PAUBOX: Leverages HITRUST RightStart Program to Expand Target Market and Give Customers Peace-of-Mind


When prospects started asking if Paubox was HITRUST Certified—as a mandatory condition for doing business—the encryption solutions firm took note. Management quickly learned that HITRUST offered a program that fit their unique needs—the HITRUST RightStart Program for Start-Ups. Earning the certification gives Paubox customers peace-of-mind knowing that Paubox proactively takes appropriate measures to ensure customers’ sensitive information is safe from cybercriminals and other malicious actors while meeting appropriate regulatory requirements when handling information such as PHI. With the HITRUST Risk-based 2-year (r2) certification playing a key role in expanding the Paubox target market, the company projects doubling their revenue.

The Challenge: Satisfy Customer Requirements for Security Posture Attestation

Since launching in 2015, Paubox has strived to secure every email for its customers by helping them increase end-user adoption of encryption-based communications. The solutions offered by Paubox achieve this objective while putting the user experience first—but not at the expense of security. This approach resulted in protected email and communication application programming interfaces (APIs) for Paubox customers, enabling them to mitigate the risk of cyberattacks and data loss that often originate through or involve communications systems.

During the first couple of years of operation, Paubox initially targeted doctors’ offices and small hospitals for use of its encryption services, and later added data loss prevention to the offering. As the company experienced success, larger healthcare organizations, including hospitals and medical centers, began to inquire about encrypting their email and communication APIs.

“That’s when our prospects started asking if we were HITRUST certified,” says Paubox CEO Hoala Greevy. “No one asked about any other certifications or standards—like SOC2 and ISO27001—so after receiving multiple inquiries about HITRUST, we knew that going through the HITRUST CSF program was a must.”

Paubox did its homework to understand how a HITRUST assessment compared to other assessment or assurance programs, in order to determine whether it should invest in the HITRUST approach or tell its customers that it was able to demonstrate the effectiveness of its security and privacy controls.

What Paubox learned was that, in addition to the HITRUST Risk-based 2-year (r2) certification increasing the speed at which it could address the risk-reporting requirements of this important target market, the certification eliminated time-consuming tasks associated with completing the additional lengthy, and now redundant, security questionnaires that customers requested in the past.

With major prospects demanding HITRUST Certification in order to become customers, Paubox realized security posture attestation could do more than expand the sales pipeline and increase revenue-generation potential; it could also reduce the amount of time it took to complete the transaction.

“For some prospects, an attestation to the HITRUST CSF was mandatory to do business,” says Greevy. “Getting certified was a high priority—a necessity, actually—for achieving our revenue goals. Understandably, the sales team was particularly motivated.”

When Paubox informed investors it was pursuing HITRUST Certification, they immediately recognized the benefits and actually earmarked additional investments specifically for the certification process. “Our advisors all recognize that HITRUST is the gold standard in information security attestation,” Greevy says. “They also know that certification plays an important role in marketing our offering to our customers.”

The Solution: HITRUST RightStart Program Proves Ideal for Start-Ups

Given that prospects specifically requested HITRUST Certification, Paubox decided to look into the HITRUST RightStart Program for Start-Ups. The program—launched about the same time that Paubox began exploring HITRUST Certification—enables new companies to quickly build a solid foundation for risk management, compliance, and privacy. By leveraging the HITRUST RightStart Program to streamline risk management and compliance processes, businesses gain more time to focus resources on growth and establishing strong customer relationships—while also knowing they are using the most comprehensive security and privacy platform trusted by these same customers the world over.

“Many might view the HITRUST programs as offerings designed for large enterprises,” says Greevy. “In reality, the HITRUST CSF actually gives us—as an early-stage company—a leg up on processes, policies, and controls that larger companies take for granted.”

One of the key pillars that give the HITRUST RightStart Program a strong position is that certified third-party organizations determine whether or not a business meets the criteria of the HITRUST CSF framework. Developed in collaboration with information security and risk management professionals representing healthcare organizations of all shapes and sizes, the framework provides certification-seeking companies with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management.

The HITRUST CSF also rationalizes relevant regulations and standards into a single overarching security framework mapped to measurable controls, a unique component specific to the HITRUST CSF. From there, organizations can tailor their security control baselines based on a variety of factors—including organization type, size, and systems, as well as other industry and regulatory requirements. A key factor in helping Paubox utilize the HITRUST CSF efficiently was establishing a collaborative relationship with KirkpatrickPrice—an approved HITRUST Authorized External Assessor organization.

“At first, we tried to prepare for the assessment on our own,” says Tyler Dornenburg, Strategic Projects Lead for Paubox. “But we realized we could use some help in how to properly scope and then apply security controls to our risk gaps. Working with KirkpatrickPrice positioned us to better attest to the HITRUST CSF in a timeframe that matches our customer expectations and our related business requirements.”

