We built Tenurex because audit prep was eating our quarter.
Bootstrapped, Philadelphia-based, founded 2025. Two engineers who got tired of building the same evidence spreadsheet every audit season.
The problem we couldn't stop thinking about.
Andre was Head of Engineering at a 90-person SaaS company in 2024. They were preparing for their second SOC 2 Type II audit — the one that's supposed to be easier than the first. It wasn't. Six weeks of Slack threads, Jira tickets, and spreadsheet exports. Three engineers pulled off sprint work to find evidence that had been silently accumulating in systems they hadn't thought to check. One control gap — a misconfigured logging setting in a secondary AWS region — was almost missed entirely.
Maya was on the other side of the table, building security infrastructure at a fintech startup that was running SOC 2 and ISO 27001 simultaneously. The manual cross-referencing work was brutal. Two frameworks, overlapping controls, evidence that needed to be tagged to specific criteria for each. A dedicated GRC person was spending 20+ hours per week just on evidence management.
The tools they tried — Vanta, Drata, Secureframe — were all doing roughly the same thing: a point-in-time questionnaire with agent-based collection and a checklist UI. They looked polished. They didn't solve the fundamental problem: evidence collection wasn't continuous, and gaps weren't surfaced until you looked.
Tenurex is the thing they both wished had existed. A monitoring system — not a compliance checklist app. Evidence that collects itself. Gaps that surface as they happen, not at audit time. Built by people who've lived audit season from both sides.
The team.
Two founders. One thing we do: continuous GRC evidence collection. No sales team, no SDR sequences — if you email us, Andre or Maya replies.
Andre Ferreira
Co-Founder & CEO
Former Head of Engineering at a 90-person B2B SaaS company. Led two SOC 2 Type II audit cycles. Concluded the 6-week prep scramble wasn't a process problem — it was a tooling problem. Built Tenurex to fix it.
Maya Okonkwo
Co-Founder & CTO
Former security infrastructure engineer at a Philadelphia fintech startup, where she spent 20+ hours a week on manual evidence management while running SOC 2 and ISO 27001 in parallel. Designed Tenurex's collection pipeline architecture from scratch — isolated workers, immutable evidence chains, read-only by default.
How we work.
These aren't brand values. They're how we actually make decisions.
Practitioners first
We built this for the engineering lead who owns compliance alongside everything else — not for a dedicated GRC team with a five-person vendor management budget. Every feature starts with: does this actually reduce work for the person running the program?
Honest about limitations
Tenurex doesn't make you compliant — it makes it easier to prove you are. There's no tool that replaces judgment about whether your controls are actually operating effectively. We'll tell you when evidence is thin. We won't hide gaps.
Bootstrapped discipline
We're self-funded and plan to stay that way until we're sure what we're building is exactly right. No growth-at-all-costs forcing function. We'd rather have 30 customers who rely on us every day than 300 who barely use the product.
Security is not a checkbox
A compliance tool with weak security practices is an indictment. We hold our own infrastructure to at least the standards we help our customers demonstrate. Read our security page for specifics — not marketing promises.