Very Good Security (VGS), a data-privacy platform that helps companies such as financial and healthcare services protect their customers’ data, has raised $35 million in a series B round of funding led by Goldman Sachs’ merchant banking division, with participation from Andreessen Horowitz and Vertex Ventures, among other existing investors.
Founded out of San Francisco in 2016, VGS’s core selling point lies in the notion that most companies don’t actually want to store people’s private data. They don’t want to keep social security numbers (SSNs) or bank card details on file — but they have to if they want to check up on customers’ credit history, or take money from their bank for a monthly subscription. And this is where VGS comes into play, as it provides a “developer-friendly” platform that enables businesses to offload sensitive data to a third-party custodian (VGS) that specializes in protecting data and ensuring regulatory compliance.
“For most companies, data is simply an input to achieve a business outcome such as getting paid, underwriting a loan, or running a background check,” noted VGS cofounder and CEO Mahmoud Abdelkader. “VGS provides specialized SaaS infrastructure to make it easy for developers and businesses to achieve their objectives while offloading the risk that comes with data custodianship.”
Using VGS, companies can leverage the value of data without having access to the data itself — for example, they can take money from a customer’s bank account without ever knowing their bank account details. VGS effectively “wraps around” companies’ systems, relieving them of ever coming into direct contact with private data. The platform redacts and tokenizes sensitive information, giving the business a hashed “aliased” version instead, consisting of random characters.

Above: VGS: Illustration of how data is collected
Thus, the core premise behind VGS is fairly straightforward: “you can’t hack what isn’t there,” as the company puts it.
“VGS sits at the network layer — as data comes in and goes out — transforming any sensitive data into non-sensitive ‘aliased’ data that the customer can keep in their systems and use just like the real thing,” Abdelkader told VentureBeat.
Moreover, the company said that there isn’t any requirement to integrate with an API to use VGS. “They simply change their network settings to route traffic through VGS, and we automatically protect them from sensitive data,” Abdelkader added.
Although many of VGS’s clients operate in the fintech sphere, including Brex, Travel Bank, Deserve, and LendUp, it also claims customers in other industries such as food delivery – Amazon-backed Deliveroo is among VGS’s customers. In truth, any company that handles private customer data could use a platform such as VGS, from Netflix to Spotify and beyond.

Above: VGS cofounder and CEO Mahmoud Abdelkader
Prior to now, VGS had raised $8.5 million from notable backers including PayPal cofounder Max Levchin. With another $35 million in the bank, it said that it simply plans to continue investing in its “rapid growth.”
Privacy push
Barely a day goes by without at least some form of high-profile data breach hitting the headlines, and in the past few months alone hotel giant Marriott was hit with a £99 million ($123 million) fine in Europe over a breach that exposed the personal details of 339 million guests, while British Airways (BA) was slapped with a provisional £183.39 million ($230 million) fine over a 2018 security lapse that compromised the personal data of around 500,000 customers.
Both BA and Marriott’s fines came under the auspices of Europe’s General Data Protection Regulation (GDPR), which took effect last May. In effect, companies operating in Europe now face record fines for mishandling their customers’ data, which has contributed to a growing number of privacy-focused startups coming to the fore to cash in on these new regulations. New York-based BigID, for example, helps enterprises find sensitive data held on internal servers and databases, analyzes it, de-risks it, and ensures that organizations are complying with data protection regulations. BigID closed a $50 million round last month.
A quick peek around the world reveals that data privacy and residency regulations are only growing. China and Russia are already enforcing tight data residency requirements on companies that operate in their country, while Europe is currently weighing up a new ePrivacy Regulation that covers individuals’ privacy in relation to electronic communications. And in the U.S., the California Consumer Privacy Act (CCPA), which comes into effect in January, is designed to enhance privacy rights of consumers living in the state.
While VGS isn’t necessarily targeting these regulations specifically, what it is targeting is a growing concern and awareness of the need to safeguard users’ data, though it said that it does provide complementary tools to help companies comply with various regulations.
“VGS’ infrastructure, reporting, and audit tools make it much easier for companies to comply with major privacy regulations, including GDPR and CCPA,” Abdelkader said, adding that the company is currently working on specific compliance services for these regulatory frameworks later this year.
While some will undoubtedly question whether handing private data to a third party (VGS) simply passes the buck, opening a new avenue for hackers to target, the underlying issue that VGS is looking to solve is that despite their best efforts, not all companies can become specialists in data security when their core focus is on selling music subscriptions or food. VGS, on the other hand, exists for one thing, and one thing only.
“Data security is our sole focus and core competency, so unlike most companies who are forced to build their security posture from scratch, VGS provides specialized infrastructure solely dedicated to keeping data safe,” Abdelkader added.