How Coinflow Manages SOC 2, ISO 27001, PCI DSS, and DORA Compliance With Insight Assurance

About Coinflow

Coinflow is a Chicago-based fintech company focused on modern payment infrastructure for high-growth businesses. The company supports cross-border money movement with security and reliability at the center of its platform. With a team of approximately 60 employees, Coinflow serves businesses operating in a highly regulated environment where security, trust, and operational discipline are essential. 

For a payments company, compliance is not a side initiative. It is part of how the business builds trust with customers and the broader market. Enterprise buyers and commercial counterparties want independent validation that security controls are operating as expected. That need has shaped Coinflow’s approach to compliance from the beginning. 

Today, Coinflow holds SOC 2 and ISO 27001 certifications and is completing its PCI DSS recertification, all assessed by Insight Assurance. The company also works with Insight Assurance on data protection officer (DPO) services across multiple jurisdictions and has engaged the firm in connection with the European Digital Operational Resilience Act (DORA). 

Insight Assurance spoke with Malcolm Portelli, Chief Information Security Officer at Coinflow, who is based in Malta and oversees the company’s global security and compliance program. 

The Challenge

For a payments platform operating across borders and industries, the compliance landscape is not a single destination – it is a continuously moving set of requirements. SOC 2 and ISO 27001 address information security controls. PCI DSS governs payment card data environments. GDPR and other data protection regulations vary by jurisdiction. DORA introduces digital operational resilience requirements for financial services firms in Europe. Each framework has its own standards, timelines, and evidence requirements. 

Managing all of these simultaneously, while a company is also building its product, onboarding customers, and scaling operations, requires a compliance program that is organized, well-communicated, and flexible enough to adapt when priorities shift. 

Malcolm described the core motivation plainly: “The idea is for us to be in a position to show our customers that we are doing the utmost to ensure that systems are secure. And the best way to do that is to get an unbiased third party to review those services and essentially provide us with that kind of independent validation to show that we’re doing what we need to do to make sure that we’re keeping you safe.” 

The Solution

Coinflow’s relationship with Insight Assurance predates Malcolm’s full-time involvement at the company. By the time he joined, SOC 2 and ISO 27001 assessments had already been completed. Malcolm came on board during the final stages of the ISO 27001 process and has since led Coinflow’s engagement with Insight Assurance across PCI DSS recertification, DPO services, and DORA-related work. 

The decision to continue with Insight Assurance across multiple compliance frameworks came down to two things: the quality of prior assessments and the quality of communication. “The audits we’ve done in the past went well, so the experience was positive,” Malcolm said. “And I liked, personally, the people who we’re working with, which for me is one of the most important things. You have to deal with people on a regular basis and make sure that the communication is good.” 

That communication has been a consistent theme across every engagement. Malcolm described the onboarding process ahead of Coinflow’s upcoming SOC 2 and ISO reassessments as an example: “Even though our SOC 2 and ISO exercise is going to take place later this year, we’ve already had an intro meeting with the assessor and our account manager to make sure that we’re clear on what the overall plan of action is, when it’s going to start, and what we need to do to prep for it. That process has been very helpful for my team and me.” 

For the active PCI DSS recertification, Malcolm highlighted the ability to move quickly when needed: “Whenever there was something that was unclear, we got clarity very quickly. The ability to jump on quick calls with people is really great because we’re in a position where we don’t want to delay the process.” 

On the tooling side, Coinflow uses Vanta as its compliance platform. Malcolm described the experience as seamless: “It was the preferred route for both of us. Everything is logged in there and it will make next year’s recertification process a lot easier because we have everything mapped to last year, which makes it less time consuming to upload evidence for the following year.” 

Across all compliance frameworks, Malcolm noted that Insight Assurance’s team demonstrated a quick grasp of Coinflow’s specific operating context – particularly around data protection and GDPR. “Once we explained the situation and the business, it was quite quick to understand what we needed to do. The explanation was descriptive, so we knew exactly what the audit would evaluate. We were able to communicate the requirements to people who don’t have everyday exposure to these kinds of things, such as support staff, and for them to get it relatively quickly was great.”

The Results

Following its completed SOC 2 and ISO 27001 assessments and its ongoing PCI DSS recertification, Coinflow has seen several significant outcomes: 

A More Efficient PCI DSS Timeline 

Malcolm noted that PCI DSS certification exercises typically take around three months in his experience. Coinflow’s current recertification is on track to be completed on schedule, supporting continuity for a payments platform where certification lapse creates risk. “That’s quite good. Usually, PCI exercises that I’ve been involved in in the past tend to take three months on average, so the fact that we can get it done in two is fantastic.” 

