Growth Rate (y/y)
BigID is a data governance platform doing about $74M ARR. BigID helps companies comply with regulations like GDPR and CCPA that require them to let users request, modify, and delete from their systems any potentially personally identifiable information (PII).
What makes that a challenge in the first place is that PII consists not just of voluntarily submitted data like names and emails, but also inferred indicators like geolocation history, browsing behavior, and shopping history.
Companies today store a lot of data on users. That data is collected and stored in different tools all around the enterprise, making it difficult to manage.
The company was last valued at $1.25B after their $100M Series D (split into a $70M round and a $30M extension) with a share price around $5.35 per share. Investors include Boldstart Ventures, Bessemer Venture Partners, Tiger Global, Comcast Ventures, Salesforce Ventures, and SAP.io.
The way BigID works is that teams connect all of their data sources—from data warehouses like Snowflake and SaaS tools like Salesforce to raw CSV files, Github repos, S3 buckets, and more. BigID then scans across all of that data for PII and classifies and indexes it so teams can take action on it.
Targeting GDPR specifically was a key part of the GTM early on. BigID was able to ride the urgency that companies everywhere felt to quickly get into compliance with GDPR—particularly given that fines for non-compliance can hit 4% of annual revenue.
Their original wedge here was their PII Monitor tool—like Lifelock for PII—which allowed companies to connect all their data to customer and employee identities.
But once inside organizations helping connect data to identities, BigID could start to layer on additional services that built on top of that visibility in two big ways:
- Adding more forms of compliance for existing customers
- Expanding to new industries through new forms of compliance
Today, BigID is a subscription-based SaaS product with these various different vertical solutions layered on top.
The company’s target customer profile is firmly enterprise: today, they have roughly a few hundred customers in this segment, many of which signed up through reseller partnerships with AWS, Microsoft, SAP, and Snowflake. They are working to expand into the mid-market as well.
Companies pay based on their number of team members using the software, the amount of data in their systems being scanned, and need for advanced features like white-labeled reports and unlimited requests.
BigID’s customer base is relatively dispersed across industries like financial services, insurance, retail, healthcare, communications, and others.
BigID competes directly on the core data identification use case with companies like Ketch (CRV, Silicon Valley Bank), Dataguise (acquired by PKWARE) and 1Touch.io (National Grid Partners).
They’ve also become competitive with companies like Transcend (Accel, Index Ventures) and Osano as a result of expanding into consent management and companies like OneTrust and Securiti.ai in the broader privacy operations space.
However, there’s still room for overlap and many winners here: enterprises may use a combination of tools like OneTrust and BigID, using BigID for data discovery and classification and complete their data inventory management in OneTrust.
Emerging tools like Ethyca (Lee Fixel, Lachy Groom) provide an API-based approach to compliance designed to help developers build compliant software by default going forward.
There are a few core tailwinds behind BigID’s growth:
- Growing compliance burden: US states proposed 27 bills for online privacy in 2021, up from 2 in 2018. And on March 24th, the EU agreed on the most sweeping change to internet privacy laws in Europe since GDPR. Everything from app stores to online advertising to ecommerce is likely to be affected as jurisdictions pass additional legislation designed to curtail the power of big tech platforms.
- Data shifting to the cloud: Per O’Reilly, 49% of companies are still running hybrid cloud and on-premises. As more and more companies continue to migrate to the cloud, they lose some of that on-premises control of their data, and maintaining data security becomes even more urgent and challenging.
- Companies storing more data: SaaS analytics tools are getting more sophisticated and consumer endpoint devices are proliferating, driving the creation of more and more data. In 2020, Seagate estimated that the amount of data collected by enterprises was growing about 42% YoY—and would surpass 2 petabytes per year by 2022.
The launch of GDPR and the California Consumer Privacy Act between 2016 and 2017 was a watershed moment for data security and privacy startup funding. VC firms invested just $1.7B in privacy tech in 2010—in 2019, that number rose to $10B.
And the growth of this market hasn’t slowed as more and more companies have gotten into compliance. In 2021, privacy and security startups raised $15B as it became clear that regulators, especially in the United States and Europe, were not done.
The continued appetite for legislation around security and privacy means that security and privacy startups will continue to have plenty of market to address—not even taking into account the force multipliers of cloud migration and expanded data collection.
This report is for information purposes only and is not to be used or considered as an offer or the solicitation of an offer to sell or to buy or subscribe for securities or other financial instruments. Nothing in this report constitutes investment, legal, accounting or tax advice or a representation that any investment or strategy is suitable or appropriate to your individual circumstances or otherwise constitutes a personal trade recommendation to you.
Information and opinions presented in the sections of the report were obtained or derived from sources Sacra believes are reliable, but Sacra makes no representation as to their accuracy or completeness. Past performance should not be taken as an indication or guarantee of future performance, and no representation or warranty, express or implied, is made regarding future performance. Information, opinions and estimates contained in this report reflect a determination at its original date of publication by Sacra and are subject to change without notice.
Sacra accepts no liability for loss arising from the use of the material presented in this report, except that this exclusion of liability does not apply to the extent that liability arises under specific statutes or regulations applicable to Sacra. Sacra may have issued, and may in the future issue, other reports that are inconsistent with, and reach different conclusions from, the information presented in this report. Those reports reflect different assumptions, views and analytical methods of the analysts who prepared them and Sacra is under no obligation to ensure that such other reports are brought to the attention of any recipient of this report.
All rights reserved. All material presented in this report, unless specifically indicated otherwise is under copyright to Sacra. Sacra reserves any and all intellectual property rights in the report. All trademarks, service marks and logos used in this report are trademarks or service marks or registered trademarks or service marks of Sacra. Any modification, copying, displaying, distributing, transmitting, publishing, licensing, creating derivative works from, or selling any report is strictly prohibited. None of the material, nor its content, nor any copy of it, may be altered in any way, transmitted to, copied or distributed to any other party, without the prior express written permission of Sacra. Any unauthorized duplication, redistribution or disclosure of this report will result in prosecution.