A Case Study Overview—ThreeFlow Emerges as Market Leader with SOC 2, HITRUST e1 from BARR

June 11, 2025 | Cloud Security, Compliance, HITRUST, SOC 2

ThreeFlow is the world’s first Benefits Placement System—a new category of enterprise software that streamlines benefits placement by connecting brokers, carriers, and employer clients in a single, shared system. With its innovative SaaS platform, ThreeFlow empowers its customers with the tools and information needed to make smart choices about their benefits.

Security and compliance are deeply embedded into ThreeFlow’s business and company culture. Serving a highly regulated industry, the company prioritizes robust security measures to align with the stringent requirements of its partners, customers, and their end clients. Since 2021, ThreeFlow has partnered with BARR Advisory to navigate its compliance journey, achieving multiple attestations, including SOC 2 Type 2 and HITRUST e1, with the goal of reinforcing trust and cementing its place as a true market leader.

The Challenge

From the outset, ThreeFlow recognized the critical role security and compliance would play in its ability to serve insurance carriers and brokers. Given the strict regulatory requirements in the industry, establishing a strong compliance foundation was not just a priority—it was a necessity.

“From Day 1, security, compliance, and governance has been a first-class citizen in our architecture decisions, in our product development decisions, and how we imagine this company growing,” said Shaheeb Roshan, co-founder and CTO of ThreeFlow. 

With security and compliance ingrained in its business model, ThreeFlow made early investments in software development practices, infrastructure decisions, and governance structures that could support long-term scalability. However, as the company expanded, the complexity of maintaining compliance grew.

“As ThreeFlow scaled, the volume of [vendor] security assessments that we were responding to, on both the carrier and the broker side, was scaling with us,” Roshan said. “The time to complete these was anywhere from an hour to three days.”

ThreeFlow needed a compliance partner with expertise in multiple frameworks, a proactive approach to audit support, and the ability to provide strategic guidance to ensure alignment with its long-term goals.

“For us, having the position of trust and credibility in the market, having internal controls that reflect our own standards, and blending those together is no small task. We’re not experts in the compliance frameworks—we’re experts in our business and what our partners need.”

—Shaheeb Roshan, Co-Founder and CTO, ThreeFlow

The Solution

ThreeFlow found a partner in BARR Advisory. With a strong security foundation already in place, the ThreeFlow team sought BARR’s guidance in refining its compliance roadmap and ensuring its security infrastructure was prepared for future growth.

“When we first engaged with BARR, we did so from a position of fairly good readiness…and a clear picture of where we needed to go,” Roshan said. “But we couldn’t take those next steps without the support and guidance from BARR Advisory.”

Rather than taking a reactive approach to compliance, ThreeFlow worked with BARR to align its security efforts with its business trajectory. This forward-thinking strategy was particularly valuable as the company expanded into new market segments, including medical benefits, which require adherence to even more rigorous security standards.

With SOC 2 Type 2 and HITRUST e1 certifications in place, ThreeFlow has significantly reduced the time spent on security questionnaires required by partners and customers.

“Now, our market directors are trained to dive headfirst into the security and compliance governance question,” Roshan said. Supplying a SOC 2 report right off the bat “has materially reduced our administrative time for getting agreements and contracts finalized with our customers and our partners,” he said.

ThreeFlow also leveraged compliance automation tools such as Vanta to simplify evidence collection and automate compliance workflows. Combined with advisory support from members of BARR’s attest services team, including Steve Ryan and Brianna Plush, this has allowed ThreeFlow to manage audits efficiently, even as the business continues to grow at a rapid pace.

“There’s just so much detailed work to be organized and kept track of, but at the end of the day, it’s really been the advisory support from folks like Steve and Brianna that has been extremely valuable,” Roshan said.

Rather than a traditional, check-the-box audit approach, BARR provided a “deeply collaborative” and consultative experience, ensuring ThreeFlow’s technical teams fully understood the intent behind each compliance requirement. In addition, as ThreeFlow’s team looked deeper into HITRUST, they appreciated the support of trusted advisors at BARR who could explain the differences between HITRUST’s various certifications—e1, i1, and r2—and help ThreeFlow work toward these requirements well before beginning the formal assessment process.

It’s this level of trusted guidance that Roshan says makes BARR not just a vendor to ThreeFlow, but a true partner.

“When we were selecting our auditor for the SOC audit, it was really important that we knew that the same auditor could support us to transition into HITRUST.”

—Shaheeb Roshan, Co-Founder and CTO, ThreeFlow

The Results

Through its partnership with BARR Advisory, ThreeFlow has successfully built a compliance program that supports its rapid growth and reinforces customer trust. In fact, ThreeFlow is the only company in its space that has achieved HITRUST certification, positioning it as a leader in security and compliance within the benefits placement industry.

Adding HITRUST e1 certification to their existing compliance program allows ThreeFlow to take their commitment to security a step further and “lead with a trust posture, especially as we enter into the medical markets,” Roshan said. “Leading with the HITRUST certification allows us to skip ahead the gatekeeping conversations directly into how we can actually deliver value to our insurance carrier partners and our brokers.”

ThreeFlow’s compliance achievements are not just about meeting today’s requirements—they are about building a scalable, security-first foundation that supports its vision for the future. Looking ahead, ThreeFlow is preparing for the evolving compliance landscape by proactively evaluating additional security controls to set the standard for responsible artificial intelligence (AI) development in its industry.

“We see an opportunity here to set the standard for what secure and responsible development of AI-based technology looks like in our space,” Roshan said. “We’re excited about working with Steve and Brianna and understanding what those additional controls look like and how do we adopt them.”

As ThreeFlow continues its rapid growth, security and compliance will remain core to its mission. With SOC 2 Type 2 and HITRUST e1 certifications in place, the company is well-positioned to expand its market presence, deepen trust with partners, and set the benchmark for security excellence in its industry.

“We want to be the go-to solution to streamline and simplify benefits placement. Right now, it’s a very pervasive problem that almost everyone in the space has—they don’t know there is a solution and they don’t know there is a better way. We want to be that better way…and compliance is going to be a big part of that.”

—Maira Salahuddin, Senior Growth Marketing Manager, ThreeFlow
