Agiloft has been a strategic tool,
allowing us to grow
over the last few years.

– Mike Miller, Data Intensity

Agiloft takes the issue of security very seriously. We work to ensure that the Agiloft application, infrastructure, and organization implement the best practices necessary to provide military-grade security to our customers, and we engage third-party security specialists to actively test compliance.

Agiloft employs a multi-layered security policy, summarized below:

Development process

The code is developed in accordance with the CERT Secure Coding Standard for Java, and the OWASP Enterprise Security API (ESAPI) is used within the application to implement security best practices.


Third-Party Validation

The product was tested by a security team from the U.S. Air Force and approved for deployment on the Secure Network at the U.S. Department of Defense. We then asked the team for their recommendation for further security testing. The U.S. Air Force security team recommended Knowledge Consulting Group (KCG, now part of ManTech International Corporation).

Agiloft engages KCG/ManTech to perform in-depth penetration assessments of the Agiloft application and our hosting infrastructure after all major upgrades. This assessment uses both manual and automated techniques to search for technical vulnerabilities. In addition, we engage KCG to test the organization for resilience against social engineering attacks, a critical area of security which is too often overlooked. A copy of the most recent security audit can be provided upon receipt of a signed NDA.

The product was audited by Skyhigh Networks and received the highest possible rating of Enterprise-Ready. The Skyhigh CloudTrust™ Program provides an objective and comprehensive evaluation of a service’s security controls and enterprise readiness based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Skyhigh evaluates thousands of cloud services and awards the Skyhigh Enterprise-Ready™ rating to only those services that fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.

We welcome additional security audits that current or potential customers may wish to perform and will provide any assistance required to conduct a rigorous evaluation.


Hosting Infrastructure

We offer hosting at Amazon Web Services (AWS) for SSAE 16 and FedRAMP compliance.

The hosting infrastructure is firewall protected and the individual servers are hardened by the application of security best practices.


Build/QA process

The build process includes scanning for malware using both Symantec Endpoint Protection and NOD32. In addition, the build process includes virus scanning by ClamAV.

QA uses Burp Suite Pro to test security against exploits by malicious external users or internal power users.


Security Policy

Security policies and procedures reinforce the software security and infrastructure, and are documented here.


Deployment

As detailed here, the software provides precise access control at the record and field level, all managed by extensible group permissions. It implements security best practices such as hashing passwords with the SHA-2 one-way hash function and protecting all communications with SSL encryption.
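The record-level and field-level checks driven by group permissions, together with one-way password storage, as an added illustration. This is not Agiloft's code: the group names, the permission table, the ticket record and its owner field are all constructed for the example, and the salted, iterated PBKDF2-HMAC-SHA256 used in the password helper is the editor's assumption of current practice, which goes beyond the page's bare statement that SHA-2 is used.

```python
"""Group-based record- and field-level access control plus SHA-2 password
hashing. Added illustration, not Agiloft's code; the data model (groups,
permission table, record owner field) is assumed."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupPermission:
    """What one group may do with one record type."""
    view_own_only: bool   # record-level rule: only records the user owns
    readable: frozenset   # field-level read set
    writable: frozenset   # field-level write set (subset of readable)


# Constructed permission table for a hypothetical "ticket" record type.
ALL_FIELDS = frozenset({"title", "body", "assignee", "internal_notes"})
PERMISSIONS = {
    "admin": GroupPermission(False, ALL_FIELDS, ALL_FIELDS),
    "support": GroupPermission(False, ALL_FIELDS,
                               frozenset({"assignee", "internal_notes"})),
    "customer": GroupPermission(True, frozenset({"title", "body", "assignee"}),
                                frozenset({"title", "body"})),
}


@dataclass
class User:
    name: str
    groups: frozenset


@dataclass
class Record:
    owner: str
    fields: dict


def effective_permission(user, record):
    """Union the permissions of every group the user belongs to (groups are
    extensible: adding a group only widens access), applying each group's
    record-level ownership rule before its field sets are counted."""
    readable, writable = set(), set()
    for group in user.groups:
        perm = PERMISSIONS.get(group)
        if perm is None:
            continue  # unknown group grants nothing
        if perm.view_own_only and record.owner != user.name:
            continue  # record-level check fails for this group
        readable |= perm.readable
        writable |= perm.writable
    return frozenset(readable), frozenset(writable)


def visible_fields(user, record):
    """Return only the fields the user may read (field-level filtering)."""
    readable, _ = effective_permission(user, record)
    return {k: v for k, v in record.fields.items() if k in readable}


def apply_update(user, record, changes):
    """Reject the whole update if any field is not writable, so a partial
    write never slips through alongside permitted ones."""
    _, writable = effective_permission(user, record)
    denied = set(changes) - writable
    if denied:
        raise PermissionError(f"{user.name} may not write {sorted(denied)}")
    record.fields.update(changes)
    return record


# Password storage. The page states SHA-2 one-way hashing; the salt and the
# iteration count (PBKDF2-HMAC-SHA256 is built on SHA-2) are an assumption of
# current practice added here, not a description of the product.
def hash_password(password, salt=None, iterations=200_000):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_password(password, stored):
    salt_hex, iters, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time


if __name__ == "__main__":
    ticket = Record(owner="alice", fields={"title": "Login fails", "body": "...",
                                           "assignee": "bob", "internal_notes": "VIP"})
    alice = User("alice", frozenset({"customer"}))
    carol = User("carol", frozenset({"customer"}))
    print(visible_fields(alice, ticket))  # owner sees all but internal_notes
    print(visible_fields(carol, ticket))  # not the owner: nothing visible
```

The ownership test is applied per group before that group's field sets are merged, so a customer who is also in "support" still sees other customers' tickets through the support grant only; removing the support group narrows access back without touching any other rule.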


Privacy Policy

Our privacy policy ensures that you retain full ownership of your data and that it is not shared with third parties. It is documented here.