Regulated B2B fintech

Beaconwell Capital

The auditor stayed for forty minutes instead of four days.
Director of Privacy Engineering · Beaconwell Capital

Illustrative scenario

8 days → 0

engineering time on annual audit evidence prep

4 days → 40 min

auditor on-site time

100%

consent records exportable with full event chain

3 → 1

compliance systems of record consolidated into Pact

Background

Regulated B2B fintech, ~120 people, ten years old. CCPA, GDPR, CASL, plus three state-specific privacy laws and ongoing SOC 2 Type II commitments to enterprise customers. Consent state had grown across three systems over the years: a hand-rolled application table for product opt-ins, a [legacy consent vendor] for marketing consent, and a legal-team spreadsheet for one-off bespoke opt-ins.

Challenge

Their annual privacy audit had been getting steadily worse for three years. Last year's took eight engineering-days of evidence gathering — pulling consent records from three systems, reconciling timestamps, generating proof bundles by hand. The auditor stayed on-site for four days asking follow-up questions; each follow-up required a new query against a different system.

This year's audit was scheduled for a Friday. Two weeks out, the privacy team realized one of the state-specific laws had a new "reasonable evidence chain" standard that none of the three systems satisfied independently.

Solution

The team migrated their consent records into Pact over a two-week sprint, using Pact's consent ledger as the new system of record. Every existing record was imported with its original timestamp, source, lawful basis, and proof text preserved. The application table and the legacy consent tool kept syncing into Pact for a transitional month; the legal-team spreadsheet was retired entirely.

When the auditor asked for the date range, the team exported the consent ledger straight from Pact's admin UI. The export included lawful_basis, proof_text, proof_version, source, actor_id, correlation_id, and the full event chain back to the original opt-in.

Result

The auditor's reaction was a quiet "oh" and a forty-minute review instead of a four-day one. The "reasonable evidence chain" requirement was satisfied trivially — the event-sourced ledger is structurally a chain of attributed events.

The Director of Privacy Engineering's quote on the post-audit call: "For the first time, when the auditor asks a question about a specific contact, I open one screen and answer in five seconds. Not five days."

The stories above are illustrative composites of design-partner deployments.