The best things to automate are the tedious, time-consuming things no one wants to do but everyone has to do. Taxes. Invoices. Insurance claims. Anything with the word “compliance” in it. Now imagine it’s also existential: If things go wrong, your company could lose customer trust and its public reputation. Understandably, security and data compliance is on the top of many companies’ to-do lists.
That’s why I was so intrigued when I heard about Drata, a 17-month-old company that is creating a pervasive layer of trust across the internet by helping customers automate security and compliance. “Trust is at the core of what we do,” says Drata CEO and Founder Adam Markowitz.
I’m happy to announce today that Salesforce Ventures has joined ICONIQ Growth in investing in Drata’s $100 million Series B round, joining Alkeon Capital and previous investors Cowboy Ventures, Leaders Fund, and GGV Capital. With this new financing, Drata is now officially the first $1 billion company in this new market.
Why are we so excited about this promising young company? In short, pain, scale, execution, and vision. The risk of security non-compliance is very real, very important, and rising: According to Statista, the monetary damage caused by reported cybercrime was $4.2B in 2020 — four times as much as in 2015.
Because the incidents of cybercrime and other data breaches are rising and the consequences are so severe, tech buyers at most big companies are requiring SOC 2 compliance — the current industry standard for data security — for all their software providers. That means every cloud software startup that is trying to sell into larger companies will want to get certified in order to land more customers and bring in more revenue, faster.
At his last startup, an education platform, Adam was frequently asked by potential customers to provide a SOC 2 report as evidence of the company’s security stance. “With massive data breaches happening more often, it felt as though a magnifying glass was being rightfully placed over data privacy and security, which meant companies like ours were going to need to prove early and often that they prioritize the security of their customers’ data,” he said in an interview.
More and more of our founders of Salesforce Ventures portfolio companies have told us they, too, are struggling through the process of SOC 2 compliance and are looking for ways to automate the process. And that’s precisely why Drata is growing so fast. In its first 45 days on the market, the company secured 100 customers and is on track to reach thousands next year.
The grunt work of compliance
Achieving SOC 2 certification requires tracking down hard-to-find details, sifting through old emails, taking hundreds of screenshots, and creating reams of documentation. This problem only gets harder as companies scale. Each new employee or contractor requires the addition of new security controls. And SOC 2 certification requires that not only you but also your vendors and contractors, meet compliance. Considering the fact that a typical small enterprise works with 50–100 or more vendors, the complexity is dizzying.
Getting to SOC 2 certification takes the average company 600 hours, which continues to climb as the company grows and continually needs to be renewed. It also requires hiring an expensive consulting firm to walk you through the process and give you the rubber stamp.
But with Drata, most of the manual labor is automated — including evidence collection, policy creation, and continuous security control monitoring — saving your engineers hundreds or even thousands of hours that would be better spent working on your product. Drata also integrates into more than 50 apps, infrastructure providers, identity providers, code repositories, including your CRM, HRIS, and Slack. And Drata is constantly rolling out more integrations. Additionally, the company has partnered with dozens of audit firms to make sure its product is customized to suit their needs, which drastically reduces your audit time and cost.
So many regulations, so many kinds of compliance
The world is full of rules, standards, and regulations for all sorts of industries, from tech and finance to healthcare. Drata’s first product eases the suffering of companies aiming for SOC 2 compliance. The company recently added automated compliance assistance for ISO 27001, another data security standard.
Ultimately, Drata aims to solve problems across many more governance, risk, and compliance issues. They’ve already launched their ISO 27001 product and will soon include HIPAA, PCI DSS, and more. As the company realizes its product roadmap, Drata’s addressable market will continue to grow.
At Salesforce, trust is our number one value. Drata’s mission to build a layer of trust around the modern enterprise resonates, and we’re delighted to support the company through its next wave of growth. Welcome, Drata!