Payment data encryption startup Evervault Inc. said today it’s aiming to become the internet’s “clearing house for sensitive data” after raising $25 million in a Series B round of funding.
The round was led by Ribbit Capital and saw participation from Sequoia Capital and Index Ventures, bringing the company’s total amount raised to date to $46 million.
The startup has created a novel “secure-by-default” approach to encrypting sensitive data such as credit card numbers, transaction details and personally identifiable information. Targeted at payment companies, it ensures sensitive data is never stored in plaintext – neither in its client’s systems nor in those of merchants – making it virtually impenetrable to hackers. Instead, it relies on a “dual custody” model, where clients store the encrypted data and it holds the encryption keys.
At the point of collection, Evervault uses secure and compliant iframes to gather sensitive card data from the user’s web browser and immediately encrypt it using a public encryption key, preventing that information from passing through any merchant’s server in plaintext. All cryptographic operations take place exclusively within Amazon Web Services Inc.’s Nitro Enclaves. Those are hardened, isolated virtual machines designed to protect data as it’s being processed.
The company uses industry-standard encryption algorithms such as AES-256-GCM for data symmetric encryption and Elliptic Curve Diffie-Hellman (ECDH) for key exchange. The encryption keys are split using Shamir’s Secret Sharing, with half being stored on the client’s infrastructure and the other half secured on its own. This means hackers would have to breach both Evervault’s and the client’s systems to access the full encryption key.
Evervault’s Relay technology serves as a configurable network proxy that automatically encrypts sensitive data in HTTP requests before they reach the server. It decrypts that information only when it reaches a trusted third-party application programming interface owned by the payment processor. All cryptographic operations take place exclusively within Amazon Web Services Inc.’s Nitro Enclaves, which are hardened, isolated virtual machines designed to protect data as it’s being processed. Once the transaction has been processed, the data is permanently deleted from the enclave.
Evervault founder and Chief Executive Shane Curran said his company’s platform doesn’t just make sensitive data bulletproof, but also eases the compliance burden for its customers. They can reduce their PCI DSS compliance scope to the simplest level, simply because their infrastructure never sees any raw payments data.
That allows its clients to save about $100,000 per year on compliance-related costs, he said. “Most compliance frameworks assume sensitive data will exist in plaintext somewhere, but with automated, high-velocity data, that’s a liability,” he explained. “We believe sensitive data should be treated like hazardous material. Systems must be designed so it isn’t touched in the first place.”
Constellation Research analyst Holger Mueller said it’s always good to see more innovation on the security front, as commerce and finance increasingly becomes digital, expanding the attack surface of credit card and transaction data.
“It’s not easy to keep customer’s credit card data safe and secure, and as the number of threats increase, it becomes a massive burden for anyone trying to do business online,” the analyst explained. “Quite simply, dealing with this is not their core business, it’s just a distraction from the real business. If Evervault can help businesses focus more on what they’re supposed to be doing and less on the security side, it’s going to be good for business.”
The startup says it has enjoyed a lot of traction in the card payments industry and already serves “hundreds” of customers, including companies such as Overwolf, Ramp and Rippling. In the last year, its revenue has increased by more than four times, and it has safely processed more than $5 billion in total transaction volume over that period.
It claims to have more than 7,000 integrations with banks and financial institutions. Going forward, it’s planning to expand its encryption infrastructure to make it even more secure, invest in the development of new products and grow its product and engineering teams.
Ribbit Capital General Partner Justin Saslaw believes there’s going to be a lot more demand for Evervault’s services in future, because the amount of sensitive data flowing through digital systems is exploding as more commerce moves online. “Everyone has to figure out how to handle that data safely,” he said. “This is a massive, global problem that touches every industry, and Evervault is building the core infrastructure to move and process that data securely.”
Image: Evervault
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
