Very Good Security (VGS), a data privacy platform that helps financial and healthcare service providers and others protect their customers’ data, has raised $35 million in a series B round of funding led by Goldman Sachs’ merchant banking division, with participation from Andreessen Horowitz and Vertex Ventures, among other existing investors.
Founded out of San Francisco in 2016, VGS is built on the notion that most companies don’t actually want to store people’s private data. They don’t want to keep social security numbers (SSNs) or bank card details on file — but they have to if they want to check up on customers’ credit history or collect money for a monthly subscription. This is where VGS comes into play, providing a “developer-friendly” platform so businesses can offload sensitive data. VGS bills itself as a third-party custodian that specializes in protecting data and ensuring regulatory compliance.
“For most companies, data is simply an input to achieve a business outcome, such as getting paid, underwriting a loan, or running a background check,” noted VGS cofounder and CEO Mahmoud Abdelkader. “VGS provides specialized SaaS infrastructure to make it easy for developers and businesses to achieve their objectives while offloading the risk that comes with data custodianship.”
Using VGS, companies can leverage the value of data without having access to the data itself — for example, they can take money from a customer’s bank account without ever knowing their bank account details. VGS effectively “wraps around” companies’ systems, keeping them from ever coming into direct contact with private data. The platform redacts and tokenizes sensitive information, giving the business a hashed “aliased” version that consists of random characters.
The premise is fairly straightforward: “You can’t hack what isn’t there,” as the company puts it.
“VGS sits at the network layer — as data comes in and goes out — transforming any sensitive data into non-sensitive ‘aliased’ data that the customer can keep in their systems and use just like the real thing,” Abdelkader told VentureBeat.
Moreover, the company said customers don’t need to integrate with an API to use VGS. “They simply change their network settings to route traffic through VGS, and we automatically protect them from sensitive data,” Abdelkader added.
Although many of VGS’ clients operate in the financial tech sphere, including Brex, Travel Bank, Deserve, and LendUp, it also claims customers in other industries, such as food delivery — Amazon-backed Deliveroo is a customer. In truth, any company that handles private customer data could use a platform such as VGS, from Netflix to Spotify and beyond.
VGS had previously raised $8.5 million from notable backers that include PayPal cofounder Max Levchin. With another $35 million in the bank, the company plans to continue investing in its “rapid growth.”
Barely a day goes by without at least some form of high-profile data breach hitting the headlines, and in the past few months alone hotel giant Marriott was hit with a £99 million ($123 million) fine in Europe over a breach that exposed the personal details of 339 million guests, while British Airways (BA) was slapped with a provisional £183.39 million ($230 million) fine for a 2018 security lapse that compromised the personal data of around 500,000 customers.
Both fines came under the auspices of Europe’s General Data Protection Regulation (GDPR), which took effect last May. In a nutshell, companies operating in Europe are now facing record fines for mishandling their customers’ data, which has contributed to a growing number of privacy-focused startups eager to cash in on these new regulations. New York-based BigID, for example, helps enterprises find sensitive data held on internal servers and databases, analyzes it, de-risks it, and ensures that organizations are complying with data protection regulations. BigID closed a $50 million round last month.
A quick peek around the world reveals that data privacy and residency regulations are only growing. China and Russia are already enforcing tight data residency requirements on companies that operate in their country, while Europe is currently weighing a new ePrivacy Regulation that covers individuals’ privacy in relation to electronic communications. In the U.S., the California Consumer Privacy Act (CCPA), which goes into effect in January, is designed to enhance privacy rights of consumers living in the state.
While VGS isn’t necessarily targeting these regulations specifically, it is catering to the growing demand for safeguarding users’ data. And the company says it provides complementary tools to help companies comply with various regulations.
“VGS’ infrastructure, reporting, and audit tools make it much easier for companies to comply with major privacy regulations, including GDPR and CCPA,” Abdelkader said, adding that the company is currently working on specific compliance services for these regulatory frameworks.
While some will undoubtedly wonder whether handing private data to a third party such as VGS simply passes the buck, opening a new avenue for hackers to target, the underlying issue VGS is looking to solve is that despite their best efforts, not all companies can become specialists in data security, especially when their core focus is selling music subscriptions or food. VGS, on the other hand, exists for one thing and one thing only.
“Data security is our sole focus and core competency, so unlike most companies who are forced to build their security posture from scratch, VGS provides specialized infrastructure solely dedicated to keeping data safe,” Abdelkader added.