A Stronger Security Posture Across the Entire Organization 

Malcolm described the most significant internal benefit as a shift in mindset rather than just process: “It makes the company think about the requirements for security in a different way, from a holistic view as opposed to the individual parts of the business. It improved our security posture and, from a compliance perspective, naturally it did improve – but I’m more interested in the security side, so I was happier about that.” 

The assessment process pushed Coinflow to examine security controls across the organization as a system rather than in silos – a perspective that strengthens security decisions well beyond the assessment period itself. 

SOC 2 and ISO 27001 Certification as a Customer-Facing Signal 

For Coinflow’s enterprise customers and counterparties, independently verified compliance credentials serve a direct commercial purpose. Malcolm framed it simply: the certifications exist to show customers “that your data is safe, your systems are safe.” In a sector where security reviews are a standard part of the procurement process, holding SOC 2, ISO 27001, and PCI DSS certifications means those conversations move faster and with greater confidence on both sides. 

A Long-Term Compliance Relationship Across Multiple Frameworks 

Malcolm rated the overall experience a 9 out of 10 – and has already acted on it. When asked whether he would recommend Insight Assurance to other companies, his answer was immediate: “I just did yesterday.” A Coinflow client seeking PCI DSS certification was referred directly to Insight Assurance. “We want to make sure that they’re getting it from somebody who we can vouch for. We know that the exercise will be done properly.” 

What makes the relationship work, Malcolm said, comes down to the people: “Everybody I’ve worked with till now has been great communicators, patient, and understanding. And they appear to be good at what they do. They’re real people – they have character. They feel human.” 

Conclusion 

For fintech and payments companies, compliance programs rarely stay simple. New frameworks, expanding customer expectations, and evolving regulations create pressure to manage more requirements without losing operational clarity or momentum. 

Coinflow’s experience reflects what that work can look like when it is supported by a consistent, independent audit relationship. Across SOC 2, ISO 27001, PCI DSS, DPO services, and DORA-related work, the company gained external validation, stronger internal security thinking, and a working relationship it trusted enough to recommend to its own clients.

What Compliance Frameworks Do Fintech and Payments Companies Need?

For payments platforms and financial technology companies, multi-framework compliance is increasingly the standard – not the exception. Here is what each framework covers and why it matters:

SOC 2 is an independent audit of a company’s security, availability, processing integrity, confidentiality, and privacy controls. For fintechs, SOC 2 certification is often required by enterprise customers and financial institution partners before onboarding.

ISO 27001 is the international standard for information security management systems (ISMS). ISO 27001 certification demonstrates that an organization has a structured, auditable approach to managing information security risks across the business.

PCI DSS (Payment Card Industry Data Security Standard) governs how organizations store, process, and transmit payment card data. Any company that handles card payments – directly or as a service provider – must maintain PCI DSS compliance.

GDPR and DPO Services apply to any organization handling personal data of individuals in the European Union. A Data Protection Officer (DPO) is required under GDPR for certain categories of organizations and helps ensure ongoing compliance across jurisdictions.

DORA (Digital Operational Resilience Act) is a European regulation that sets requirements for the operational resilience of financial entities and their critical technology service providers. It covers ICT risk management, incident reporting, and third-party risk.

Managing these frameworks through a single independent audit firm – with coordinated timelines and harmonized controls – reduces rework, improves evidence management, and gives leadership a unified view of the organization’s compliance posture.

Simplify Complex Compliance With InsightONE

Managing SOC 2, ISO 27001, PCI DSS, HIPAA, CMMC, NIST, and more – simultaneously – is one of the most common challenges facing security and compliance teams today. InsightONE is Insight Assurance’s structured approach to multi-framework compliance: one audit firm, coordinated timelines, and harmonized controls across all applicable standards.

InsightONE is designed for organizations that are:

  • Preparing for multiple assessments in the same year
  • Managing compliance across multiple business units or geographies
  • Scaling fast and entering regulated markets
  • Dealing with duplicated efforts and disconnected audit workflows

What it includes:

  • Unified audit planning across frameworks
  • Framework harmonization to eliminate duplicated controls and rework
  • Coordinated timelines that reduce bottlenecks for leadership and IT teams
  • Support from experienced auditors, including former Big 4 professionals

Ready for Stress-Free Compliance?

Whether you’re a two-person team or a global enterprise, our team of former Big 4 auditors brings the same level of quality and care to every engagement.

Let’s simplify compliance — together.
