VGS

01Who they are, now

On a quiet block off Union Square, a company you've probably never heard of is holding the credit card numbers of people you definitely have. The cards belong to customers of Brex, Mercury, Sprout Social, SumUp and a long list of Fortune 500s. The numbers themselves sit in a vault run by a 460-person company called VGS - short, with a wink, for Very Good Security.

VGS does not issue cards. It does not process payments. It does not lend, score, or underwrite. What it does is more boring and more useful: it stands between its customers and the most dangerous data those customers handle, swaps that data for tokens, and quietly takes on the regulatory weight of holding the real thing. As of 2025 it had crossed five billion tokens under management. Most people, including most of the people whose cards are in there, will never know.

The pitch is unusually honest: hand us your worst liability and we'll keep it for you. - the entire VGS thesis, in one line

02The problem they saw

In 2015, the way most companies handled card data was, to put it charitably, optimistic. A fintech with twelve employees would routinely take on the same PCI obligations as a global bank - a 200-page checklist, an annual auditor, and the kind of insurance premium that makes founders cry. The unspoken assumption was that every company touching payments would, eventually, become a security company on the side.

Mahmoud Abdelkader and Marshall Jones noticed this is a strange assumption. The companies didn't want to be security companies. They wanted to ship features. The data was a hot potato everyone had to keep juggling, and dropping it was career-ending. Someone, they figured, should just hold the potato.

Compliance has always been a tax. VGS treats it like a product. - on why a vault is a business

03The founders' bet

The bet was specific and a little contrarian: customers will route sensitive data through a third party rather than store it themselves, even when that third party is a tiny startup. In return, that startup carries the audits, the certifications, and the liability. The customer's own engineers literally never see the card number. They see a string of characters where a card number used to be.

Andreessen Horowitz wrote the first big check. Goldman Sachs joined. Vertex Ventures US led the $60 million Series C in December 2020, bringing total funding to $103.5 million. None of that was money for a moonshot. It was money to make a specific kind of plumbing very, very reliable.

Mahmoud Abdelkader

Co-founder, ran the company as CEO through its first decade. Background in trading infrastructure and security.

Marshall Jones

Co-founder and CTO. Engineer-entrepreneur, the architect of the original forward-proxy approach that makes VGS work.

Chuck Yu

Stepped in as CEO in 2023 to scale the company into its enterprise era. Hired specifically for the operator chapter.

Three people, one increasingly large vault.

04The product, in plain English

VGS sits as a forward proxy between a company's app and the rest of the internet. Sensitive fields - card numbers, bank credentials, SSNs - hit VGS first. VGS swaps them for tokens, hands the tokenized payload to the customer's own systems, and stores the real values inside a PCI-compliant vault. When the customer needs to actually charge a card or update an account, they ask VGS to swap the token back, briefly, for the duration of an outbound API call.

Stacked on top of that vault is the rest of the catalog: a composable Card Management Platform for orchestrating across PSPs, Network Tokens issued in partnership with Visa, Mastercard and Amex, an Account Updater that keeps stored credentials fresh, a single-API 3DS integration shipped in late 2025, and Agent Connect, an AI-driven commerce tool announced in January 2026 that pushes the model into agentic checkout.

Five billion tokens. Each one a small act of refusing to look at something dangerous. - the company's milestone, deadpanned

VGS Vault

PCI Level 1 storage for cards, SSNs and other structured sensitive data. The product the rest of the catalog rests on.

Card Management

Composable platform that lets one set of credentials work across multiple payment processors.

Network Tokens

Visa, Mastercard and Amex tokens provisioned through VGS to lift authorization rates.

Account Updater

Keeps stored card credentials current when issuers reissue, expire or replace them.

3DS

Single-API 3-D Secure shipped November 2025 to reduce fraud and raise approvals.

Agent Connect

The 2026 wager - putting the VGS stack underneath AI agents that buy on behalf of users.

A decade of holding other people's data

2015

Abdelkader and Jones found Very Good Security in San Francisco.

2018

$8.5M Series A led by Andreessen Horowitz.

2019

$35M Series B with Goldman Sachs joining.

2020

$60M Series C led by Vertex Ventures US.

2023

Chuck Yu introduced as CEO.

2024

3 billion tokens managed milestone.

2025

5 billion tokens. Single-API 3DS ships.

2026

Agent Connect launches for AI commerce.

05The proof

The argument for VGS lives in a chart, not a pitch deck. The number of tokens under management has roughly doubled every year since 2020. That growth has nothing to do with marketing budget and everything to do with the fact that every additional customer signs up to never delete a record - the vault is sticky by design.

Tokens under management (cumulative, approx.)

2020

~300M

2022

~1.1B

2024

3.0B

2025

5.0B+

Source: VGS press releases (May 2024, June 2025). 2020 and 2022 figures are approximations from public company statements.

The customer list reads like a tour of the post-2018 fintech boom and the parts of the Fortune 500 that have decided to act like one.

BrexMercuryDeserveHM Bradley UnitSprout SocialSumUpBilt Texas Capital BankFivestarsDoNotPay

A partial list. The full one is, mercifully for everyone involved, not public.

The point of a vault is that you don't talk about what's in it. - why this customer list is shorter than the real one

06The mission

Stated baldly: let companies operate on sensitive data they never have to see, store, or be liable for. Stated less baldly: VGS is trying to make data ownership a choice rather than an inevitability. The company calls this "zero-data" - the architectural idea that the safest record is the one you never had in the first place.

This is unfashionable in an era where most companies hoard data like dragons. VGS sells the opposite of hoarding. It sells deliberate forgetting, with receipts.

In a decade of AI-powered everything, the most radical product might be a vault that says no. - on the strange counter-trend in fintech

07Why it matters tomorrow

The release of Agent Connect in January 2026 hints at where the next decade goes. If AI agents are going to make purchases on behalf of users - and a lot of credible people are betting they will - someone needs to hold the credentials those agents use, with the same boring rigor that VGS already applies to cards. The agent should not see the card. The merchant should not see the card. Possibly no human at all should see the card. That is the world VGS has been quietly building toward since 2015.

The other reason it matters tomorrow is regulatory. PCI 4.0, GDPR enforcement, US state-level privacy laws and the patchwork of new fintech rules are all moving in the same direction: more liability for whoever holds the data. VGS has built a business on being the entity that volunteers.

You will use a VGS-tokenized card today. You will not know it. That is precisely the deal. - closing thought

Back to that quiet block off Union Square. The vault is still there. It is bigger now - five billion records bigger - and it is about to start holding credentials for AI agents on behalf of people who will never meet either the vault or the agent. The original bet has aged unusually well: most companies, given the chance, would rather not hold the potato.

08Links & resources

Website LinkedIn GitHub YouTube Blog Press releases Crunchbase Product demos (YouTube) Founder interviews Email Marshall Jones