# VGS Vault

The VGS Vault is a customer-configurable, PCI-compliant storage zone where organizations can securely collect, store, and exchange sensitive data such as payment credentials, personal information, or any other confidential records.

Each data element stored in a Vault is replaced with a VGS Alias, a unique token that represents the original value but carries no inherent value to bad actors.

This aliasing process ensures that your systems, logs, and databases only ever handle non-sensitive representations, while VGS retains the responsibility for safeguarding the real data in a secure and compliant environment.

Vaults can be accessed and integrated through the VGS Secure Data suite of tools, including the [HTTPS Proxies](/vault/http-proxy.md), [Batch File Transmission Mechanisms](/vault/batch-file-transmission.md), and [TCP Proxy](/vault/iso-proxy.md). Vaults can also be accessed securely using the [VGS Vault API](/vault/developer-tools/apis/vault-api.md).

This flexibility enables secure data exchange across applications, services, and external partners, while preserving end-to-end data privacy and governance.

## Managing Vaults

Organizations can operate multiple VGS Vaults to support different business units, environments, and compliance boundaries. Each Vault is isolated and independently configurable, allowing teams to separate data flows according to security, regulatory, or operational needs.

### **Sandbox vs. Live Vaults**

VGS provides two Vault environment categories to support the full software development lifecycle:

#### **Sandbox Vaults**

Sandbox Vaults are designed for development, testing, and automation.  They simulate live data flows without exposing real customer data, allowing developers to safely experiment with integrations, proxy routes, and API configurations. Sandbox Vaults support end-to-end automation, including CI/CD pipelines, QA environments, and contract testing, helping teams validate data flows before promoting to production.

#### **Live Vaults**

Live Vaults handle production traffic and real sensitive data. These Vaults are hosted in VGS’s fully compliant production infrastructure, ensuring adherence to PCI DSS, SOC 2, and other regulatory standards.

Live Vaults are used when applications need to tokenize, store, or exchange real data with downstream partners, such as payment processors, banks, or identity providers.

Together, Sandbox and Live Vaults create a safe progression path for building, testing, and deploying secure data operations.

Organizations can freely migrate configurations and routes between Vaults using the VGS Dashboard or CLI, maintaining consistent policies while isolating environments for compliance and control.

## How to Create a Vault

<figure><img src="/files/UaneSBIikZ6kpCQikIOM" alt=""><figcaption></figcaption></figure>

Vaults are managed via the VGS Dashboard or VGS CLI. There is no limit to the number of Vaults you can create.

## How Do I Control Access to Vaults

Users can be provisioned to a Vault with a `read`, `write` or `admin` role. Each role provides a different level of access. To implement strong SDLC, customers will typically provide engineers with `write` permissions to Sandbox Vaults and then use a service account to manage promoting the configuration of a Sandbox vault to their Live vault via an automated system.

## Where Are Vaults Located?

VGS supports multiple global deployment regions, allowing customers to meet data residency requirements and minimize latency across geographies.

Regional Vault options enable you to store and process data within your preferred jurisdiction, ensuring minimal network travel time as well as alignment with privacy regulations like GDPR and other local data protection frameworks.

VGS currently supports deployments in North America, Europe, and Asia Pacific. More details on regional deployments and availability zones can be found [here](/vault/vaults.md).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.verygoodsecurity.com/vault/vault.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.