Security and compliance at Argyle

We’re serious about safeguarding data.

Protecting personal information is our top priority. For the sake of our users and customers, we don't compromise or cut corners when it comes to data security. As part of that commitment, we operate with the utmost transparency. The following overview provides a high-level look at the ever-evolving security practices we have in place.

We’re compliant with the highest security and privacy standards

SOC 2 Type II - Argyle has most recently completed a SOC 2 Type II examination covering the security, availability, and confidentiality trust services criteria, and is audited annually. A SOC 2 report is an independent auditor's attestation under the AICPA's System and Organization Controls (SOC) framework rather than a certification; a Type II report covers not only the design of controls (as a Type I does) but their operating effectiveness over a review period, in our case six months. The report is available, upon request, for review by existing customers and new prospects. Because it contains confidential detail about our controls, we require a signed NDA before sharing it.

ISO 27001 - Argyle has achieved ISO 27001 certification; the certificate is available, upon request, for review by existing customers and new prospects without a signed NDA. Being audited and certified against the ISO 27001 standard demonstrates our commitment to identifying risks and putting strong, repeatable controls in place so that our organization maintains a secure posture.

GDPR & CCPA - Argyle is audited annually by external independent auditors against the GDPR and CCPA privacy regulations. Complying with GDPR and CCPA demonstrates our commitment to protecting personal information and to a consent-based model for processing personal data.

We encrypt data in transit and at rest

Our encryption keys are managed in Google Cloud KMS using 4096-bit RSA keys with SHA-256 (RSA-4096/SHA-256). A key of that kind wraps and signs; it does not encrypt records directly, since RSA-OAEP with SHA-256 carries at most 446 bytes per operation. In a KMS-backed design the RSA key protects the symmetric data keys, and those data keys encrypt the stored data. Data sent to or from our infrastructure is encrypted in transit with Transport Layer Security (TLS) configured to current best practice. Kubernetes secrets used by our workloads (credentials and keys) are encrypted with Sealed Secrets (kubeseal) so they are never stored in plaintext manifests. You can view our SSLLabs report here.
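To make the key-wrapping point concrete, here is an added example in Go (not Argyle's code) of envelope encryption with the standard library: a fresh AES-256-GCM data key encrypts each record, and RSA-OAEP with SHA-256 wraps only that 32-byte key. A locally generated 4096-bit RSA key stands in for the KMS-held key, and the record, record id and field names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what gets persisted: the wrapped data key, the GCM nonce and the
// ciphertext. The RSA private key (the key-encryption key, KEK) would stay inside
// the KMS in a real deployment; this example generates it locally.
type Envelope struct {
	WrappedDEK []byte // 32-byte data key, encrypted with RSA-OAEP(SHA-256)
	Nonce      []byte // 96-bit GCM nonce, fresh for every Encrypt call
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// MaxOAEPPayload is the largest message RSA-OAEP with SHA-256 can carry for a
// modulus of the given byte length: k - 2*hLen - 2. For RSA-4096 that is
// 512 - 64 - 2 = 446 bytes, which is why RSA wraps keys rather than records.
func MaxOAEPPayload(modulusBytes int) int {
	return modulusBytes - 2*sha256.Size - 2
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt generates a fresh data key, seals plaintext with AES-256-GCM and wraps
// the data key under the KEK. aad (for example a record id) is authenticated but
// not encrypted, so a ciphertext cannot be silently moved to another record.
func Encrypt(kek *rsa.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Decrypt unwraps the data key with the KEK private key and opens the ciphertext.
// Any change to the ciphertext, nonce or aad fails the GCM tag check.
func Decrypt(kek *rsa.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, env.WrappedDEK, nil)
	if err != nil {
		return nil, errors.New("unwrap failed: wrong KEK or corrupted wrapped key")
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext, nonce or aad was modified")
	}
	return pt, nil
}

func main() {
	kek, err := rsa.GenerateKey(rand.Reader, 4096) // stands in for the KMS-held key
	if err != nil {
		panic(err)
	}
	// Constructed sample record and context for the example; not real data.
	record := []byte(`{"employer":"Example Co","pay_period":"2023-09"}`)
	aad := []byte("record-id:12345")

	env, err := Encrypt(&kek.PublicKey, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped DEK %d bytes, ciphertext %d bytes\n", len(env.WrappedDEK), len(env.Ciphertext))

	pt, err := Decrypt(kek, env, aad)
	fmt.Printf("round trip ok: %v\n", err == nil && string(pt) == string(record))

	_, err = Decrypt(kek, env, []byte("record-id:99999"))
	fmt.Printf("wrong record id rejected: %v\n", err != nil)

	// RSA alone cannot hold the record: 4096-bit OAEP caps out at MaxOAEPPayload(512) bytes.
	_, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, &kek.PublicKey, make([]byte, 447), nil)
	fmt.Printf("direct RSA encryption of 447 bytes: %v\n", err)
}
```

The wrapped data key is 512 bytes for a 4096-bit modulus regardless of record size, and the record itself grows only by the 16-byte GCM tag. Binding the record id as associated data means a ciphertext copied onto a different record fails to decrypt, which is the property a per-object data key is meant to give you.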

Our consent-based model gives people control over their personal information

Under Europe’s General Data Protection Regulation (GDPR), in force since 2018 and a piece of legislation we steadfastly respect, personal data, including employment data, belongs to the individual it describes, and consent to process and share that data must be “freely given, specific, and informed.”

When a company uses Argyle, it sends a request to an individual for permission to access their employment data, which puts the decision to consent, and the control that comes with owning that data, in the individual's hands. In turn, we help real people avoid situations where their employment data is sold or used without their permission or knowledge (an all-too-common practice).

Data retention and removal is standardized and at the discretion of our users

We make all permissioned user data held by Argyle available to our customers for electronic retrieval for 30 days after the expiration or termination of the Master Service Agreement. All data is then completely removed from Argyle’s dashboard and servers. Every user can request the removal of their personal data by contacting Argyle support. Read more about our privacy settings.

We establish strong defenses at points of entry

Argyle’s API, the main entry point for user data, accepts client requests only over strong TLS protocol versions and cipher suites; legacy protocol versions and weak ciphers are refused at the handshake. All communication between Argyle infrastructure and data platforms is transmitted over encrypted tunnels. Read more about our API in our official documentation.
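What such a policy looks like, and how to check it, as an added example in Go rather than Argyle's own configuration: a loopback listener that accepts TLS 1.2 and later with a short list of forward-secret AEAD cipher suites, probed by clients offering TLS 1.1 at most, TLS 1.2 with only a CBC suite, and a modern default. The self-signed certificate, cipher list and loopback address are constructed for the example; the real API's configuration is not published on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// hardenedSuites are the only TLS 1.2 suites the server negotiates: ECDHE for
// forward secrecy, AEAD ciphers only. TLS 1.3 suites are fixed by Go and always
// enabled when 1.3 is permitted, so they are not listed here.
var hardenedSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// HardenedServerConfig sets TLS 1.2 as the floor and restricts the 1.2 suites.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: hardenedSuites,
	}
}

// selfSignedCert builds a throwaway ECDSA P-256 certificate for 127.0.0.1 so the
// probe runs offline. Production uses a CA-issued certificate instead.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "tls-probe"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Probe performs one handshake from the given client against a hardened loopback
// listener and returns the negotiated version and cipher suite (0, 0 on refusal).
func Probe(client *tls.Config) (version, suite uint16, err error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, 0, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", HardenedServerConfig(cert))
	if err != nil {
		return 0, 0, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		c.(*tls.Conn).Handshake() // server side; any failure is reported to the client
		c.Close()
	}()
	client.InsecureSkipVerify = true // self-signed test cert only; never in production
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return 0, 0, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.Version, st.CipherSuite, nil
}

func main() {
	probes := map[string]*tls.Config{
		"legacy client, TLS 1.1 at most": {MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS11},
		"TLS 1.2 with only a CBC suite":  {MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA}},
		"modern client":                  {MinVersion: tls.VersionTLS12},
	}
	for name, cfg := range probes {
		if v, s, err := Probe(cfg); err != nil {
			fmt.Printf("%-32s refused: %v\n", name, err)
		} else {
			fmt.Printf("%-32s accepted: version 0x%04x, %s\n", name, v, tls.CipherSuiteName(s))
		}
	}
}
```

The second probe is the one worth keeping in a regression suite: a version floor alone still lets a TLS 1.2 client negotiate a CBC suite, so the cipher list has to be enforced as well. The same three probes can be pointed at a real endpoint by replacing the loopback listener with its address, which is essentially what an external scanner such as SSL Labs does.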

Our security measures are ever evolving to keep pace with the changing threat landscape

Our work on security and privacy efforts does not have an end; it's a continuous cycle of researching, revising, implementing, testing, fixing, scaling, blocking, and allowing. We are constantly working to meet and exceed what is asked of us from regulators, investors, partners, and users, and we collectively live the security processes on a daily basis. Security and privacy are integral to our culture.

We take all necessary infrastructure precautions

All of our services run in Google Cloud Platform (GCP). We don’t host or run our own routers, load balancers, DNS servers, or physical servers. GCP regularly undergoes independent verification of security, privacy, and compliance controls against the following standards: ISO/IEC 27001, ISO/IEC 27017, SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, CSA STAR, FedRAMP, and many others. You can read more about their practices here.

We practice stringent network-level security monitoring and protection

Our network consists of multiple security zones, which we monitor and protect with trusted, next-generation firewalls, including IP address filtering, to ensure against unauthorized access. We deploy an intrusion detection and/or prevention solution (IDS/IPS) that monitors and blocks potentially malicious packets, as well as distributed denial of service (DDoS) mitigation powered by an industry-leading solution.

Our application security monitoring and protection solutions are top rate

Our application security monitoring and protection solutions give us the visibility to:

  • Identify attacks and respond quickly to a data breach
  • Monitor exceptions and logs and detect anomalies in our applications
  • Collect and store logs to provide an audit trail of our applications' activity

We also deploy a runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real time, and we set HTTP security headers to protect our users from browser-side attacks. You can check our grade on SecurityHeaders.io.

We develop according to security best practices and frameworks, including OWASP Top 10 and SANS Top 25.

The following practices are part of how we build our software:

  • Developers participate in regular security training to learn about common vulnerabilities and threats.
  • We review our code for security vulnerabilities.
  • We regularly update our dependencies and make sure none of them have known vulnerabilities.
  • We use static application security testing (SAST) to detect basic security vulnerabilities in our codebase.
  • We use dynamic application security testing (DAST) to scan our applications.

Our ultimate responsibility is to our end users.

When users grant Argyle permission to access their data, they are authorizing us to serve as their Designated Data Transfer Agent. That means we don’t look at our users’ data, and we move it only when the user (the employee the data describes) tells the system where to send it. Our designation also entails a steadfast commitment to never aggregate, resell, or re-use users’ private data under any circumstances.

We boast an industry-leading security team.

Our security team comprises security experts dedicated to constantly improving the security of our organization. Our team is trained in security incident response, security threat detection, and the latest security best practices.

We encourage responsible disclosure.

If you discover vulnerabilities in our application or infrastructure, we ask that you alert our team by contacting [email protected]. We will respond as quickly as possible to your submission and won’t take legal action if you follow the rules:

  • Please avoid automated testing and only perform security tests with your own data.
  • Please include a proof of concept in your email.
  • Do not disclose any information regarding the vulnerabilities until we fix them.

Note that our bug bounty program is currently closed and we are not looking for new security researchers. We won’t pay rewards to anybody who is not part of the program.