Security and compliance at Argyle

We’re serious about safeguarding data.

Protecting personal information is our top priority. For the sake of our users and customers, we don't compromise or cut corners when it comes to data security. As part of that commitment, we operate with the utmost transparency. The following overview provides a high-level look at the ever-evolving security practices we have in place.

We’re compliant with the highest security and privacy standards.

SOC 2 Type II - Argyle has completed a SOC 2 Type II examination for security, availability, and confidentiality and is audited annually. SOC 2 Type II is the most comprehensive certification within the Systems and Organization Controls (SOC) protocol. Our successful SOC 2 Type II examination attests to our stringent compliance with these standards over a six-month look-back period. The report is available, upon request, for review by existing customers and prospects. As the information is confidential, we require a signed NDA to review the report.

ISO 27001 - Argyle has achieved ISO 27001 certification, and the certificate can be made available, upon request, for review by existing customers and new prospects without a signed NDA. By being audited and certified against the ISO 27001 standard, we demonstrate our commitment to identifying risks and putting in place robust, repeatable controls, ensuring that our organization maintains a strong security posture.

GDPR & CCPA - Argyle is audited annually by external independent auditors against the GDPR and CCPA privacy regulations. By complying with GDPR and CCPA we prove our commitment to protecting personal information and enforcing a consent-based model for personal data processing.

PCI DSS - Our security and compliance practices ensure the highest standard of security when we process or transmit credit card / cardholder data. By complying with PCI DSS we demonstrate our commitment to ensuring the security of credit card data and cardholder data.

Our encryption protocols are national-security worthy.

Powered by Google KMS, we keep all data encrypted with RSA 4096 (the same grade used by the US military) and SHA-256 signing. Data sent to or from our infrastructure is encrypted in transit following industry best practices, using Transport Layer Security (TLS). At rest, all data is subject to battle-proof encryption algorithms and stored using kubeseal secret management services. You can view our SSL Labs report.

Our consent-based model gives people control over their personal information.

According to Europe’s General Data Protection Regulation of 2018, personal data, including employment data, is owned by the individual it represents, and consent to process and share that data must be “freely given, specific, and informed.” We couldn’t agree more.

When a company uses Argyle, it sends a request to an individual for permission to access their employment data, empowering the average person to exercise consent and data ownership.

Our security measures are ever evolving to keep pace with the changing threat landscape.

Our work on security and privacy does not have an end; it's a continuous cycle of researching, revising, implementing, testing, fixing, scaling, blocking, and permissioning. We are constantly working to meet and exceed what is asked of us by regulators, investors, partners, and users, and we collectively live the security processes on a daily basis. Security and privacy are integral to our culture.

Data retention and removal are standardized and at the discretion of our users.

All permissioned user data held by Argyle is available to our customers for electronic retrieval for a period of 30 days after the expiration or termination of the Master Service Agreement. All data is then completely removed from Argyle’s server. Every user can request the removal of their personal data by contacting Argyle support. Read more about our privacy settings.

We establish strong defenses at points of entry.

Argyle’s API, the main entry point of user data, only allows client requests using strong TLS protocols and ciphers. All communication between Argyle infrastructure and data platforms is transmitted over encrypted tunnels. Read more about our API in our technical documentation.

We take all necessary infrastructure precautions.

All of our services run in Google Cloud Platform (GCP). We don’t host or run our own routers, load balancers, DNS servers, or physical servers. GCP regularly undergoes independent verification of security, privacy, and compliance controls against the following standards: ISO/IEC 27001, ISO/IEC 27017, SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, CSA Star, FedRAMP, and many others. You can read more about their practices here.

Our application security monitoring and protection solutions are top rate.

Our application security monitoring and protection solutions give us the visibility to:

  • Identify attacks and respond quickly to a data breach
  • Monitor exceptions and logs and detect anomalies in our applications
  • Collect and store logs to provide an audit trail of our applications' activity

We also deploy a runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real time, as well as security headers to protect our users from attacks. You can check our grade on Security Headers.
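The paragraph above mentions security headers and the public Security Headers grade. The following check is an added example, not Argyle's code and not the grading logic of the Security Headers service: it audits a captured set of HTTP response headers against a baseline of the standard browser security headers, flags missing or weak values, and reports headers that disclose server software. The header names are standard; the thresholds (a one-year HSTS max-age, rejecting 'unsafe-inline' in script-src) are this example's own assumptions, and both sets of sample headers are constructed for illustration.

```python
"""Audit HTTP response headers against a baseline of browser security headers.

Added example (not Argyle's code). Header names are the standard ones; the
policy thresholds below are this example's own choices.
"""

# Headers that every HTML response should carry (assumed baseline).
REQUIRED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
}

MIN_HSTS_MAX_AGE = 31536000  # one year; assumed minimum for a passing HSTS policy

# Headers whose presence discloses the software stack (informational finding).
DISCLOSURE_HEADERS = ("server", "x-powered-by")


def parse_hsts(value):
    """Return (max_age, include_subdomains) parsed from an HSTS header value."""
    max_age = 0
    include_subdomains = False
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1])
            except ValueError:
                max_age = 0  # unparsable max-age is treated as no protection
        elif d == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


def csp_script_allows_unsafe_inline(csp):
    """True if the CSP's script-src (or its default-src fallback) permits 'unsafe-inline'."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in sources


def audit_headers(headers):
    """Return a list of findings for a mapping of response header name -> value.

    Header names are compared case-insensitively, as HTTP requires. An empty
    list means every baseline check passed.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    for name in sorted(REQUIRED_HEADERS - set(lower)):
        findings.append(f"missing: {name}")

    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        max_age, include_subdomains = parse_hsts(hsts)
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"weak: strict-transport-security max-age={max_age} < {MIN_HSTS_MAX_AGE}")
        if not include_subdomains:
            findings.append("weak: strict-transport-security lacks includeSubDomains")

    csp = lower.get("content-security-policy")
    if csp is not None and csp_script_allows_unsafe_inline(csp):
        findings.append("weak: content-security-policy allows 'unsafe-inline' scripts")

    xcto = lower.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append(f"weak: x-content-type-options={xcto!r} (expected nosniff)")

    xfo = lower.get("x-frame-options")
    if xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak: x-frame-options={xfo!r} (expected DENY or SAMEORIGIN)")

    for name in DISCLOSURE_HEADERS:
        if name in lower:
            findings.append(f"info: {name} header discloses software ({lower[name]!r})")

    return findings


# Constructed sample responses (not captured from any real service).
WEAK_RESPONSE_HEADERS = {
    "Content-Type": "text/html",
    "Server": "nginx/1.18.0",
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}

HARDENED_RESPONSE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE_HEADERS), ("hardened", HARDENED_RESPONSE_HEADERS)):
        print(f"[{label}]")
        for finding in audit_headers(hdrs) or ["ok: all baseline checks passed"]:
            print("  " + finding)
```

Run against real traffic, `audit_headers` would take the header mapping from an HTTP client response; the same function serves as a regression test in CI, so a deployment that drops a header fails the build rather than the next external scan.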

We practice stringent network-level security monitoring and protection.

Our network consists of multiple security zones, which we monitor and protect with trusted and next-generation firewalls, including IP address filtering, to guard against unauthorized access. We deploy an intrusion detection and/or prevention solution (IDS/IPS) that monitors and blocks potentially malicious packets, as well as distributed denial of service (DDoS) mitigation services powered by an industry-leading solution.

We develop according to security best practices and frameworks, including OWASP Top 10 and SANS Top 25.

The following practices ensure the highest level of security in our software:

  • Developers participate in regular security training to learn about common vulnerabilities and threats
  • We review our code for security vulnerabilities
  • We regularly update our dependencies and make sure none of them have known vulnerabilities
  • We use static application security testing (SAST) to detect basic security vulnerabilities in our codebase
  • We use dynamic application security testing (DAST) to scan our applications

Our ultimate responsibility is to our end users.

When users grant Argyle permission to access their data, they are authorizing us to serve as their Designated Data Transfer Agent. That means we don't look at our users' data, and we transfer it only when an employee tells the system where to take it.

We boast an industry-leading security team.

Our security team comprises security experts dedicated to constantly improving the security of our organization. Our team is trained in security incident response, security threat detection, and the latest security best practices.

We encourage responsible disclosure.

If you discover vulnerabilities in our application or infrastructure, we ask that you alert our team by contacting [email protected]. We also publish an industry-standard security.txt file, including our PGP key, if you prefer encrypted communication. We will do our best to respond to your submission as quickly as possible.

If you are investigating a potential vulnerability, we would appreciate it if you would: (1) avoid automated testing and only perform tests using your own/dummy data; (2) include a proof of concept in your email to us; (3) not disclose information regarding a vulnerability until we fix it.

Note that our bug bounty program is currently closed and we are not looking for new security researchers. We won’t pay rewards to anybody who is not part of the program.