
How Argyle Reinforces User Consent as Industry Standard

When a user grants Argyle permission to access their employment records, they are authorizing Argyle to serve as their designated Data Transfer Agent. That means Argyle does not view or retain that user’s data beyond its explicit purpose. Instead, we transfer it to a third party the user has explicitly consented to. It also means that we maintain a steadfast commitment to never aggregate, resell, or reuse a user’s private data under any circumstances.
A Data Transfer Agent is a legal framework enacted by the Dodd-Frank Act of 2010 that allows data to be moved digitally from point A to point B with a consumer’s consent. When a user grants permission for their employment data to be transferred to a third party, Argyle helps ensure that their data is transferred securely to that intended party.

Our consent-based model gives people control over their personal information

According to Europe’s General Data Protection Regulation of 2018, personal data, including employment data, is owned by the individual it represents, and consent to process and share that data must be “freely given, specific, and informed.”
When a company integrates with Argyle, they are using our technology to ask their end-users for permissioned access to their employment data. In effect, Argyle enables a consent-based model of data transfer that helps real people exercise ownership over their employment data and avoid situations where it is sold or used without their permission or knowledge, something that unfortunately defines the status quo across the financial world today. 
Not only does it start with consent, it also ends with consent. Users choose who can access their employment data, but also how long they have access to it. Data access can be ongoing or can be terminated at any time to give control back to the user. 

We enforce strict security practices and protocols

In line with our responsibilities as a Data Transfer Agent, we have strict security policies in place to safeguard our users’ privacy. Here’s a high-level look at what we do to ensure our users’ ongoing protection. (You can also learn more about our security protocols here.)

Data retention and removal

Argyle gives all users complete control over the retention and removal of their own data. To that end, we make user-permissioned data available to our customers for electronic retrieval for a period of 30 days after the expiration or termination of the master service agreement. All data is then permanently removed from Argyle’s server, and any user can request the removal of their personal data at any time by contacting our support team at [email protected]. A user’s data will never be retained or transferred without their consent.

Encryption

We use industry-grade security powered by Google KMS and keep all user data encrypted at RSA 4096 with SHA-256 signing. All data sent to or from our infrastructure is encrypted in transit via industry best practices using Transport Layer Security (TLS). At rest, all data is encrypted using battle-proof encryption algorithms and stored using kubeseal secret management services. You can view our SSLLabs report here.

Compliance

Our security protocols and best practices form the core of our software development methodology, and we regularly organize pen testing and simulated external attack vectors to keep our teams vigilant. We are ISO 27001 certified and have obtained a SOC 2 Type I report.
Our application security monitoring and protection solutions give us the visibility to:
  • Identify attacks and respond quickly to a data breach
  • Monitor exceptions and logs and detect anomalies in our applications
  • Collect and store logs to provide an audit trail of our applications’ activity
We also deploy a runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real time, as well as security headers to protect our users from attacks. You can check our grade on SecurityHeaders.io.

Partnerships

Our high security standards extend to the companies we partner with. We follow a selective process that entails a rigorous audit of a potential partner’s security and business practices to guarantee that all companies in our orbit abide by the same ethics that we do. That includes opting not to work with potential partners or customers who rely on predatory or abusive practices.

All in service of our mission

At Argyle, we recognize that employment data is owned by the individual it represents. In building the leading employment data platform, we’ve unlocked a dataset that has been monopolized by credit bureaus for 70 years, enabling innovative companies to provide better products to their users. But our real responsibility is to our users, and our end goal is simple and in service of them: to help all workers—gig, independent, and salaried—leverage the power of their employment data to seek more financial freedom and opportunity.  
Learn more about employment data’s role in promoting financial inclusion here.
