Democratizing good privacy and compliance practices

Welcome to the TechCrunch Exchange, a weekly startups-and-markets newsletter. It’s inspired by the daily TechCrunch+ column where it gets its name. Want it in your inbox every Saturday? Sign up here.

Just because you’re a startup doesn’t mean you can be careless with the data you’re handling, but enterprise-grade compliance and privacy used to be prohibitively expensive for small teams. This is starting to change. — Anna

Compliance for all

When it comes to selling products and services to enterprise clients, compliance is a requirement for any vendor — including startups.

However, meeting governance, risk and compliance (GRC) standards and proving that you’ve done so used to be very expensive. A new wave of startups that are helping others prepare for compliance audits has cropped up, but entrepreneur Sravish Sridhar thinks that more can be done.

“In the previous generation of companies that had GRC products — like Archer, ServiceNow, SAP and IBM — it was just way too expensive for young companies to use those tools. It was unreachable,” Sridhar told TechCrunch.

This wasn’t sustainable: Startups, too, want to get compliant, as this is increasingly a must-have for enterprise readiness.

But while well-funded startups such as Drata, Secureframe and Vanta now offer services that startups can afford, Sridhar isn’t fond of their approach. He said that some modern companies take advantage of startups by charging them money because it’s a business requirement. “I think that’s wrong. I think that’s fundamentally wrong from a society perspective, to take advantage of young companies and make them pay for something that can actually be democratized.”

Sridhar has a horse in the race; his company, Kintent, is the maker of Trust Cloud, a trust assurance platform that helps companies stay compliant and show their compliance practices to their customers in real time. But he is also consistent with his view: Trust Cloud has a free, self-service tier for startups.

While Sridhar says “it’s the right thing to do,” he doesn’t believe that Kintent is giving too much away for free. “Our business model [relies] on more mature businesses,” the free offering’s landing page notes.

Kintent’s lead investor, OpenView’s Mackey Craven, said that his firm backed the startup because it was offering to do more than compliance for its own sake. “It is, in some sense, the cost of doing business, but it’s not where the most important value is going to get created in this market.”

Where Kintent and OpenView think there is more value to be created is in building trust between vendors and buyers. “There’s not a single founder that I’ve talked to that is doing compliance [out of] the goodness of their heart,” Sridhar said. “They’re doing it for one very simple reason and that’s to drive sales.” Hence Kintent’s focus on connecting compliance and revenue generation.

Privacy for free

In a similar vein, the makers of Privacyboard don’t think that self-motivation or even fear of sanctions should be what drives founders to improve their privacy policies. Instead, Privacyboard aims to educate fellow entrepreneurs about good privacy practices and how they can help them win deals.

Privacyboard’s promise is to help SaaS teams automate their privacy compliance, with an initial focus on Europe’s GDPR, which is arguably the most stringent privacy framework in the world and includes hefty sanctions.

This means that every company targeting European users needs privacy and cookie policies. This inspired Privacyboard’s founders, Sara Boudam and Antoine Milkoff, to come up with a first iteration of their product — a template called GDPR Unpack that helped small businesses comply with GDPR — but they soon realized that there was more they could offer.

Milkoff is an indie maker who understands the needs of founders, and Boudam is a subject matter expert: She is a certified data protection officer, a profession on the rise thanks to GDPR. Having worked with clients, she knew that templates were not enough, even for startups: They’re way too static. But she also knew that advanced tools were too expensive and too complex for small teams.

What SaaS companies need, although they may not realize it, are policies that evolve with their business. For instance, they need data-processing agreements that truly reflect how personal information is processed and which subprocessors are used. One of Privacyboard’s goals is to educate others on meeting these requirements, starting with fellow indie makers.

When I chatted with Boudam and Milkoff, they hadn’t started monetizing Privacyboard. They have since launched reasonably priced subscription tiers, but the free tier hasn’t gone anywhere and still allows anyone to create privacy and cookie policies at no cost.

This freemium approach reminded me of Kintent, but they’re also similar in their conviction that being better at privacy is a strong marketing argument that will result in more sales.

It’s too early to tell whether Privacyboard will have as many paid users as Trust Cloud, but the point remains: Security and privacy compliance shouldn’t be luxury items. The more startups that can up their game in this regard, the better.