Formal is a security startup that came out of stealth on Tuesday with an impressive list of investors and an interesting product positioning. The company builds reverse proxies for data stores and APIs so that security teams can control access to sensitive data more easily.
More practically, Formal is a proxy that you deploy in a Virtual Private Cloud (VPC). It logs every request made to a data store (for example, a database containing customer information) and enforces access policies on those requests.
Formal is the brainchild of founder Mokhtar Bacha. He is 24 years old and started his technical career at ConsenSys while still a teenager before becoming a solopreneur.
“When I was 17, I was lucky enough to connect with a guy named Joseph Lubin, one of the co-founders of Ethereum, and get hired as a software engineer [at ConsenSys]. That's the company behind things like MetaMask and other wallets,” Bacha told TechCrunch.
“Technically it was very interesting, but I didn't feel like I was working on anything very useful,” he adds. That is what led him to apply to Y Combinator as a solo founder when he was just 19 years old, with Maytana, a fund management platform for multinational startups.
He then pivoted away from that first startup idea to Formal, a security product that Chief Information Security Officers (CISOs) and CTOs would find useful.
In late 2023, Formal raised a $5.8 million seed round led by Thrive Capital with participation from Y Combinator. Abstract Ventures, Kima Ventures, and a number of business angels also participated in the round, including Alexis Lê-Quôc, Charles Gorintin, Mathilde Collin, Aaron Katz, Jean-Denis Greze, and Matt MacInnis.
Access and control
Data access management is nothing new, but what's special about Formal is that you can add or remove data stores and applications without manually configuring each new component in the stack with a new security policy.
“With the growth of modern data stacks and the move to the cloud and AI, we basically had too many different types of tools, different types of applications and users consuming data,” Bacha said.
Formal serves as an abstraction layer that gives visibility into, and control over, data flows. After you deploy the Formal Connector in your infrastructure and point all applications at the proxy, each query is checked against Formal's policy engine, and the returned data is dynamically masked or filtered accordingly.
“If I'm a software engineer based in the US, I shouldn't be able to see European customers' data. So the proxy automatically masks and redacts European customers' data,” Bacha explained.
For example, in the case of a Postgres database, employees no longer “talk” directly to the Postgres database when they query it; instead, they interact with Formal's Postgres proxy. This extra hop makes it easier to enforce access policies and can help customers comply with laws such as the EU's General Data Protection Regulation.
“For example, for an engineering team that is accessing data from a laptop, we have an agent that our customers can deploy that automatically redirects their traffic to a proxy without the engineering team actually noticing,” Bacha added.
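The proxy-in-the-path model described above, where every query passes through a policy engine that masks or filters rows before results reach the caller, can be sketched in a few dozen lines. The following is an added illustration written for this article; it is not Formal's code and says nothing about how Formal's connector is implemented. It uses Python's built-in SQLite as a stand-in for the Postgres data store, constructed customer rows, and two hypothetical policies (a cross-region PII mask and a row filter for erased records). It generalizes the US/EU case in the quote to any pair of regions, and it records an audit entry for every request, including denied ones.

```python
"""Toy policy-enforcing SQL proxy (constructed example, not Formal's code)."""
import re
import sqlite3
from dataclasses import dataclass
from typing import Callable

REDACTED = "[REDACTED]"


@dataclass(frozen=True)
class Principal:
    """Who is asking: an identity plus the attribute the policies key on."""
    user: str
    region: str  # where the requester works, e.g. "US" or "EU" (constructed)


@dataclass(frozen=True)
class Policy:
    """Row-level rule: when `applies` is true, redact columns or drop the row."""
    name: str
    applies: Callable[[Principal, dict], bool]
    mask_columns: tuple = ()
    drop_row: bool = False


class PolicyProxy:
    """Sits between the caller and the data store, like a reverse proxy for SQL."""

    def __init__(self, conn: sqlite3.Connection, policies: list):
        self.conn = conn
        self.policies = policies
        self.audit = []  # one entry per request, whatever the decision

    def query(self, principal: Principal, sql: str, params=()):
        # This toy proxy only passes read-only statements through; anything else
        # is denied and logged so the attempt stays visible to the security team.
        if not re.match(r"^\s*select\b", sql, re.IGNORECASE):
            self.audit.append({"user": principal.user, "sql": sql, "decision": "deny"})
            raise PermissionError("only SELECT statements are proxied in this example")

        cur = self.conn.execute(sql, params)
        columns = [d[0] for d in cur.description]
        rows = [dict(zip(columns, r)) for r in cur.fetchall()]

        returned, dropped, masked = [], 0, 0
        for row in rows:
            keep = True
            for policy in self.policies:
                if not policy.applies(principal, row):
                    continue
                if policy.drop_row:  # filtering: the row never leaves the proxy
                    keep, dropped = False, dropped + 1
                    break
                for col in policy.mask_columns:  # dynamic masking of selected cells
                    if col in row and row[col] is not None:
                        row[col] = REDACTED
                        masked += 1
            if keep:
                returned.append(row)

        self.audit.append({
            "user": principal.user, "region": principal.region, "sql": sql,
            "decision": "allow", "rows_returned": len(returned),
            "rows_dropped": dropped, "cells_masked": masked,
        })
        return returned


def default_policies() -> list:
    """Two hypothetical policies; a real deployment would load these from config."""
    return [
        # Customers who exercised their right to erasure are filtered for everyone.
        Policy("drop-erased", applies=lambda p, r: r.get("erased") == 1, drop_row=True),
        # PII of customers outside the requester's region is redacted, not just EU vs US.
        Policy("mask-cross-region",
               applies=lambda p, r: r.get("region") != p.region,
               mask_columns=("name", "email")),
    ]


def build_demo_db() -> sqlite3.Connection:
    """In-memory SQLite stands in for the Postgres data store (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT, "
                 "region TEXT, erased INTEGER)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", [
        (1, "Alice Example", "alice@example.com", "US", 0),
        (2, "Bruno Beispiel", "bruno@example.eu", "EU", 0),
        (3, "Chloe Exemple", "chloe@example.eu", "EU", 1),
    ])
    return conn


if __name__ == "__main__":
    proxy = PolicyProxy(build_demo_db(), default_policies())
    for r in proxy.query(Principal("eng-us", "US"), "SELECT * FROM customers ORDER BY id"):
        print(r)
    print(proxy.audit[-1])
```

Two caveats a practitioner would want to check in anything built on this idea: the row predicates read attributes (`region`, `erased`) from the result set, so a query that omits those columns would bypass both policies unless the proxy rewrites the statement to fetch them; and masking applied after the data store has already executed the query protects the caller's view of the result, not what the database computes internally (aggregates, `WHERE` clauses on masked values), which is why the audit log matters as much as the masking.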
Formal's customers include Gusto, Notion, Ramp, and more. Formal is still a relatively new startup, but these companies handle sensitive data such as personnel records and financial statements, so having such early adopters is an encouraging sign for Formal's security model.