Agiloft takes the issue of security very seriously. We work to ensure that the Agiloft application, infrastructure, and organization implement the best practices necessary to provide world-class security to our customers. And we engage third-party security specialists to actively test compliance.

Agiloft employs a multi-layered security policy, summarized below:

Development process

The code is developed in accordance with the CERT Secure Coding Standard for Java and the OWASP Enterprise Security API (ESAPI) is used within the application to implement security best practices.

Security testing of Agiloft’s code is an integral component of the software development lifecycle. Code security analysis and testing verify and ensure the security and quality of the Agiloft platform against various types of attacks. Senior developers and the Code Security Officer analyze scan reports, classify vulnerabilities, and can apply meaningful prioritization policies to identified vulnerabilities. The Code Security Officer is also responsible for the design, implementation, maintenance, and adherence to secure coding best practices in the engineering teams and QA and for the implementation of software security assurance.

3rd Party Validation

Agiloft engages third party security companies to perform in-depth penetration assessments of the Agiloft application and our hosting infrastructure annually and after all major upgrades. This assessment uses both manual and automated techniques to search for technical vulnerabilities. In addition, we engage external parties to test the organization for resilience against social engineering attacks, a critical area of security which is too often overlooked. A copy of the most recent security audit can be provided upon receipt of a signed NDA.

Sky High Enterprise-Ready badgeWe commission an independent security audit every year (changing auditors regularly to ensure a fresh look) to provide an objective and comprehensive evaluation of our security controls and enterprise readiness. The audit focuses on a detailed set of criteria that fully address the most stringent security requirements for data protection, identity verification, service security, business practices, and legal protection.

Agiloft is both SOC 1 Type 2 and SOC 2 Type 2 certified by the AICPA (American Institute of Certified Public Accountants). SOC 1 and SOC 2 certifications confirm Agiloft’s security management protocols and access controls continue to meet today’s highest international security standards and provides further recognition of Agiloft’s enterprise-class CLM security and ongoing commitment to protecting customer data at all levels.

ISO27001 badgeAgiloft has also achieved ISO/IEC 27001:2013 (E) Certification, which is the global information security standard published by the International Organization for Standardization (ISO), the world’s largest developer of voluntary international standards, and the International Electrotechnical Commission (IEC). Agiloft’s certification was issued by A-LIGN, an independent and accredited certification body, on successful completion of a formal audit process, which ensured that the security of all the data and information held within Agiloft’s CLM is properly maintained and access to that data is controlled in all areas of a user’s organization.

With SOC 1, SOC 2, and ISO 27001 certification, Agiloft’s customers can be confident that their data is secure.

We welcome additional security audits that current or potential customers may wish to perform and will provide any assistance required to conduct a rigorous evaluation.

Hosting Infrastructure

With our Hosted Service, you get fully redundant AWS service whether inside or outside the USA.  AWS offers full regulatory compliance with key standards such as SSAE 18, SOC 2 Type 2, HIPAA, and GDPR. For more complete security and compliance details, refer to the information listed on each provider’s website. For further information about Agiloft’s Hosted Service, see our Agiloft Hosted Service page.

The hosting infrastructure is firewall protected and the individual servers are hardened by the application of security best practices.

Security Policy

Our security policies and procedures reinforce the security of our software and hosting infrastructure. For more information and to read our security policy, please reach out to [email protected]


Our software provides precise access control at the record and field level, all managed by extensible group permissions. It implements security best practices such as encrypting passwords using the SHA-2 one-way hash function and protecting all communications with SSL encryption.

Last updated: 12/26/2023