Friday, July 25, 2025
SecurityPal uses AI, experts in Nepal to answer security qs faster


When a tech vendor wants to sell into a large enterprise — or when that enterprise wants to buy software from a tech vendor or AI model provider — each side may be required by the other to prove they will handle shared data responsibly in the form of mandatory surveys and questionnaires.

Regulations such as GDPR, the soon-to-take-effect EU AI Act and a patchwork of U.S. state laws make those proofs more complex each year.

As a consequence, a tech vendor trying to sell to a large enterprise will usually be asked to complete security questionnaires that can stall deals for weeks and cost six figures in staff time.

San-Francisco-based SecurityPal was founded in March 2020 by CEO Pukar Hamal to handle all that paperwork largely automatically on behalf of the vendor, using the vendor’s unique product information and internal data.

SecurityPal combines an AI engine with a 240-person analyst team in Kathmandu, Nepal, to draft, verify and package the answers vendors and buyers need.

“It’s like Palantir for security reviews — expert humans and AI working together to accelerate enterprise security assessments,” Hamal said on a recent exclusive video call with VentureBeat.

Hamal labels the category “security assurance”: a workflow that sits between traditional compliance software and the sales-ops stack.

The company announced a fleet of updates in its Q2 blog post this week, including smarter fallback responses from its AI Copilot, a fully brandable White Label Package for Trust Centers, and a new Custom HTML Block for embedding rich media in assurance profiles. All are geared toward making its AI interactions more professional and informative, even when data is limited.

The firm has also added Salesforce Auto-Approval, which enables real-time, criteria-based approvals using live Salesforce data; Global Search across the full SecurityPal platform; and soon, a Custom Tasks feature that should let customers manage workflows with personalized fields and forms.

“We’re on a mission to accelerate GDP growth by solving complex security assurance challenges for buyers and sellers,” Hamal added, further offering that, “my thesis when we raised money was that there will be $10 trillion companies, and we’re staring at market caps in the hundreds of billions or more. That demands a radically different capital strategy.”

How the service works

SecurityPal ingests a customer’s existing controls — policies, cloud configurations, attestations — and maps them to a proprietary corpus of roughly 2.5 million previously answered security questions it has assembled from customers and filtered web data.

The company uses a combination of cutting-edge third-party AI models, among them those from OpenAI, Google’s Gemini family, and open-source alternatives.

But Hamal emphasized that the true value lies in how those models are applied, explaining: “AI alone is not enough. With AI, you get speed, but you sacrifice quality, judgment, and context.”

To address this, SecurityPal integrates AI with expert human analysts in a tightly interlaced workflow, aiming for accuracy and nuance in every security review. While the models are widely available, the company’s proprietary data, deep customer relationships, and human-in-the-loop design form a moat that, in its view, makes its solution far more than just automation.

The AI engine takes the first pass; human analysts perform a second pass and final QA to catch hallucinations or missing context. Hamal likens the effect to having an exam key in advance: “It’s almost like SecurityPal knows the answers to the test before the test shows up.”

Because the platform maintains a living model of each customer’s posture, new questionnaires rarely require manual digging.

“Our average SLA [service-level agreement] time is 24 hours, but really, our customers are going down to same-day turnaround,” Hamal says.

First, the company says vendor customers can turn around most security questionnaires from prospective buyers up to 87 times faster than they could with manual workflows.

Second, by letting its platform handle third-party-risk reviews start to finish, buyers report as much as 125 times faster vendor assessments.

Third, the aggregated assurance data the system collects becomes a live dashboard that chief information-security and revenue officers can mine for board-level insight rather than spreadsheet trivia.

AI plus people, not AI instead of people

Hamal is quick to stress that SecurityPal’s analysts remain central to the product.

“AI alone is not enough…you need expert humans layered on top of the technology,” he told VentureBeat, describing the internal workflow as a “centaur” model where machine and human passes alternate throughout the pipeline.

The human layer also feeds a network-effect moat. Each new engagement expands the corpus of accepted answers, which the AI reuses (with fresh evidence) for other customers.

SecurityPal claims coverage of “most of the Fortune 1000” question sets, giving it early knowledge of emerging concerns—for example, the shift from cloud basics to LLM-specific controls noted in recent federal questionnaires.

Traction and business model

SecurityPal bootstrapped to roughly $1 million in annual recurring revenue before David Sacks’ Craft Ventures pre-empted the company’s first funding round; the $21 million seed deal was signed on a literal napkin, with no slide deck involved.

The customer roster now includes OpenAI, Airtable, Figma, Snap, a top-three U.S. airline and a top-five U.S. health insurer, among other Fortune-class accounts.

SecurityPal does not disclose pricing publicly, but it sells the service as an annual subscription whose cost undercuts the internal headcount many companies dedicate to the task.

Internally, Hamal operates on two continents. Revenue, product and go-to-market teams sit in San Francisco and New York, while the analyst organization forms the kernel of what he calls “Silicon Peaks” — a tech hub 100 miles from Mount Everest that taps Nepal’s deep pool of STEM graduates.

Why buyers care

For vendors, faster questionnaire turnarounds shorten sales cycles and reduce the risk of stalled deals.

For buyers, automated reviews make it feasible to evaluate every supplier instead of sampling a risky few.

The outcome, Hamal argues, is alignment between revenue and security teams that have historically been at odds: “There are very few tools that are the favorite tool of the CRO and the CISO. We’re it.”

Competitive landscape

Start-ups such as Vanta, Drata and Secureframe also target compliance pain points, but they focus on evidence collection and audit preparation.

SecurityPal’s differentiator is doing the actual writing and response work—something Hamal believes will prove harder for pure-software rivals to automate because it still requires judgment and domain expertise.

The Kathmandu center of excellence gives SecurityPal a cost base low enough to keep humans in the loop while staying price-competitive.

What’s next?

SecurityPal’s near-term goal is to help 5,000 global enterprises tame their most complex assurance challenges within five years.

Longer term, Hamal sees the service as infrastructure for an economy where every significant transaction carries a security or privacy attestation.

“It’s called SecurityPal, but it’s way more than just about security,” he said, adding “I look to Salesforce—it’s way more than just sales. Same for us. It’s all about satisfying requirements and accelerating deals.”

If that forecast is correct, the company’s combination of AI scale and human nuance could become a standard part of enterprise procurement, whether or not anyone notices the “vibe coding” origin story along the way.
