It's Time Software Companies Take Data Privacy Seriously - Why We Invested in Drata

With cybercrime on the rise and awareness of data privacy heightened, it has never been more important to ensure that company data, processes and systems are secure. Across our portfolio, we have seen deals get pushed or fall apart because the company could not prove to the customer that its security posture was strong enough. Increasingly, proving that an operation is secure and that data privacy is taken seriously is vital to doing business today. One way to prove it is a SOC 2 audit, which produces an attestation report from an independent auditor (strictly an attestation rather than a certification, though it is commonly called one). A SOC 2 report is hard to get and painful to keep: a Type II report covers an observation period, so evidence that the controls were actually followed has to be collected throughout that period, not just once. It is costly, and it takes valuable development time away from engineers, who must document day after day that the compliance policies have been adhered to.

Knowing this, we were ecstatic when one of our portfolio CEOs, Amiram Shachar, CEO of Spot (acq: NTAP), told us we needed to meet Adam, Troy and Daniel of Drata. The team lived through this problem in their previous venture, Portfolium, which was acquired by Instructure in March of 2019. In building Portfolium, they had experienced the endless time, effort and confusion wrapped up in the SOC 2 compliance process. The manual evidence collection process consisted of screenshots, spreadsheets and back-and-forth emails with employees, all to gather everything they needed to show the auditors. Getting ready for the audit was a sluggish, inconvenient and costly endeavour that jeopardized many of the deals they were pursuing and kept their engineering organization from operating at full capacity. They knew there had to be a better way, and it was from this painful experience that the idea for Drata was conceived.

Drata’s main thesis is that much of the work that goes into creating security policies, enforcing them, documenting that they have been adhered to, and getting through an audit can be automated. Most software companies today use some combination of cloud infrastructure (AWS, Azure, GCP), an identity provider (Okta, Office 365, G Suite), a code repository (GitHub, GitLab, Bitbucket) and an HRIS (Gusto, BambooHR). Those systems already hold the evidence an auditor asks for: whether MFA is enforced, whether code is reviewed before it is merged, whether a departed employee's access was removed. By integrating deeply with these systems, Drata automates and documents much of the work that goes into achieving a strong security posture and getting through the audit.
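To make the idea of automated evidence collection concrete, the following is an added illustrative example and not Drata's code or API: two small control checks of the kind a compliance-automation platform runs continuously, one over an AWS IAM credential report and one over a GitHub branch-protection setting, each producing a timestamped pass/fail evidence record. The input data is constructed inline (a subset of the real credential-report columns and of GitHub's branch-protection response shape) so the script runs offline; the control names are assumed labels, not an official mapping to SOC 2 criteria.

```python
"""Illustrative continuous-control checks (added example, not Drata's code).

Each check turns raw data from an integrated system into a dated evidence
record, which is what a Type II audit needs: proof that the control held
on each day of the observation period, not a one-off screenshot.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample: subset of the columns in an AWS IAM credential report.
# The root account reports password_enabled as "not_supported".
IAM_CREDENTIAL_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active
<root_account>,not_supported,true,false
alice,true,true,true
bob,true,false,false
ci-deploy,false,false,true
"""

# Constructed sample: subset of a GitHub branch-protection API response.
BRANCH_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "enforce_admins": {"enabled": False},
    "required_status_checks": {"contexts": ["ci/test"]},
}


def check_console_users_have_mfa(report_csv):
    """Control: every principal that can log in to the console has MFA.

    Returns the list of offending user names (empty list means pass).
    Root is checked unconditionally because its password is always usable.
    """
    failing = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == "<root_account>"
        console_enabled = row["password_enabled"] == "true" or is_root
        if console_enabled and row["mfa_active"] != "true":
            failing.append(row["user"])
    return failing


def check_branch_protection(protection):
    """Control: the default branch cannot be changed without review and CI.

    Returns a list of findings (empty list means pass). Missing keys are
    treated as the setting being off, which is how an unprotected branch
    looks when the API returns no configuration.
    """
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("no approving review required")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("admins can bypass protection")
    if not (protection.get("required_status_checks") or {}).get("contexts"):
        findings.append("no required status checks")
    return findings


def evidence_record(control_id, failures, collected_at=None):
    """Wrap a check result as a dated evidence record for the auditor."""
    ts = (collected_at or datetime.now(timezone.utc)).isoformat()
    return {
        "control": control_id,        # assumed label, not an official criterion ID
        "status": "pass" if not failures else "fail",
        "failures": list(failures),
        "collected_at": ts,
    }


def run_all(collected_at=None):
    """Run every check and return the evidence records for this collection run."""
    return [
        evidence_record("iam-console-mfa",
                        check_console_users_have_mfa(IAM_CREDENTIAL_REPORT), collected_at),
        evidence_record("default-branch-protection",
                        check_branch_protection(BRANCH_PROTECTION), collected_at),
    ]


if __name__ == "__main__":
    for record in run_all():
        print(record)
```

Run on the constructed data, the IAM check fails only for `bob` (console password, no MFA; `ci-deploy` has no password and is not flagged), and the branch-protection check fails only because administrators can bypass the rules. A real platform would pull the same inputs from the providers' APIs on a schedule and retain each record, so the auditor can see the control's state for every day of the period.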

After a few quick calls to our portfolio companies, we realized that almost everyone was going through the challenges of becoming SOC 2 compliant, and the requests for introductions to the Drata team came flooding in.

The feedback we heard from those calls was that while many vendors in this space claim to automate the process and reduce its friction, in practice they are closer to databases: they may organize the evidence, but they do not actually reduce the workload, time or cost.

Most importantly, though, Drata walked the walk when it came to taking security seriously. They refused to launch publicly before completing their own SOC 2 audit, and are the only company in the market built on a single-tenant architecture. What's more, they understood that the point wasn't just to get a SOC 2 report, but to actually run a company that puts security and privacy at the core of its culture.

Since that first meeting, we have watched the team acquire customers rapidly, even while still in stealth, improve and refine the product with velocity, and listen deeply to their customers.

While we believe Drata has the best product in the market, customers choose Drata because they want to work with a vendor who is authentic and stays true to the principles they preach.

We couldn’t be more excited to be partnering with the Drata team, Houman Haghighi, Cowboy VC, SV Angel and many more.

Onwards & upwards,

Leaders Fund team

PS - If you’re struggling with SOC 2, feel free to reach out to us for an intro!

TechCrunch coverage