When a tech vendor aims to sell to a large enterprise, or when that enterprise seeks to purchase software from a tech vendor or AI model provider, both parties might need to demonstrate their responsible handling of shared data through obligatory surveys and questionnaires.
Regulations such as GDPR, the imminent EU AI Act, and a mix of U.S. state laws add complexity to these proofs each year.
As a result, a tech vendor attempting to sell to a large enterprise typically faces security questionnaires that can delay deals for weeks and require significant staff time, potentially costing six figures.
San Francisco-based SecurityPal was established in March 2020 by CEO Pukar Hamal to automate this paperwork on behalf of the vendor, utilizing the vendor’s specific product information and internal data.
SecurityPal merges an AI engine with a 240-person analyst team in Kathmandu, Nepal, to draft, verify, and assemble the responses needed by vendors and buyers.
“It’s like Palantir for security reviews—expert humans and AI collaborating to expedite enterprise security assessments,” Hamal mentioned during a recent exclusive video call with VentureBeat.
Hamal describes the category as “security assurance,” a workflow that bridges traditional compliance software and the sales-ops stack.
The company has just revealed a series of updates in its Q2 blog post this week, including enhanced fallback responses from its AI Copilot, a fully customizable White Label Package for Trust Centers, and a new Custom HTML Block for embedding rich media in assurance profiles, all designed to make its AI interactions more professional and informative, even with limited data.
The firm has also introduced Salesforce Auto-Approval, which facilitates real-time, criteria-based approvals using live Salesforce data; Global Search across the entire SecurityPal platform; and soon, a Custom Tasks feature allowing customers to manage workflows with personalized fields and forms.
“Our mission is to boost GDP growth by solving intricate security assurance challenges for buyers and sellers,” Hamal added, further noting, “my thesis when we raised funds was that there will be $10 trillion companies, and we’re eyeing market caps in the hundreds of billions or more. That necessitates a radically different capital strategy.”
How the service works
SecurityPal integrates a customer’s existing controls—policies, cloud configurations, attestations—and aligns them with a proprietary database of approximately 2.5 million previously answered security questions collected from customers and filtered web data.
The company employs a mix of advanced third-party AI models, including those from OpenAI, Google’s Gemini family, and open-source alternatives.
However, Hamal emphasized that the real value lies in the application of these models, explaining: “AI alone is insufficient. With AI, you gain speed but compromise on quality, judgment, and context.”
To tackle this, SecurityPal integrates AI with expert human analysts in a closely coordinated workflow, ensuring accuracy and nuance in every security review. While the models are broadly accessible, the company’s proprietary data, strong customer relationships, and human-in-the-loop design create a significant advantage, making their solution far more than mere automation.
The AI engine makes the initial pass; human analysts conduct a second pass and final QA to catch hallucinations or missing context. Hamal compares the effect to having an exam key in advance: “It’s almost like SecurityPal knows the answers to the test before the test appears.”
Because the platform maintains a dynamic model of each customer’s posture, new questionnaires seldom require manual investigation.
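The workflow described above (retrieve a previously accepted answer, let the AI draft, then have an analyst QA it) can be sketched as a small triage pipeline. The following is an added illustration written for this article, not SecurityPal's code: the answer bank, incoming questions, similarity threshold, evidence-age policy and the route names `qa`, `refresh_evidence` and `analyst_draft` are all constructed assumptions. It uses a deliberately simple token-overlap retriever so the gating logic stays visible; the one detail worth noticing is that a precedent answer is only reused when the control evidence it cites is still current, which is the "fresh evidence" point made later in the piece, and that a question with no close precedent gets a non-committal fallback rather than a guessed answer.

```python
"""Toy security-questionnaire triage: retrieve a precedent answer, then gate it
for human review. Added illustration, not SecurityPal's code; names, thresholds
and sample data are constructed for this example."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
import re

STOPWORDS = {"a", "an", "and", "are", "be", "do", "does", "for", "how", "in",
             "is", "of", "on", "the", "to", "with", "you", "your", "all", "any"}


@dataclass(frozen=True)
class AcceptedAnswer:
    """A previously accepted answer and the control evidence it rests on."""
    question: str
    answer: str
    evidence: str        # artefact the answer cites (policy, config export, report)
    evidence_date: date  # when that artefact was last verified


# Constructed answer bank standing in for a corpus of accepted answers.
ANSWER_BANK = [
    AcceptedAnswer(
        "Is customer data encrypted at rest?",
        "Yes. Customer data is encrypted at rest with AES-256 using provider-managed keys.",
        "Encryption policy and KMS configuration export", date(2025, 5, 1)),
    AcceptedAnswer(
        "Do you enforce multi-factor authentication for all employees?",
        "Yes. MFA is enforced for all workforce identities through the corporate SSO provider.",
        "Identity provider MFA enforcement report", date(2024, 1, 15)),
    AcceptedAnswer(
        "Do you perform annual penetration testing by a third party?",
        "Yes. An independent firm tests annually; the summary letter is available under NDA.",
        "Penetration test summary letter", date(2025, 3, 10)),
]

# Constructed incoming questionnaire; the last item has no precedent in the bank.
INCOMING_QUESTIONS = [
    "Is customer data encrypted at rest?",
    "Do you enforce multi-factor authentication for employees?",
    "Describe your model-training controls for customer prompts sent to LLM providers.",
]
REVIEW_DATE = date(2025, 7, 1)  # constructed "today" for the evidence-age check

FALLBACK_ANSWER = ("We are reviewing this item with our security team and will "
                   "provide a complete response with supporting evidence.")


def tokens(text: str) -> set[str]:
    """Lower-case word tokens minus stopwords; a deliberately simple retriever."""
    return set(re.findall(r"[a-z0-9]+", text.lower())) - STOPWORDS


def jaccard(a: set[str], b: set[str]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def best_match(question, bank):
    """Return (closest accepted answer, similarity), or (None, 0.0) for an empty bank."""
    q = tokens(question)
    best, best_score = None, 0.0
    for item in bank:
        score = jaccard(q, tokens(item.question))
        if score > best_score:
            best, best_score = item, score
    return best, best_score


@dataclass
class Draft:
    question: str
    answer: str
    route: str    # "qa" | "refresh_evidence" | "analyst_draft"
    reason: str
    score: float


def draft_response(question, bank, today, min_similarity=0.5,
                   max_evidence_age=timedelta(days=365)):
    """AI-style first pass: every draft still goes to a human, the route says why."""
    match, score = best_match(question, bank)
    if match is None or score < min_similarity:
        # No usable precedent: ship a non-committal fallback, analyst writes the answer.
        return Draft(question, FALLBACK_ANSWER, "analyst_draft",
                     f"no close precedent (best similarity {score:.2f})", score)
    if today - match.evidence_date > max_evidence_age:
        # Precedent exists but its evidence is stale; reuse only after re-verification.
        return Draft(question, match.answer, "refresh_evidence",
                     f"evidence '{match.evidence}' last verified {match.evidence_date}", score)
    return Draft(question, match.answer, "qa",
                 f"matched precedent (similarity {score:.2f}), evidence current", score)


def triage(questions, bank, today):
    return [draft_response(q, bank, today) for q in questions]


def triage_sample():
    return triage(INCOMING_QUESTIONS, ANSWER_BANK, REVIEW_DATE)


def route_summary(drafts):
    """Counts per route, the kind of figure a review dashboard would surface."""
    return dict(Counter(d.route for d in drafts))


if __name__ == "__main__":
    for d in triage_sample():
        print(f"[{d.route}] {d.question}\n    {d.answer}\n    reason: {d.reason}")
```

Run as a script, the three constructed questions land on three different routes: an exact precedent with current evidence goes straight to analyst QA, the MFA precedent is held back because its report is older than the one-year policy, and the LLM-controls question, which has no close match, gets the fallback and an analyst-written answer. A production system would swap the token retriever for embeddings and the static bank for live control data, but the gating rules are the part worth keeping.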
“Our average SLA [service-level agreement] time is 24 hours, but in reality, our customers are experiencing same-day turnaround,” Hamal says.
The company claims vendor customers can process most security questionnaires from potential buyers up to 87 times faster than they could with manual workflows.
Moreover, buyers that let the platform handle third-party-risk reviews from start to finish report vendor assessments up to 125 times faster.
Additionally, the aggregated assurance data collected by the system becomes a live dashboard that chief information-security and revenue officers can utilize for board-level insights rather than spreadsheet trivia.
AI plus people, not AI instead of people
Hamal is quick to emphasize that SecurityPal’s analysts remain integral to the product.
“AI alone is insufficient … you need expert humans layered on top of the technology,” he told VentureBeat, describing the internal workflow as a “centaur” model where machine and human passes alternate throughout the pipeline.
The human layer also contributes to a network-effect advantage. Each new engagement expands the corpus of accepted answers, which the AI reuses (with fresh evidence) for other customers.
SecurityPal claims coverage of “most of the Fortune 1000” question sets, providing early insight into emerging concerns—for instance, the shift from cloud basics to LLM-specific controls noted in recent federal questionnaires.
Traction and business model
SecurityPal bootstrapped to approximately $1 million in annual recurring revenue before David Sacks’ Craft Ventures pre-empted the company’s first funding round; the $21 million seed deal was signed on a literal napkin, with no slide deck involved.
The customer list now includes OpenAI, Airtable, Figma, Snap, a top-three U.S. airline, and a top-five U.S. health insurer, among other Fortune-class accounts.
SecurityPal does not publicly disclose pricing, but it offers the service as an annual subscription, which is cost-effective compared to the internal headcount many companies allocate to the task.
Internally, Hamal operates on two continents. Revenue, product, and go-to-market teams are based in San Francisco and New York, while the analyst organization forms the core of what he calls “Silicon Peaks”—a tech hub 100 miles from Mount Everest that leverages Nepal’s abundant pool of STEM graduates.
Why buyers care
For vendors, quicker questionnaire turnarounds shorten sales cycles and reduce the risk of stalled deals.
For buyers, automated reviews make it feasible to evaluate every supplier instead of sampling a risky few.
The result, Hamal argues, is alignment between revenue and security teams that have historically been at odds: “There are very few tools that are the favorite tool of the CRO and the CISO. We’re it.”
Competitive landscape
Start-ups such as Vanta, Drata, and Secureframe also target compliance challenges, but they focus on evidence collection and audit preparation.
SecurityPal’s distinction lies in doing the actual writing and response work—something Hamal believes will be more challenging for pure-software competitors to automate because it still requires judgment and domain expertise.
The Kathmandu center of excellence provides SecurityPal with a cost base low enough to keep humans involved while remaining price-competitive.
What’s next?
SecurityPal’s short-term goal is to assist 5,000 global enterprises in managing their most complex assurance challenges within five years.
In the longer term, Hamal envisions the service as infrastructure for an economy where every significant transaction includes a security or privacy attestation.
“It’s called SecurityPal, but it’s about much more than just security,” he said, adding, “I look to Salesforce—it’s way more than just sales. Same for us. It’s all about meeting requirements and accelerating deals.”
If that prediction holds true, the company’s combination of AI scale and human nuance could become a standard part of enterprise procurement, regardless of whether anyone notices the “vibe coding” origin story along the way.
