Protecting personal information is our top priority. For the sake of our users and customers, we don't compromise or cut corners when it comes to data security. As part of that commitment, we operate with the utmost transparency. The following overview provides a high-level look at the ever-evolving security practices we have in place.
SOC 2 Type II - Argyle has most recently completed a SOC 2 Type II examination for security, availability, and confidentiality and is audited annually. SOC 2 Type II is the most comprehensive certification within the System and Organization Controls (SOC) framework. Our successful SOC 2 Type II examination attests to our stringent compliance with these standards over a six-month look-back period. The report is available, upon request, for review by existing customers and new prospects. As the information is confidential, we require a signed NDA before releasing the report.
ISO 27001 - Argyle has achieved ISO 27001 certification, and the certificate is available, upon request, for review by existing customers and new prospects without a signed NDA. By being audited and certified against the ISO 27001 standard, we demonstrate our commitment to identifying risks and putting in place strong, repeatable controls that ensure our organization maintains a secure posture.
GDPR & CCPA - Argyle is audited annually by external independent auditors against the GDPR and CCPA privacy regulations. By complying with GDPR and CCPA, we prove our commitment to protecting personal information and enforcing a consent-based model for personal data processing.
Powered by Google KMS, we keep all data encrypted at RSA 4096 (the same grade used by the U.S. military) with SHA-256 signing. Data sent to or from our infrastructure is encrypted in transit using industry best practices built on Transport Layer Security (TLS). At rest, all data is protected by battle-tested encryption algorithms and stored using kubeseal secret management services. You can view our SSLLabs report here.
According to Europe’s General Data Protection Regulation of 2018—a piece of legislation we steadfastly respect—personal data, including employment data, is owned by the individual it represents, and consent to process and share that data must be “freely given, specific, and informed.”
When a company uses Argyle, it sends a request to an individual for permission to access their employment data, empowering the average person to exercise consent and data ownership. In turn, we help real people avoid situations where their employment data is sold or used without their permission or knowledge (an all-too-common practice).
We make all permissioned user data held by Argyle available to our customers for electronic retrieval for a period of 30 days after the expiration or termination of the Master Service Agreement. All data is then completely removed from Argyle’s dashboard and server. Every user can request the removal of their personal data by contacting Argyle support. Read more about our privacy settings.
Argyle’s API—the main entry point of user data—only allows client requests using strong TLS protocols and ciphers. All communication between Argyle infrastructure and data platforms is transmitted over encrypted tunnels. Read more about our API in our official documentation.
All of our services run in Google Cloud Platform (GCP). We don’t host or run our own routers, load balancers, DNS servers, or physical servers. GCP regularly undergoes independent verification of security, privacy, and compliance controls against the following standards: ISO/IEC 27001, ISO/IEC 27017, SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, CSA Star, FedRAMP, and many others. You can read more about their practices here.
Our application security monitoring and protection solutions give us the visibility to:
We also deploy a runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real time, as well as HTTP security headers to protect our users from browser-side attacks. You can check our grade on SecurityHeaders.io.
The following protocols ensure the highest level of security in our software:
Our security team comprises security experts dedicated to constantly improving the security of our organization. Our team is trained in security incident response, security threat detection, and the latest security best practices.
If you discover vulnerabilities in our application or infrastructure, we ask that you alert our team by contacting [email protected]. Please include a proof of concept in your email. We will respond to your submission as quickly as possible and won't take legal action if you follow these rules:
Note that our bug bounty program is currently closed and we are not looking for new security researchers. We won’t pay rewards to anybody who is not part of the program.