Steve Garrity

Privacy-aware infrastructure

Our goal: help businesses manage user data in a way that strengthens privacy posture, compliance and data security, while maintaining product velocity and reducing costs.


Our goal is to help businesses manage user data in a way that strengthens privacy posture, compliance and data security, while maintaining product velocity and reducing costs.

As users of technology services, we want the companies behind those services to use our data responsibly, but as builders of those services we know how hard it is to avoid mistakes in a fast changing and fragmented regulatory environment.

Today’s infrastructure was not built to carry metadata and policies along with the data, so the two end up separated. That means that data-use commitments have to be enforced out-of-band across many cloud services with custom glue code and ever-growing manual compliance processes.

At the same time, successful companies have to leverage their first-party data for ad attribution, growth analytics, marketing, product personalization and product iteration. The best businesses connect data between multiple best-in-class cloud services to achieve these goals. This results in a complex, error prone, hard-to-update system of dataflows which consumes more and more engineering resources.

We aim to eventually replace the user data store at the heart of these flows with a system that natively understands personally identifiable information and compliance requirements. This evolution will remove custom code from the system, improve compliance with regulation and commitments, reduce the need for manual compliance processes, and free the engineering team to do differentiated work that drives the business forward.


Initial approaches to compliance focused on creating loads of defensive paperwork for lawyers. Privacy policies, cookie policies, processing agreements, and the like. There are some very successful companies in this space, but increasingly people are realizing that the thousands of pages of documentation they’ve generated doesn’t come close to reflecting reality, and they are still quite vulnerable to mistakes and oversights.

The second generation of platforms provide point solutions (like data lake discovery and cataloging, or product-release workflows, or PII classification). They require an immense in-house privacy expertise to implement, and you need 15–20 of them wired together to begin to solve the actual problem.

We believe the next generation will be a more integrated approach to managing PII throughout the data lifecycle, centered on a purpose-based data store that unifies data, metadata, and policy in one place. This will enable unified, consistent reporting about what data is being used for which purposes; centralized policy changes tied to geography or jurisdiction; tokenization of outbound data to prevent later accidental leaks; and many other key data management practices.

Given the scale of our ambition and what we believe needs to be built, we’re starting with identity and access control as the heart of any PII management. This will expand to encompass a richer user data store, with additional capabilities driven by customer adoption.

Reach out today