Very Good Security

“Never answer an anonymous letter”
—Yogi Berra

Did you ever wonder why doctor offices ask for your social security number?

They don’t want to keep your SSN, but it’s the primary “key” that identifies you to an insurance company. In computer science/math terms, they need to call a function. Let’s call it: int reimbursement(char * ssn)

When they plug your SSN into said function it returns a result (success, failure, more information needed, etc). Why does a lending company ask for your social? Same thing, but to look up your credit report. Why does Netflix need your credit card number? Same thing, but to get money from your bank. The problem is that these “keys” never change, are presented in the clear (your SSN never changes and you always write it down!), and function as a sort of bearer instrument — if you have the key, you can make a purchase, apply for a loan, etc.

It turns out none of these companies want to store this “confidential” and sensitive data (SSNs, credit cards, etc). They just want to perform operations on them.

Enter Very Good Security, aka VGS. (Cryptography people might recognize the name as a play on PGP, aka Pretty Good Privacy.) What VGS does is effectively redact and tokenize structured sensitive data — think credit cards, social security numbers, etc — returning a hashed form to the requestor. So instead of a doctor’s office storing your social, they might store a random string of letters returned to them by VGS (that is called the “tokenized” version, because it maps to the real version stored by VGS, and is not the same even across different VGS customers). When it’s time to bill your insurance company, their “reimbursement” code goes through VGS which “reveals” the token and sends the real version to the insurance company. VGS functions as a proxy server that scrambles/unscrambles sensitive information in real time.

Why is this important? For one, comparative advantage — VGS is built by security and cryptography experts whose only job is to store this stuff, not get hacked, and comply with often-complex regulatory requirements like PCI DSS and HIPAA (so companies don’t have to worry about it). For another, it provides provider portability. Many credit card processors bundle compliance, storage/tokenization, and processing — but if VGS is providing the first two, you can then easily change your “secure operations” provider and switch between reimbursement companies, card processors, credit report companies, etc.

It’s a very big idea, and the founders, Marshall and Mahmoud, built the company recognizing what a pain it was to deal with PCI compliance — why not outsource that to somebody? And this problem is not unique to PCI or the credit card processing world; it applies to all types of sensitive data and the secure operations that must be performed on said data.

We are incredibly excited to partner with VGS and help them build a category-defining enterprise platform.




The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation.

This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments and certain publicly traded cryptocurrencies/ digital assets for which the issuer has not provided permission for a16z to disclose publicly) is available at

Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see for additional important information.

Stay on top of fintech

Sign up for our fintech newsletter to get the a16z take on the future of fintech.