A Company That Sells You the Absence of a Problem
Here is a fact about privacy regulation that nobody puts on a billboard: the hard part is not the law. The law, if you read it slowly with a lawyer and a large coffee, is mostly comprehensible. The hard part is that a modern company's data about you is scattered across dozens - sometimes thousands - of different software tools, each with its own login, its own export format, and its own opinion about what "your data" even means. When you email a company and say "delete everything you have on me," you are asking a stranger to go on a scavenger hunt through a building they've never fully mapped. DataGrail, founded in 2018 and headquartered in San Francisco, sells the map.
More precisely, it sells software that automates the scavenger hunt. The company's pitch - and it is a genuinely useful pitch - is that compliance with GDPR, the California Consumer Privacy Act, and the alphabet soup of regulations that keep arriving should not require hiring one new human per regulation. It should require a platform. DataGrail's platform connects to more than 2,500 applications, which is a genuinely large number, and it uses those connections to do four unglamorous things well: map where personal data lives, fulfill data subject requests, manage consent, and run privacy and AI risk assessments.
None of this is exciting in the way a consumer app is exciting. That is, I think, the entire point. The best privacy software is the software you never think about, in the same way the best plumbing is the plumbing you never think about, right up until the moment a regulator or a journalist or a very angry customer asks a question and you have four weeks to answer it or you don't. DataGrail is betting - and so far the bet is working - that a lot of companies would prefer to answer in four minutes.
Three Founders, Three Continents, One Dull Problem
The company was started by Daniel Barber, Ignacio Zendejas, and Earl Hathaway - an Australian, a Mexican, and a Wisconsinite, respectively, which is the kind of detail that sounds like the setup to a joke and is instead just a fact about a cap table. Between them they had spent a combined few decades in and around data and third-party applications, at companies including Facebook, HP Labs, Quantcast, DocuSign, and Responsys. Zendejas and Hathaway build the data products; Barber, now CEO, takes them to market. They launched on Product Hunt in May 2018, which is a very startup way to be born, and raised a $4 million seed shortly after.
What is worth noticing here is the choice. Plenty of founders with that pedigree chase the flashy consumer problem or the obvious enterprise gold rush. This trio looked at data privacy - a field defined by regulatory tedium, cross-system complexity, and the constant threat of being blamed when something goes wrong - and decided it was worth a decade of their lives. The durable businesses are often hiding in the problems everyone else finds boring. Boring, done well, turns out to be a moat.
Funding History // Disclosed Rounds
The Money, and Who Handed It Over
DataGrail has raised more than $84 million in disclosed venture funding across five rounds. The early money came from Cloud Apps Capital Partners. Then things got strategically interesting: in 2019 the company took investment from American Express Ventures and from Okta, which is the sort of investor list that tells you the product touches identity and enterprise trust in ways that matter to serious infrastructure companies. The 2021 $30 million Series B was led by Felicis Ventures with Next47, DocuSign, and HubSpot along for the ride. The $45 million Series C in 2022 was led by Third Point Ventures and Thomson Reuters.
That last name is the tell. When Thomson Reuters - a company whose entire existence is bound up in legal, regulatory, and compliance information - writes a large check into a privacy platform, it is making a statement about where the workflow between "the law" and "the software that complies with the law" is heading. DataGrail wants to be the bridge, and it recruited a bridge-builder as a backer.
Enter Vera, the AI Agent Built to Do Less
The most recent chapter is an AI agent named Vera, which became generally available in 2025 and which DataGrail describes as a "complete privacy AI agent" living inside its workflows. Vera does the things you'd hope: it detects and investigates new cookies, suggests rules, and - crucially - only applies them when a human gives the word. Its AutoFill feature drafts evidence-based answers to privacy assessments using system metadata and previously completed work, turning a process that used to take months of email into one that takes minutes.
What makes Vera interesting is less what it does than what it refuses to do. It never trains on customer data. It only takes approved actions. It runs in a single-tenant environment, hosted separately from the main database, with no internet access, reaching data only through a multi-stage, permission-bound process. In a market full of AI demos that promise to do everything autonomously, DataGrail shipped an agent whose selling point is its constraints. For AI inside a regulated workflow, that is exactly right: the humans still sign off, the automation just removes the typing.
Shadow AI Is the New Shadow IT
DataGrail also does the thing that good infrastructure companies do: it publishes research that makes its own product look necessary, which is not a criticism because the research also happens to be true. Its Privacy and AI Trends Report for 2026 spotlighted "Shadow AI" - employees quietly pasting company data into unapproved chatbots - as an emerging threat. This is shadow IT wearing a new costume, and it is precisely the sort of invisible risk that a data-mapping company is well positioned to both diagnose and sell you the cure for.
The through-line across all of it is a bet on order over chaos. Privacy regulation is not going to get simpler. AI is going to make the data landscape messier, not tidier. DataGrail's wager is that companies will increasingly refuse to manage this by hand, and will instead want a control center - a live map, an automated request queue, a consent ledger, and an AI agent that drafts the paperwork and waits to be told yes. Whether it becomes the category's defining company or a well-run challenger to the incumbent giant, the underlying thesis is sound: the least glamorous software often ends up being the most load-bearing.
The competition is real - OneTrust looms large, and TrustArc, Osano, Securiti, and Transcend are all in the arena. DataGrail's answer has been to be the tool people actually like using, integrate with nearly everything, and only then layer AI on top of a foundation that already works. It is a sensible order of operations. AI on top of a broken workflow just breaks faster.