At the beginning of April, news of a 533 million user Facebook leak became public. This giant exposure of users’ personal information is just the latest in a series of giant data breaches — it’s another loud reminder that privacy is a right and a priority for more and more online consumers, but an increasingly difficult challenge for even very well-resourced companies.
In 2019, Anshu Sharma co-founded Skyflow with a simple question in mind: “What if privacy had an API?” Over the last two years, his startup has grown exponentially, raising $25 million to create a service that allows customers to store personally identifiable information (PII), payments (PCI), or healthcare (PHI) data in a zero trust cloud-based data vault delivered as an API. Put more simply, Skyflow is the “Stripe for Sensitive Data” or “Plaid for PII” — your developers build with the Skyflow API and automatically get data security, encryption, tokenization, governance and auditing, data loss prevention, and PCI compliance.
When building our personal finance superapp, it was a no-brainer for Unifimoney to sign on with Skyflow. That’s because when it comes to money, security and privacy are especially essential. We spoke with Anshu about Skyflow, how polymorphic encryption can change the way our identity moves across the internet, and what it all will mean for Fintech going forward.
The idea came from just talking to lots of customers during my time at Salesforce, who all said, "This is great that we can keep our HR data in the cloud with Workday, we can keep CRM data in the cloud with Salesforce, but we don't really have a place to store a lot of our sensitive customer data that's been purpose built for the kind of use cases companies are increasingly seeing now." If you think about a company like Starbucks, 10 years ago, they were just selling coffee. Then they built an app for points, which was basically like frequent flyer miles — you buy five coffees, you get one free. Then it became a place for you to preorder and then it became a way for you to hold your money. So, all of a sudden, Starbucks is a bank with billions and billions of dollars in float. Without realizing it. Starbucks has gone from a company that mostly worries about the supply chain of coffee to being a company that worries about data breaches.
So whether you're Starbucks or Uber or One Medical or Zillow, you go from this journey of having almost no direct interaction with customers to having a desire for direct customer interaction. In order to do that, you collect personal information, which over time becomes a challenge. And I always thought, you know, there's Okta and Stripe and Twilio. But why isn't there an equivalent service for your sensitive data?
If it’s 2000 and you're building an online store like Amazon, you have to build everything, right? You have to build your checkout, you have to build a marketplace, you have to build search, you have to build CRM, you have to figure out how to send text messages to customers. But over time, people have pre-packaged and pre-built all of those functions and many more as cloud services. So if you wanted to open a store to sell coffee directly to consumers today, you could pretty much do what Starbucks does in a week or two.
But when it comes to Fintech, we're basically still in that 2000 era. Every Fintech company I talk to started with a clever idea: a credit card for the millennials who have too many subscription services or a Robinhood competitor or a service to make it easier to save for your mortgage. Then they build mockups, sign up users, and then oftentimes, they actually release the thing. It's not until they hit thousands or sometimes millions of users that they start wondering if they're a target for a hack.
What are the things they should have done? If you're building a Fintech, you basically have to do all the things that Google Pay, Apple Pay, Stripe and Square do. The problem is: you don't have the thousands of engineers to do it. Because of that fact, I think what's going to happen is there are going to be some common services that every Fintech company needs. You have customer data, you need to onboard them, you need to secure their data, you need to connect to KYC, AML, and you need to connect to certain kinds of background check processes. And, of course, you need to move money.
At this early moment, we've basically only figured out two or three of those essential services. One of them is obviously Plaid. The other is Two Factor Authentication. Two years ago, you would have needed to build those two from scratch. Everything else is still being created. I believe there's a logical set of functions and functionality that's moving into a platform. For us, customer identity data storage is the one we've solved for.
So, the idea is fairly simple. If you work at the CIA, and you're working on a project, you don't go around saying, "My name is Anshu and I am working on a project to change how oil is sold in the Middle East and to do that I'm gonna go and change this leader and and make these changes." Instead, the way every intelligence organization works is that information is only shared on a need-to-know basis. Information sharing is always minimized. So if you're going to be transporting a passport from Italy to France, because someone needs to get out of the country with a fake passport, nobody's going to tell you who that passport is for. If you can limit the information known by any party, then it lowers the risk of a breach because there's less of an incentive to try to extract it.
