We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 - 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!
The growing array of data privacy regulations — including GDPR in Europe and CCPA in California, not to mention rising data security expectations from customers across industries — has opened the door to a swathe of startups aimed at making it easier for businesses to manage and automate their privacy programs.
This is why San Francisco-headquartered TerraTrue went to market last year with a “privacy-by-design” ethos that helps companies proactively manage their privacy programs before a new product or feature ships.
To accomplish this, TerraTrue essentially unifies product development with privacy standards.
“TerraTrue can power a fast, scalable privacy program because it’s purposefully designed to bring privacy into the product-development lifecycle,” COO and cofounder Chris Handman told VentureBeat. “That’s a radically different approach to how legacy solutions have built their products. They design tools for compliance teams, not product teams or developers.”
In its short tenure (TerraTrue exited beta in the third quarter of 2020), the startup has amassed a reasonable roster of customers that includes freshly IPO’d ecommerce giant Wish and VC-backed photo app maker VSCO. To help its platform reach more businesses around the world, the company today announced it has raised $15 million in a series A round of funding led by 3L, with participation from Chris Sacca and Anthos Capital.
Founded in 2019, TerraTrue is the brainchild of Handman and CEO Jad Boutros, who worked on security at Google before joining Snap (and then Snapchat) in 2014 as director of information security and later served as chief security officer. Handman joined Snap in 2014 as general counsel. The duo were brought in shortly after a major hack compromised the data of millions of Snapchat users. This breach was followed by a settlement with the Federal Trade Commission (FTC), which alleged that Snapchat had deceived its users about the amount of personal data it collected and the security measures it had in place.
Now, having developed a rigorous privacy program that allowed Snap to scale quickly while adhering to all applicable laws and submit to regular audits, they are offering a similar platform any company can use.
“Our time at Snap — and before that at Google — taught us the basic principle that guides TerraTrue’s product design,” Boutros explained. “To do privacy right and to ship features on time, privacy must be a seamless part of product development, not an afterthought done in isolation. That ensures consistency, promotes timely guidance and feedback that won’t jeopardize a sprint cycle, and minimizes complexity as a company grows.”
A slew of data privacy management and compliance platforms have emerged in recent years. This month alone we’ve seen OneTrust close a $210 million round of funding and BigID lock down $30 million, while last month DataGrail secured $30 million to help enterprises manage data privacy requests. TerraTrue is tackling the privacy problem from a slightly different perspective — rather than focusing on data that has already been collected, it’s targeting predeployment privacy compliance.
“Whether it’s managing cookie consents, responding to data subject access requests, or mapping data that a company has been sharing with third parties, the focus [from other companies in this space] is on data that’s already being collected, stored, and processed,” Handman said. “These are all worthwhile tools, but they’re also reactive tools. They don’t address privacy risks, offer guidance, or ensure new features get reviewed before a company ships them.”
By contrast, TerraTrue tracks new features as they’re being developed and surfaces potential privacy risks in real time while issuing recommendations and automating many of the processes required to address pressing issues. TerraTrue also tracks all regulations that are scheduled to come out so that by the time a particular statute is in place, companies are equipped to stay on the right side of the law.
“In privacy parlance, this predeployment work is known as ‘privacy-by-design,” Handman added. “Simply stated, it’s the idea that companies should consider privacy risks, edge cases, and safeguards before they ship features and potentially introduce mischief to their consumers.”
Of course, many companies try to build privacy into their products from the outset, but that’s incredibly difficult to execute while continuously pushing out new features and products, something most modern “agile” software development principles promote.
“Companies lacked proper tooling to pull this off — instead, most companies repurposed spreadsheets, ad-hoc pings through Slack, or email and Google Docs to try to understand what features product teams are building, how they map onto global privacy rules, and how they should address shortfalls,” Handman explained. “But that work is painfully manual, repetitive, and slow.”
TerraTrue integrates with many of the tools companies use, including GitHub, Jira, Google Drive, and Slack, and is designed to “keep privacy and product teams in sync” without slowing down the product development process.
“Everything we do at TerraTrue works to seamlessly integrate privacy into the product-development life cycle,” Handman said. “And integrations are one of the most powerful ways to deliver that experience to customers.”
For instance, a project manager might launch a ticket in Jira, Atlassian’s project management product for software developers, and TerraTrue can instantly flag whether this will have any privacy implications and kickstart a review process, including issuing updates and notifications to all the relevant stakeholders in Jira, Slack, or elsewhere. All comments and responses, regardless of their source, are collated and centralized in TerraTrue.
Although TerraTrue offers many prebuilt integrations that are available out of the box, it also allows customers to develop custom workflows, to, for example, develop independent review processes that funnel into their product development.
“For example, a company might create a vendor security questionnaire but craft it so that TerraTrue will send it to the relevant team members only when a feature would onboard a new vendor,” Boutros said. “What’s more, TerraTrue lets the company quickly triage work by assigning risk scores to responses inside the workflows.”
TerraTrue had previously raised $4.5 million, and with a fresh $15 million, the company is well-financed to support businesses of any size as they face an ever-growing litany of privacy regulations.
While TerraTrue might appeal to smaller startups without the resources to keep on top of everything themselves, enterprises also have better things to focus on than aligning every new feature they build with the latest legislation to come out of Switzerland. Boutros was careful not to give too much away, but he pointed to two strategic priorities on the company’s product roadmap.
“One is to support the needs of very large enterprises that have developed their own proprietary toolchains for managing development and deployment activities over years,” he explained.
In real terms, this means building external APIs that enable these businesses to integrate TerraTrue into their own custom tools while also giving them the flexibility to manage the TerraTrue platform across disparate teams.
Boutros also said companies can expect to see more integrations with other popular third-party productivity and development tools so that “TerraTrue works even better with the way organizations currently work.”
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.