Compliance startup OneTrust raises $210 million at a $2.7 billion valuation

About 64% of respondents around the world — and 74% of those in the U.S. — feel that adhering to compliance requirements is a “very” or “extremely” effective way to keep data secure, according to a Thales report. That said, compliance is often expensive. In a 2017 PricewaterhouseCoopers survey of execs at U.S., U.K., and Japanese tech companies, 88% said their company planned to spend over $1 million preparing for the EU’s General Data Protection Regulation (GDPR) in the run-up to its full May 2018 implementation. A smaller percentage of respondents — 40% — said they expected to spend $10 million or more.

Kabir Barday, a former developer at BlackRock and previously director of product management at Dell-owned VMWare, anticipated the nearly $51.5 billion compliance management market’s growth in 2016 when he founded OneTrust with cochair Alan Dabbiere, a cofounder of Manhattan Associates and AirWatch. (Barday was an early employee at AirWatch, which raised $200 million in 2013 before it was acquired by VMware for $1.5 billion.) The Atlanta, Georgia-based privacy and marketing solutions firm went on to raise $200 million in a series A round last July — its first funding round — at a whopping $1.3 billion valuation. This week, in anticipation of further growth, the company closed a $210 million series B round led by Coatue and Insight partners, bringing its total raised to $410 million at a $2.7 billion valuation.

The cash infusion comes after roughly half a year in which OneTrust grew its customer base to 5,000 organizations across 100 countries, up from 3,000 as of July 2019. According to Barday, nearly half the Fortune 500 companies now use its product suite, including brands like Aetna, Randstad, Steelcase, Vevo, Oracle, Marketo, Akamai, Criteo, 21st Century Fox, Adobe, Tealium, Okta, Salesforce, and Kickstarter.

Above: Cross-border data-mapping with OneTrust

“OneTrust plans to use the combined funding to continue to invest in meeting the widespread demand for our technology platform,” said Barday. “We will scale our services, support, and partner ecosystem globally and add new capabilities to the platform through both organic and inorganic innovation.”

OneTrust offers a privacy management program that helps companies comply with the GDPR, California Consumer Privacy Act (CCPA), and hundreds of other global privacy laws by using research portals and automation tools. It streamlines the intake and fulfillment of consumer and subject rights requests and allows customers to benchmark against their peers, map and inventory records of processing, and generate custom reports as data flows through their organization. With OneTrust DataGuidance, admins can search across over 10,000 associated templates, guidance case law, and resources contributed by a network of over 500 lawyers and 20 in-house legal researchers. Alternatively, they can look up individuals’ data across cloud and on-premise systems while maintaining security standards with data review, redaction, and approval workflows.

OneTrust’s complementary PerferenceChoice enables companies to drive opt-in demand while demonstrating full compliance. It allows businesses to deploy interfaces and experiences across marketing and sales activities that collect consent and preferences and sync them across channels, while at the same time automating the fulfillment of consumer rights requests and the maintenance of historical consent records from a single portal. In addition to scanning mobile apps to detect where data is going, PreferenceChoice surveys websites and generates consent and preference banners, drawing on a database (Cookiepedia) of over 7 million precategorized tracking cookies. And it brings in business apps for access, deletion, and portability, integrating a central preference center with detailed consent records.

On the third-party risk side of the equation, there’s OneTrust’s Vendorpedia, which assesses IT and non-IT vendors, direct suppliers, services, legal organizations, franchisees and retailers, agents, and contractors with risk mitigation workflows and ongoing monitoring. It prepopulates security and privacy data on thousands of global vendors in total, each with information at the service and product level, and it lets managers create automated rules to trigger reassessment or receive alerts when enforcement actions occur. Using Vendorpedia, customers can scour contracts, certificates, and documentation for key terms and create audit-ready reports with risk views and interactive dashboards. Additionally, they’re able to link vendors to IT systems and business processes with data inventory and mapping, ultimately adding context to various vendor risks.

Above: OneTrust “readiness” dashboard

OneTrust also automatically responds to incidents and breaches, informed by its ever-growing Databreachpedia global law engine. From within a dashboard, customers can track breach response progress and ensure their team adheres to notification deadlines, or drill down to individual incidents to see additional details. This same dashboard automatically flags risks during incident assessments and investigations, and it recommends mitigation steps based on regulatory guidance from hundreds of privacy laws.

It’s safe to say that compliance management is a red-hot sector, as alluded to earlier. Last year, San Francisco-based TrustArc raised a $70 million round of funding to help companies implement privacy and compliance programs. Privitar recently nabbed $40 million to better enable businesses to engineer privacy protection into their various data projects. And InCountry exited stealth with $7 million in seed funding to help multinationals comply with local data residency regulations, while in 2018 BigID nabbed $30 million to expand its data privacy management platform for enterprises. More recently, LogicGate, which provides a platform that automates processes and compliance tracking, raised $24.75 million to invest in content, frameworks, data partnerships, and integration.

But Insight Partners managing director Richard Wells isn’t concerned about the competition.

“Our continued investment in OneTrust represents the value that businesses are placing on having the right tools to implement cost-effective and efficient privacy programs at scale,” he said in a statement. “With CCPA now in effect and other privacy laws to follow suit, we are thrilled to continue our partnership with OneTrust to bring value and operational expertise from our Insight Onsite team to help OneTrust scale up.”

OneTrust, which is co-headquartered in London, with additional offices in Bangalore, San Francisco, New York, Munich, Hong Kong, and Bangkok, has over 1,500 employees globally.