Increasingly, absent a federal framework, U.S. states are passing privacy and security laws aimed at protecting people’s data. The California Consumer Privacy Act is perhaps the best known, followed by the Illinois Biometric Information Privacy Act, the New York Privacy Act and the Virginia Consumer Data Protection Act. While the laws are a step in the right direction from a consumer standpoint, for startups, it can be tricky to navigate the patchwork of policies they’ve codified. Incompatible clauses and high compliance costs make doing business across the country a tougher proposition than it once was.

Inspired to develop a solution, Aatish Mandelecha launched Strac, which helps companies in regulated industries — specifically financial and health care — safeguard against data issues by stripping out customer records. A software platform, Strac automatically detects and redacts sensitive information, including Social Security numbers and driver licenses, from a company’s documents, as well as email, chat messages and web apps.

Prior to launching Strac in 2021, Mandelecha was a principal engineer at Amazon, where he spent 11 years building widgets, APIs and protocols for the company’s payments infrastructure. Mandelecha said that one of the driving forces behind Strac was a personal experience with identity theft. In 2020, after giving out his Social Security number to a customer support team, Mandelecha’s financial data was compromised.

“Post pandemic, businesses are now servicing their customers a lot more over chat and emails, and with remote workforces, a lot of customer personal data moves through internal customer support tools, emails, chat, and more,”  Mandelecha told TechCrunch via email. “Accepting that many of these behavioral changes are here to stay, business leaders are looking for solutions to manage the security and compliance risk that comes with these new norms. This is why we are getting growing interest on a daily basis.”

Strac, which only requires an API integration and supports platform including Office 365, Gmail, Slack, OneDrive, Google Drive and Zendesk, uses algorithms to “tokenize” a customer’s data. Offered as a software-as-a-service (SaaS), Strac “translates” personal data across documents such as passports and bank statements into unique string of characters — tokens — that can’t be used to steal that person’s identity.

Image Credits: Strac.io

Of course, no system is bulletproof. But Strac isn’t the first to market with this approach. DocuVision — acquired by OneTrust last year — uses tokenization to redact sensitive data in customer documents. So does FoxIt, Private AI and Redacted.ai. Elsewhere, some tech giants, including Google and Amazon, provide their own cloud-based solutions for sensitive data redaction.

Auto-redaction systems can fall prey to the sorts of bugs that plague other algorithm-driven software, it’s worth noting — and Strac is likely no exception. In 2009, a flaw in HSBC’s imaging software caused the bank to inadvertently make certain line-of-credit and mortgage information public. In 2013, Citigroup acknowledged that it failed to safeguard Social Security numbers, birthdates and other sensitive data for nearly 150,000 customers who filed for bankruptcy between 2007 to 2011, owing to a redaction software issue.

But Mandelecha makes the case that Strac at the very least releases companies from the burden of having to touch, store and manage some of the sensitive data on their infrastructure and across all the SaaS providers they use, which can be a time-consuming if done completely manually.

“Most people are thinking about managing the liability that comes with touching sensitive data. We are thinking of shifting that risk altogether,” Mandelecha said. “If you don’t touch or store the data, you don’t run the risk of losing it. This is what technical decision makers love about Strac — they don’t have to build anything that requires deep security expertise, scalability, reliability, and massive capital investment. And the best part is, they don’t have to reconfigure any of their business apps.”

Despite the competition, Strac claims to have “dozens” of customers, with revenue growing 22% month over month. Propelling the startup to new heights, Strac recently closed a $3.5 million seed investment led by FUSE with participation from Liquid 2 Ventures, Wayfinder Ventures, Rogue Capital and Y Combinator. (Strac was part of Y Combinator Winter 2022 batch.)

“Fintechs like neobanks, proptechs, accounting firms are eliminating personally identifiable information data risks from backend servers, email, Zendesk, and Slack by leveraging Strac,” Mandelecha said. “Strac is making it possible for startups & enterprises to securely interact with sensitive information without changing their workflows.”

Cameron Borumand, a founding partner at FUSE, added in an emailed statement when contacted for comment: “Nearly two-thirds of Americans have experienced some form of data theft. These breaches happen where sensitive information is most vulnerable: Web servers, apps, email, Slack, Zendesk and other communication channels. When we came across Strac it became clear that this team of ex-Amazon veterans had the right experience and vision to protect our most sensitive information at the highest point of vulnerability. Every business should use Strac to protect their critical communication channels and eliminate all security and compliance risks.”