Drata, a security compliance and automation platform that helps companies adhere to frameworks such as SOC 2 and GDPR, has raised $200 million in a Series C round of funding co-led by Iconiq Growth and GGV Capital, valuing the company at $2 billion.
The raise comes just a year after the San Diego-based company hit unicorn status off the back of a $100 million Series B funding round, while in the intervening months rivals in the space including Secureframe and Laika have each raised $50 million-plus, while Vanta secured $150 million across two tranches this year at a valuation north of $1.6 billion.
So while layoffs and lower-valuations have been a key talking point in the venture capital sphere this past year, it seems that security compliance and automation is somewhat bucking that trend.
The reason may be somewhat obvious, vis-à-vis data is the cornerstone of just about every modern day business, powering everything from AI applications and CRM systems, to digital medical services. In tandem, companies have had to up their data privacy game, particularly where personally identifiable information (PII) is concerned, to meet a growing array of regulations and frameworks designed to safeguard sensitive user data.
“When you factor evolving threats to data, and increasing privacy regulations, security and compliance are now essential to an organization’s infrastructure,” Drata cofounder and CEO Adam Markowitz explained to TechCrunch. “It becomes even more vital for fast-growing companies when you consider other countries have varying preferences toward unique compliance frameworks, standards, or regulations. The more compliance becomes normalized, companies can no longer afford to ignore or avoid it, and those that embrace it need a way to do so scalably with automation.”
While Drata supports multiple frameworks, including GDPR as of March this year, SOC 2 remains its bread and butter. SOC 2, for the uninitiated, is essentially a voluntary auditing process that companies go through to prove to would-be customers that they have a robust data privacy regimen in place. However, achieving SOC 2 attestation is a resource intensive endeavor, one that doesn’t stop at the point of attestation — it’s an ongoing process, because companies’ data-harnessing practices typically evolve as they grow their tech stack, add more SaaS integrations to the mix, change their suppliers, and so on.
In short, companies have to continuously prove that they are worthy of their customers’ trust.
And this is where Drata and its ilk enter the fray, integrating with dozens of cloud platforms, developer tools, SaaS apps, cybersecurity systems, and more, helping companies to automatically gather the necessary “proof” to verify that their data privacy and security practices are ship-shape.
Compliance automation effectively replaces multiple manual efforts involving collecting data across myriad systems, a process that is pretty much out-of-date by the time it’s complete: by plugging into the very systems that hold the data, from AWS and GitHub to Okta and Gusto, everything is maintained in real-time.
While many companies have had to scale back their operations against economic headwinds, the fact of the matter is they still need to seek new business, and proving data privacy compliance is now an essential part of that — it’s no longer a “nice to have.”
“A strong security and compliance program is a requirement for selling to larger companies or enterprises, so companies have to prioritize this as soon as they launch,” Markowitz said.
It has been a whirlwind couple of years for Drata, founded in mid-2020 before emerging from stealth with $3.2 million in funding early last year. Initially, Drata was focused on helping startups solve their SOC 2 attestation headaches, but as it has extended support to additional frameworks, the company has secured bigger name customers including billion-dollar businesses such as Notion and Lemonade.
The problem, ultimately, isn’t restricted to any particular size or type of company, the issue of compliance impacts everyone.
“Virtually every company is processing or storing customer data in the cloud in some capacity,” Markowitz said. “Compliance is a way of validating that your company can be trusted with this data. Whether you’re a two-person startup or a publicly-traded company selling to millions of companies across the globe, compliance is necessary.”
Prior to now, Drata had raised around $128 million, and with another $200 million in the bank, the company said that it plans to invest heavily in R&D around its enterprise-grade product, though it also intends to invest in new features for startups and auditors.
Drata’s Series C round included backing from institutional investors including Salesforce Ventures, Alkeon Capital, Cowboy Ventures, S Ventures (SentinelOne), and Silicon Valley CISO Investments (SVCI). Angel investors included former LinkedIn CEO Jeff Weiner and Snowflake CEO Frank Slootman. As an interesting side note here, Drata also revealed that Microsoft chairman and CEO Satya Nadella invested in its $100 million Series B round last year, something that it had not previously disclosed.
“We’ve always viewed fundraising as a tactic, not a goal or outcome — funding is a part of our strategic growth and indeed also validation of our execution to date,” Markowitz continued. “Funding allows us to accelerate the next stage of growth. For us, that means further expanding our product capabilities and truly bringing continuous compliance to the masses globally.”