Streamlining compliance: How Thoropass and XFA partner to solve compliance challenges

In a world where we’re free to work from anywhere on any device, ensuring compliance and security has become more critical and challenging than ever. With employees accessing sensitive data from a variety of locations and devices, the risk of breaches and non-compliance continues to grow. In the third quarter of 2024, data breaches exposed over 422 million records globally, marking a substantial rise from previous periods. The average cost of a data breach reached $4.88 million in 2024, the highest on record. Non-compliance can lead to revenue losses averaging $4 million, more than double the cost of maintaining compliance.

Organizations must find solutions that not only protect their systems but also adapt to the flexibility and preferences of modern work environments without disrupting productivity.

Enter XFA, the device security solution that seamlessly identifies every device in your organization, informs users of risks, and ensures compliance with security policies during login—all without micromanaging the devices themselves. 

Better together: XFA + Thoropass

By teaming up with Thoropass, XFA is helping to automate and simplify the compliance process, providing organizations with the tools they need to secure their operations in a dynamic and ever-changing regulatory landscape.

Can you give us a brief overview of XFA and what sets it apart in the compliance space?

XFA is a device security solution that discovers every device used within your organization and pushes it into compliance by acting as an ‘extra factor’ for users who want to log in to your digital workspace. 

Other solutions presume that you know about each user’s devices and can force a management solution on them for the sake of ‘compliance’, while XFA is focussed on taking a direct approach by allowing users to start working on any device, as long as they can prove that this device is secure.

What compliance challenges do you commonly encounter, and how does the XFA and Thoropass integration help solve them? 

Many organizations view compliance as merely a checklist or a documentation exercise, which can lead to gaps in security and oversight. This mindset often results in incomplete processes, missed details, and inefficiencies that can jeopardize compliance efforts.

The integration addresses this issue by automatically gathering and combining all device information with the necessary evidence, ensuring that the process is not only complete but also accurate. By moving beyond the checkbox mentality, this approach streamlines compliance, saves time, and ensures that security controls are continuously monitored and maintained. It transforms compliance from a reactive task into a proactive, efficient, and reliable process.

What inspired the collaboration between XFA and Thoropass?

More than ever, compliance has become a real enabler for moving towards better cybersecurity practices. Certifications like ISO 27001 and SOC 2 are becoming a staple for many organizations that prioritize quality and customer trust. Being part of Thoropass’ Integration Partner Program is a no-brainer that enables organizations to have efficient processes and get certified as quickly as possible.

How does the integration work, and what are the key features?

XFA takes care of discovering each device through authentication and the organization’s login, informing users of their risks, and enforcing a device security policy as part of authentication into company resources. This enables a hands-off approach towards complete device security.

With a couple of clicks from the Thoropass dashboard, XFA will forward this asset information to complete the inventory overview in the Thoropass platform, which is ready for an auditor to review, knowing that XFA provides a complete list.

Which frameworks or regulations does the integration help customers address?

The integration supports customers in meeting the requirements of several key frameworks and regulations that mandate strong security measures. 

ISO 27001 and SOC 2 Type II are two of the most widely recognized frameworks, both of which include specific requirements for securing devices as part of a comprehensive information security management system. These frameworks focus on ensuring that devices used within an organization are adequately protected to maintain data confidentiality, integrity and availability. 

In addition to these, the integration also addresses compliance with frameworks and regulations such as:

  • GDPR: Requires organizations to implement measures that ensure the security of personal data, including securing the devices used to access or store that data.
  • NIS 2: Enforces stricter cybersecurity measures, including device security, for organizations operating in critical sectors across the EU.
  • DORA: Focuses on the resilience of IT systems, including device management, in financial institutions to prevent and respond to cyber threats.
  • HIPAA: Mandates device security to protect electronic health information in the healthcare sector.
  • HITRUST: Establishes specific controls for device security as part of its risk management framework for safeguarding sensitive information.

The integration enhances compliance by automatically monitoring device security, such as encryption status, and generating tasks to address issues proactively. By providing real-time visibility into device compliance and ensuring violations are solved quickly, the integration simplifies meeting these requirements and strengthens overall security. 

How does the integration simplify compliance workflows for joint customers?

Often, auditors question the completeness of a device security strategy. When relying on managed devices, the questions become: 

  • How do you make sure people only work on managed devices? 
  • And what about exceptions? 

Many companies do have some form of bring-your-own-device strategy, but auditors are not always satisfied with the addition of a written device policy anymore. Having a solution like XFA enables any strategy, but guarantees each and every device is verified and listed as part of your compliance track.

Can you share a specific use case or example of how the integration has made an impact?

A great example of how the integration makes an impact is the device encryption monitor. This feature provides users with a real-time list of their devices and checks whether they are encrypted. It continuously monitors the relevant controls, providing updates daily on their status using XFA data. If a device is found to be unencrypted, a task is generated for the control owner to resolve the violation.

Typically, devices are excluded from audit scope, especially as companies scale, because managing employee endpoints can be complex. However, this monitor helps streamline audit evidence collection by easily showing whether devices are secured, saving about 30 minutes when devices are in scope for an audit. The real value, though, comes from the ongoing control monitoring and the proactive reminders to fix any security gaps that could impact compliance.

While the time savings of 30 minutes per audit might seem modest, the true benefit lies in the overall impact on audit efficiency. Studies show that audits with higher usage of monitor-sourced evidence (over 10%) have a 56% faster time to draft compared to audits with minimal monitor usage (less than 2.5%). In short, this integration gives an efficient monitoring tool that, when used effectively, can halve the audit time.
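The daily encryption monitor described in this answer, sketched as an added Python example that is not code from XFA or Thoropass. The device fields, the sample inventory and the task model are constructed assumptions; the one point the example adds is that a device whose status has gone stale cannot be counted as compliant either, since yesterday's evidence does not prove today's encryption state.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    encrypted: Optional[bool]  # None: the device has never reported its encryption status
    last_seen: date            # last day device data was received (assumed field)

@dataclass(frozen=True)
class Task:
    device_id: str
    control_owner: str
    reason: str

def evaluate_device(dev: Device, today: date, max_age_days: int = 1) -> Optional[str]:
    """Return the violation reason for a device, or None when it satisfies the control.
    A status older than max_age_days is a finding too: stale evidence cannot prove
    that the device is encrypted today."""
    if (today - dev.last_seen).days > max_age_days:
        return f"stale status: last report {dev.last_seen.isoformat()}"
    if dev.encrypted is None:
        return "encryption status never reported"
    if not dev.encrypted:
        return "disk not encrypted"
    return None

def run_monitor(devices: List[Device], open_tasks: List[Task],
                control_owner: str, today: date) -> Tuple[List[Task], int]:
    """One daily run: create a task per violating device, without duplicating a task
    that is already open for that device. Returns (new_tasks, passing_count)."""
    already_tracked = {t.device_id for t in open_tasks}
    new_tasks, passing = [], 0
    for dev in devices:
        reason = evaluate_device(dev, today)
        if reason is None:
            passing += 1
        elif dev.device_id not in already_tracked:
            new_tasks.append(Task(dev.device_id, control_owner, reason))
    return new_tasks, passing

# Constructed sample inventory (not real XFA output); field names are assumptions.
TODAY = date(2024, 10, 1)
INVENTORY = [
    Device("lt-001", "alice", True, date(2024, 10, 1)),
    Device("lt-002", "bob", False, date(2024, 10, 1)),   # unencrypted, task already open
    Device("lt-003", "carol", True, date(2024, 9, 25)),  # encrypted last week, silent since
    Device("lt-004", "dave", None, date(2024, 10, 1)),   # never reported encryption state
]
OPEN_TASKS = [Task("lt-002", "it-lead", "disk not encrypted")]
```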

How can customers implement the Thoropass XFA integration?

It’s easy to get started, and it can be done in just a few simple steps:

Step 1: Connect your business tools and apps to Thoropass via our auditor-vetted native integrations and open APIs. 

Step 2: Thoropass collects compliance-relevant data automatically, keeping you audit-ready and alerting you to compliance issues. 

Step 3: Your auditor can easily fulfill most evidence requests, saving you time by reducing back and forth. 

While other solutions require external consultants, both Thoropass and XFA are complete platforms that can be set up and used by anybody who wants to start improving their security and compliance.

Getting started with XFA takes just a few minutes and you can try it for free for one month. Explore the integration or request a demo today to see the difference for yourself.
