Very Good Security is our name, and data security is our business. We're committed to using the best possible security practices. If you have any questions or encounter any issues, please let us know. You can find a more detailed description of our controls in our full Security Statement.
VGS is a certified Level 1 PCI Service Provider. Similarly, VGS has achieved SOC2 (Service Organization Controls 2) Type 2 certification as well as Experian Ei3PA certification. To maintain compliance for each of these, VGS is audited by qualified independent third-party auditors on a yearly basis. We utilize market-leading security tools, practices and procedures to maintain the highest level of security at VGS.
VGS requires HTTPS, using TLS 1.2 (SSL), for all services, including our public website and Dashboard.
We regularly audit the details of our implementations, including the certificates we serve, the certificate authorities we use, and the ciphers we support.
We encrypt all sensitive data (including card numbers) at the database field level using AES-256 encryption. Decryption keys are stored on separate devices, completely segmented from the data. Our internal servers and applications are designed so that it is impossible for VGS applications or employees to obtain plaintext card numbers or other sensitive fields. Applications or employees are only able to request that this data be shared with a pre-vetted service provider on a static whitelist. Finally, our systems for storing, decrypting and transmitting card numbers run in separate hosting infrastructure and do not share any credentials with our primary services (Proxy, Vaults, APIs, websites, etc.).