Agorapulse respects our customers’ privacy and keeping our customers’ data protected at all times is our highest priority.
This document provides a high-level overview of the security practices put in place to achieve that objective.
All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers.
Our service is built on Amazon Web Services (AWS). AWS provides strong security measures to protect our infrastructure and holds a broad set of certifications (Cloud Security Alliance STAR Level 2, ISO 9001, 27001, 27017, 27018, PCI DSS Level 1, and SOC 1, 2, and 3).
You can read more about their security here: https://aws.amazon.com/security/
You can read more about their compliance programs, such as PCI-DSS, ISO or SOC, here: https://aws.amazon.com/compliance/programs/
Our network security architecture consists of multiple security zones. We monitor and protect our network to make sure no unauthorized access occurs, using:
Customer Data is hosted in the AWS Ireland region.
Encryption in transit
All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS).
Encryption at rest
All our user data (including passwords and access tokens) is encrypted in the database using battle-tested encryption algorithms.
Our goal is to avoid any downtime at all costs and provide 99.99% uptime.
Therefore, our platform is built with full redundancy and isolation to avoid any single point of failure.
You can follow the real-time status of our services here: https://status.agorapulse.com/
We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster.
All our backups are encrypted.
All Agorapulse apps and services are 100% developed internally by full-time employees without any outsourcing.
Developers participate in regular security training to learn about common vulnerabilities and threats.
We follow OWASP (Open Web Application Security Project) standard security controls for application security.
We review our code for security vulnerabilities.
We regularly update our dependencies and make sure none of them has known vulnerabilities.
We use a full security monitoring solution to get visibility into our application security at runtime, identify attacks and automatically block them when possible.
We constantly monitor exceptions and logs and detect anomalies in our applications.
We collect and store logs to provide an audit trail of our applications' activity.
The Agorapulse product incorporates data security and data privacy through multiple features, as detailed below.
Agorapulse uses a role-based access control (RBAC) approach to determine the access privileges each user requires. Within each organization, users are assigned the configured roles that match their needs.
Authentication on Agorapulse can be handled via Facebook Connect and/or email+password.
When Facebook Connect is enabled, no authentication data is stored on our side.
When email+password login is enabled, passwords are stored one-way hashed with a random salt.
We collect and store logs to provide an audit trail of our authentication and security-related activity.
For an additional layer of security, users can enable multi-factor authentication, based on a dedicated mobile app such as Google Authenticator or Authy.
All new hires are provided with security on-boarding training, which includes setup and training on using a password manager and detecting phishing or social engineering.
We assume all networks are untrusted, and focus instead on making sure our endpoints (e.g. laptops) are secure.
Employee devices are managed through a device management program to ensure that our fleet runs with the latest security fixes and secure configuration (encrypted disks, firewalls, etc).
Access into both development and production environments requires both SSH keys and 2FA.
Only our Engineering Ops team has access to our production environment.
We have automated processes in place that monitor each host for unauthorized login attempts; offending IP addresses are automatically blacklisted and an alert is raised.
We enable mandatory 2FA for all employees on all strategic services where it is supported. Before deciding to use another third-party cloud service, we assess both the type of data that would be stored there and that company's security practices.
We believe that security researchers make computing safer and more secure for everyone, and thus we encourage security testing and research on Agorapulse.
Please avoid automated testing and only perform security testing with your own data.
Please do not disclose any information regarding the vulnerabilities until we fix them. Rewards are granted at our discretion, depending on the criticality of the vulnerability reported.
Potential vulnerabilities can be reported through our private bug bounty program running on HackerOne.
Please contact us at email@example.com and provide:
Agorapulse is GDPR compliant.
You can read more about Agorapulse & GDPR here: https://www.agorapulse.com/gdpr
Agorapulse is PCI SAQ-A compliant.
Payment transactions are outsourced to Recurly which is certified as a PCI Level 1 Service Provider.
Agorapulse is recognized as an official partner of Facebook, Instagram and LinkedIn.
Have questions or feedback? Reach out to us at firstname.lastname@example.org.