GDPR compliance, data security, and privacy by design
Security
Introduction
Agillic’s compliance and security setup annually undergoes a rigorous independent audit by Deloitte, in accordance with the international ISAE 3000 Type 2 standard. You can read the latest report here. This audit is a testament to Agillic’s dedication to implementing industry-leading security practices and ensuring full compliance with GDPR and other regulatory requirements.
All data is encrypted in transit and at rest, hosted at high-security data centres – located in the EU – that conform to ISO 27001 information security standards with anti-DDOS measures in place. Daily backups are stored at multiple sites. Access permissions for services and users are granted using the principle of least privilege. Agillic performs risk assessments, vulnerability scans and penetration tests on a regular basis to stay ahead of potential threats.
The handling and control of these security rules are part of Agillic’s Information Security Management System (ISMS) and are based on the relevant ISO/IEC 27001:2022 controls and on the requirements of the data processing agreement (DPA) between Agillic and its clients. All Agillic subcontractors and services are evaluated according to the policies set by the ISMS.
1. Information security framework
Agillic has security policies and other documents that form the basis of the information security framework. These policies and documents are reviewed on an annual basis. The policies apply to everyone who works for Agillic, including employees and freelancers, and everyone is educated and trained in the information security practices.
1.1 Information security policy
The goal of the information security policy is to protect all the data Agillic retains and processes. Agillic aligns with current international regulatory and industry best-practice guidance, and has designed its security programme around best practice for cybersecurity.
1.2 Data incident policy
In the event of a data incident, Agillic has a documented policy and firm processes to guide its actions in accordance with ISO/IEC 27001/27002 standards. The data incident policy outlines how Agillic should document, investigate and report potential data incidents.
Agillic complies with the GDPR and will notify clients by email should Agillic become aware of a data breach that affects a client and requires notification. The email will be sent to the email addresses registered in the platform or registered as contact persons for the client’s subscription with Agillic.
1.3 Business continuity policy
Agillic ensures the continuity and timely recovery of its critical business processes and services in the event of a disaster, and that critical business processes continue to operate at an appropriate level.
Agillic designs its platform to be highly available, fault-tolerant and fault-resilient. To achieve this, Agillic follows industry best practices which are continuously improved on and reviewed. The platform is hosted in a proven infrastructure, which helps minimise incidents, hacking, downtime, and recovery time of services.
As a principle, all Agillic processors and sub-processors are Software as a Service. This gives Agillic multiple advantages in the event of an incident or disaster, such as having teams work from anywhere and being able to replace a (sub-)processor that is causing issues much faster.
1.4 Contractual obligations
Clients’ use of Agillic services is governed by the Terms & Conditions, SLA, DPA and order forms, which set out the rights and obligations of the client and of Agillic, including Agillic’s obligation to keep client information and data confidential and thoroughly protected.
1.5 ESG and anti-bribery anti-corruption (ABAC)
Agillic expects those who use the platform or do business with Agillic to make decisions that reflect strong ethics and are consistent with Agillic’s values. Agillic therefore requires its employees, sub-processors, processors, and business partners to adhere to the principles set out in Agillic’s ESG and ABAC policies.
Agillic is committed to maintaining a high ethical standard, and requires that employees and business partners comply with all the relevant anti-corruption laws of the countries that Agillic does business in and adhere to requirements and principles in the UK Modern Slavery Act 2015.
1.6 Human resources
All Agillic employees need to know what they can and cannot do when handling confidential information and personal data. Employees must observe strict confidentiality regarding Agillic’s affairs. This requirement is included in all employment contracts and in the Agillic employee handbook.
The obligation of confidentiality includes not only Agillic activities but also extends to relationships with businesses and clients. It continues to apply after termination of the employment contract.
If an employee breaches the confidentiality obligations, intentionally or negligently, Agillic considers it a material breach of the employment contract that can result in disciplinary action, including termination or immediate dismissal.
As part of the recruitment process for hiring new staff members, Agillic carries out reference checks. New employees go through a new hire programme that includes education and training about how to protect and handle information. New employees learn about Agillic’s commitment to information security and data privacy, the ESG and ABAC policies, and the requirements for handling and safeguarding information.
In addition to upholding their employment contract (including confidentiality requirements), employees must read and comply with Agillic’s policies for information security, legal compliance, ESG, and ABAC.
When employees leave, Agillic revokes their access to its services as soon as it is no longer relevant.
2. Privacy
Agillic uses the terms “personal data”, “data controller”, “processor” and “sub-processor” below as defined in the EU’s General Data Protection Regulation (“GDPR”).
2.1 Data processing agreement
Agillic’s data processing agreement (DPA) follows the guidelines and templates from the Danish Data Protection Authority (Datatilsynet) to meet all the requirements of the GDPR and can be accessed here. The data controller (Agillic’s clients) and the processor (Agillic), and the processor and the sub-processors, are required to have a “data processing agreement” (“DPA”) in place that documents the data processing activities being carried out.
2.2 Personal data
Agillic considers any data relating to an identified or identifiable person as “personal data” – e.g. name, address, email address, IP addresses, internal Agillic ID, etc. Agillic processes personal data about clients’ recipients solely on the client’s behalf, and uses the data solely for the purpose of providing services to the client. Agillic kindly asks clients to limit the data shared to what is needed for the client to use the platform.
2.3 Sub-processors
Agillic uses specialised companies to assist with delivering its services to clients, such as hosting the platform. Pursuant to the GDPR, these companies are described as “sub-processors”.
Before engaging a processor or a sub-processor, Agillic performs a thorough security and privacy risk assessment of the company’s services as required by the GDPR. As part of this process, Agillic evaluates the company’s privacy and security practices, carries out a risk assessment of the personal data that Agillic would be sharing with the company, and reviews the company’s DPA. Agillic follows this process to determine whether the company is competent to process personal data in line with the legislation and meets Agillic’s requirements and standards. Agillic will only share personal data of clients’ users with a company once these requirements are in place.
Agillic monitors the performance and applicability of processors and sub-processors on an ongoing basis, and reviews the risk assessments annually. Agillic may find it necessary to add or replace a company as a processor or sub-processor, and if so, Agillic will notify clients in advance as stated in its DPA.
When Agillic stops using a company as a processor or sub-processor, Agillic will remove the company from the platform and infrastructure, and will ensure the deletion of all client data retained by the company.
Data to and from Agillic’s processors and sub-processors is encrypted in transit, as is the traffic between clients and the platform. Agillic secures the emails sent through the platform with encryption, DMARC, SPF, and DKIM.
Access to sub-processors is protected by secure multi-factor authentication to the extent possible. Agillic operates on principles of least privilege first, which means that access is limited to those employees who have a genuine work-related need, which is monitored continuously.
Agillic’s sub-processors are:
- Amazon Web Services, Ireland, reg. no. B186284, for hosting.
- GlobalConnect, Denmark, reg. no. 26759722, for network and hosting.
- Unit IT, Denmark, reg. no. 44298937, for data hosting and backup.
- SAC-IT, Denmark, reg. no. 28892977, for hosting.
- Code4Nord, Romania, reg. no. RO33361133, for code development.
- LINK Mobility Group, Norway, reg. no. 984066910, for mobile gateway.
- Sinch AB, Sweden, reg. no. 556882-8908, for mobile gateway.
- Viatel Sweden AB, Ostmästargränd 8A, Årsta, Sweden, reg. no. 556601-6571, for mobile gateway.
3. The platform
3.1 Infrastructure security
The setup of Agillic’s infrastructure is as restricted as possible, including access, firewall configuration, IP restrictions, disabling of unused features (hardening), and use of the most secure ciphers possible. The firewalls only allow internet connections to the allowed ports, and NAT masks the IP addresses of Agillic’s servers. The lines and servers are protected from DDoS and similar attacks.
Agillic patches and upgrades applications and servers regularly to ensure the best possible protection from exploits. Furthermore, Agillic performs regular vulnerability and penetration tests of its networks.
Client data and Agillic’s production environments are all hosted at high-security, Tier 3+ equivalent data centres located inside the EU that conform to the ISO 27001 information security standard.
Access to the data centres where the application is running and the data is persisted is limited to authorised personnel only. Physical security measures include on-premises security guards, closed-circuit video monitoring and additional intrusion protection measures.
Agillic operates on principles of least privilege, which means that access is limited to employees who have a genuine work-related need, which is monitored and aligned continuously.
Agillic tests all software changes. Upon successful testing and quality assurance the changes are promoted into production.
Encryption keys are securely stored. Regular reviews are conducted to maintain the integrity of key management.
Clients are welcome to conduct their own security scans and penetration tests of Agillic’s services, as long as these are of a non-malicious nature and pre-approval is requested. Agillic needs the pre-approval solely because clients’ scans and tests could trigger monitoring anomalies that Agillic would otherwise want to react to.
3.2 Malicious code management
Agillic continuously monitors the infrastructure and platform for errors in order to detect and address these quickly.
3.3 Software patch management and malware
Agillic has a formal process for the management and correction of vulnerabilities (bugs, quality issues, etc.). Vulnerabilities should be reported to privacy@agillic.com. When Agillic has identified a vulnerability as legitimate and requiring remediation, Agillic logs it as an issue, prioritises it according to severity, assigns an owner and addresses it according to priority. Agillic tracks the vulnerabilities and follows up frequently until it can be verified that the vulnerability has been remediated.
3.4 Logging
All activities are logged and tracked for auditing purposes. Each activity is logged with date/time, type of activity, source IP, and other relevant transactional information. Logs are stored in a secure, tamper-proof manner and cannot be manipulated or changed. Agillic retains its audit logs for 120 days.
3.5 Data backup
Backups are taken daily and are stored for two months off-premise at multiple sites. To stay compliant with the “right to be forgotten”, an internal recipient ID is stored for each deleted recipient and used to re-delete deleted recipients after a restore. All user data is fully encrypted at rest, and the backups themselves are encrypted to safeguard sensitive information. Agillic performs backup recovery tests regularly. Backups are retained for a maximum of one month, after which a backup is deleted.
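The re-deletion mechanism described above (keep only the internal ID of an erased recipient, then replay those IDs against any restored backup) is worth seeing end to end, because the ledger has two properties that are easy to get wrong: it must contain no personal data itself, and it must outlive every backup that still holds the erased record. The following is an added illustration written for this page, not Agillic's code; the `RecipientStore`, `Recipient` and the sample recipients are constructed for the example, and the retention period passed to `prune_ledger` is a parameter, not Agillic's figure.

```python
"""Added illustration (not Agillic's code): re-applying erasures after a backup restore.

A deletion ledger keyed only by the internal recipient ID is kept outside the
data being backed up. After a restore, the ledger is replayed so that recipients
erased under the "right to be forgotten" do not reappear. Ledger entries are
pruned only once every backup taken before the erasure has itself expired.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Recipient:
    recipient_id: int
    email: str
    name: str


@dataclass
class RecipientStore:
    recipients: dict = field(default_factory=dict)
    # Deletion ledger: internal recipient_id -> UTC time of the erasure.
    # It holds the ID only, so the ledger is not itself a copy of erased personal data.
    deletion_ledger: dict = field(default_factory=dict)

    def erase(self, recipient_id: int, when: datetime) -> None:
        """Delete the live record and remember the erasure in the ledger."""
        self.recipients.pop(recipient_id, None)
        self.deletion_ledger[recipient_id] = when

    def snapshot(self) -> dict:
        """A backup taken now: a copy of the live recipients (the ledger is kept separately)."""
        return {rid: Recipient(r.recipient_id, r.email, r.name) for rid, r in self.recipients.items()}

    def restore(self, backup: dict) -> list:
        """Restore a backup, then replay the ledger so earlier erasures stay in effect."""
        self.recipients = dict(backup)
        return self.replay_ledger()

    def replay_ledger(self) -> list:
        """Re-delete every ledgered recipient that a restore brought back; returns their IDs."""
        redeleted = sorted(rid for rid in self.deletion_ledger if rid in self.recipients)
        for rid in redeleted:
            del self.recipients[rid]
        return redeleted

    def prune_ledger(self, now: datetime, backup_retention: timedelta) -> list:
        """Drop ledger entries once no backup can still contain the recipient.

        A backup taken just before the erasure at time t lives until t + retention,
        so an entry is only safe to drop after that point. Returns the dropped IDs.
        """
        expired = sorted(rid for rid, when in self.deletion_ledger.items() if when + backup_retention < now)
        for rid in expired:
            del self.deletion_ledger[rid]
        return expired


def demo() -> tuple:
    """Constructed scenario: erase one recipient, restore an older backup, replay the ledger."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = RecipientStore()
    store.recipients = {
        1: Recipient(1, "one@example.invalid", "Recipient One"),  # constructed sample data
        2: Recipient(2, "two@example.invalid", "Recipient Two"),
    }
    backup = store.snapshot()              # taken before the erasure, so it still holds recipient 2
    store.erase(2, when=t0)                # right-to-be-forgotten request for recipient 2
    redeleted = store.restore(backup)      # restore brings 2 back; the ledger removes it again
    kept_early = store.prune_ledger(t0 + timedelta(days=10), timedelta(days=30))   # too early to drop
    dropped_late = store.prune_ledger(t0 + timedelta(days=31), timedelta(days=30))  # all older backups gone
    return redeleted, sorted(store.recipients), kept_early, dropped_late


if __name__ == "__main__":
    print(demo())
```

The important design choice is where the ledger lives: if it were part of the same dataset as the recipients, the restore would overwrite it too and the erasure would be lost. Pruning is tied to the backup retention period for the same reason, so the ledger never forgets an erasure before the last backup that could undo it has been deleted.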
4. Agillic’s IT
Agillic’s engineering team manages internal accounts, password security, access to systems and data, and IT assets – covering both hardware and software.
4.1 Provisioning of access
All employees are granted an individual personal user account. Agillic does not allow any two employees to share or use the same personal user account.
Access permissions for individual services and user roles are granted from Agillic’s role-based access control model, using least privilege first principles and granted according to work-related needs. Before access is granted, the internal owner of the respective service must approve the assignment of access rights and roles. Agillic requires a segregation of duties between the person requesting access and the person approving.
Agillic maintains a detailed access log which is continually monitored. In cases of inappropriate access or red flags, Agillic has mechanisms in place to promptly block users from accessing the system.
4.2 Review and removal of access
Access rights to Agillic services and data are reviewed on a regular basis, and employee access is removed or downgraded when it is no longer required to carry out duties and responsibilities.
When an employee leaves, their user accounts are immediately disabled and, once they are no longer subject to other legal requirements, deleted. Any information security and legal responsibilities held by the employee remain valid after they leave.
4.3 Passwords
All internal user accounts are protected with a password that must meet the rules described in Agillic’s password policy, which aligns with the recommendations of the National Institute of Standards and Technology (NIST). Agillic grants access only to authorised employees with a work-related need.
4.4 Office networks
Office networks are secured and segregated to ensure least-privileged access, and access is centrally managed. The personal computer of each employee is centrally managed and updated (incl. antivirus, patches and enforcement of automatic access lock).
4.5 Assets
Agillic broadly defines network equipment, stationary devices, mobile devices, software, and removable media as IT assets. Agillic identifies, registers, and assigns owners for all IT assets, and monitors all required software updates, security patches and firmware upgrades.
Agillic’s operations team ensures that disk encryption and a screen lock timeout are enabled on all devices used to access the technical environment.
Employees are instructed not to carry out unauthorised downloads, store or share personal data, copyrighted or intellectual material, or install or run unauthorised, untested, or unlicensed software without prior approval from Agillic’s DPO.
4.6 Physical security
The Agillic office cannot be accessed directly from the street, and entry requires a keycard and a PIN code.
4.7 Paper documents
Agillic maintains a paper-free environment, and documents are not printed unless necessary. Agillic does not unnecessarily retain paper documents. When disposed of, all paper documents containing personal data are shredded. Agillic has a clean desk policy, and data is not stored on on-premise media.
5. Contact
For any questions or concerns about Agillic’s privacy or security practices, please send an email to privacy@agillic.com.