Why more startups are getting compliant

Compliance is a must but also a means to an end

SaaS startups are working on acquiring enterprise clients earlier than they used to, and this is changing their road map.

“What I’ve seen is more and more companies are launching with table stakes enterprise features [ … ] whereas those used to be added in at closer to $5 million-$10 million in annual recurring revenue,” tweeted David Peterson, a partner at Angular Ventures.

The Exchange explores startups, markets and money.

Read it every morning on TechCrunch+ or get The Exchange newsletter every Saturday.

These must-have enterprise features may look like acronym soup at first, from SSO to SOC 2 and ISO 27001. But they actually come down to a fundamental need: trust. And just because the vendor is a startup doesn’t mean that standards can be lowered.

“Enterprise customers expect startups to go through the same sales procurement processes and meet the same security, privacy, and compliance requirements as other vendors,” VC firm Work-Bench noted in a playbook co-authored with New York-based startup Laika.

Subscribe to TechCrunch+Going through this process can be a pain for startups, and Laika is one of several well-funded companies that are hoping to help make it both easier and more meaningful.

The need for proof of compliance

There are many reasons why enterprise buyers want to ensure that vendors have a good grasp of security and compliance, but data loss prevention is very high on the list.

“With massive breaches on the rise — like Uber, Sony, Equifax — companies understand that proving their security is a must to doing business. Why? Because enterprises won’t buy a product that is not secure, and regulators will crack down on any company with a weak security posture,” Christina Cacioppo, the CEO of compliance startup Vanta, said in October.

Laika CEO Austin Ogilvie pointed out another factor in a past interview: COVID, which resulted in more employees working remotely and in the cloud, therefore creating new security and data protection needs.

To mitigate these risks, enterprise buyers typically require vendors to fill out security questionnaires and show that they have gone through a compliance audit. In the U.S., the most common one is known as SOC 2.

Obtaining SOC 2 certification as a startup is no easy feat and considered kudos-worthy. After noticing a tweet from Costanoa Ventures along these lines, I reached out to one of the firm’s partners, Amy Cheetham.

One of the things I was curious about was whether Cheetham and her colleagues were pushing their portfolio companies to seek SOC 2 certification.

“Push is probably a strong word,” she replied. “But we definitely encourage portfolio companies to take compliance extremely seriously, especially those in highly regulated industries, such as fintech. We frequently have board-level discussions around ensuring that we’re taking all the right steps to mitigate any compliance issues and make sure we’re staffing compliance and SOC 2 teams effectively.”

Indeed, compliance shouldn’t be looked at as one-and-done: Buyers will also want to know whether vendors are staying compliant. This is why most compliance-as-a-service companies claim that they do more than help startups check boxes, but what that means depends on the company and can range from hands-on guidance to AI-enabled features and real-time updates.

From compliance to trust

Kintent CEO Sravish Sridhar has an analogy for the old, static way of doing things that was once the norm: Showing months-old certification and filling questionnaires often feels like going to the dentist and saying that you are very consistent at flossing and brushing. But just like dentists need to see your teeth to know the truth, buyers, too, want to see results for themselves.

Trust Cloud is Kintent’s answer to this issue. Sridhar described it as a trust assurance platform that “programmatically verifies that what you’re doing is correct and is constantly advising you on how to improve your security and privacy programs using intelligence.” But more than that, “you can share that programmatically with your customers [ … ] to prove that what you’re doing is accurate and correct.”

Talking to TechCrunch, OpenView partner Mackey Craven ventured that if you’re a vendor who can share this type of data with buyers, “you’re not only perceived as, but you actually are, more mature from a security and business practice perspective than many large companies.” And, he added, “that generates revenue in a measurable way.”

That OpenView led Kintent’s $18 million Series A funding round in May, Craven explained, means the firm agreed with Sridhar that there was a bigger opportunity in connecting compliance and revenue generation. And that comes by building trust online between parties rather than from compliance for its own sake.

But Kintent has quite a few competitors who have enough funding to follow suit. For instance, Vanta acquired Trustpage, which could also be described as a trust assurance platform with an eye on ROI.

While the deal value wasn’t disclosed, we know that Vanta had raised an additional $40 million in October in an extension of a $110 million Series B round that valued the company at $1.6 billion.

More players, more adoption

Kintent and Vanta aside, there’s also Drata, which raised a $200 million Series C round at a $2 billion valuation; Secureframe, which secured $56 million in Series B funding; and Trustero, with $8 million in seed funding. As for Laika, it closed a $50 million Series C round in November.

This may give the impression of a crowded space, but even together, these companies have yet to capture a major share of the market. “Most of the market is still independent auditors and folks trying to figure it out for themselves,” Craven said.

Fintech and health tech startups understood this perhaps earlier than their peers in other sectors, but the need is there, Craven argued, for “any company that is selling a product or service that handles another company’s data of any kind.”

While this would be a huge addressable market, OpenView is supportive of Kintent’s decision to approach it with a freemium model. Indeed, the company launched a free self-service option for startups to achieve SOC 2 readiness (as well as another standard, NIST-CSF).

Adopting a tech-based approach has the advantage of bringing costs down, which is timely as more startups now understand compliance to be both a necessity and something that gives them a competitive advantage.

“Compliance doesn’t just tell enterprise customers that you’re open for business,” Work-Bench said in its playbook. “It’s a powerful brand and marketing message that signals to the world that your startup is more established, credible, and attuned to customer needs.”