Security
Certifications
GDPR
We comply with the European Union’s General Data Protection Regulation (GDPR), which governs data protection and privacy for all individuals who are citizens of the European Union and the European Economic Area.
Infrastructure Security
We contract our digital hardware to cloud vendors that adhere to the applicable data regulations and compliance standards. Our infrastructure runs on data centers provided by Amazon Web Services (AWS), which holds SOC 2 and PCI Level 1 certifications, among others. AWS, as a platform provider, offers a number of security- and privacy-focused features, which we leverage wherever applicable.
Our servers run on stable, regularly patched versions of Amazon Linux with carefully configured security groups, isolated VPC environments with well-defined network segmentation, role-based access control, and advanced web application firewall protection.
Physical and Environmental Security
We do not have in-house data centers. Amazon Web Services (AWS) manages the physical and environmental security of our data centers. Our internal security program covers physical security at our offices.
For more details, please review AWS' control and security measures at https://aws.amazon.com/compliance/data-center/controls/
Product and Service Security
We distribute and serve our products and services exclusively over HTTPS and secure WebSockets. All network interactions use TLS with 2048-bit digital signatures and 128-bit AES encryption. Additionally, we use HTTP Strict Transport Security (HSTS) to ensure that the applications never interact with our servers over an insecure network path.
Software Security
Our applications run on the latest stable version of Node.js. We reduce the attack surface by isolating our processes using hardened containerization technology. Our security team sets architectural guidelines, conducts code reviews, and deploys every software system that can interface with customer data.
Our developers are trained with specific attention to security. Our automated and manual code review processes look for any code that could potentially violate security policies. We have also instituted a standardized security stack that is checked with software composition analysis tools.
Vulnerability Management
Our security team performs Vulnerability Assessment and Penetration Testing (VAPT) on our ongoing releases and on the products and services they interface with.
Employee Access
To manage employee access, we have implemented an audited identity and access management (IAM) security policy that covers access control, a secure password policy, BYOD, and secure network access.
All internal services require single sign-on with RSA two-factor authentication (2FA). All SSH-based access follows a mandatory key-based policy: keys must be stored securely and rotated frequently, and all access to them is logged.
Data Security
All customer data is stored in databases on Amazon, which are configured securely. Data is stored with at least dual redundancy, with 15-day backups, and is accessible only within the private cloud. We have also instituted per-service access protection and isolation of data.
We maintain all internal testing and validation data in an internal stack equivalent to the production stack, populated with fictitious data. Agile Ready, LLC does not distribute actual customer data for internal testing or validation purposes.
We have instituted a role-based access process to govern access to any customer data required for customer support (or otherwise). This process is audited and recorded, and includes human arbitration by a core team consisting of the founders and the CEO. This team validates the stated requirement and ensures that data is obfuscated and sanitized before it is communicated back to customer support or engineering. Customer data classified as sensitive is not accessible by any party except the customer.
Attack Prevention and Mitigation
We maintain intelligent web application firewalls on our load balancers which, along with the elastic scaling capacity of our compute instances, mitigate attacks at the application layer.
We log activity across our platform, from individual API requests to infrastructure configuration changes. Logs are aggregated for monitoring, analysis, and anomaly detection, and archived in vaulted storage. We implement measures to detect and prevent log tampering or interruptions. To detect security breaches, we monitor access patterns and network data flow patterns using automated systems that alert us in case of an anomaly. We also monitor private contacts and public channels of our open-source and third-party technology stacks for any security-related reports. In case of a customer-reported breach, the CEO is notified automatically and the report is responded to within a few hours, as per set policies.
Incident Response
We have incident response policies and procedures to address service availability, integrity, security, privacy, and confidentiality issues. As part of our incident response procedures, we have trained our teams to:
- Promptly respond to alerts of potential incidents.
- Determine the severity of the incident.
- Analyze and assess the extent of the incident.
- If necessary, execute mitigation and containment measures.
- Communicate with relevant internal and external stakeholders, including notifying affected customers so as to comply with relevant laws and regulations and meet contractual obligations around breach or incident notifications.
- Gather and preserve evidence for investigative efforts.
- Conduct and document a postmortem and develop a permanent triage plan.
Payment Processing
We process all payments using Stripe, which is PCI certified.
Reach out to Agile Ready Security
Our security team ensures the security of data stored with Agile Ready, LLC.
If you’ve found a vulnerability in our service or website, or want additional information about our security policies, you can reach us at info@agileready.net. We will review your report and respond to you within 24 hours.