Skip to content
Case Study

How Formstack uses Whistic to streamline the security review process

Coworkers in a meeting outside
formstack logo


As the Data Privacy and Compliance Officer at Formstack, Lisa Berry-Tayman knew she had her work cut out for her early on. Formstack is a leading data collection platform that works with thousands of unique clients around the world. Because each of these clients trusts Formstack to securely capture data and maintain compliance with their individual security standards, there is no room for error on the Formstack security team.

Before joining Formstack, Lisa worked in compliance and data protection consulting for more than ten years. Her experience working on multiple projects made jumping in to the Formstack security landscape that much easier.

Vendor Assessments

When I started at Formstack, it felt like I started out six months behind – there was so much to do!” Lisa said. Right out of the gate, there were dozens of security reviews to go through with just spreadsheets and varied documentation for guidance. It was definitely a busy, albeit exciting, time.”

Lisa Berry-Tayman, Data Privacy and Compliance Officer



It quickly became clear to Lisa that dealing with this backlog of security reviews for. current and prospective clients was a larger task than she had originally thought. At one point, nearly 80% of Lisa’s time was being spent answering and reviewing security assessments, and this was on top of her other tasks and responsibilities. When security reviews came in from clients, there was no standard format, which meant Lisa had to be prepared for any format or file type. She then had to go through each assessment question by question, which meant answering the same things over and over.

“Over time, this process was causing a serious backlog for multiple teams,” Lisa said. “When sales reps would submit a request for a security review, the request would go through JIRA, so there was a clear view of just how behind I was on all of these requests.”

Because Formstack takes security and compliance extremely seriously, and because many of its clients are dealing with sensitive data, the questionnaires that Lisa was dealing with weren’t quick 10-question forms. It took Lisa an average of 2-3 hours to respond to a single security request.

“We were getting assessments with 300+ questions, and it was taking us hours to get through them,” Lisa said. “And, thanks to the JIRA queue, you could clearly see that this was a bottleneck in the system.”


Today, Lisa and the Formstack team use Whistic to manage the entire security review process in just a few minutes instead of a few hours. 

“One of our vendors actually gave us access to their Whistic profile when we were doing a review with them,” Lisa explained. “Once we saw the intuitiveness of the platform we realized that we didn’t have any follow-up questions for the vendor since it was all in Whistic. Simply put, we were hooked from the beginning.” 

Lisa and her team talked to the team at their vendor about Whistic, and they walked the Formstack team through their decision process. Lisa and team were able to use this research to make their own decision about Whistic. 

In addition to the intuitive user interface, Lisa and team were also interested in: 

  • Having access to the multiple assessments and questionnaires that were already in the Whistic platform instead of having to purchase these separately. 
  • Sending security profiles directly to clients as soon as they express interest, with little to no lag time. 
  • Proactively working through the team’s JIRA backlog and staying on top of security requests. 
  • Being able to focus more on security and compliance activities and less on admin-esque sales assistance. 
  • Automating NDAs and other security information into the Whistic security profile. 
  • Putting a governance system in place around security documentation so that everyone is using the most updated versions of content.

“At the end of the day, building our profile in Whistic took the most time, and it was just uploading data,” Lisa said. “Now, wecan send out these complex securityprofiles to clients, who in turn have fewer and fewer questions since we’re over-delivering on information. This helps push sales cycles forward and move the needle on deals.”


Today, Lisa spends around 15 minutes per day on sending out security reviews via Whistic, compared to four or more hours before Whistic. She simply has to ‘review’ the day’s queue, make sure there are no glaring issues, and she’s ready to move on. With four different versions of the Formstack security profile ready to go, Lisa can immediately respond to inbound requests – reducing the JIRA backlog and operating on a more proactive level.

“Don’t get me wrong, we have a few larger clients that insist on having their security assessment documents completed. But completing unique questionnaires for those few clients versus completing unique questionnaires for all customers is a huge win for Formstack and me!” 

Additionally, Lisa and the Formstack security team have seen measurable:

  • Cost savings: Lisa is currently taking advantage of the industry-leading questionnaires and assessments available on the Whistic platform. While some questionnaires like SIG-LITE can cost thousands of dollars ad-hoc, they are available at no extra charge on Whistic.
  • Increase in internal efficiency: Thanks to Whistic’s intuitive interface, Lisa was able.  to create a security profile the very same day she was granted access to the platform. Additionally, Lisa shared its first security profile with a client within just 3 days of getting up and running.
  • Increase in customer satisfaction: By sending best-in-class security profiles to clients, the Formstack team looks and feels more professional when dealing with clients. Formstack is now engaging with security teams as the leader they are.

“I just love how easy Whistic is. It’s easy to build, easy to understand, and easy to make changes. Our team can operate at a higher level – and we can deliver better service to our clients – with a single, streamlined launchpad for all things. security and privacy.”


Vendor Assessments Third-Party Risk Management