Vault Security

Within the VGS Vault, your company’s sensitive data is located in a logically segregated, exclusive “customer vault” that belongs only to you. Your data is always protected with multiple layers of security, and you may configure your own unique account-based access rules. There is no direct access from the Internet to your vault.

Inside the VGS Vault, data is encrypted at rest with the Advanced Encryption Standard (AES), adopted by the US Government in 2001 and now used worldwide. VGS uses AES-256-GCM, which uses 256-bit keys, the longest and most robust AES key size. Your data is further protected with the latest Authenticated Encryption with Associated Data (AEAD) mode symmetric ciphers.

VGS key management is state-of-the-art. We use dedicated hardware security modules (HSMs) for key storage. Encryption and decryption keys are kept in highly secure, separate envelopes that are segmented from your vaulted data. Keys are rotated on a regular basis. Key access requires multiple layers of authentication. Role-based access controls ensure that only the VGS Vault application processes can touch the encrypt and decrypt operations. Data thieves and hackers cannot make use of any stolen information without the keys.

Clients have two choices for data aliasing: multiple token formats as defined by ANSI X9.119-2-2017 (Tokenization), in which your sensitive data is replaced with a data token; and NIST SP 800-38G (Format Preserving Encryption), in which the output preserves the format of your original data.

The VGS Vault is continuously hardened against infrastructure, system-level, and configuration vulnerabilities and exposures. It is shielded against viruses and other forms of malware. We regularly test our systems and always apply the latest applicable security patches and secure configurations to all operating systems, containers, applications, and infrastructure to minimize exposure to vulnerabilities.

The VGS platform is continuously scanned by best-of-breed security experts and tools, including HackerOne. We undergo regular application and network vulnerability assessments, including architecture reviews, performed by independent Managed Security Services Providers (MSSPs). VGS conducts annual internal/external penetration tests and bi-annual segmentation tests. All vulnerabilities discovered are documented and immediately remediated, with post-mortem analyses to identify root causes and implement future controls.

VGS employs 24/7 threat monitoring, intrusion detection, anomaly analysis, threat analytics, end-to-end event correlation, audit logging, change management controls, and traceability. VGS monitors, tests, and reviews all employees, customers, vendors, and operations, and we investigate all suspicious behavior and unauthorized activities.

The VGS incident response program includes clearly documented escalation and notification procedures. All incidents and vulnerabilities are immediately escalated to our security team, evaluated, risk-ranked, and assigned for resolution by trained VGS personnel. Remediation takes place with minimal customer impact and interaction. We provide detailed customer post-mortems for all major incidents within 3 business days.
