# Vanta: The Innovation Fund's First Investment

A high-growth tech company with a solution that software companies "must have" and a product we believe is 10x better than the old-fashioned status quo.



Note: In preparation for your opportunity to invest in the Innovation Fund later this month, we wanted to share this exciting announcement regarding the fund's first investment in Vanta, a company in one of the fund's target sectors, Modern Data Infrastructure, which we <u>shared an update</u> on earlier this week.

We're excited to announce that the Fundrise Innovation Fund has invested \$5 million in Vanta, as part of their Series B round, investing alongside Craft Ventures, Sequoia, Y Combinator, and Crowdstrike, among others. Previously, investing in a business of Vanta's caliber alongside storied VCs was highly inaccessible to individual investors. **Together, we are disrupting the establishment status quo.** 

Vanta fits within the <u>data infrastructure thesis</u> we laid out in our last note and is poised to be the market leader at the intersection of cybersecurity and compliance. With the proliferation of software products moving vast amounts of data, it is critical that these software solutions are safe and secure.

Major companies, such as those in the Fortune 500, must ensure that when they purchase and use third-party software it doesn't put their own data at risk. Done wrong, the purchased software can expose customer data or leave the enterprise vulnerable to cybersecurity attacks, data theft, and malware. To address this risk, firms require specific certifications to provide assurance that the software vendors properly manage information security.

While this may sound a bit obscure, it is a prerequisite to sell software to any company. In other words, it is a big business.

Before Vanta, obtaining the necessary certifications and achieving compliance was a manual process. Auditors pushed paper and collected evidence of compliance by hand. Considering the number of new SaaS products and widespread adoption of software as a service, the need to automate security and other compliance has become acute.

Vanta was first to help companies automate compliance for the industry's most sought-after security and privacy standards. We believe Vanta, with thousands of customers already, is the clear market leader and has achieved an impressive amount of scale in a short time. Vanta is exactly the kind of business that we look to partner with from team, sector, stage, differentiation, momentum, and financial profile perspectives.

## Why we invested

- **Critical, high-growth opportunity**: Automating corporate compliance processes is essential, if not inevitable, in the era of data. We believe Vanta is the clear leader in the space and has continued to innovate, by, for example, launching <u>Trust Reports</u>, which moves assurance from point-in-time annual certificates to continuous, real-time reporting.
- **Preferred equity**: During this period of great economic volatility, we made our investment as preferred equity, meaning it is senior to all common equity.
- **Efficient growth**: Vanta combines "top-tier growth rate with excellent capital efficiency, as reflected by a superb <u>burn multiple</u>," writes David Sacks of Craft Ventures, who led this round. We couldn't agree more. A track record of success and prudence is a necessity during the coming tech winter, and one we deeply value.

### Industry background and company business plan

In order to sell software to any major enterprise, companies require assurance that the software product won't compromise their own information security. To address the issue of trust in cybersecurity, the software industry has adopted a set of compliance <u>frameworks</u> focused on the safe handling of customer data. The industry has standardized these requirements, insisting on third-party accreditation and audits, most notably SOC 2, ISO 27001, HIPAA, and GDPR, before purchasing a company's software.

While this laundry list of acronyms may sound complicated, these certifications are an unavoidable precondition for selling any software solution. Every major software product sold in the world is certified and recertified annually, which means the companies requiring certification comprise a large addressable market with obvious recurring revenue.

The most common compliance standard for software businesses is called SOC 2. It was created in 2010 and is administered by the AICPA, the accreditation body of certified public accountants. Software buyers can rely on the fact that a software provider with SOC 2 compliance has the infrastructure and practices in place to handle customer data securely.

Standardized certificates, like SOC 2, allow buyers of software to more easily evaluate a wider range of compliant vendors without having to dedicate significant resources to assess the cybersecurity risk themselves. This allows small startups to more easily sell to large enterprises. However, achieving SOC 2 compliance has historically been a labor-intensive process. Companies typically have to spend valuable engineering and IT time on a manual, months-long process to demonstrate their security practices to an auditor.

Vanta improves this process by integrating with a company's existing technology stack to seamlessly demonstrate that the security practices are in place. Instead of manually providing evidence that access controls are implemented in a company's cloud environment or that background checks have been performed on new hires, Vanta <u>integrates</u> with cloud and HR providers to create and present reports in a unified dashboard. Vanta replaces the manual, annual inspections with continuous, automated review and reporting.

