AWS Startups Blog

How Osano Leverages Amazon QLDB for Its Data Privacy Compliance Platform

In the early days of the Internet, regulation was scant and early adopters were able to generally dictate how they operated. But as more of our personal information is digitized and stored electronically, regulatory bodies have started to step in to pass laws in an effort to protect consumers.

Perhaps the most well-known is the General Data Protection Regulation that was implemented by the European Union (EU) in 2018. The focus of the legislation was to better regulate the gathering and transfer of personal data for people residing in the European Union. The law pertains to any company that manages the data of an EU resident, so the implications have been felt by companies around the world.

Complying with these new laws has proved difficult though. From getting the proper permissions from users to maintaining a system of record for compliance records, it’s a complicated process that typically requires a good amount of investment in building back-end systems. Thankfully, now, there’s Osano.

Founded in 2018, Osano offers “compliance in a box” to companies, making it easy to ensure customers properly align with the data laws of countries they operate in. No longer do CTOs and CIOs need to invest money and engineering cycles into building their own solution, which can be a tedious and expensive process. Instead, they can leverage Osano’s turnkey solution and get back to working on serving their customers.

Arlo Gilbert, Co-founder & CEO

Co-founders Arlo Gilbert (CEO) and Scott Hertel (CTO) attribute the starting of this company to past experience, and a little bit of luck. The two friends previously founded Meta SaaS, a software asset management platform that was acquired by Flexera in May 2018. In building that startup, they found the vast majority of their customers were extremely concerned with GDPR compliance. After spending time at their acquiring company, the two were hungry to dig back into the startup life and solve another problem. Surveying the data compliance landscape, they still saw no real turnkey solution, so they decided to build it.

Although the company hasn’t been around for that long, they’ve already hit quite a few milestones. Osano secured a seed round in Dec of 2018, which led to a period of heads-down building of the back-end tools needed to tackle the problem ahead. After standing that up and creating a frontend, they were ready for primetime. The team entered the TechCrunch Disrupt Battlefield in 2019, coming in second and locking in some initial customers along the way.

Since then, Osano has made great strides towards being the de facto leader in the growing space. Customers of all sizes use the company’s plug-and-play software, from super small startups to the largest enterprises on the stock exchange. That said, they’ve found a sweet spot with the mid-market—companies counting between 500-5000 employees.

With the touted benefit of taking all the work off those customers’ plates, it’s perhaps unsurprising that Osano has signed up for a massive technical challenge. To help solve for this, they’ve fully partnered with AWS to ease as much of the load, Hertel points out.

Scott Hertel, Co-founder & CTO

“At Osano, a compelling benefit we offer companies is the peace of mind that they’re doing everything needed to be data compliant. We view that as not only a technological promise but also a legal one, where we will support them with the evidence needed, relating to compliance tracking, in the scenario they get audited or challenged by a regulatory body.”

This need, and some lucky timing, led them straight to Amazon Quantum Ledger Database (QLDB). Right as the startup was looking at options, the new service reached general availability offering just what they were looking for, as Hertel puts it.

“We knew we wanted to go with a blockchain solution, but our scale and needs around request fulfillment time meant we couldn’t use any of the existing products out there. For example, we are working with a lot of personal information and needed fast retrieval times, which meant we couldn’t use the public blockchain and wait 10 minutes per request. With AWS, we were able to architect a great solution that integrates with Amazon Aurora for storing records and then leverages QLDB for storing hashed versions of the records.”

From an architecture perspective, that portion of their product is structured as follows, per Hertel.

“It all starts with the storage of a consent record that comes as an XHR request from the browser or mobile app when a customer embeds Osano’s script in their website and the cookie popup shows up. When that record hits our API Gateway, no code is run or verification, but we instead drop the request into an Amazon SQS queue. At the same time, an AWS Fargate cluster is watching and pruning the queue, auto scaling to keep it from overflowing. That Fargate cluster pulls the record off of the queue, validates it through a complex logical path, and writes the record to QLDB. The QLDB record ID is then stored, along with the consent record itself, in Aurora. We do this because we found QLDB is best utilized when querying for record IDs versus searching against other indexes with extremely large datasets.”

Diagram depicting consent storage architecture for osano

“If a customer needs to access a history of their records at a later date as part of a request per GDPR, a lawsuit, or a regulatory inquiry, Osano’s API gateway executes a Lambda function which then queries Aurora for the record. If a record is found, then we query QLDB for that record, its full history of changes, and then run verifications against each version to provide proof that it is authentic and has not been tampered with. That verification and the history is then returned to the requestor.”

Diagram depicting audit response architecture for osano

Looking ahead, Osano is driving towards being well qualified for a Series B in January of 2021 (the startup secured a $5 million Series A round in late 2019). That doesn’t mean losing track of their mission, however, says Gilbert.

“Osano started off with a goal of making the internet more of an open and free space, as opposed to the walled garden it seems like it’s turning into. As a proud B Corp, we genuinely believe that the work we’re doing around transparency will help in that battle.”

Mikey Tom

Mikey Tom

Mikey works on the AWS Startup Marketing team to help highlight awesome founders leveraging the AWS ecosystem in interesting ways. Prior to his time at AWS, Mikey led the venture capital news coverage at PitchBook, researching and writing about industry trends and events.