Companies are facing hundreds of millions of dollars in fines these days for failing to comply with data protection and data privacy rules, and that’s driving wave of organizations, and their users, to get more serious about data protection. One of the byproducts of that has been the emergence of new technology to meet that increase in activity.
DataGuard is a Munich-based startup that has leaned into the SaaS-based business model to provide privacy, information security and other data protection as a series of on-demand, cloud-based “as-a-service” tools to small and medium-sized businesses, and today it’s announcing that it has secured $61 million in a Series B round of funding led by Morgan Stanley Expansion Capital to double down on the market.
The investment also includes One Peak, the U.K. VC that led DataGuard’s last fundraise of $20 million in 2020, the startup’s first-ever outside funding. Bastian Nominacher (co-founder/co-CEO of Celonis), Hanno Renner (co-founder/CEO of Personio) and Carsten Thoma (founder of Hybris) are also participating
DataGuard is not disclosing its valuation. But as another marker of how it is doing, despite the wider contraction that we’ve seen in the tech sector, this startup continues to grow. It now has more than 3,000 customers across 50+ countries, and they in turn are providing tools that cover over 40 million individual users — employees, customers and other stakeholders. This is triple the 1,000 customers it had in 2020. While DataGuard doesn’t disclose specific revenue numbers, it says that revenues have also grown, some 10x in the last year. Its definition of SMB is somewhat fluid and includes bigger mid-market end users: the customer list includes familiar names like Canon, Hyatt and Unicef.
DataGuard provides a range of tools across privacy, information security and compliance that can assess the different ways that data is being used by an organization. It analyzes this data to determine whether a company is compliant with various certifications (for example, GDPR, CCPA, ISO 27001, TISAX or SOC 2); and if not, what it needs to do to become compliant.
The basic idea behind DataGuard is that while larger enterprises might have teams of in-house staff — lawyers, engineers and data scientists — working to monitor, implement and adjust that org’s data protection, privacy and compliance policies (a strategy that, even with lots of people and budget piled on it, often still goes wrong), smaller organizations might have less human resources but just as big of a task to grapple with.
Its target audience, said Thomas Regier (above, left, who is co-CEO and co-founder with Kivanc Semen, right), are “those with maybe just one IT security person,” who may be a specialist in network security but not data security. Some of its customers, he added, may not have in-house security experts at all: the task of how to make sure data protection is implemented legally and soundly falls to, say, a marketing team: that’s because online interactivity with individuals is one of the key areas that data protection is meant to cover, so in some cases, it’s those using that data who might be tasked with making sure it’s being done correctly.
“We’ve built this for civilians,” he said.
To be sure, marketing — specifically interfaces for cookie and data consent related to marketing and “analytics” — has for many of us been the most obvious face of data privacy and protection over the last several years. Spurred by GDPR and other regulations, we now see those consent windows daily, and many a company has lamented about how the popularity of “reject all” has impacted the bottom line. And the big headlines we’ve read about data protection violations tend to be about the same: in one example from just earlier this month, Instagram was fined more than $400 million for misusing children’s data under GDPR rules in Europe.
But Regier says that these days, added to this are additional pressures beyond the very bad publicity companies get from fines and investigative exposés in the media:
“Marketing is a huge piece of the puzzle, but the second part is that companies are protecting their customers’ data,” he said. “They need to shore that up. They have no choice because if they don’t they will now lose those customers. It’s moved beyond the fig leaf and goes to the core of the business.” With that, cyber insurance premiums have shot up, another sign of how businesses are financially impacted when they don’t implement strong security and data protection. (Debatable whether those premiums are effective for other reasons, however.)
The third important driver DataGuard is seeing among its customers is commercial pressure. That is, organizations are now getting more proactive in vetting partners to make sure that they are being responsible, both on a proactive and reactive basis when something does go wrong.
Interestingly, using mechanics that sound remarkably similar to how data brokers themselves operate, DataGuard can also see how a company’s data might be used by third parties and customers to determine where it might not be compliant, or conversely alert those third parties in the event that any data has been compromised. Getting that bigger picture is becoming increasingly important as part of the vetting process that companies go through when they work on procurement deals, which underscores that it’s not all about making sure that, say, the business-critical nature of the work.
The compliance piece of the business is a newer area, but one that the company will be using some of this investment to continue developing. It potentially also opens the door to DataGuard providing similar services to vet more aspects of security and data protection, such as when it crosses over into data networking and endpoint management. It also opens the door to other kinds of competitors beyond the OneTrust’s of this world, to those like InCountry, which also provides vetting services to determine a company’s enterprise compliance with data protection regulations across different jurisdictions.
Still, the business opportunity, plus the fact that DataGuard has grown as much as it has with so little outside funding, are all reasons why investors have been knocking.
“Data privacy, information security and compliance are areas of increasing focus for regulators, enterprises and consumers globally at a time when the quantity of sensitive data that businesses must process in order to operate is growing exponentially,” said Lincoln Isetta, managing director of Morgan Stanley Expansion Capital, in a statement. “It is clear from our diligence that DataGuard’s unique, all-in-one platform allows customers to move beyond simple ‘check-the-box’ compliance, information security and data privacy practices and instead manage data as a competitive differentiator. We are thrilled to be joining the DataGuard team and look forward to helping them build on their success.”
“DataGuard has seen strong growth since our initial investment which speaks to the drive and execution capabilities of the founders and their leadership team. DataGuard has helped create a new category that is both extremely sizeable and business critical,” added David Klein, managing partner at One Peak, and Christoph Mayer, partner, in a joint statement. “Over the next decade, companies will invest tens of billions of dollars into compliance and security to become and remain trusted partners. We were the first institutional investor in DataGuard back in 2020, and we are thrilled to be doubling down on our investment to support the Company in further accelerating its growth trajectory and expanding its geographical reach.”