Security at Agility
At Agility, the security of your data is our top priority. Our Security Committee has oversight across all departments of the organization and has the mandate to ensure our ongoing accountability with regard to our data footprint, competence and capabilities.
Here you can review the security policies and procedures that Agility follows to secure your data on the Agility CMS platform.
Agility is SOC 2 Type 2 Compliant
Agility is certified as a SOC 2 Type 2 compliant organization, verified by our independent auditor, as of Dec 1, 2021, with recertification happening annually. We monitor our systems on an ongoing basis using services provided by Vanta to ensure no exceptions occur.
How your content is secured
Our infrastructure runs on Microsoft Azure, a top cloud infrastructure and service provider. Azure is trusted by leading companies, government institutions, and the US military to host their data storage, processing, and computing needs.
Since Agility is hosted 100% in the cloud, there is no specific physical location where your data is located. Instead, Microsoft Azure provides primary and secondary data regions where the storage services responsible for your data are located. These are protected by a high level of physical security.
Encryption and Data storage
Your data is stored in a combination of Azure storage resources, including Azure SQL Databases and Blob Storage. Industry-standard encryption and hashing are used, with all keys managed using Azure Key Vault.
All data is also stored in an encrypted state (encrypted at rest), as part of the base functionality of Azure Storage and Azure SQL Database.
Any data that needs to be secured beyond encryption at rest is further encrypted or hashed as necessary using industry-standard methodology. This includes passwords, data connection information, API keys, tokens, etc.
How your data is backed up
Because Agility CMS data is stored in Azure SQL Database, it is automatically backed up and restorable using point-in-time technology to an alternate region. Any data stored in Azure Blob storage is also replicated by the Azure sub-system to a secondary region, in addition to having 3 local copies within the primary data region. Azure is also responsible for encrypting these backups at rest.
All data transmitted between Agility CMS and your services, or a 3rd party, is sent using TLS 1.2 over HTTPS. Agility CMS uses a combination of Azure CDN and StackPath CDN for Content Delivery Services of static files and REST API content. These services are protected by TLS 1.2 encryption at all levels. This ensures that no data transferred internally within the Azure system, externally to the CDN nodes, or to your servers and clients can be intercepted or altered by a 3rd party.
While we run our own penetration testing, performed by 3rd parties, we also provide our enterprise customers, including leading ecommerce, government, and banking institutions, the opportunity to collaborate with us on custom pen testing to satisfy any extraordinary requirements.
Getting access to backend data
Access to backend data outside of the normal application flow is extremely limited. Only Agility product and support engineers with training and security clearance are granted this permission. These identities are protected by Azure Active Directory using multi-factor authentication.
If you require access to your backend data or have questions about your data, our support staff are happy to answer any question or to escalate any concerns to our engineers.
Ongoing security assessments
Agility uses Azure Security Center on an ongoing basis to assess shifts in, and possible improvements to, our security posture. This allows our engineers and support staff to actively update our systems to comply with deeper levels of security based on new threats and attack methodology.
Audits and monitoring
All access and activity within our Azure systems, including any changes to configuration, are audited and monitored with a history trail. Any code changes are performed via Azure DevOps using slot-based deployment.
Agility's Content Manager is declared to be PCI Compliant. We do not store or process card or payment credential information. We utilize tokenization and provider-specific vaults to validate, process, and capture transactions.
Our infrastructure runs in Microsoft Azure, where all components are deployed in at least three resource areas, minimizing disruptions caused by any failure and keeping your content constantly available. All services are deployed on load-balanced App Services, a Platform-as-a-Service (PaaS) system that keeps multiple instances of our code running at the same time. In addition, Azure Traffic Manager is used to geo-locate our services across multiple regions with failover in case of a failure in the primary region.
The Azure App Service Plans used to host the Agility CMS services are auto-scaling such that they can continue to operate in situations with extreme load or abnormal circumstances.
Security incident reporting
No matter the systems or procedures that are in place, a security incident is still possible. If such an event does occur, Agility is ready to manage this using a pre-defined process. We will notify any affected parties and work closely with them to both mitigate the risk immediately and resolve the problem moving forward.
Please contact us at firstname.lastname@example.org to report any incident.