The process to pass the HITRUST Risk-based, 2-year (“r2”) Validated Assessment included on-site sessions between KirkpatrickPrice and all of the key players at Paubox. Greevy participated directly, and as CEO, he motivated the staff to react immediately to any security controls that had to be added or updated.

The Results: Certification Benefits Drive Deeper Than Increasing the Target Market

Paubox initially chose HITRUST r2 Certification to make it possible to do business with prospects and customers requiring third-party attestation to Paubox’s security and compliance posture. In addition to the certification helping them close business more quickly within the company’s target market, Paubox has since realized additional key business benefits.

One such benefit came in the form of resource allocation and prioritization by collaborating with KirkpatrickPrice, which advised Paubox on the systems and processes to include in the scope of the initial attestation. “Some systems can be handled after the initial testing for certification,” says Dornenburg. “This was a big help since it meant we didn’t have to jump on everything right away. We addressed the major risks immediately to earn certification and devised an action plan to address the minor risks in the next 12 months.”

An example of how KirkpatrickPrice helped Paubox think creatively when it came to applying security controls is the facility where employees work. Paubox began as a start-up in a shared space that is home to other start-ups, with open physical access to other businesses as well as a public café. This presents a tricky situation as to the security controls to apply when employees use their laptops in a public space vs. handling documents at their desks. “KirkpatrickPrice came up with a plan to set up security controls for our employees as if they work at home or on the road,” Greevy says. “We just needed to implement a couple of additional precautions that a company working in its own building might not need to.”

To address this control requirement, Paubox created a user-friendly handbook so the whole workforce was very clear on the remote worker rules by which they must abide. Paubox also provided remote training as part of both the annual employee training and new employee onboarding activities. The training program started by defining different types of public spaces—home working, co-working, public/open spaces—and the safety measures the employees would need to take in each of these environments. Among other examples provided in the handbook and as part of the training, employees were instructed to: work with their back to a wall; close their laptop when not in use; and never leave their laptop alone in a café or any other public area without another co-worker nearby.

Going through the HITRUST risk analysis and security certification process expanded and amplified the company’s internal focus on security and helped increase the number of controls to protect the IT assets of the business and customer information. The handbook and training represent one example of this adoption of a culture of security.

“From engineering to customer service, sales, marketing and operations, everyone believes in the importance of securing PHI (protected health information) and the importance of proving it to our customers,” says Greevy. “We essentially adopted a whole new mindset towards security, which is a big benefit in demonstrating to our customers just how highly we prioritize protecting their PHI.”

HITRUST RightStart Program for Start-Ups Highlights

  • Expands target market to include prospects requiring HITRUST security posture certification. (Paubox projects a doubling of revenue)
  • Enhances Paubox brand as a company that takes information security seriously
  • Gives customers peace-of-mind that Paubox protects their sensitive data
  • Increases internal awareness of the importance of protecting digital assets
  • Eliminates need to complete lengthy security questionnaires—saving 1.5 weeks of resource time per questionnaire

Assess Once–Report Many

Another benefit for Paubox is that the internal staff no longer has to complete the extensive security questionnaires requested by many customers in the past. The questionnaires—often delivered as a spreadsheet containing 1,000+ questions that represent a moment-in-time when the questions were answered—can take a single resource as much as eight days to complete.

“Now when we receive a request to complete a security questionnaire, we can respond quickly by presenting the results of our HITRUST Certification,” says Greevy. “Because of the industry credibility found in HITRUST, that’s usually enough to satisfy their interest in our security posture—we don’t spend time answering questions already addressed in our security assessment report, which a third-party assessor has certified.”

Given the momentum the HITRUST RightStart Program brings to the Paubox business as it facilitates business development, expedites deals, and amplifies the Paubox brand, senior management not only projects doubling revenue but also sees the entire Paubox team playing an active role in improving the firm’s security posture in support of the expected business outcomes.

“With HITRUST Certification, there’s immediate recognition from our customers that we have established a strong security culture to match the security of our solutions,” Greevy says. “Certification gives them peace-of-mind that we take information protection seriously and that their data is safe. They know we don’t just have a security certification—we also live and breathe security and realize the importance of risk management.”


As Paubox received inquiries from healthcare organizations looking to employ the company’s email encryption services, the team quickly spotted a trend where most prospects required Paubox to demonstrate that its solution was HITRUST Certified.

Headquarters: San Francisco, CA
Number of Employees: 13
Industry: Internet

All product names, logos, and brands are property of their respective owners and used for identification purposes only, and are in no way associated or affiliated with HITRUST. Use of these names, logos, and brands does not imply endorsement.

