Case Study · 002 · Multi-quarter engagement · ongoing

SOC-2 certified, loans processed 4× faster.

Client identity withheld at client request · references available under NDA

Client
Leading U.S. Auto-Finance Firm
Sector
Fintech · Auto lending
Engagement
Replatform & compliance
Duration
Multi-quarter · ongoing
Disclosure
Anonymized · references under NDA
Compliance bar
SOC-2 Type 2 (first-time)
Certified · SOC-2 Type 2 (first-time)
4× · Faster loan processing
+35% · Productivity (VP Data Eng.)
TBD · Time-to-certification
01 · A regulated lender with a hard audit ahead of it.

Replatform a live lending system. Pass SOC-2 Type 2 on the first try.

Sector
Auto finance · prime + non-prime
Region
United States
Client identity
Anonymized at client request
Loan volume
TBD · disclosure pending
Engagement model
Replatform · compliance · automation

A leading U.S. auto-finance firm serving prime and non-prime dealers across the country. The business runs on data — origination, underwriting, servicing, dealer reconciliation — and that data was scattered across self-hosted databases, manual operations, and aging infrastructure that no longer matched the company's growth trajectory.

Two pressures arrived together. The market wanted faster loan decisioning. Regulators, enterprise dealers, and capital partners wanted attested security. A SOC-2 Type 2 certification was no longer a nice-to-have — it was the price of admission for the next stage of the business.

The constraint was simple to state and difficult to deliver: replatform a live lending system to a secure, audited, AI-ready stack — with zero downtime, no missed approvals, and no compromises on the audit.

Image: A buyer reviewing finance options with a dealership representative on a tablet, beside a car on the showroom floor.
02 · The Challenge

Four constraints, one live lending system.

Replatforming a regulated lender is rarely a single-axis problem. The data, the workflows, the audit, and the operational continuity all moved together — and any one of them, mishandled, would have ended the engagement.

01

Multiple systems, no single source of truth.

Data lived across multiple self-hosted databases and disconnected systems. Underwriters, servicing, and dealer ops each had their own view of the borrower — and none of them agreed. Reporting was a weekly reconciliation exercise rather than an operational signal.

Siloed Data
02

Workflows that humans held together.

Loan workflows depended on manual handoffs between teams: spreadsheets, email approvals, ad-hoc scripts. The work got done — but slowly, inconsistently, and in ways that did not survive an audit trail.

Manual Operations
03

SOC-2 Type 2 as a hard requirement.

SOC-2 Type 2 was not optional. The business needed an attested, audited posture to keep enterprise dealers and capital partners on the platform. First-time certification, on a multi-quarter clock, with no prior compliance program to inherit.

Compliance
04

Replatforming without taking the business offline.

Loans were being originated and serviced in real time throughout the migration. The window for a maintenance-style cutover was zero. Every change had to land without interrupting decisioning, disbursement, or dealer reconciliation.

Operational Stakes
They take intrinsic pride in their work and in being good partners — unusual in my experience. Their ability to work independently is coupled with a consistent pattern of overdelivering on requirements and deadlines.
CTO (name withheld) · Chief Technology Officer · Leading Auto Fintech Firm
03 · Selection

Why a regulated lender trusted us with the audit.

The client interviewed several partners before signing. Four attributes drove the decision — none of them flashy, all of them attestable.

Replatforming without disruption.

Replatforming a live lending system is not a greenfield project. We had a documented track record of moving regulated workloads onto managed cloud infrastructure without dropping a single transaction — and a methodology for doing it incrementally rather than in a single, risky cutover.

Compliance-first architecture.

SOC-2 was not an after-the-fact certification exercise. We architected the new platform with controls, audit logging, multi-account isolation, and vulnerability scanning baked in from day one. Compliance came along for the ride, rather than being bolted on the week before the audit.

End-to-end delivery: decisions through audit.

From data migration through automation through audit prep, the same team owned the work end-to-end. No handoffs between an integrator, a security firm, and a managed-services vendor — one team, one set of decisions, one auditor-facing narrative.

Anonymization-friendly partnership.

Regulated clients need discretion. We routinely operate under NDA, with anonymized references and customer-controlled disclosure. The client could trust that the work would be done, attested, and never overshared — which matters in a market where competitors read each other's case studies.

04 · The Shape

Six fragmented surfaces. One audited platform.

The replatforming wasn't a rewrite. It was a consolidation — self-hosted databases, manual workflows, and a single-account AWS footprint were collapsed into a managed, isolated, audited platform that the SOC-2 evidence package could be built directly on top of.

Siloed → unified, audited, automated
Self-hosted DBs · Manual ops · Siloed data · Single AWS account · Legacy stack · Manual reconciliation

One secure platform

AWS-managed · automated · SOC-2 audited


05 · Decisions

Three calls that made the audit possible.

01

Replatform onto cloud-managed services.

The first call was to stop running our own database servers. We migrated to AWS-managed services — managed PostgreSQL, managed message queues, managed observability — so the operational surface area shrank by an order of magnitude. Fewer servers to patch is fewer SOC-2 controls to attest to.

Principle · Every self-hosted service is a SOC-2 control you have to attest to yourself. Managed services move that attestation to the provider — and into the audit-friendly shared-responsibility model.
02

Adopt a multi-account isolation model.

We split the production environment across multiple AWS accounts: production, staging, audit-logging, and shared services each isolated by account boundary. Blast radius shrinks, IAM gets simpler to reason about, and the auditor sees a clean, defensible isolation model rather than a flat network.

Outcome · Account-level isolation became the single strongest control narrative in the SOC-2 evidence package — and the easiest one to demonstrate in walkthroughs.
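To make the isolation model concrete, here is an added example (not Streaver's or the client's code, and not part of the original page) of the kind of organization-level guardrail that backs a dedicated audit-logging account: a service control policy that denies the API calls which would stop or alter CloudTrail in member accounts, plus a small Python evaluator that checks whether a given action by a given principal is caught by it. The account id, the AuditAdmin break-glass role and the exact statement scope are assumptions chosen for the example.

```python
"""Added example: an SCP-style guardrail protecting an audit-logging account, with a
minimal deny-evaluator. Not the client's or Streaver's code; the account id, role
name and statement scope are constructed for illustration."""
import fnmatch

# Placeholder account id and break-glass role; real values come from the org layout.
AUDIT_ACCOUNT_ID = "111111111111"
AUDIT_ADMIN_ROLE = f"arn:aws:iam::{AUDIT_ACCOUNT_ID}:role/AuditAdmin"

# Deny, for every principal except the audit admin role, the API calls that would
# silence or redirect the trail. As an SCP this applies to all member accounts,
# root users included, so a compromised account admin cannot switch logging off.
AUDIT_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
            "Condition": {"StringNotLike": {"aws:PrincipalArn": AUDIT_ADMIN_ROLE}},
        }
    ],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(value: str, patterns) -> bool:
    """IAM-style wildcard match (* and ?); action names are case-insensitive."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def scp_denies(policy: dict, action: str, principal_arn: str) -> bool:
    """Return True if an explicit Deny statement in `policy` applies to this call.
    Only Deny statements are considered: SCPs set a ceiling, they never grant access,
    and a matching Deny wins regardless of what IAM policies in the account allow."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches(action, stmt.get("Action", [])):
            continue
        # StringNotLike on aws:PrincipalArn carves out the exempt break-glass principal.
        exempt = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn")
        if exempt and any(fnmatch.fnmatchcase(principal_arn, e) for e in _as_list(exempt)):
            continue
        return True
    return False


if __name__ == "__main__":
    dev = f"arn:aws:iam::{AUDIT_ACCOUNT_ID}:role/Developer"
    print(scp_denies(AUDIT_GUARDRAIL_SCP, "cloudtrail:StopLogging", dev))              # True
    print(scp_denies(AUDIT_GUARDRAIL_SCP, "cloudtrail:StopLogging", AUDIT_ADMIN_ROLE))  # False
```

The evaluator only models the Deny side of SCP evaluation, which is the part that matters for a guardrail: the point of placing the trail in its own account and pinning it with an organization-level Deny is that no principal inside a workload account, however privileged, can disable the evidence stream.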
03

Automate the entire operational surface.

Manual workflows do not pass SOC-2. We automated the end-to-end operational surface: CI/CD with required reviewers and gated deploys, automated vulnerability scanning on every build, scheduled backups with restore drills, and end-to-end test suites that ran on every change. The auditor asked for evidence; we handed over dashboards.
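As an added illustration of the gated-deploy idea (example code written for this page, not the client's or Streaver's pipeline), the block below evaluates a deploy request against the gates the paragraph names: approvals that must be on the exact commit and not by the author, a code-owner approval for infrastructure or IAM changes, no unresolved high or critical scan findings, and a passing end-to-end suite. It then serialises the decision as a JSON line suitable for an append-only audit log. Reviewer names, the code-owner set, severity thresholds and both sample requests are constructed for the example.

```python
"""Added example: a deploy-gate evaluator for the 'required reviewers + scan + tests'
policy described above. Not the client's or Streaver's code; reviewer names, the
code-owner set, severity thresholds and the sample requests are all constructed."""
from dataclasses import dataclass, field
from typing import List, Optional
import json


@dataclass
class Approval:
    reviewer: str
    approved_sha: str          # commit the review approved; stale approvals must not count


@dataclass
class Finding:
    package: str
    severity: str              # "critical" | "high" | "medium" | "low"
    fixed_in: Optional[str] = None


@dataclass
class DeployRequest:
    repo: str
    head_sha: str
    author: str
    approvals: List[Approval]
    findings: List[Finding]    # output of the build's dependency / image scan
    tests_passed: bool
    changed_paths: List[str] = field(default_factory=list)


# Constructed policy values for the example; a real pipeline reads these from config.
REQUIRED_APPROVALS = 1
CODE_OWNERS = {"alice", "bob"}
BLOCKING_SEVERITIES = {"critical", "high"}
PROTECTED_PREFIXES = ("infra/", "iam/")   # changes here need a code-owner approval


def evaluate(req: DeployRequest) -> dict:
    """Apply every gate and return a decision with the reasons it was blocked.
    Reasons are collected rather than short-circuited so the record shows the
    whole picture, which is what an auditor (and the author) wants to see."""
    reasons = []
    # 1. Approvals count only if given on the exact commit and not by the author.
    valid = [a for a in req.approvals
             if a.approved_sha == req.head_sha and a.reviewer != req.author]
    if len(valid) < REQUIRED_APPROVALS:
        reasons.append(f"need {REQUIRED_APPROVALS} valid approval(s), have {len(valid)}")
    # 2. Infrastructure and IAM changes need at least one code owner among the approvers.
    if any(p.startswith(PROTECTED_PREFIXES) for p in req.changed_paths):
        if not any(a.reviewer in CODE_OWNERS for a in valid):
            reasons.append("protected path changed without code-owner approval")
    # 3. Unresolved high/critical scan findings block the deploy.
    for f in req.findings:
        if f.severity in BLOCKING_SEVERITIES:
            fix = f" (fixed in {f.fixed_in})" if f.fixed_in else ""
            reasons.append(f"{f.severity} finding in {f.package}{fix}")
    # 4. The end-to-end suite must have passed on this commit.
    if not req.tests_passed:
        reasons.append("end-to-end test suite did not pass")
    return {
        "repo": req.repo,
        "sha": req.head_sha,
        "allowed": not reasons,
        "reasons": reasons,
        "approvers": sorted(a.reviewer for a in valid),
    }


def evidence_record(decision: dict) -> str:
    """One JSON line per decision, to append to the immutable audit log: this is the
    artefact that replaces a screenshot when the auditor asks 'who approved this?'."""
    return json.dumps(decision, sort_keys=True)


# Constructed sample requests.
SAMPLE_ALLOWED = DeployRequest(
    repo="lending-api", head_sha="a1b2c3d4e5", author="carol",
    approvals=[Approval("alice", "a1b2c3d4e5")],
    findings=[Finding("example-lib", "low")],
    tests_passed=True, changed_paths=["app/decisioning.py"],
)
SAMPLE_BLOCKED = DeployRequest(
    repo="lending-api", head_sha="f6e5d4c3b2", author="carol",
    approvals=[Approval("carol", "f6e5d4c3b2"),   # self-approval, does not count
               Approval("dave", "0000000000")],   # approval on an older commit, stale
    findings=[Finding("example-parser", "high", fixed_in="2.4.0")],
    tests_passed=True, changed_paths=["iam/roles.tf"],
)

if __name__ == "__main__":
    for req in (SAMPLE_ALLOWED, SAMPLE_BLOCKED):
        print(evidence_record(evaluate(req)))
```

The two checks on approvals (same commit, not the author) are the ones most often missing from a "required reviewers" setting, and they are exactly what a Type 2 auditor samples for across the observation window: not whether a review existed, but whether it covered the code that actually shipped.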

06 · Honest

What we won't put on this page.

Time-to-cert · TBD

We don't quote a number we can't fully attest to.

We have not publicly committed to a time-to-certification figure. The path from kickoff to SOC-2 Type 2 ran through dependencies outside the engineering org — auditor scheduling, evidence-collection windows, and policy ratification. We can share the figure under NDA; we will not put a number on the page that we cannot fully defend.

Volume · withheld

The 4× is real. The absolute number is the client's.

We will not publish loan volume or transaction counts. The client operates in a competitive market where headline numbers move competitor behavior. We attest to the multiple (4× faster) because the multiple is the operational truth — the absolute volume is the client's to share, in the room, with the people they choose.

Attribution · anonymized

Real quotes. Anonymized attribution. Names available on request.

Two named leaders went on record with strong quotes — the CTO on partnership, the VP of Data Engineering on +35% productivity. We anonymized both attributions per the client's disclosure policy. The quotes are real; the names live in the reference list we share with serious prospects under NDA.

07 · Outcomes

The numbers the audit attested to.

Each outcome below is paired with the baseline it's measured against. The figures attached to the auditor's observation window are reproducible from the client's internal telemetry and the SOC-2 evidence package.

No formal compliance program → Certified, first attempt

SOC-2 Type 2 attestation

First-time SOC-2 Type 2 certification, achieved on the original audit window. The evidence package was built into the platform rather than reconstructed for the auditor.

Manual, multi-system handoffs → 4× faster

Loan processing time

End-to-end loan processing time reduced to roughly a quarter of the pre-engagement baseline, attested by the client's operations team. Faster decisions, faster disbursements, fewer dealer escalations.

Pre-engagement baseline → +35% productivity

Data engineering productivity

Confirmed on record by the VP of Data Engineering. Attributable to unified data, automated workflows, and the removal of manual reconciliation work that the engineering team had previously absorbed.

Multiple silos, weekly reconciliation → Unified, digitized, queryable

Data unification

A single, governed data platform replaced the previous patchwork. The same underlying data now serves underwriting, servicing, dealer ops, and the eventual ML roadmap — without a reconciliation step in the middle.

High-risk cutover ahead → Zero downtime through cutover

Migration continuity

Loan origination, decisioning, and servicing ran without interruption through the entire replatforming. The migration was incremental, reversible, and dual-running where it mattered.

Data too siloed to model → Foundation in place

AI/ML readiness

The unified, audited platform is the substrate the client needed for analytics and ML — credit scoring, fraud detection, portfolio risk. The next phase of the engagement is no longer infrastructure; it's modelling.

Their work has saved us time and increased productivity by 35%. They consider every detail, deliver on time, and respond promptly.
VP, Data Engineering (name withheld) · VP of Data Engineering · Leading Auto Fintech Firm
08 · The Team

Five Streavers. One auditor. Zero handoffs.

The same team that designed the platform sat in the auditor walkthroughs. No subcontracted security firm, no external compliance consultant — one set of engineers, one consistent narrative through every control review.

Agustín Tornielli
Senior Full-Stack

Senior full-stack engineer across the replatform and the SOC-2 automation work.

Sebastián Pandolfi
Senior Full-Stack

Senior full-stack engineer across the replatform and the SOC-2 automation work.

Francis
Senior Full-Stack

Senior full-stack engineer across the replatform and the SOC-2 automation work.

Lucas Regalado
Senior Full-Stack

Senior full-stack engineer across the replatform and the SOC-2 automation work.

Daniela de la Sierra
Senior Full-Stack

Senior full-stack engineer across the replatform and the SOC-2 automation work.

How the engagement is structured

Cadence

Weekly engineering review with the client's CTO and VP of Data Engineering. Discreet daily standups inside a shared Slack channel — no client-identifying material in screenshots, recordings, or external artifacts.

Communication · discreet

All communications run through client-controlled channels and an NDA-scoped reference policy. Public collateral — including this page — is anonymized at the client's request, with named references available under NDA.

Pricing · milestone-based

Milestone-based pricing tied to certification readiness, not headcount. The largest commercial milestone was attached to passing SOC-2 Type 2 on the first attempt — the same outcome the client was measured on internally.

IP & security model

Source, infrastructure, secrets, and audit evidence remain in client-owned accounts. Streaver operates as the engineering team; the client retains every credential, every ownership record, and the option to take the work in-house at any time.

Timeline

WEEK 00 · Kickoff & scope lock: Engagement signed. Scope confirmed: replatform, automate, certify. SOC-2 Type 2 attached to the largest commercial milestone.
WEEK 08 · Cloud architecture in place: Multi-account AWS topology designed and provisioned. Managed PostgreSQL, managed queues, and the audit-logging account stood up before any workload moved.
WEEK 16 · Data migration · dual-run: Data migration begins from self-hosted databases onto the managed platform. Dual-running with reconciliation; no downtime on origination or servicing throughout.
WEEK 24 · Automation & CI/CD: CI/CD with required reviewers, vulnerability scanning on every build, automated backups with restore drills, and the end-to-end test suite that became audit evidence.
WEEK 32 · Audit preparation: SOC-2 readiness assessment complete. Evidence package, policies, control walkthroughs, and auditor onboarding all in place ahead of the formal observation window.
WEEK 40 · SOC-2 Type 2 certified: SOC-2 Type 2 attestation issued — first attempt, on the original audit window. Loan processing measured at 4× the pre-engagement baseline.
09 · Stack

Managed where it matters. Audited end-to-end.

Every component below was selected for two attributes: operational simplicity and audit defensibility. Managed services shrink the attestation surface; automation makes the evidence reproducible.

Languages & Frameworks

  • Python · decisioning, data, services
  • C# · legacy services, modernized incrementally
  • TypeScript · operator-facing surfaces
  • FastAPI · API framework, audited and tested
  • Django · legacy services in maintenance
  • Next.js · internal tooling & dashboards

Data & Infrastructure

  • AWS · primary cloud · multi-account isolation
  • Azure · select services · scoped down
  • PostgreSQL · managed, single source of truth
  • RabbitMQ · asynchronous workflow & decisioning

Compliance Tooling

  • Vulnerability scanners · every build, every dependency
  • Audit logging · centralized, immutable, account-isolated
  • SIEM · security event aggregation
  • Backups & restore drills · scheduled, drilled, attested

Observability

  • CloudWatch · metrics, logs, alarms
  • Datadog · tracing & application performance
  • PagerDuty · on-call & incident response
10 · What's Next

The next phase of the partnership.

Replatforming and certification are infrastructure. The next phase of work moves the gains from internal posture to external product — broader compliance, deeper data, better customer experience.

Expanded compliance · ISO 27001.

ISO 27001 is the natural extension of the SOC-2 program — broader controls, international scope, and a longer evidence window. The platform was architected to make ISO-readiness an incremental project, not a parallel one.

Data platform maturity · analytics & ML.

The unified data platform is the foundation for the analytics and ML roadmap the business has wanted for years — credit scoring, fraud detection, portfolio-level risk modelling. The substrate is now ready; the modelling work is next.

Customer experience on faster, unified data.

Faster decisioning on unified data flows directly into the customer experience — quicker pre-approvals, fewer dealer escalations, cleaner statements. The next phase of work moves the gains from internal productivity to externally visible product.

Regulated industry · compliance bar · no room for downtime?

That's our zone.

Streaver replatforms regulated systems onto secure, audited, AI-ready stacks — without interrupting the business running on top. Anonymized engagements welcomed; references available under NDA.
