Protecting personal information is our top priority. For the sake of our users and customers, we don't compromise or cut corners when it comes to data security. As part of that commitment, we operate with the utmost transparency. The following overview provides a high-level look at the ever-evolving security practices we have in place.
SOC 2 Type II - Argyle has completed a SOC 2 Type II examination for security, availability, and confidentiality and is audited annually. SOC 2 Type II is the most comprehensive certification within the System and Organization Controls (SOC) framework. Our successful SOC 2 Type II examination attests to our stringent compliance with these standards over a six-month look-back period. The report is available, upon request, for review by existing customers and prospects. As the information is confidential, we require a signed NDA before releasing the report.
ISO 27001 - Argyle has achieved ISO 27001 certification, and the certificate is available, upon request, for review by existing customers and new prospects without a signed NDA. By being audited and certified against the ISO 27001 standard, we demonstrate our commitment to identifying risks and putting in place robust, repeatable controls, ensuring that our organization maintains a strong security posture.
GDPR & CCPA - Argyle is audited annually by external independent auditors against the GDPR and CCPA privacy regulations. By complying with GDPR and CCPA we demonstrate our commitment to protecting personal information and enforcing a consent-based model for personal data processing.
PCI DSS - Our security and compliance practices uphold the highest standard of security whenever we process or transmit credit card and cardholder data. By complying with PCI DSS we demonstrate our commitment to ensuring the security of credit card and cardholder data.
Powered by Google KMS, we keep all data encrypted with RSA 4096 keys (the same grade used by the US military) and SHA-256 signing. Data sent to or from our infrastructure is encrypted in transit using industry best practices based on Transport Layer Security (TLS). At rest, all data is protected by battle-proven encryption algorithms, and secrets are stored using kubeseal secret management. You can view our SSL Labs report.
According to Europe’s General Data Protection Regulation of 2018, personal data, including employment data, is owned by the individual it represents, and consent to process and share that data must be “freely given, specific, and informed.” We couldn’t agree more.
When a company uses Argyle, they are sending a request to an individual for permission to access their employment data, empowering the average person to exercise consent and data ownership.
Our work on security and privacy efforts does not have an end; it's a continuous cycle of researching, revising, implementing, testing, fixing, scaling, blocking, and permissioning. We are constantly working to meet and exceed what is asked of us from regulators, investors, partners, and users, and we collectively live the security processes on a daily basis. Security and privacy are integral to our culture.
All permissioned user data held by Argyle is available to our customers for electronic retrieval for a period of 30 days after the expiration or termination of the Master Service Agreement. All data is then completely removed from Argyle's servers. Every user can request the removal of their personal data by contacting Argyle support. Read more about our privacy settings.
Argyle’s API, the main entry point of user data, only allows client requests using strong TLS protocols and ciphers. All communication between Argyle infrastructure and data platforms is transmitted over encrypted tunnels. Read more about our API in our technical documentation.
All of our services run in Google Cloud Platform (GCP). We don’t host or run our own routers, load balancers, DNS servers, or physical servers. GCP regularly undergoes independent verification of security, privacy, and compliance controls against the following standards: ISO/IEC 27001, ISO/IEC 27017, SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, CSA Star, FedRAMP, and many others. You can read more about their practices here.
Our application security monitoring and protection solutions give us the visibility to:
We also deploy a runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real time, as well as security headers to protect our users from attacks. You can check our grade on Security Headers.
Our network consists of multiple security zones, which we monitor and protect with trusted next-generation firewalls, including IP address filtering, to guard against unauthorized access. We deploy an intrusion detection and prevention solution (IDS/IPS) that monitors and blocks potentially malicious packets, as well as distributed denial of service (DDoS) mitigation services powered by an industry-leading solution.
The following protocols ensure the highest level of security in our software:
When users grant Argyle permission to access their data, they are authorizing us to serve as their Designated Data Transfer Agent. That means we don't look at our users' data, and we transfer it only when an employee tells the system where to take it.
Our security team comprises security experts dedicated to constantly improving the security of our organization. Our team is trained in security incident response, security threat detection, and the latest security best practices.
If you discover vulnerabilities in our application or infrastructure, we ask that you alert our team by contacting [email protected]. We also publish an industry-standard security.txt file, including our PGP key, if you prefer encrypted communication. We will do our best to respond to your submission as quickly as possible.
If you are investigating a potential vulnerability, we would appreciate it if you would: (1) avoid automated testing and only perform tests using your own or dummy data; (2) include a proof of concept in your email to us; (3) not disclose information regarding the vulnerability until we have fixed it.
Note that our bug bounty program is currently closed and we are not looking for new security researchers. We won’t pay rewards to anybody who is not part of the program.