Privado Raises $17.5 Million to Embed Privacy in Software Development Lifecycle
Software is everywhere: it has gone from mobile apps & websites to household devices like doorbells, TVs, cars & Alexa. As developers ship products & applications, there has been a strong movement to integrate security into the development lifecycle, but privacy has remained an ad-hoc, manual process. This blind spot has led to products collecting excessive data, sharing sensitive data with third parties, using personal data improperly & leaking it to logs. Regulators around the world have taken notice, with a cumulative $1.7 billion in GDPR fines & a recent FTC fine of $150 million on large public tech companies.
We are excited to launch Privado, a privacy code scanning solution that brings developers, security & privacy teams together & provides them instant visibility into the use, collection, and sharing of personal data across their products & infrastructure. To make our mission of Shifting Privacy Left a reality, we raised $17.5 million in funding from leading global investors Insight Partners, Sequoia Capital India, Together Fund & Emergent Ventures.
You can’t govern what you can’t see
We started Privado in 2020 after seeing the struggles of GDPR compliance firsthand while working in product & engineering teams. Our first project was data mapping for an e-commerce company. The project spanned six months, & we conducted over 100 interviews with product managers & developers to build a data map (a huge Excel sheet). Even after spending countless man-hours on detailed interviews, we were not sure of the accuracy or completeness of the data maps. Meanwhile, multiple product changes had gone live, and the data maps were already out of date.
We quickly realized that getting visibility alone was hard. We then spoke to hundreds of DPOs, CISOs & privacy leaders, and everyone confirmed the same challenge:
“Getting Visibility into the use of data & data flows for engineering is next to impossible”.
What’s special about engineering?
- Distributed Data Processing: Modern software isn’t just written anymore; it’s assembled. A typical tech company has some user-facing apps or websites coupled with hundreds of internal services to achieve scale and reliability. Netflix famously has over 1000 services in production, and each service uses, shares, stores & leaks personal data. Manually mapping data across these apps & services is impossible.
- Continuously Changing: Tech companies today follow Agile product development, where product & engineering teams continuously launch features, iterate with users & drive value at unprecedented speed. A ‘Shipping Fast’ culture makes it challenging for privacy & security teams to stay on top of data processing, since it is always changing, & to ensure new product changes don't break privacy.
- Exposure is very high: Unlike any other business process, software apps handle millions of users & petabytes of data. This means a small configuration mistake can lead to a privacy breach affecting millions of users.
Lack of Visibility leads to non-compliance
After four years of GDPR, total cumulative fines have hit $1.7 billion, with increasing regulatory action on the use of data & data flows by EU regulators & the FTC in the US.
Lack of visibility into data flows & use of data leaves companies at risk of non-compliance:
- Unapproved Use of Personal Data: As data enters your company, it grows by being copied, inferred, transformed, shared & processed. Some uses of personal data end up being inconsistent with the promises made to individuals at the time of collection & lead to privacy breaches. For example, the FTC fined Twitter $150 million for using account security data for targeted ads.
- Illegal Data Flows: A common development practice is to use third-party SDKs, libraries & APIs for common functionality like analytics, targeting, personalization, etc. Left unchecked, a lot of sensitive data flows to these third parties. A case in point is the Flo app, where health data was flowing to analytics SDKs from Google, Flurry & Facebook, which led to an FTC investigation. This has been the focus of recent FTC guidance; we covered it in detail in our webinar.
- Excessive data collection: Collection points for data have gone from web forms to user permissions, observed user data, IoT devices & many more. If not audited properly, these collection points can have bad privacy defaults, collecting more personal data than needed for the purpose. For example, CNIL recently fined the car-rental company UBEEQO 175,000 Euros for excessive collection of location data.
- Hidden data leakages: As developers build applications, they log error messages. One of the most common privacy issues plaguing applications is personal data being logged alongside these error messages, which gives employees inside the company unapproved access to personal data. One example is the recent Solana exploit, where the Phantom wallet leaked login credentials to logs & those credentials were used to take over wallets.
- Out-of-date compliance reports: Companies have to prove, with an audit trail & paperwork, that their regulatory & compliance reports are up to date and that new code changes follow the principles of Privacy by Design & Default. With distributed data processing & regular product updates, keeping the reports up to date becomes impossible, which leaves companies at risk of non-compliance. An example is NOYB's reading of Facebook’s GDPR Article 30 (RoPA) document, where Peter Hense, Partner at Spirit Legal, highlighted that as an auditor he would have to treat this RoPA as non-existent and that Facebook's processing is therefore "illegal".
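As an added example (written for this post, not Privado's own scanner) of how the 'hidden data leakages' issue above can be caught at the code level: a minimal Python AST check that flags logging calls whose arguments reference personal-data variable names. The sample module, its fixed variant and the name list are constructed assumptions.

```python
import ast
import re

# Constructed sample module: a login handler that logs credentials in its error path.
SAMPLE_SOURCE = '''
import logging
log = logging.getLogger(__name__)

def login(email, password, request_id):
    try:
        authenticate(email, password)
    except Exception as exc:
        log.error("login failed for %s / %s", email, password)  # leaks credentials
        log.warning("request %s failed: %s", request_id, exc)   # opaque id only
'''

# Constructed fixed version: only the opaque request id reaches the log sink.
FIXED_SOURCE = SAMPLE_SOURCE.replace(
    'log.error("login failed for %s / %s", email, password)',
    'log.error("login failed for request %s", request_id)',
)

# Assumed taxonomy of identifiers that usually carry personal or secret data;
# a real scanner would use a larger, configurable list.
PERSONAL_DATA_NAMES = re.compile(
    r"email|password|passwd|secret|token|ssn|phone|address|card|dob", re.IGNORECASE
)
LOG_METHODS = {"debug", "info", "warning", "error", "critical", "exception"}


def _is_log_call(node: ast.Call) -> bool:
    """Match sinks such as log.error(...), logging.info(...), self.logger.debug(...)."""
    return isinstance(node.func, ast.Attribute) and node.func.attr in LOG_METHODS


def find_log_leaks(source: str) -> list[tuple[int, str]]:
    """Return (line, variable) pairs where a personal-data name is passed to a log call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_log_call(node):
            for arg in node.args:
                # Walking each argument also catches names inside f-strings
                # and nested expressions such as str(password) or {"user": email}.
                for sub in ast.walk(arg):
                    if isinstance(sub, ast.Name) and PERSONAL_DATA_NAMES.search(sub.id):
                        findings.append((node.lineno, sub.id))
    return findings
```

Running find_log_leaks on SAMPLE_SOURCE reports email and password on line 9 of the sample; the fixed module reports nothing.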
Why another privacy tech tool
When we looked at the current tools to solve these challenges, we realized they were either:
- Manual: depending on human inputs, which often resulted in plain wrong data maps, could not scale, and went out of date as soon as a new product change went live; or
- Automated: focused only on discovering data in datastores, leaving blind spots in the data lifecycle, especially around the collection, usage, sharing & leakage of personal data.
Even with all the tools on the market, getting visibility into data flows for products & applications is still a big challenge.
Privado: Privacy as Code
Privado is a code scanning solution purpose-built for privacy that discovers personal data, uses of data, data flows & leakages to logs, and flags privacy issues in the code, such as GDPR violations or CWE vulnerabilities. Privado connects with source code management tools like GitHub and, within minutes, gives privacy teams the visibility into data flows that would otherwise have taken months of back & forth with product managers & developers.
From Blind Spots to Complete Visibility in Minutes
Scan internal code & discover all products, apps & dashboards processing personal data.
Instantly visualize the data lifecycle starting from data collection, storing, and sharing to leakages across your products & applications.
Privacy Risks & Issues
Find & Fix common CWE & OWASP data security vulnerabilities including data leakages to logs, insecure data storage & excessive data sharing.
Compliance as Code
Make your privacy policies, PIAs, and DPIAs guardrails for product development. Stop unapproved data flows from going live & avoid privacy breaches.
Privacy by Design
Scale privacy checks across new code changes & get alerts on new data collection & data flows.
Future is Developer-led Privacy
Privado currently monitors over 600,000 code commits and counts enterprises like Here.com and scaleups like Thrasio & Zego as customers. Our free data safety generator tool has seen 8,000+ downloads from developers at companies like Automatic, Asos, Blinkist & many more, generating accurate Play Store Data Safety reports.
With this fundraising, we will continue on our mission to Shift Privacy Left and truly enable developers to build products & apps with privacy embedded from the start, not bolted on afterward. To make this a reality, we will work with the open-source community and our customers to extend the frameworks we support from GDPR and CPRA to HIPAA, PCI DSS & NIST.