Companies typically engage Vanta when they want to land an enterprise customer that requires certification. A certification is only good for 12 months, but in helping companies achieve compliance initially, Vanta then provides ongoing monitoring to make the process even faster and easier the next year. While the whole process isn't yet fully automated, achieving compliance through Vanta *is* significantly faster, easier, and cheaper than the DIY or consultant-heavy approaches companies were forced to rely on before Vanta.

## More growth to unlock

Vanta has built a substantial business but still has enormous growth in front of it, most notably including:

- **Expanding Internationally** Expand internationally as many of Vanta's customers operate in multiple countries, which often have their own sets of standards.
- **Increasing Integrations** Grow their list of integrations with key major software vendors that enable even greater efficiency and automation.
- **Adding Frameworks** Offer even more security and privacy frameworks to address the same fundamental problems that complicate compliance accreditation in other subsectors.
- **Launching New Initiatives** Launch new product initiatives aimed more squarely at the underlying problem of facilitating trust between buyers and sellers of software. Vanta's new product, Trust Reports, allows their customers to demonstrate their strong security practices in real time.

Suffice it to say, Vanta has many different avenues to drive further growth, by broadening their product suite, deepening their offerings, and entering new markets.


Fundrise is thrilled to partner with Vanta as they continue to build a long-term, category-defining business. We're excited our investors will participate in their growth as a long-term investor in the company.

The Fundrise Team

P.S. - If you are looking for assistance with a SOC 2 or other certifications, you can learn more about Vanta's offerings <u>here</u>. The more our investors drive value, the more quality deal flow we gain.

#### **Vanta Announcement Investor Update Story Slides**








Vanta is a high-growth tech company with a solution that software companies "must have" and a product we believe is 10x better than the old-fashioned status quo. Previously, investing in a business of Vanta's caliber alongside storied VCs was highly inaccessible to individual investors.

Together, we are disrupting the establishment status quo.







In our recent <u>sector overview letter</u>, we presented our thesis for why modern data infrastructure businesses offer some of the most exciting investment and growth opportunities today.

Vanta is an excellent fit within that thesis and is poised to be the market leader at the intersection of cybersecurity and compliance. They were first to help companies automate compliance for the industry's most sought-after security and privacy standards.

While this may sound a bit obscure, it is a prerequisite to sell software to any company. In other words, it is a big business.









## Critical, high-growth opportunity

Automating corporate compliance processes is essential, if not inevitable, in the era of data. We believe Vanta is the clear leader in the space and has continued to innovate, by, for example, launching <u>Trust Reports</u>, which moves assurance from point-in-time annual certificates to continuous, real-time reporting.













In order to sell software to any major enterprise, companies require assurance that the software product won't compromise their own information security.

To address the issue of trust in cybersecurity, the software industry has adopted a set of compliance <u>frameworks</u> focused on the safe handling of customer data. The industry has standardized these requirements, insisting on third-party accreditation and audits.







Every major software product sold in the world is certified and recertified annually, which means the companies requiring certification comprise **a large addressable market with obvious recurring revenue.** 

Standardized certificates, like SOC 2, allow buyers of software to more easily evaluate a wider range of compliant vendors without having to dedicate significant resources to assess the cybersecurity risk themselves.



However, achieving compliance has historically been a labor-intensive process. Companies typically have to spend valuable engineering and IT time on a manual, months-long process to demonstrate their security practices to an auditor.





Vanta improves this process by integrating with a company's existing technology stack to seamlessly demonstrate that the security practices are in place, replacing the manual, annual inspections with continuous, automated review and reporting.







Companies typically engage Vanta when they want to land an enterprise customer that requires certification. A certification is only good for 12 months, but Vanta provides ongoing monitoring to make the process even faster and easier the next year.

Achieving compliance through Vanta is **faster**, **easier**, **and cheaper** than the DIY or consultant-heavy approaches companies relied on before.







#### More growth to unlock

Vanta has built a substantial business, but still has enormous growth ahead:

- Expand internationally as many of Vanta's customers operate in multiple countries, which often have their own sets of standards.
- Increase their list of integrations with key major software vendors that enable even greater efficiency and automation.
- Add even more security and privacy frameworks to address the same fundamental problems that complicate compliance accreditation in other subsectors.
- Launch new product initiatives aimed more squarely at the underlying problem of facilitating trust between buyers and sellers of software. Vanta's new product, Trust Reports, allows their customers to demonstrate their strong security practices in real time.




Fundrise is thrilled to partner with Vanta as they continue to build a **long-term**, **category-defining business**. We're excited our investors will participate in their growth as a long-term investor in the company.



P.S. If you are looking for assistance with a SOC 2 or other certification, you can learn more about Vanta's offerings <u>here</u>. The more our investors drive value, the more quality deal flow we gain.

