Plugo, an e-commerce support platform for D2C brands in Southeast Asia, picks up $9M Series A

Singapore-headquartered startup Plugo has secured $9 million in a Series A funding round. The company offers a complete spectrum of e-commerce support services for direct-to-consumer (D2C) brands, from building a website, setting up a payment system and managing marketing to handling shipping, warehousing and logistics. In other words, Plugo lets D2C merchants focus on their products while it takes care of the other processes.

The Series A round was led by Altos Ventures, with participation from BonAngels Ventures Partners, Access Ventures, Mahanusa Capital, Prodigy Investment, and Pearl Abyss Capital. The company did not disclose its valuation when asked.

The startup plans to use the proceeds to beef up its R&D team and hire more engineers, Plugo co-founder and chief executive officer KyungMin Bang said, adding that it currently employs about 30 people.

Bang founded Plugo two months ago with five founding members. Approximately 200 D2C brands have already started using Plugo’s beta service in Indonesia. The Singapore-based startup with offices in Indonesia and South Korea intends to launch its service officially in Indonesia in the first quarter of next year.

The company wants to focus on the Indonesian market, one of the largest markets in Southeast Asia, for the next 12 months, then expand to other Southeast Asian countries, such as Malaysia, Vietnam, Thailand and the Philippines, Bang told TechCrunch. It has partnered with an array of logistics companies, including Indonesia-based JNE Express, SiCepat and J&T, as well as the payment provider Nicepay Indonesia, Bang noted.

Bang, a serial entrepreneur, was inspired to offer an end-to-end management system that lets D2C brands and merchants in Indonesia set up online stores after realizing that Indonesia’s D2C market, which accounts for less than 1% of the country’s total e-commerce, is nascent but growing fast.

Indonesia’s D2C market has vast potential to grow, Bang pointed out, given the country’s fourth-largest population, its rising young population in the coming years and the rapid penetration of smartphone users.

“Local businesses [in Indonesia] have accelerated their adoption of digital technology due to innovation in the e-commerce ecosystem and dynamic changes in consumer behavior,” Bang said. In Indonesia, D2C platforms have become a new trend in the e-commerce industry, shifting away from the business-to-consumer (B2C) platforms that have predominated in the e-commerce market over the last decade, Bang explained.

The startup looks to challenge e-commerce players like Shopify in Southeast Asia. “I believe we have enormous potential because there is still much room for growth and huge gaps [in the D2C business] that big e-commerce behemoths like Shopify couldn’t address yet [in Southeast Asia]. For example, we can offer customized services, particularly for small merchants like MSMEs in the region, and empower them to sell online,” Bang said.

“We believe the timing is perfect for the birth of Plugo as the e-commerce landscape is experiencing turbulence that will nurture positive disruption, benefiting both aspirational sellers and consumers,” Charles Rim, founding and general partner at Access Ventures, said in a statement.

Bang previously exited two startups: CodeBrick, operator of the Indonesian e-commerce enabler TokoTalk, which Singapore’s e-commerce group Sea bought in 2021, per Pitchbook, and the Korean PC online game startup J2MSoft (J2M), which Electronic Arts acquired in 2008. (According to a report by Tech in Asia, Sea has shut down the TokoTalk service since October in an effort to reduce costs amid broader economic uncertainty.)

“Plugo’s mission aligns with our own mission of creating significant economic value while contributing positively to society,” Moon-Suk Oh, partner at Altos Ventures, said in a statement. “Plugo offers an unmatched suite of digital capabilities that will transform the future of e-commerce in Indonesia.”

Plugo, an e-commerce support platform for D2C brands in Southeast Asia, picks up $9M Series A by Kate Park originally published on TechCrunch

Mews books $185M for its SaaS-based hotel management platform

The Covid-19 pandemic brought travel and tourism to a halt, but as those sectors pick up speed again, so too are the more promising startups in them raising money to keep up. Today, a startup called Mews — which provides a cloud-based hotel property management platform with tools covering reservations, payments and more — announced that it has raised $185 million in a Series C round of funding, giving the company a post-money valuation of $865 million.

Co-led by Kinnevik and the Growth Equity business within Goldman Sachs Asset Management, the round also included new backers Revaia, Derive Ventures and Orbit Capital; as well as previous investors Battery Ventures, Notion Capital, Salesforce Ventures, Thayer Ventures, and henQ. The raise is mostly equity with a small amount of debt, founder and president Richard Valtr said in an interview. Columbia Lake Partners is providing the debt.

Mews are streets (in London, for example) lined with usually small houses or flats converted from the horse stables of bigger houses nearby. Ironically, though, Mews the startup is not that small at all. In the year that travel “came back” after the peak of Covid and the various restrictions imposed on people moving around, Mews saw revenues grow 174%, with gross payment volume in the period up 227% and now standing at $2.3 billion. It has customers in 70 countries, 3,253 hotels in all.

Its customers range from big chains spanning five-star properties through to the most basic accommodation, including Accor and the Youth Hostel Association, to a number of smaller groups and independent hoteliers. All of them turn to Mews both for specific tools to manage reservations, payments, guest services, analytics and shifts for hotel workers, and for a marketplace of 600 apps that lets users build one-stop dashboards integrating any number of other apps a hotel might be using in its operations (for example accounting, sales or CRM software), a little like a Toast or a Shopify for the hospitality industry, Valtr said.

That is also, these days, leading the company to work with other kinds of property management groups looking to provide residents or visitors with hotel-like services — the Airbnb effect on how we live, or might want to live, these days.

“We think of ourselves as the platform on which businesses in our vertical are run,” he said. “We take a broad brush approach with our ambitions. Mews nominally looks after hotels and hospitality, but that could be hostels or Airbnbs or services for people in mixed-use real estate. Longer term, we feel that what is considered commercial or residential is melding. This is the direction all real estate is going. What is happening post-pandemic is that more are realizing they want to live more of their travel life more of the time.”

The last time Mews raised money was 2019, a $33 million round that it raised in part to re-orient itself to working on product and building out its tech to differentiate itself from the other property management software players on the market. It turned out to be a fortuitous shift, Valtr said: as the pandemic hit, the company was head-down on its own internal transformation, emerging just as hotels were also looking to invest in better and newer systems during their own down time. That may well be a sugar-coated spin on a period that was virtually dead for the travel and tourism industry, but ultimately the growth Mews has had more recently speaks to its momentum right now.

This latest funding will be used for, essentially, more of the same: more tech investing and to expand globally, with some optional M&A too.

“Richard, [CEO] Matthijs Walle, and the broader Mews team have an intimate understanding of hoteliers’ needs and have taken a product-first approach to develop a modern solution in a sector ripe for disruption,” said Akhil Chainwala, investment director at Kinnevik, in a statement. “As cloud adoption in hospitality accelerates, driven by more complex guest needs and rising costs, Mews is best positioned to rebuild the sector’s digital plumbing. We are excited to welcome a fourth travel investment to our portfolio and look forward to supporting Mews in the next phase of its journey.”

What’s been surprising is not so much that Mews is seeing a surge in business, but that investors are backing it readily right now, given how tricky it’s been for other sectors, and given the current investment climate and the contraction specifically in the hospitality industry.

“Closing a large round in this environment speaks to the tremendous growth and future potential of Mews,” said Kirk Lepke, MD in the Growth Equity business within Goldman Sachs Asset Management, in a statement. “Hoteliers have experienced a lot of challenges over recent years, driving increased demand for cloud-native platforms, like Mews, to help them modernize, improve the guest experience, and create efficiencies through smart automation. With their open architecture and fully integrated payment capabilities, Mews is heavily relied upon as a mission critical solution.”

Mews books $185M for its SaaS-based hotel management platform by Ingrid Lunden originally published on TechCrunch

OECD adopts declaration on trusted government access to private sector data

A notable development for the fraught issue of cross-border data flows from the Organisation for Economic Co-operation and Development (OECD) Wednesday: After two years of closed-door discussions, the intergovernmental organization has adopted a declaration on government access to data held by private sector entities.

The declaration, which has been adopted by the 38 OECD countries and the European Union, talks about “legitimate government access on the basis of common values” — and identifies seven shared principles (summarized below) which member countries have agreed reflect “commonalities” drawn from their existing laws and practices. The stated aim is to increase clarity about how government agencies can access data.

Member countries adopting the declaration include the U.S., the U.K., European Union Member States including France and Germany, and other international democracies including Australia, Canada, Israel, Japan, Korea, Mexico and New Zealand.

The move comes almost a decade after NSA whistleblower Edward Snowden brought a different kind of clarity to the world on that topic when he leaked scores of intelligence documents to journalists detailing how spooks in the U.S. and other Western democracies were quietly tapping into commercial Internet platforms and helping themselves to user data without a thought for people’s privacy.

Western governments have moved on from the Snowden scandal by — in many cases — updating their legal frameworks to embed mass surveillance (often with a claimed wrapper of democratic accountability and safeguarding). However, differences in the level of legal protection afforded to privacy between countries, and discrepancies in how citizens and foreigners may be treated under surveillance regimes, continue to cause trouble for cross-border data flows — which the OECD is concerned threatens the smooth scaling of the global digital economy.

The declaration builds on an earlier (1980!) OECD recommendation, on privacy and transborder flows of personal data, by addressing “policy gaps” affecting the cross-border flow of personal data — and specifically tackling what it describes as “the lack of a common articulation at the international level of the safeguards that countries put in place to protect privacy and other human rights and freedoms when they access personal data held by private entities in the course of fulfilling their sovereign responsibilities related to national security and law enforcement”.

Or, put another way, the OECD wants a set of agreed principles for how governments say they will acquire and use private sector user data to be out there, in writing, building trust that surveillance practices have reformed, are regulated, and are becoming increasingly aligned between economically allied nations, to encourage a lowering of barriers to cross border data flows for members of the club.

Here are the seven principles in the declaration — with lightly condensed summaries:

1) Legal basis: The declaration says data access by government is provided for and regulated by the country’s legal framework that is binding on government authorities and adopted and implemented by democratically established institutions operating under the rule of law — and which sets out “purposes, conditions, limitations and safeguards concerning government access, so that individuals have sufficient guarantees against the risk of misuse and abuse”.

2) Legitimate aims: Government access “supports the pursuit of specified and legitimate aims”, so is not excessive vis-a-vis those aims and is in accordance with legal standards of necessity, proportionality, reasonableness, etc. — and in conformity with the rule of law. So access cannot be used for purposes such as suppressing criticism or dissent, or disadvantaging persons or groups solely on the basis of protected characteristics, etc.

3) Approvals: It says prior approval requirements are embedded in the legal framework to ensure access is “conducted in accordance with applicable standards, rules and processes”. The declaration also notes these are “commensurate with the degree of interference with privacy and other human rights and freedoms that will occur as a result of government access” — and stipulates that “stricter approval requirements are in place for cases of more serious interference, and may include seeking approval from judicial or impartial non-judicial authorities”. Emergency exceptions to approval requirements are also provided for in the legal framework, and are “clearly defined, including justifications, conditions, and duration”. Decisions on approvals are “appropriately documented” and “made objectively, on a factual basis in pursuit of a specified and legitimate aim and upon satisfaction that the approval requirements are met”. Where approvals are not required, the declaration states that other safeguards in the legal framework apply to protect against misuse and abuse, including “clear rules that impose conditions or limitations on the access, as well as effective oversight”.

4) Data handling: Personal data acquired through government access can be processed and handled only by authorised personnel — and this activity is subject to requirements provided for in the legal framework, including putting in place physical, technical and administrative measures to maintain privacy, security, confidentiality, and integrity. Mechanisms to ensure that personal data are processed lawfully; retained only for as long as authorised in the legal framework in view of the purpose and taking into account the sensitivity of the data; and are kept accurate and up to date (“to the extent appropriate having regard to the context”) are also included, along with internal controls to detect, prevent and remedy data loss or unauthorised or accidental data access, destruction, use, modification, or disclosure, and to report such instances to oversight bodies.

5) Transparency: The general legal framework for government access is declared as “clear and easily accessible to the public so that individuals are able to consider the potential impact of government access on their privacy and other human rights and freedoms”. The document also states mechanisms exist for providing transparency about government access to personal data “that balance the interest of individuals and the public to be informed with the need to prevent the disclosure of information that would harm national security or law enforcement activities” — providing examples like public reporting by oversight bodies on government compliance with legal requirements; procedures for requesting access to government records; regular reporting by governments; and, “where applicable”, individual notification. Private sector entities may issue “aggregate statistical reports” regarding government access requests “in line with legal framework requirements”.

6) Oversight: Mechanisms exist for “effective and impartial” oversight to ensure that government access complies with the legal framework — provided through bodies including internal compliance offices; courts; parliamentary or legislative committees; and independent administrative authorities. Bodies acting according to individual mandates have powers to obtain and review relevant information; conduct investigations or inquiries; execute audits; engage with government entities on compliance and mitigation; and address non-compliance — also receiving and responding to reports of non-compliance (and potentially to individual complaints) to ensure that government entities are accountable. “In the exercise of their functions, oversight bodies are protected from interference and have the financial, human and technical resources to effectively carry out their mandate,” the declaration states. “They document their findings, produce reports, and make recommendations, which are made publicly available to the greatest extent possible.”

7) Redress: The legal framework provides individuals with “effective judicial and non-judicial redress” to “identify and remedy” violations of the national legal framework. The declaration says such redress mechanisms “take into account the need to preserve confidentiality of national security and law enforcement activities” — stipulating this may include “limitations on the ability to inform individuals whether their data were accessed or whether a violation occurred”. Available remedies (“subject to applicable conditions”) include terminating access; deleting improperly accessed or retained data; restoring the integrity of data; and the cessation of unlawful processing. Compensation for damages suffered by an individual is also included as a possibility — “depending on the circumstances”.

Thorny issues for cross-border data flows

In a press release accompanying the declaration the OECD says its hope is it will boost trust and get data moving, writing: “The principles set out how legal frameworks regulate government access; the legal standards applied when access is sought; how access is approved, and how the resulting data is handled; as well as efforts by countries to provide transparency to the public. They also tackle some of the thornier issues — such as oversight and redress — that have proved challenging to policy discussions for many years.”

“The project stemmed from growing concerns that the absence of common principles in the sensitive domains of law enforcement and national security could lead to undue restrictions on data flows,” it adds. “Another motivating factor is a desire to increase trust among rule-of-law democratic systems that, while not identical, share significant commonalities.”

“Being able to transfer data across borders is fundamental in this digital era for everything from social media use to international trade and cooperation on global health issues. Yet, without common principles and safeguards, the sharing of personal data across jurisdictions raises privacy concerns, particularly in sensitive areas like national security,” added OECD secretary-general Mathias Cormann in a supporting statement. “Today’s landmark agreement formally recognises that OECD countries uphold common standards and safeguards. It will help to enable flows of data between rule-of-law democracies, with the safeguards needed for individuals’ trust in the digital economy and mutual trust among governments regarding the personal data of their citizens.”

Cross-border data flows remain a very topical issue, with the EU — just yesterday — publishing a draft U.S. adequacy decision on transatlantic data exports. That still-yet-to-be-finalized EU-U.S. Data Privacy Framework is intended to replace two prior data transfer deals that were struck down by the bloc’s top court over concerns about U.S. government surveillance. In the meanwhile, while EU institutions set to work scrutinizing the quality of redress the U.S. has offered to EU citizens who have concerns about what is done with their data once it is over the pond, legal uncertainty — and even the risk of regional shutdown — hangs over U.S. cloud services in Europe.

One way to reduce the risk of further legal strikes — and, more broadly, to push back against a rising tide of data localization around the globe when/if countries feel moved to keep a sovereign hold on citizens’ data because of security concerns over foreign surveillance — is for likeminded nations to hew closer to a set of practices governing government access to private sector data.

Hence the declaration reads like an attempt to lower protectionist barriers that the OECD sees as standing in the way of the digital transformation of the global economy — and all the economic upside the latter implies.

But this text is just the end of a lengthy and, by some accounts, rather fraught process. An older version of the text — which was not made public but which we’ve reviewed via a source — contained some substantially different wording on the topic of cross-border data flows that suggests there was appetite among some in the discussion room for the OECD to take a more aggressive approach to beating back barriers to transborder data flows.

The proposal text we reviewed included wording stating that member countries should “refrain” from restricting cross-border data flows over national security or law enforcement access concerns if the destination country, whether an OECD member or not, “substantially observes” and “effectively implements” the principles of the declaration — and suggested member countries should instead focus their concern on data flows to countries where national security or law enforcement access does not align with the principles or is otherwise inconsistent with democratic values, the rule of law and respect for human rights.

The final OECD declaration scrubs the suggested text — in favor of a considerably less ambitious statement of recognition that “where our legal frameworks require that transborder data flows are subject to safeguards, our countries take into account a destination country’s effective implementation of the principles as a positive contribution towards facilitating transborder data flows in the application of those rules”.

So the idea of signatories agreeing to, essentially, ignore their own rule of law in the name of maximizing data flows and economic upside between OECD members has, rather unsurprisingly, been dropped from the final text. In the case of the EU, the General Data Protection Regulation requires local regulators to suspend data exports to third countries if they believe citizens’ data will not get essentially equivalent legal protection at the destination country to what it gets in the EU (a scenario which is still, currently, the case for the U.S., an OECD member and signatory to this declaration).

Such a suggestion would have been anathema to the EU — which sent high-level representatives to the Ministerial meeting of the Committee on Digital Economy Policy, in Gran Canaria, Spain, where the declaration was adopted on Wednesday afternoon. So the bloc seems pleased enough with the final outcome. (The Commission’s spokesperson service did not respond to questions about the earlier wording proposing to supplant the GDPR’s regulation of data transfers to third countries with an alternative, lower OECD standard.)

Some implicit inter-OECD member drama aside, it’s worth noting that an OECD declaration is not legally binding in any case. So while this high level statement by members contains commitments they “uphold democracy and the rule of law and protect privacy and other human rights and freedoms” (vis-a-vis government access to data), it’s not clear how much practical impact the declaration could have on surveillance practice and, well, surveillance overreach.

Nor is it clear whether any reconfiguring of Western democracies’ troublesome appetite for mass surveillance (to something, er, less legally risky for cross-border data flows) is even intended by a declaration that talks about wanting to boost trust in data flows while simultaneously claiming: “[O]ur countries’ approach to government access is in accordance with democratic values; safeguards for privacy and other human rights and freedoms; and the rule of law including an independent judiciary” — despite several OECD members having legislated for state surveillance powers that human rights groups have denounced as anti-democratic and antithetical to privacy, and which continue to stick tenaciously with data retention regimes that courts keep finding unlawful.

You won’t find those kinds of awkward details recognized in this declaration — despite a claim by members to reject “any approach to government access to personal data held by private sector entities that, regardless of the context, is inconsistent with democratic values and the rule of law, and is unconstrained, unreasonable, arbitrary or disproportionate”.

Meanwhile, stakeholders’ calls for more work by governments to protect privacy and freedom of expression only get a passing “note[d]” in the text.

The closed-door nature of the negotiations to draw up the declaration has also been raised as a concern by civil society groups (aka stakeholders), who have complained they were prevented from fully participating in the discussion process, with no ability for such groups to comment on the final draft ahead of publication, for example.

CSISAC, which acts as the voice of civil society at the OECD’s Committee on Digital Economy Policy — helping to get information flowing between the organization and civil society groups with the aim of achieving better policy outcomes — put out a statement following the declaration’s publication expressing concern at the “lack of procedural guardrails” on the talks on government access and lamenting that the usual formal multi-stakeholder OECD process was not followed in this case.

The members of CSISAC’s Steering Committee present at the @OECD Digital Economy Ministerial Meeting at Gran Canaria, Spain, have released a statement regarding the Trusted Government Access to Private Sector Data Ministerial Declaration. @OECDinnovation #oecdigital pic.twitter.com/3Et9xM3S2M

— CSISAC (@CSISAC) December 14, 2022

“The removal of civil society’s voice in one of the most sensitive and important projects at the OECD sets a dangerous precedent,” the committee goes on, pointing out that the reason given by the OECD for this exclusion — namely, the participation of members of the intelligence community in the negotiations for the declaration — need not have led to the exclusion of civil society from later stages of the process. Any future “similarly sensitive discussions” should not see a repeat of civil society input being shut out, it further urges.

OECD adopts declaration on trusted government access to private sector data by Natasha Lomas originally published on TechCrunch

Realme GT Neo 5 renders leaked: Expected design and other details

The leaked renders show that the upcoming Realme GT Neo 5 will arrive with a different design language from its predecessor. The images reveal that the smartphone is likely to have a dual-toned back panel, with a black-coloured camera module while the rest of the area gets a white paint job.

Daily Crunch: Twitter backpedals on CEO’s promise, permanently bans user who tracked his private jet

To get a roundup of TechCrunch’s biggest and most important stories delivered to your inbox every day at 3 p.m. PDT, subscribe here.

Hello, and happy Wednesday! As I write this, I am also enjoying a virtual “holiyay” celebration with my fellow TechCrunchers. Haje is leaving on a jet plane, but he’ll be back tomorrow. Let’s dive into the news. — Christine

The TechCrunch Top 3

You can’t handle the jet: Elon Musk stated that he was going to protect free speech, even for the person behind Elon Jet, the Twitter account tracking his flights, but alas the account has been permanently suspended. Amanda has more.
If you can’t beat ’em, join ’em: It used to be that Apple fought what they call “sideloading” alternative app stores on the iPhone, but in order to comply with European laws, the consumer tech giant is now reportedly looking at allowing them with iOS 17, which will come out next year, Ivan reports.
Cash flow conundrum: Mary Ann reports on Nilus, a startup that secured $8.5 million to automate financial workflows for companies to more easily manage customer payments.

Startups and VC

Wow, you all were eating up the fintech news today. Okay, here is another one. Bondaval, a London-based B2B company providing credit teams with assurance that customers will pay their bills, raised $15 million in Series A funding, with Catherine writing that Bondaval has now expanded into new use cases for credit managers at large companies, including those in the energy sector.

And we have four more for you:

You look mahvelous: Bollywood star Deepika Padukone has a hit on her hands with her skincare startup, which took in $7.5 million, Manish writes.
Taking off: Ingrid reports on another round of funding for Shield AI, which gives it a $2.3 billion valuation. The company, with its military autonomous flying tech, is a bright spot in the defense sector, which continues to attract investments.
I need a dollar, or 1 billion of them: Visa is committing $1 billion to Africa over the next five years to target partnerships and invest in businesses tackling problems ranging from food insecurity to the underbanked, Tage writes.
You can bet on this: Blockchain has faced its fair share of challenges this year, between crypto winter and other scandals, Mike writes, but it seems to be finding its stride in the sports betting market.

Dear Sophie: When can I register my employee for the H-1B lottery?


Dear Sophie,

We’re a pre-seed startup thinking about sponsoring an early employee’s H-1B visa to stay in the U.S. and work for us.

How does the process work?

— Seeking in San Mateo

Three more from the TC+ team:

Round, round, Getaround: Alex has been following Getaround and why the SPAC route makes sense for the consumer car rental marketplace.
Sunny days are hopefully here again: Solar panels are great, when they work. Haje writes about SmartHelio raising $5 million to continue developing its AI technology to catch when solar panels need fixing, before they break.
Jumping on the SaaS bandwagon: Guidewheel has plans to turn $9 million of new funding into SaaS that boosts manufacturing and trims carbon emissions, writes Tim.

TechCrunch+ is our membership program that helps founders and startup teams get ahead of the pack. You can sign up here. Use code “DC” for a 15% discount on an annual subscription!

Big Tech Inc.

The U.S. National Security Agency warned that Chinese hackers were exploiting a zero-day bug in two of Citrix’s networking products. Carly writes that “the critical-rated vulnerability allows an unauthenticated attacker to remotely run malicious code on vulnerable devices — no passwords needed.” Ooof!

Another warning that Twitter news is coming. Natasha L writes that Elon Musk reportedly forcing tracking ads on Twitter is putting him on the short list for a talking-to by the European Union. Also, Twitter co-founder Jack Dorsey had a good one-day run posting on Revue, Twitter’s newsletter platform, before the social media giant announced it was shutting it down. Amanda has more on that.

And we have four more for you:

Fancy meeting you here: It’s good to have goals. Do you have a goal? Well, Tinder is taking a nod from sister dating app Hinge and wants its users to make relationship goals, Lauren reports.
All your subscriptions in one place: Lauren also writes about Verizon testing a subscription service aggregator called +Play.
Give a gift, get a gift: If you are looking for some last-minute gift ideas for some of your more picky pals, Matt has some high-tech gift ideas for the cannabis users in your life, while Darrell gathered seven for that person who is a smart-home smartypants.
Here’s something you can bet on: You can get a lot of things delivered to your hotel, and Las Vegas visitors can now add semi-autonomous EVs, writes Rebecca.

Daily Crunch: Twitter backpedals on CEO’s promise, permanently bans user who tracked his private jet by Christine Hall originally published on TechCrunch

Frustration and anger after SPV platform Assure dumps users at the curb ahead of holidays

Over the last decade or so, the once-clubby world of startup investing has been cracked wide open by a number of innovations, including special purpose vehicles (SPVs), which are essentially pop-up venture funds that come together quickly with monies from all kinds of accredited investors — from institutions to VCs to dentists — to nab a stake in a single privately held company.

Yet as the market has soured, many investors are learning the hard way that SPVs are complicated, expensive, and not the sure-fire path to riches they once appeared to be. In fact, some who began assembling these SPVs were just left high and dry by a popular SPV administration platform, Assure, which announced somewhat abruptly in late November that it is shutting down and that its customers need to find a new home for their funds by the end of the year.

The move has left many scrambling, and furious. Says Eric Bahn, a co-founder of the seed-stage firm Hustle Fund, which turned to Assure five years ago to set up some SPVs: “We were very unhappy there for some time; the software felt janky to use. But to be told Assure is shutting down right before Thanksgiving — it’s the worst timing possible. If you’re going to run a search for a new provider, you don’t want to do it at the end of the year.”

The shutdown is also costing Assure customers money at a time when many are already feeling the pinch of an economic downturn. Eric Seufert, the sole general partner of Heracles Capital, an Austin-based pre-seed stage fund that is managing $10 million, says he paid the outfit $8,000 per SPV that it managed on his behalf to service the vehicle over its life span. “It was a one-time fee for them to handle all the taxes and all that.”

When Assure said it was shutting down, however, it added that it wouldn’t be refunding those fees, no matter that it didn’t deliver on its promise. “That means we have to pay another provider another fee,” says Seufert, and while investors in each SPV helped cover the initial cost, “it’s not like I’m going to reach out to investors and have them pay again,” he adds. “For me, that’s tens of thousands of dollars unexpectedly that’s coming out of my pocket.”

We’ve reached out to Assure in recent days for comment and haven’t received a response. We also reached out to Jason Calacanis, an investor who formed an SPV to invest in Assure, then heavily promoted its services on his “This Week in Startups” podcast.

In response to our request for help, Calacanis replied via email to “feel free to ask me on Twitter.”

Based on conversations we had with Bahn, Seufert and numerous other Assure customers who spoke with us on background, Assure’s offering was never the sophisticated option. The advantage that the 10-year-old, Salt Lake City firm offered was that it was priced competitively. Whereas some customers paid $8,000 per SPV, others say they paid even less for Assure’s management of their SPVs, including $2,000 and $3,000 per SPV in some cases.

Compared to AngelList — the investment platform that helped popularize SPV investing and that charges a setup fee of $8,000 plus the cost of add-ons, including $4,000 for follow-on investments, $1,000 for international investments, $2,000 for crypto investments that involve tokens, and $10,000 to manage the SPV’s financial statements — Assure seemed to some like a steal.

Alas, because Assure didn’t charge more upfront, the company relied on a steady stream of new clients in order to cover all of its operating costs. When the market turned and investors lost their appetite for SPVs, those new clients slowed to a trickle, prompting Assure’s shutdown.

Says one fund manager, who spoke anonymously about his experience with Assure, which managed tens of SPVs for his firm: “As much as Assure talked about its products, it was a services business that had to keep bringing in [employees]. When the market slowed down and it was facing churn,” that revenue shortfall killed it.

Not that anyone feels sorry for Assure or its founder and CEO, Jeremy Neilson, who was previously a managing director at the Utah Fund of Funds, the state of Utah’s private equity program. On Twitter, Assure customers have variously vented about forming a class action lawsuit and their wish to see Neilson behind bars.

Bahn says that part of that anger ties to the way the company shut down — without apparent contrition or an explanation of what happened. Further, Assure offered “no real migration path,” says Bahn. “‘You’ll figure it out’ was the messaging from Assure,” he says.

That’s no exaggeration, seemingly. Assure’s surprise November announcement came only with a 30-minute-long pre-recorded video in which Neilson reports flatly: “This is an Assure transition presentation. As you’ve heard, Assure is shutting down. Assure will be handing back to you all of your SPVs funds. So these things are being handed back to you. You’re going to now have the ownership. You’re now going to be responsible for maintenance and be responsible for taxes and all post-close activities . . . of course you can find a third-party to assist . . .”

Afterward, customers say, the firm stopped responding to them almost completely.

Not everyone has gotten their money out of Assure, either. Seufert says one of his SPVs produced a return for investors in October, but while Assure issued checks to two-thirds of the individuals who contributed capital to the SPV, Assure stopped wiring money after that and became wholly unresponsive to Seufert until he mentioned this week that he was talking with TechCrunch.

After sending Assure a “pleading email to beg them to finish the distributions for the SPV that exited, they have agreed to do that,” he says, though as of this writing, that money has not been transferred.

Meanwhile, Neilson’s timing could scarcely be worse. Though newer platforms are advertising their related services right now — Vauban, an online investing platform recently acquired by Carta, has been promoting its services heavily; Assure meanwhile pointed customers to the nascent private markets platform Allocations — other providers “aren’t excited to talk to you,” says Bahn, because they are “already doing tax and auditing work for Q1.”

They also don’t want to take on unnecessary risk from a company that clearly did not have its ducks in a row.

Bahn, for example, was able to turn to AngelList, but the company is turning away many other managers for its own safety, explains AngelList venture CEO Avlok Kohli. “We’ve been reserved about blanket taking on any customer precisely because we are very deliberate about the types of customers and products we want to support, and in our view, there are some unknown unknowns in taking on products from another provider.”

Unfortunately, that leaves a lot of SPV managers without a lot of good options while also needing to take action quickly.

Jason Burke, the Boston-based founder and CEO of a software platform called All Stage that paid Assure to manage more than 30 SPVs on his behalf, is among those still mulling over his options. What he knows for certain is that he can’t do nothing.

“I think we’ll find some who put a blindfold on and just ignore this for now, but people will regret doing that,” says Burke. “The government, the IRS, isn’t going to ignore this stuff. People put money into these SPVs and they want a return or to be able to write off losses, so it falls to the syndicate group lead to find a path.”

Seufert hears much of the same from others of Assure’s frustrated customers; he started a Slack group for them several weeks ago that now counts 35 members. Still, it’s mid-December and Seufert — who in addition to managing a venture fund also publishes a mobile advertising trade blog — is himself still trying to figure out a plan for his SPVs as he juggles his other responsibilities.

There are a “bunch of other companies vying for this business, a bunch of startups chasing this space,” he observes. But he wonders whether, like Assure, they really know what they are doing. Says Seufert, “How do I know I won’t have to do this again a few years from now?”

Frustration and anger after SPV platform Assure dumps users at the curb ahead of holidays by Connie Loizos originally published on TechCrunch

Parsing LastPass’ data breach notice

Two weeks ago, the password manager giant LastPass disclosed its systems were compromised for a second time this year.

Back in August, LastPass found that an employee’s work account was compromised to gain unauthorized access to the company’s development environment, which stores some of LastPass’ source code. LastPass CEO Karim Toubba said the hacker’s activity was limited and contained, and told customers that there was no action they needed to take.

Fast forward to the end of November, and LastPass confirmed a second compromise that it said was related to its first. This time around, LastPass wasn’t as lucky. The intruder had gained access to customer information.

In a brief blog post, Toubba said information obtained in the August incident was used to access a third-party cloud storage service that LastPass uses to store customer data, as well as customer data for its parent company GoTo, which also owns LogMeIn and GoToMyPC.

But since then, we’ve heard nothing new from LastPass or GoTo, whose CEO Paddy Srinivasan posted an even vaguer statement saying only that it was investigating the incident, but neglected to specify if its customers were also affected.

GoTo spokesperson Nikolett Bacso Albaum declined to comment.

Over the years, TechCrunch has reported on countless data breaches and what to look for when companies disclose security incidents. With that, TechCrunch has marked up and annotated LastPass’ data breach notice with our analysis of what it means and what LastPass has left out — just as we did with Samsung’s still-yet-unresolved breach earlier this year.

What LastPass said in its data breach notice

LastPass and GoTo share their cloud storage

A key reason both LastPass and GoTo are notifying their respective customers is that the two companies share the same cloud storage.

Neither company named the third-party cloud storage service but it’s likely to be Amazon Web Services, the cloud computing arm of Amazon, given that an Amazon blog post from 2020 described how GoTo, known as LogMeIn at the time, migrated over a billion records from Oracle’s cloud to AWS.

It’s not uncommon for companies to store their data — even from different products — on the same cloud storage service. That’s why it’s important to ensure proper access controls and to segment customer data, so that if a set of access keys or credentials are stolen, they cannot be used to access a company’s entire trove of customer data.

If the cloud storage account shared by both LastPass and GoTo was compromised, it may well be that the unauthorized party obtained keys that allowed broad, if not unfettered access to the company’s cloud data, encrypted or otherwise.
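To make the segmentation point concrete, here is an added example, not LastPass’ or GoTo’s code: a simplified IAM-style policy evaluator run against a constructed bucket shared by two products. It shows the blast radius of a leaked key under a single shared policy versus a per-product policy that also carries an explicit Deny on the other product’s prefix. Bucket, prefix and object names are invented, and the policy grammar is reduced to Effect, Action and Resource.

```python
"""Added example (not LastPass's or GoTo's code): a simplified IAM-style
policy evaluator that shows how scoping a storage key to one product's
prefix limits what a stolen key can read. Bucket, prefix and key names are
invented; the policy grammar is reduced to Effect/Action/Resource."""
from fnmatch import fnmatchcase

# Constructed object inventory in a bucket shared by two products.
OBJECTS = [
    "arn:aws:s3:::customer-data/lastpass/vaults/u1.bin",
    "arn:aws:s3:::customer-data/lastpass/billing/u1.json",
    "arn:aws:s3:::customer-data/goto/logmein/accounts.csv",
    "arn:aws:s3:::customer-data/goto/gotomypc/accounts.csv",
]

# One key for everything: if it leaks, the whole bucket leaks.
SHARED_KEY_POLICY = [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::customer-data/*"},
]

# Per-product key: allowed only under its own prefix, with an explicit Deny on
# the other product's prefix as defence in depth against a later, broader Allow.
LASTPASS_KEY_POLICY = [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::customer-data/lastpass/*"},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::customer-data/goto/*"},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """IAM evaluation order: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy:
        action_match = any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_match = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_match and resource_match):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def readable_objects(policy, object_arns=OBJECTS):
    """Blast radius of a leaked key: every object it can GetObject."""
    return sorted(arn for arn in object_arns if is_allowed(policy, "s3:GetObject", arn))


if __name__ == "__main__":
    for name, policy in [("shared key", SHARED_KEY_POLICY), ("lastpass-only key", LASTPASS_KEY_POLICY)]:
        print(f"{name}: {len(readable_objects(policy))} of {len(OBJECTS)} objects readable")
        for arn in readable_objects(policy):
            print("   ", arn)
```

The explicit Deny matters because IAM policies accumulate: if someone later attaches a broad Allow to the same principal, the Deny still holds, which is the property you want for a key that is going to sit in a development environment.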

LastPass doesn’t yet know what was accessed, or if data was taken

In its blog post, LastPass said it was “working diligently” to understand what specific information was accessed by the unauthorized party. In other words, at the time of its blog post, LastPass doesn’t yet know what customer data was accessed, or if data was exfiltrated from its cloud storage.

It’s a tough position for a company to be in. Some move to announce security incidents quickly, especially in jurisdictions that obligate prompt public disclosures, even if the company has little or nothing yet to share about what has actually happened.

LastPass will be in a far better position to investigate if it has logs it can comb through, which can help incident responders learn what data was accessed and if anything was exfiltrated. It’s a question we ask companies a lot, and LastPass is no different. When companies say that they have “no evidence” of access or compromise, it may be that they lack the technical means, such as logging, to know what was going on.
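This is what those logs buy an incident responder. The following is an added example, not LastPass’ code or logs: a small triage script over constructed records in the shape of CloudTrail S3 data events (the field names follow CloudTrail; the key IDs, IP addresses, object paths, sizes and timestamps are invented). It answers the questions a disclosure should be able to answer, namely which objects a given key read, how many bytes left the bucket, from where, and over what window, and it flags any key that touched more than one product’s prefix.

```python
"""Added example (not LastPass's code or logs): triage of object-storage
access logs to answer "which objects did a given key read, and how much
left the bucket?". The records below are constructed in the shape of
CloudTrail S3 data events; key IDs, IPs, paths, sizes and times are invented."""
import json
from collections import defaultdict

SAMPLE_LOG = """
{"eventTime":"2022-11-20T03:12:09Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEDEV01"},"sourceIPAddress":"203.0.113.7","requestParameters":{"bucketName":"customer-data","key":"lastpass/vaults/u1.bin"},"additionalEventData":{"bytesTransferredOut":20480}}
{"eventTime":"2022-11-20T03:12:31Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEDEV01"},"sourceIPAddress":"203.0.113.7","requestParameters":{"bucketName":"customer-data","key":"lastpass/vaults/u2.bin"},"additionalEventData":{"bytesTransferredOut":18944}}
{"eventTime":"2022-11-20T03:13:00Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEAPP001"},"sourceIPAddress":"10.0.4.15","requestParameters":{"bucketName":"customer-data","key":"lastpass/vaults/u3.bin"},"additionalEventData":{"bytesTransferredOut":20480}}
{"eventTime":"2022-11-20T03:15:02Z","eventName":"ListObjects","userIdentity":{"accessKeyId":"AKIAEXAMPLEDEV01"},"sourceIPAddress":"203.0.113.7","requestParameters":{"bucketName":"customer-data","prefix":"goto/"}}
{"eventTime":"2022-11-20T03:15:40Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEDEV01"},"sourceIPAddress":"203.0.113.7","requestParameters":{"bucketName":"customer-data","key":"goto/logmein/accounts.csv"},"additionalEventData":{"bytesTransferredOut":5242880}}
"""


def parse_events(text):
    """One JSON record per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_by_key(events):
    """Per access key: tenant prefixes touched, objects read, bytes out,
    source IPs and the first/last time the key was seen."""
    summary = defaultdict(lambda: {"prefixes": set(), "objects_read": [], "bytes_out": 0,
                                   "source_ips": set(), "first_seen": None, "last_seen": None})
    for ev in events:
        s = summary[ev["userIdentity"]["accessKeyId"]]
        params = ev.get("requestParameters", {})
        # A ListObjects with a prefix reveals intent even when nothing is read yet.
        touched = params.get("key") or params.get("prefix") or ""
        if touched:
            s["prefixes"].add(touched.split("/")[0])
        if ev["eventName"] == "GetObject":
            s["objects_read"].append(touched)
            s["bytes_out"] += ev.get("additionalEventData", {}).get("bytesTransferredOut", 0)
        s["source_ips"].add(ev["sourceIPAddress"])
        t = ev["eventTime"]  # ISO-8601 UTC strings sort correctly as text
        s["first_seen"] = t if s["first_seen"] is None or t < s["first_seen"] else s["first_seen"]
        s["last_seen"] = t if s["last_seen"] is None or t > s["last_seen"] else s["last_seen"]
    return dict(summary)


def cross_tenant_keys(summary):
    """Keys that touched more than one product prefix. With per-product keys
    this list should be empty, so any entry is worth a look."""
    return sorted(k for k, s in summary.items() if len(s["prefixes"]) > 1)


if __name__ == "__main__":
    summary = summarize_by_key(parse_events(SAMPLE_LOG))
    for key_id, s in summary.items():
        print(f"{key_id}: {len(s['objects_read'])} objects, {s['bytes_out']} bytes out, "
              f"prefixes={sorted(s['prefixes'])}, ips={sorted(s['source_ips'])}, "
              f"{s['first_seen']} .. {s['last_seen']}")
    print("keys crossing tenant prefixes:", cross_tenant_keys(summary))
```

The per-key byte count is the number a company needs before it can say whether data was exfiltrated rather than merely accessed; without data-event logging of this kind, “no evidence” means only that nobody was recording.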

A malicious actor is probably behind the breach

The wording of LastPass’ blog post in August left open the possibility that the “unauthorized party” may not have been acting in bad faith.

It is both possible to gain unauthorized access to a system (and break the law in the process), and still act in good faith if the end goal is to report the issue to the company and get it fixed. It might not let you off a hacking charge if the company (or the government) isn’t happy with the intrusion. But common sense often prevails when it’s clear that a good-faith hacker or security researcher is working to fix a security issue, not cause one.

At this point it’s fairly safe to assume that the unauthorized party behind the breach is a malicious actor at work, even if the motive of the hacker — or hackers — is not yet known.

LastPass’ blog post says that the unauthorized party used information obtained during the August breach to compromise LastPass a second time. LastPass does not say what this information is. It could mean access keys or credentials that the unauthorized party obtained during their raid on LastPass’ development environment in August, but which LastPass never revoked.

What LastPass didn’t say in its data breach notice

We don’t know when the breach actually happened

LastPass did not say when the second breach happened, only that it was “recently detected”, which refers to the company’s discovery of the breach and not necessarily the intrusion itself.

There is no reason why LastPass, or any company, would withhold the date of intrusion if it knew when it happened. If the intrusion was caught quickly, you would expect that to be mentioned as a point of pride.

But companies will instead sometimes use vague terms like “recently” (or “enhanced”), which don’t really mean anything without necessary context. It could be that LastPass didn’t discover its second breach until long after the intruder gained access.

LastPass won’t say what kind of customer information could have been at risk

An obvious question is what customer information LastPass and GoTo are storing in their shared cloud storage. LastPass only says that “certain elements” of customer data were accessed. That could be as broad as the personal information that customers gave LastPass when they registered, such as their name and email address, all the way through to sensitive financial or billing information and customers’ encrypted password vaults.

LastPass is adamant that customers’ passwords are safe due to how the company designed its zero knowledge architecture. Zero knowledge, in this context, means that a customer’s data is encrypted on the customer’s own device with a key derived from the master password before it is ever sent to the company, so the company stores only ciphertext it cannot read. In this case, LastPass stores each customer’s password vault in its cloud storage, but only the customer has the master password to unlock the data; LastPass itself does not.

The wording of LastPass’ blog post is ambiguous as to whether customers’ encrypted password vaults are stored in the same shared cloud storage that was compromised. LastPass only says that customer passwords “remain safely encrypted” which can still be true, even if the unauthorized party accessed or exfiltrated encrypted customer vaults, since the customer’s master password is still needed to unlock their passwords.

If it turns out that customers’ encrypted password vaults were exposed or subsequently exfiltrated, that would remove a significant obstacle in the way of accessing a person’s passwords, since all an attacker would still need is the victim’s master password. An exposed or compromised vault is only as strong as the encryption used to scramble it, and because the encryption key is derived from the master password, that in practice means the strength of the master password and the work factor of the key derivation function: with the ciphertext in hand, an attacker can guess master passwords offline, at their own pace, with no rate limiting from LastPass to slow them down.
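To show what that offline attack looks like, here is an added example, not LastPass’ code: a client-side vault encryption under a PBKDF2-derived key, the blob a server would store, and the guessing loop an attacker runs once that blob has been exfiltrated. Real products use AES; to stay on the Python standard library this uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, which is a stand-in for AES-GCM and not a recommendation. The passwords, vault contents and wordlist are constructed, and the iteration count is a deliberately low assumption so the demonstration runs in seconds.

```python
"""Added example (not LastPass's code): client-side vault encryption under a
key derived from the master password, and the offline guessing an attacker
can run once the ciphertext is in hand. Real products use AES; to stay on
the standard library this uses an HMAC-SHA256 counter-mode keystream with an
encrypt-then-MAC tag, a stand-in for AES-GCM, not a recommendation.
Passwords, wordlist and vault contents are constructed."""
import hashlib
import hmac
import os
import struct

# Assumption: a low work factor so the demo runs in seconds. Every iteration
# multiplies the attacker's per-guess cost, so production vaults should use a
# far higher count or a memory-hard KDF.
DEFAULT_ITERATIONS = 100_000


def derive_keys(master_password, salt, iterations):
    """PBKDF2-HMAC-SHA256 -> (encryption key, MAC key), 32 bytes each."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream from a PRF: HMAC(enc_key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(master_password, plaintext, iterations=DEFAULT_ITERATIONS, salt=None, nonce=None):
    """Runs on the client. The returned blob is all the server ever stores:
    it contains no master password and no key."""
    salt = os.urandom(16) if salt is None else salt
    nonce = os.urandom(16) if nonce is None else nonce
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations, "ciphertext": ciphertext, "tag": tag}


def _check_tag(master_password, blob):
    """Returns the encryption key if the tag verifies under this password, else None."""
    enc_key, mac_key = derive_keys(master_password, blob["salt"], blob["iterations"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    return enc_key if hmac.compare_digest(expected, blob["tag"]) else None


def decrypt_vault(master_password, blob):
    """Verify first, then decrypt; a wrong password or a tampered blob fails closed."""
    enc_key = _check_tag(master_password, blob)
    if enc_key is None:
        raise ValueError("wrong master password or tampered vault")
    return _xor(blob["ciphertext"], _keystream(enc_key, blob["nonce"], len(blob["ciphertext"])))


def offline_guess(blob, candidates):
    """What an attacker does with an exfiltrated vault: every guess is checked
    locally against the tag, so no server sees or rate-limits the attempts."""
    for guess in candidates:
        if _check_tag(guess, blob) is not None:
            return guess
    return None


if __name__ == "__main__":
    vault = b"github.com: hunter2\nbank.example: correct-horse"
    # Constructed wordlist; a real attacker brings billions of leaked passwords.
    wordlist = ["123456", "qwerty", "password123", "letmein"]
    weak = encrypt_vault("password123", vault)
    strong = encrypt_vault("glacier-ferret-umbrella-74", vault)
    print("weak master password cracked as:", offline_guess(weak, wordlist))
    print("strong master password cracked as:", offline_guess(strong, wordlist))
    print("legitimate client decrypts:", decrypt_vault("password123", weak) == vault)
```

Two things stand out when you run it. The server-side blob really is useless on its own, which is the zero knowledge claim. But the attacker’s cost per guess is exactly one key derivation, so a vault protected by a password from a leaked wordlist falls in seconds regardless of how strong the cipher is; only the iteration count and the master password’s entropy stand between an exfiltrated vault and its contents.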

LastPass hasn’t said how many customers are affected

If the intruder accessed a shared cloud storage account storing customer information, it’s reasonable to assume that they had significant, if not unrestricted access to whatever customer data was stored.

A best case scenario is that LastPass segmented or compartmentalized customer information to prevent a scenario like a catastrophic data theft.

LastPass says that its development environment, initially compromised in August, does not store customer data. LastPass also says its production environment — a term for servers that are actively in use for handling and processing user information — is physically separated from its development environment. By that logic, it appears that the intruder may have gained access to LastPass’ cloud production environment, despite LastPass saying in its initial August post-mortem that there was “no evidence” of unauthorized access to its production environment. Again, it’s why we ask about logs.

Assuming the worst, LastPass has about 33 million customers. GoTo has 66 million customers as of its most recent earnings in June.

Why did GoTo hide its data breach notice?

If you thought LastPass’ blog post was light on details, the statement from its parent company GoTo was even lighter. What was more curious is that if you searched for GoTo’s statement, you wouldn’t initially find it. That’s because GoTo put a “noindex” directive on the blog post to tell search engine crawlers, like Google, to skip it and not catalog the page as part of their search results. The directive does not restrict access to the page, so anyone who already had its specific web address could still read it; it just ensured that nobody would find it through a search.
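A quick way to check a breach notice for this is to look at both places the directive can live: a robots meta tag in the HTML and an X-Robots-Tag response header. The following is an added example, not GoTo’s page or code; the HTML snippets and header values are constructed.

```python
"""Added example (not GoTo's page or code): a check for whether a page asks
search engines not to index it, via a robots meta tag or an X-Robots-Tag
response header. The HTML and headers below are constructed."""
from html.parser import HTMLParser

# "none" is shorthand for "noindex, nofollow", so it hides the page as well.
HIDING_DIRECTIVES = {"noindex", "none"}


def _split_directives(value):
    """'noindex, nofollow' or 'googlebot: noindex' -> ['noindex', 'nofollow']."""
    return [part.split(":")[-1].strip().lower() for part in value.split(",") if part.strip()]


class _RobotsMetaParser(HTMLParser):
    """Collects directives from <meta name="robots"> and <meta name="googlebot">."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser lower-cases tag names
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives += _split_directives(a.get("content", ""))


def noindex_sources(html, headers=None):
    """Return where the page is hidden from indexing; an empty list means it is not."""
    found = []
    parser = _RobotsMetaParser()
    parser.feed(html)
    if HIDING_DIRECTIVES & set(parser.directives):
        found.append("meta robots")
    for name, value in (headers or {}).items():
        if name.lower() == "x-robots-tag" and HIDING_DIRECTIVES & set(_split_directives(value)):
            found.append("X-Robots-Tag header")
    return found


# Constructed pages: one hidden the way the article describes, one not.
HIDDEN_NOTICE = """<html><head><title>Security Incident</title>
<meta name="robots" content="noindex, nofollow"></head><body>...</body></html>"""
VISIBLE_NOTICE = """<html><head><title>Security Incident</title>
<meta name="description" content="incident update"></head><body>...</body></html>"""

if __name__ == "__main__":
    print("hidden notice:", noindex_sources(HIDDEN_NOTICE))
    print("visible notice:", noindex_sources(VISIBLE_NOTICE))
    print("header only:", noindex_sources(VISIBLE_NOTICE, {"X-Robots-Tag": "googlebot: noindex"}))
```

The header check matters because a page can look clean in view-source and still be hidden by the server; fetch the notice with a client that shows response headers before concluding it is indexable.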

This week, LastPass, and its parent company GoTo, both published blog posts about their recent data breach: https://t.co/k45angqAyM

But if you search for GoTo’s blog post in Google, you won’t find it, because GoTo hid its breach notice from search engines using “noindex” code. pic.twitter.com/d83BZuOyR5

— Zack Whittaker (@zackwhittaker) December 2, 2022

Lydia Tsui, a director at crisis communications firm Brunswick Group, which represents GoTo, told TechCrunch that GoTo had removed the “noindex” code blocking the data breach notice from search engines, but declined to say for what reason the post was blocked to begin with.

Some mysteries we may never solve.

Parsing LastPass’ data breach notice by Zack Whittaker originally published on TechCrunch

Apple’s Emergency SOS via satellite prompts rescue after car goes off a cliff north of LA

Apple’s new “Emergency SOS” service that lets off-grid iPhone users call for help via satellite has led to what may very well be its first successful rescue operation, certainly the first to be documented live.

As related by the Montrose Search & Rescue Team, which conducted the operation, two people were in a vehicle driving through the Angeles National Forest yesterday afternoon when their car went off the road and “off the side of the mountain, approximately 300′.” The impact was serious enough to strip the front bumper off the car, which seems to have then tumbled or slid into a narrow valley well below the highway.

With no cell coverage (they were about 19 miles into the forest) and possibly injured, the pair made the decision to try out the new satellite communication service introduced in September for the iPhone 14 and 14 Pro.

The service requires users to point their phone at a passing partner satellite, and when a connection is established their location is sent along with any circumstances, like whether someone is hurt. The message goes to a relay service, which then passes it to the appropriate authorities — in this case LA county fire department, sheriffs, and the SAR team in Montrose. (I’ve contacted the team to see how the experience was from their end and will update if I hear back.)

“The call center gave us an accurate latitude and longitude for the victims,” wrote the rescue team. “[Helicopter] Rescue 5 was able to locate the victims and insert a paramedic. The paramedic learned the patients, a male and female in their 20s, had mild to moderate injuries. The helicopter was able to hoist the victims out of the canyon and transport them to a local area hospital.”

Apple’s service is just one of several ways people may soon be able to use satellites directly from their phones. Lynk promises a regular exchange of data for SMS and emergency alert purposes, and T-Mobile is partnering with Starlink to enable something like that for subscribers as well.

Apple’s Emergency SOS via satellite prompts rescue after car goes off a cliff north of LA by Devin Coldewey originally published on TechCrunch

Murmur gets a loud ask: reinvent closed door decisions

The conversation in startup land has shifted from building in public to, hey, maybe let’s just figure things out internally before we scream to the masses.

At least that’s what I’m gleaning from the growth story of Murmur, a startup that wants to make decision-making easier for private companies. Built by entrepreneur Aaron Dignan, Murmur launched its closed beta in 2021 with a vision to create a public forum of private work agreements so companies could scale remote policies faster.

Now Dignan is back, nearly two years later, to say that early-stage founders on Murmur’s beta had a separate-yet-related product request that has now taken priority: they want a better way to make collaborative decisions, no meeting required.

Murmur is currently working on a collaborative platform that helps companies make decisions in an open and feedback-oriented way. Employees and executives can go in and propose a change, make a work agreement around it and then ask for approvals with a deadline ticking in the background.


It’s a smarter Google doc, meant to be built with a decision-making framework in mind — whether that be figuring out a way to productize the back-and-forth of a compromise, or optimize for more eyes before an agreement is set in stone. Fundamentally, the product is a bet on the idea that companies want a smarter way to work in a remote-first environment, one that factors in time zones as more than an inconvenience.

“People do not like to read and they do not like to write — you have to think about that when you build a product and that means that people are looking for a way to make decisions with less work,” Dignan said. While Murmur is still focused on transparency and public agreements, it’s also working on an artificial intelligence writer that will allow employees to whip up a proposal for, say, a four-day work week within minutes. Dignan also hinted at a Slack tool that will listen to conversations and, if someone writes the word “should” or “what if” in a channel, pop up a bot in a private DM that’ll ask if they want to make a proposal around the idea. While that certainly raised some questions for me around privacy, Dignan stressed that users will be able to choose which channels the feature pops up on and train it to be more thoughtful over time. The Slack feature is not available for general users right now, to be clear — only alpha users.

Murmur’s goal, and biggest challenge, is figuring out the right entry point for its product. Should it sell to decentralized autonomous organizations? Universities? Big Tech? Early-stage startups? Each potential customer has an entirely different goal and incentive structure around decisions. At this point, out of the 100 most active accounts on Murmur, less than a quarter would be considered tech companies, according to Dignan. Top customers include Adidas, Bitly and Philippine Space Agency.

Dignan thinks interest in a tool like Murmur boils down to how serious a company is about building inclusion and transparency into their remote work policies.

“It’s a weird cross-section where some people in the startup game have this mindset, but a lot don’t,” he said. “In general when we have tech founders on Murmur, they’re a second-time founder because they’ve been to the puppet show, they’ve seen the strings, they see how things go wrong at scale and how when you blitzscale, it gets even worse.” Dignan added that, when he’s talking to some founders, his message is that “this is going to seem like a little bit of overkill to you, but I promise, it’s not.”

While waiting for tech to hit a point where the weight of remote work is too much, Dignan doesn’t seem to be sweating his industry’s complacency. And neither do his investors.

Murmur’s broader product vision has helped it close an $8 million round co-led by Asymmetric and Greenfield, with participation from all the investors in its prior round, including Lerer Hippeau, SemperVirens, Human Ventures and Vitalize. For just a murmur, that’s a pretty loud sign of validation.

Murmur gets a loud ask: reinvent closed door decisions by Natasha Mascarenhas originally published on TechCrunch

Despite the FTX mess, the crypto market looks to the future

Even as Sam Bankman-Fried, the former CEO of the collapsed crypto exchange FTX, was arrested and denied bail earlier this week, the questions around the case — and what lies ahead — continue to linger.

“The arrest of Bankman-Fried was both overdue and jumping the gun,” Matthew Barhoma, founder of Barhoma Law and Power Trial Lawyers, told TechCrunch.

What we have seen may just be the beginning, Barhoma hinted: “Expect more charges against Bankman-Fried and others associated with FTX.”

On Tuesday, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) both filed charges against Bankman-Fried for defrauding investors. He is also being investigated for other securities law violations, alongside pending investigations into others involved.

As the situation unfolds, Miles Fuller, head of government solutions for Taxbit, agrees with Barhoma that more charges will arise. “SBF’s arrest was not unexpected,” he said.

Damian Williams, the U.S. attorney for the Southern District of New York, was asked during a press conference on Tuesday afternoon whether the entities will bring charges against other individuals allegedly involved in the FTX collapse, to which he replied, “I can only say this: Clearly, we are not done.”

“Of the eight counts in the indictment, five are conspiracy counts,” Fuller said. “A criminal conspiracy, by definition, requires more than one individual, so we should anticipate that at least some other individuals will need to be identified and possibly charged as co-conspirators.”

There is much speculation around the extent of the criminal action and who was involved in the FTX saga, according to Joby Carpenter, global head of crypto assets and illicit finance at ACAMS. “The unsealed indictment from the U.S. Department of Justice references massive fraud, money laundering and violations of campaign finance laws in the U.S. There’s more to play out, though,” he told TechCrunch.

Despite the FTX mess, the crypto market looks to the future by Jacquelyn Melinek originally published on TechCrunch
