stale artifacts instead of a live operating picture, which fuels last‑minute audit scrambles.
Episodic, manual, fragmented
Policies in documents; weak linkage to assets and control procedures.
Point‑in‑time audits; evidence re‑created manually and late.
No single, real‑time posture
Tickets, findings, and risks scattered across helpdesk and trackers.
Leadership lacks a current view tied to owners and SLAs.
Governance gaps raise risk
Inconsistent maker‑checker and peer review; variable evidence quality.
Opaque ownership; SLA breaches surface only under deadline pressure.
Late discovery, slow remediation
Non‑compliance isn’t systematically elevated to risk with accountable owners.
Gaps emerge during audits/incidents, not in day‑to‑day operations.
Asset‑level blind spots
Teams can’t quickly answer what’s implemented where and who owns remediation.
No reliable map from approved policy statements to specific assets and procedures.
Net effect: without a unified operating layer from policy approval to asset‑level implementation, evidence, and risk closure, compliance stays reactive, labor‑intensive, and prone to last‑minute surprises—at the very moment regulators expect continuous assurance.

Why Now

Regulators and boards have moved from periodic attestations to continuous assurance. Standards like ISO 27001, PCI DSS, HIPAA, GDPR, and emerging local privacy laws increasingly expect ongoing control operation and live, retrievable evidence—plus defensible audit trails with maker‑checker governance.
At the same time, API‑first enterprise stacks now emit approvals and logs that make auditability‑by‑design practical, if organizations can orchestrate signals across tools.
Regulatory shift to continuous assurance
Standards (ISO 27001, PCI DSS, HIPAA, GDPR, and local privacy laws) increasingly expect ongoing control operation and live, retrievable evidence—not annual prep.
Auditability by design is finally practical
API‑first ecosystems (ticketing, asset, CMDB, IAM/SSO/MFA) produce approvals and audit logs that can trigger system‑generated tasks and audits, enable peer review, and centralize findings.
Tool sprawl needs a unifying operating layer
Policies, assets, tickets, audits, findings, and risks live across separate tools; no single place shows live posture or ownership.
Rising compliance cost and real‑time expectations
Manual compilation across silos consumes weeks of high‑cost effort and consulting spend.
Expanding cyber and privacy risk surface
Cloud/SaaS adoption, remote work, and third‑party dependencies multiply assets, identities, and controls to evidence.

Solution: What CACCA does

CACCA is a continuous compliance operating layer that turns policy approval into real execution, evidence, and accountable risk closure. It connects policy lifecycle, asset‑level implementation, tickets, audits, findings, and risks—so posture is always live and audit‑ready.
End‑to‑end policy lifecycle
Draft → Review → Approval → Publish with maker‑checker governance and versioning.
Policy statements mapped to standards and asset categories.
Policy→asset implementation mapping
Statement‑level implementation status per asset.
Documented procedures and clear ownership for remediation.
System‑driven tasks and audits
Schedules derived from approved policies automatically create tasks/tickets.
Open/Closed mirroring from external helpdesk; SLA breaches surfaced.
Audits and questions generated from live policy definitions; no manual re‑creation.
Centralized findings and automatic risk
Findings recorded in a single register with peer review for evidence quality.
Partial/not‑implemented and non‑compliance auto‑create risks with full lifecycle: Identification → Analysis → Treatment → Post‑treatment → Acceptance → Closure.
Risks linked to specific assets and policy statements with accountable owners.
Real‑time dashboards and posture
Organization Level Risk score (pointer reflects highest open risk) and risk level status.
Policy workflow status and policy/asset implementation status.
Audit findings (Major/Minor NC, Observations) with open/closed tracking.
SLA‑breached tickets and “running risk” by policy to prioritize action.
In effect, CACCA operationalizes compliance: approvals generate work, audits are system‑driven, evidence is reviewable by design, and gaps become managed risks with owners and SLAs—keeping organizations continuously audit‑ready without the scramble.

Product Heroes (Modules)

CACCA’s product is organized around a live operating layer for compliance: policy lifecycle, asset‑level implementation, tickets, audits, findings, and risks all tie back to a single view of posture. Each module below maps to a visible object and workflow, ensuring auditability, ownership, and continuous readiness without tool sprawl.
Organizational Dashboard
Indicators: organizational risk score (pointer to highest open risk); risk level/status counts; policy workflow status (Approved/Draft/In Review/Waiting for Approval); policy→asset implementation status (Implemented/Partial/Not); audit findings by category and open/closed; SLA‑breached tickets; “running risk” (SLA‑violated tickets per policy with trend).
Policy Management
What it includes: 30+ templates aligned to standards; versioning; maker‑checker approvals; mapping to standards and asset categories.
Why it matters: enforces governance and creates the basis for system‑driven tasks/audits and evidence‑by‑design.
Implementation Tracking
What it includes: statement‑level policy implementation status per asset (Implemented / Partially Implemented / Not Implemented) with documented procedures and ownership.
Why it matters: surfaces gaps early; “Partial/Not Implemented” can trigger risks automatically for accountable closure.
Audit Module
What it includes: system‑generated audits and questions from approved policies; findings register; peer review; audit and findings reports; ability to register external audit findings.
Why it matters: turns approved policy into scheduled, reviewable audits—reducing manual prep and improving evidence quality.
Ticket Module
What it includes: schedule‑based task creation from policy definitions; push to external helpdesk; Open/Closed mirroring; role‑based ownership; SLA breach visibility.
Why it matters: aligns day‑to‑day work with compliance intent and makes SLA discipline visible in one place.
Risk Register
What it includes: automatic and manual risks; full lifecycle (Identification → Analysis → Treatment → Post‑treatment → Acceptance → Closure); linkage to assets and policy statements; accountable owners.
Why it matters: elevates non‑compliance into managed, owned risks with traceable treatment and closure.
Asset Register
What it includes: categories across end‑user devices, computing, networking, security devices, infrastructure apps, business apps, general, and components; manual/API ingestion; ownership and relationships.
Why it matters: provides the map from policy statements to real assets and people—foundation for traceability and evidence.
(👆 Might have to rephrase the above into a high level note and add screenshots from the tool)

How it Works (The Compliance Loop)

CACCA operationalizes compliance by turning policy approval into scheduled work, system‑generated audits, accountable risk, and a live dashboard of posture. The loop below illustrates how approvals become implementation, evidence, and closure—without the audit scramble.
Policy approval and mapping
Maker‑checker workflow: Draft → Review → Approval → Publish with versioning.
Approved policy statements mapped to standards (e.g., ISO/PCI) and relevant asset categories.
Scheduled tasks/tickets from policy
System‑driven schedules generate tasks/tickets aligned to policy definitions.
Open/Closed mirrored from external helpdesk; SLA breaches surfaced to prioritize work.
System‑generated audits
Per schedules, the system builds audits and question sets from approved policies.
Audits align to the live policy baseline—no manual re‑creation of checklists.
Findings capture and peer review
Auditors record findings in a centralized register (Major/Minor NC, Observation).
Peer review tightens evidence quality; reports available by audit or across audits.
Automatic risk creation and lifecycle
“Partially Implemented” / “Not Implemented” and non‑compliance auto‑create risks.
Full lifecycle: Identification → Analysis → Treatment → Post‑treatment → Acceptance → Closure, with owners and asset/policy linkage.
Real‑time posture on the dashboard
Risk score (pointer to highest open risk) and risk level/status counts.
Policy workflow status and policy→asset implementation status.
Audit findings with open/closed tracking; SLA‑breached tickets; “running risk” by policy.
Net effect: Approvals generate work, audits and evidence are system‑driven, deviations become owned risks, and leadership sees a single, live operating picture—keeping the organization continuously audit‑ready.
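To make the loop concrete, the following is an added Python sketch (not CACCA's code) of the rules described above: statement‑level status per asset auto‑creates owned risks, each risk steps through the six lifecycle stages, and the dashboard indicators (risk score as the highest open risk, SLA‑breached tickets, "running risk" per policy) are computed from live objects rather than from stale artifacts. The policies, assets, owners, ticket due dates and severity weights are constructed assumptions, since the page gives no scale for the risk pointer.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import NamedTuple

IMPLEMENTED, PARTIAL, NOT_IMPL = "Implemented", "Partially Implemented", "Not Implemented"
RISK_STAGES = ["Identification", "Analysis", "Treatment", "Post-treatment", "Acceptance", "Closure"]
# Assumed severity weights: the page describes a pointer to the highest open risk but gives no scale.
SEVERITY = {PARTIAL: 2, NOT_IMPL: 3}

class Implementation(NamedTuple):  # one approved policy statement applied to one asset
    policy: str
    statement: str
    asset: str
    owner: str
    status: str

class Ticket(NamedTuple):  # scheduled task; state is mirrored Open/Closed from the helpdesk
    policy: str
    asset: str
    state: str
    due: datetime

@dataclass
class Risk:  # auto-created risk linked to a policy statement, an asset and an accountable owner
    policy: str
    statement: str
    asset: str
    owner: str
    severity: int
    stage: str = RISK_STAGES[0]

    def advance(self):
        """Move one step along the lifecycle; Closure is terminal."""
        i = RISK_STAGES.index(self.stage)
        self.stage = RISK_STAGES[min(i + 1, len(RISK_STAGES) - 1)]

def auto_risks(impls):
    """Partial / Not Implemented statements auto-create risks; Implemented ones do not."""
    return [Risk(i.policy, i.statement, i.asset, i.owner, SEVERITY[i.status])
            for i in impls if i.status in SEVERITY]

def sla_breached(tickets, now):
    """Open tickets past their due date; closed (mirrored) tickets never count."""
    return [t for t in tickets if t.state == "Open" and t.due < now]

def running_risk(tickets, now):
    """'Running risk': SLA-violated open tickets counted per policy."""
    return dict(Counter(t.policy for t in sla_breached(tickets, now)))

def dashboard(impls, risks, tickets, now):
    """The posture indicators the page lists for the organizational dashboard."""
    return {
        "risk_score": max((r.severity for r in risks if r.stage != "Closure"), default=0),  # highest open risk
        "risk_stages": dict(Counter(r.stage for r in risks)),
        "implementation": dict(Counter(i.status for i in impls)),
        "sla_breached": len(sla_breached(tickets, now)),
        "running_risk": running_risk(tickets, now),
    }

# Constructed sample data (hypothetical policies, assets and owners, not from the page).
NOW = datetime(2025, 9, 1)
IMPLS = [Implementation("Access Control", "AC-1 MFA for admin accounts", "vpn-gw-01", "netops", IMPLEMENTED),
         Implementation("Access Control", "AC-2 Quarterly access review", "hr-app", "it-ops", PARTIAL),
         Implementation("Backup", "BK-1 Daily encrypted backup", "db-prod-01", "dba", NOT_IMPL)]
TICKETS = [Ticket("Access Control", "hr-app", "Open", NOW - timedelta(days=3)),  # overdue and open: breach
           Ticket("Backup", "db-prod-01", "Closed", NOW - timedelta(days=1)),    # closed: no breach
           Ticket("Backup", "db-prod-01", "Open", NOW + timedelta(days=5))]      # open, still within SLA

def run_loop():
    """One pass of the loop: implementation status -> owned risks -> live dashboard."""
    risks = auto_risks(IMPLS)
    risks[0].advance()  # the AC-2 risk has been analysed: Identification -> Analysis
    return dashboard(IMPLS, risks, TICKETS, NOW), risks
```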

Delivery Models & Target Industries

CACCA is offered in three levels to meet distinct buyer constraints without compromise: ASSURE for rapid readiness, SHIELD for integrated assurance in existing toolchains, and CORE for customer‑controlled deployments. This packaging reduces time‑to‑value, aligns with procurement and governance expectations, and creates a durable expansion motion as customers’ compliance sophistication deepens.
| Model | CACCA Assure (SaaS Bundle) | CACCA Shield (SaaS Hybrid) | CACCA Core (Enterprise On‑Prem) |
|---|---|---|---|
| For | Small and mid‑size teams that want speed without relying on external ITSM/CMDB/IAM. | Mid‑size and regulated teams that will keep Jira/ServiceNow/CMDB/IAM and want CACCA as the stitching and assurance layer. | Enterprises in regulated sectors requiring data residency, deep integrations, and enterprise change controls. |
| Integrations | Not required (inbuilt help‑desk and asset registry). | Ticketing/ITSM, CMDB/IAM/SSO/MFA, asset tools. | Enterprise ticketing/ITSM, CMDB/IAM, asset sources; optional expansion per roadmap. |
| Implementation | Import or author policies; map statements to assets; start schedules for tickets/audits; run peer review; expose posture via dashboard in ~30 days. | Define scopes/roles; connect systems; validate Open/Closed mirroring and SLA tests; launch policy‑driven audits; centralize findings/risks. | Plan/provision infra; deploy; connect systems; harden access; validate mirroring/audit schedules; pilot with executive readout. |
| Implementation Timeline | | | |
| Costing - India | INR 3,00,000 – 4,50,000 | INR 3,00,000 – 6,00,000 | INR 9,00,000 – 15,00,000 |
| Costing - International | INR 6,00,000 – 7,50,000 | INR 6,00,000 – 9,00,000 | INR 15,00,000 – 50,00,000 |

Which Model to choose & When

Choose ASSURE when speed and simplicity matter most, and you prefer a turnkey stack without external ITSM/CMDB/IAM.
Choose SHIELD when you already run Jira/ServiceNow/Okta/CMDB/IAM and want CACCA to orchestrate policy→tickets→audits→risk with governance and SLA discipline.
Choose CORE when procurement, data residency, or security policy requires customer‑controlled deployment and deeper enterprise integrations.

Target Industries

| Industries | IT/ITES & Software | FinTech/Payments | Banking/Financial Services (BFSI) | Healthcare |
|---|---|---|---|---|
| Personas | CTO/CISO, Compliance Lead, IT/Eng Ops. | CISO, Risk/Compliance Head, Platform Ops. | CISO, Internal Audit, CIO/IT Ops. | CIO/CISO, Compliance/Quality, IT Ops. |
| Pains | Audit scramble, scattered evidence, unclear asset‑level implementation, SLA breaches. | Continuous evidence expectations, vendor scrutiny, exception backlog governance, data‑residency. | Fragmented controls across systems, weak policy→asset traceability, point‑in‑time audit burden. | Evidence quality and retention, asset classification, change governance, recurring audits. |
| Triggers | Enterprise sales diligence (SOC 2/ISO), partner/vendor assessments, scale‑up readiness. | Product launches, processor/regulator reviews, growth rounds. | Board/regulator reviews, consent‑order remediation, vendor onboarding. | Accreditation cycles, security incidents, new system rollouts. |
| Model Fit | ASSURE for speed; SHIELD when retaining ITSM/identity stacks. | SHIELD first; CORE where residency and enterprise control are required. | CORE for on‑prem governance; SHIELD for hybrid environments. | ASSURE (smaller providers) or SHIELD; CORE where residency is mandated. |

Competitive Landscape

The compliance automation market has scaled rapidly, led by well-funded U.S. players and fast-growing India-born vendors. These solutions have proven demand for automated evidence, SOC 2/ISO workflows, and compliance reporting at scale.
Yet, most offerings remain framework-centric and SaaS-first, with limited policy→asset traceability, inconsistent SLA discipline across tickets, and few credible options for regulated on‑premise deployments.
This leaves an opening for a unified operating layer that connects policy approval to asset‑level implementation, system‑generated audits with peer review, automatic risk creation, and a real on‑prem path for BFSI/FinTech/Manufacturing.
| Competitor | Location | Team | Customers | Total Funding | Funding Round | Last Funding Round | Last Funding Date | Lead Investors |
|---|---|---|---|---|---|---|---|---|
| Vanta | | 1,439 | 12000+ | $503M | Series D | $150M | Jul 2025 | |
| Drata | | 501–1000 | 7,000+ | $328.2M | Series C | $200M | Dec 2022 | |
| Sprinto | | 458 | 1000+ | $31.5M | Series B | $20M | Apr 2024 | |
| Scrut Automation (Riversys Technologies Pvt. Ltd.) | | 221 | 1700+ | $29.5M | Private Equity | $10M | Apr 2024 | |
| Delve | | 26 | 700+ | $35.8M | Series A | $32M | Jul 2025 | |

Market Size

We quantify the English‑speaking markets across four focus industries: IT/ITES & Software, Financial Services & Banking, Healthcare, and Manufacturing, restricted to companies with turnover above 50/100 crore. Sizing is presented as three lenses: TAM (all qualified accounts), SAM (near‑term serviceable portion based on focus and reach), and SOM (obtainable in the next 24–36 months based on conversion capacity).
Total qualified accounts across listed countries: 403,805.
Largest country opportunities by accounts:
United States (302,661),
United Kingdom (28,346),
India (21,655),
Canada (17,940),
Australia (11,374).
Industry distribution overall:
IT/ITES & Software (83,101),
Financial Services & Banking (84,355),
Healthcare (70,534),
Manufacturing (165,815).
This mix favors our Bundle/Hybrid motions in IT/ITES & Software and BFSI/FinTech, with meaningful Hybrid/Core potential where Manufacturing and regulated Healthcare are concentrated.

Market Opportunity Breakdown

Table 4

| Sl No | Country | TAM | SAM | SOM |
|---|---|---|---|---|
| 1 | United States | 302,661 | 90,798.30 | 4,539.92 |
| 2 | United Kingdom | 28,346 | 8,503.80 | 425.19 |
| 3 | India | 21,655 | 6,496.50 | 974.48 |
| 4 | Canada | 17,940 | 5,382.00 | 269.1 |
| 5 | Australia | 11,374 | 3,412.20 | 170.61 |
| 6 | South Africa | 2,313 | 693.90 | 34.7 |
| 7 | United Arab Emirates | 1,975 | 592.50 | 29.63 |
| 8 | Singapore | 1,898 | 569.40 | 28.47 |
| 9 | New Zealand | 758 | 227.40 | 11.37 |
| | Total | 403,805 | 116,676.00 | 6,483.45 |

Market by Industry Breakdown

Table 5

| Country | IT/ITES & Software | Financial Services & Banking | Healthcare | Manufacturing | Total |
|---|---|---|---|---|---|
| United States | 58,942 | 70,408 | 54,411 | 118,900 | 302,661 |
| United Kingdom | 5,497 | 3,879 | 4,504 | 14,466 | 28,346 |
| India | 6,688 | 2,676 | 3,296 | 8,995 | 21,655 |
| Canada | 4,357 | 1,703 | 3,064 | 8,816 | 17,940 |
| Australia | 2,650 | 1,525 | 1,915 | 5,284 | 11,374 |
| South America | 1,551 | 1,054 | 1,196 | 2,966 | 6,767 |
| China | 1,069 | 407 | 415 | 3,029 | 4,920 |
| South Africa | 313 | 1,233 | 202 | 565 | 2,313 |
| United Arab Emirates | 440 | 384 | 420 | 731 | 1,975 |
| Singapore | 604 | 374 | 338 | 582 | 1,898 |
| Ireland | 338 | 226 | 320 | 419 | 1,303 |
| Malaysia | 255 | 203 | 185 | 538 | 1,181 |
| New Zealand | 210 | 109 | 130 | 309 | 758 |
| Philippines | 187 | 174 | 138 | 215 | 714 |
| Total | 83,101 | 84,355 | 70,534 | 165,815 | 403,805 |

Why We Win

To prepare a differentiation mapped against competitor features




Traction





Go-to-market Strategy




Business Model & Unit Economics





Technology Infrastructure





Implementation & Customer Success

CACCA deploys with a structured, measurable program that turns policy approval into day‑to‑day execution and continuous assurance. The focus is fast time‑to‑value, clear ownership, auditability by design, and ongoing optimization—without disrupting existing tools.
Onboarding at a glance (typically 4–6 weeks; complexity-dependent)
Assessment & Planning: confirm frameworks and scope; inventory policies/assets; define integrations and success criteria.
Configuration & Integrations: map policy statements to standards and asset categories; connect ticketing/CMDB/IAM; enable maker‑checker and audit logs.
Pilot & Validation: run the loop on a limited scope; validate ticket mirroring (Open/Closed), audit question sets, and findings capture; calibrate risk auto‑creation.
Training & Go‑Live: role‑based enablement for admins, auditors, owners; finalize dashboards; handover with a Mutual Action Plan (MAP).
Success plan and MAP
Documented success criteria: day‑30/60/90 outcomes, executive sponsor, decision path, risks/assumptions.
Cadence: weekly working session during onboarding; monthly adoption review; quarterly business review (QBR) post go‑live.
Adoption scorecard (tracked in QBRs)
Policy coverage: # imported/approved; % statements mapped to assets.
Ticket health: % Open/Closed mirrored; SLA‑breach trend; “running risk” by policy.
Audits/findings: # system‑generated audits executed; finding closure time; peer‑review completion.
Risk lifecycle: % risks with owners; treatment progress; closure within target SLA.
30/60/90 outcomes (illustrative targets to align in MAP)
Day‑30: first policies approved (maker‑checker), assets mapped for priority categories, first scheduled audits generated, ticket mirroring live.
Day‑60: majority of priority statements mapped; initial findings closed; auto‑risk functioning for Partial/Not Implemented; baseline dashboard adopted in weekly ops.
Day‑90: reduced time‑to‑readiness vs. baseline; SLA breach visibility normalized; risk closure rate trending to target; executive dashboard in monthly governance.
Governance and security defaults
Maker‑checker approvals; audit logs on key actions; least‑privilege, API‑based integrations; data‑residency options (SaaS, Hybrid, On‑Prem).
Integration approach
Connect to existing ticketing/CMDB/IAM to avoid rip‑and‑replace; mirror Open/Closed only; surface SLA breaches; keep systems of record authoritative.
Evidence and review cadence
System‑generated audits and question sets from approved policies; centralized findings; peer review to improve evidence quality pre‑reporting.
Support and engagement
Dedicated Customer Success Manager to guide adoption and optimization.
24/7 technical support via ticketing, chat, and email; periodic health checks; release briefings and enablement for new features.
Optimization loop
Use dashboard trends (risk score, policy/asset status, SLA breaches, audit findings) to prioritize work.
Quarterly tuning of schedules, mappings, and ownership to improve closure times and reduce audit prep effort.
Outcome: rapid go‑live, measurable adoption, and continuous readiness. Approvals generate work, audits and evidence are system‑driven, deviations become owned risks, and leadership runs on a live posture—sustained through a CSM‑led MAP, scorecards, and QBRs.

The Soffit Advantage

Soffit, CACCA’s parent company, provides the distribution, credibility, and execution backbone to deliver CACCA at enterprise scale—especially for Hybrid and On‑Prem buyers. With multi‑decade delivery heritage and ISO 27001 certification, Soffit shortens timelines, de‑risks integrations, and strengthens buyer confidence.
Distribution and delivery strength
800+ clients, 900+ projects across a dozen countries; ~two decades of IT/security delivery; ISO 27001 certification.
Managed SOC (mSOC), NOC, IT managed services, technology integration, security testing, and advisory reinforce CACCA implementations at scale.
Enterprise credibility
Process‑driven operations with governance and quality practices.
Security‑by‑design posture with audit readiness and advisory offerings aligned to regulated‑buyer expectations.
Practical impact on CACCA
Faster Hybrid/On‑Prem deployments with reference architectures and proven runbooks.
Bench strength for integrations (ticketing/CMDB/IAM and adjacent systems) and on‑site execution where required.
Trusted enterprise relationships that open doors and de‑risk complex programs.

Team & Advisors

Leadership profiles

Saji Prabhakaran