Big companies like Google, Apple and others have figured this out for data privacy. There's no need for every employee at Netflix to know what you're watching. Even within a billing system, it's only the credit card company that needs to see your card number. So, if you tokenize the credit card number and you encrypt the phone number, and make sure that only the right people in the company have access to them, then the chances of a breach and the chances of an internal user taking advantage of a situation goes substantially down. This whole idea is essentially known as the zero trust principle.
When someone shows up, you ask, "Show me who you are. Verify yourself, show me what you have access to, and look up the rules. And then I'll give you only the limited information you need access to." In a similar way, Skyflow basically encapsulates the zero trust data architecture. A call center employee might not need to see a customer's account number or even their phone number. They can call the customer with the help of Skyflow without gaining access to that sensitive information. Essentially, Skyflow turns regular databases into need-to-know-basis databases. And it does that by using polymorphic encryption.
If you go talk to the boards of Target, Equifax, or Facebook, I think they’d say that a big-break moment has already occurred. The original fine that Facebook faced was supposed to be in the range of $40 billion, and they negotiated it down to a few billion dollars. So, I think it's clear the regulatory environment is changing.
The control is moving back into the hands of the users. Europe has been further ahead on this than North America, but it seems there is a growing consensus that there should be a federal level law in the US that establishes a common framework for data privacy. The big moment here is happening because companies are finally realizing that you can actually build for all the U.S. and for a global audience, if you build it right from day one. Nobody starts off with a data center of Sun Microsystems servers anymore; you build for scale by building on a public cloud like AWS. Similarly, you should be building for security and privacy from day one and that means using a zero-trust approach. Skyflow supports that out of the box and it means that you don't have to go back and reengineer down the road.
We are seeing a lot of companies that grew in the last five to seven years, and now they're on the cusp of going public or on their last round before going public, and have had to hire new CTOs to completely renovate their data architecture because they didn't think it through. Every company goes through this learning, and they're learning the same thing again and again: there's value and security in tokenization and anonymization. The good news is with modern technology, like polymorphic encryption, we can actually do that in every online interaction. Even when I'm getting a background check done, they can see my full name, but only for this purpose for these many hours. And then that authorization is revoked. Doing this idea of zero trust with data governance is really the Holy Grail. That's what we've tried to build here with Skyflow.
So, the first thing you want to look at is the team behind the product. When you're dealing with early-stage startups, you should look up who's building this thing. In Unifimoney's case, you have a lot of banking experience on the team and the team is assembled of people from the UK and the USA, where data privacy is taken seriously. When it comes to finance, you don't want to use a startup that's trying to figure things out on the fly. That's fine if I'm looking to publish dance videos, but when I'm entrusting my personal or financial information to an app, you really need to care about the team and the technology. The best way to understand that is essentially by reading up on their thought processes, looking up their LinkedIns, and then trying to see the underlying technologies they're using to get a sense of what their best practices are. There's truly a way for companies to differentiate themselves here.
For the longest time, people said that security and privacy never sells and that customers don't really care. But if you go around and ask why people prefer iPhones over cheaper options, more often than not, the answer turns out to be safety and security. I want to entrust my data with a company like Apple, because I know that they are obsessed with data security and privacy. I don't want my data ending up in the hands of companies that are going to trade it for pennies — sometimes for less than a penny. Because that means I am the product and I'm not the customer in those cases. Put simply, our goal at Skyflow is to help every company be more like Apple.
The above does NOT constitute an offer, solicitation of an offer, nor advice to buy or sell specific securities. The opinions listed above are not the opinions of Unifimoney Inc. or Unifimoney RIA, Inc. but represent the opinions of independent contributors. These contributors may or may not hold positions in the stocks discussed. Investors should always independently research any stocks listed and form their own opinions, while recognizing that any investments made may lose value, are not bank guaranteed and are not FDIC insured.
