Agiloft takes the issue of security very seriously. We work to ensure that the Agiloft application, infrastructure, and organization implement the best practices necessary to provide military-grade security to our customers. And we engage third party security specialists to actively test compliance.
Agiloft employs a multi-layered security policy, summarized below:
The code is developed in accordance with the CERT Secure Coding Standard for Java and the OWASP Enterprise Security API (ESAPI) is used within the application to implement security best practices.
Security testing of Agiloft’s code is an integral component of the software development lifecycle. Code security analysis and testing verify and ensure the security and quality of the Agiloft platform against various types of attacks. Senior developers and the Code Security Officer analyze scan reports, classify vulnerabilities, and can apply meaningful prioritization policies to identified vulnerabilities. The Code Security Officer is also responsible for the design, implementation, maintenance, and adherence to secure coding best practices in the engineering teams and QA and for the implementation of software security assurance.
3rd Party Validation
The product was tested by a security team from the U.S. Air Force and approved for deployment on the Secure Network at the U.S. Department of Defense.
Agiloft engages third party security companies to perform in-depth penetration assessments of the Agiloft application and our hosting infrastructure annually and after all major upgrades. This assessment uses both manual and automated techniques to search for technical vulnerabilities. In addition, we engage external parties to test the organization for resilience against social engineering attacks, a critical area of security which is too often overlooked. A copy of the most recent security audit can be provided upon receipt of a signed NDA.
We commission an independent security audit every year (changing auditors regularly to ensure a fresh look) to provide an objective and comprehensive evaluation of our security controls and enterprise readiness. The audit focuses on a detailed set of criteria that fully address the most stringent security requirements for data protection, identity verification, service security, business practices, and legal protection.
Additionally, Agiloft is SOC 2 Type 2 certified by the AICPA (Association of International Certified Professional Accountants). SOC 2 is today’s standard for certifying that a service provider implements and maintains stringent policies that ensure privacy and security of customer data stored in the cloud. With the SOC 2 certification, Agiloft’s customers can be confident that their data is secure.
We welcome additional security audits that current or potential customers may wish to perform and will provide any assistance required to conduct a rigorous evaluation.
With our Hosted Service, you have the choice between two different options— a hybrid Cologix/AWS hosting solution or an AWS-only hosting solution. Both Cologix and AWS offer full regulatory compliance with key standards such as SSAE 18, SOC 2 Type 2, HIPAA, and GDPR. For more complete security and compliance details, refer to the information listed on each provider’s website. For further information about Agiloft’s Hosted Service, see our Agiloft Hosted Service datasheet.
The hosting infrastructure is firewall protected and the individual servers are hardened by the application of security best practices.
The build process includes scanning for malware using both Symantec Endpoint Protection and NOD32. In addition, the build process includes virus scanning by ClamAV.
QA uses Burp Suite Pro to test security against exploits by malicious external users or internal power users.
Our security policies and procedures reinforce the security of our software and hosting infrastructure. For more information, see the Security Policy page.
As detailed on the Agiloft Features page, our software provides precise access control at the record and field level, all managed by extensible group permissions. It implements security best practices such as encrypting passwords using the SHA-2 one-way hash function and protecting all communications with SSL encryption.
For a downloadable and printer-friendly version of this page, refer to our Security datasheet.