Security at Agorapulse

Overview

Agorapulse respects our customers’ privacy, and keeping our customers’ data protected at all times is our highest priority.

This document provides a high-level overview of the security practices put in place to achieve that objective.

Have questions or feedback? Reach out to us at security-trust@agorapulse.com.

Infrastructure Security

All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers.

Our service is built on Amazon Web Services (AWS). They provide strong security measures to protect our infrastructure and are compliant with most certifications (Cloud Security Alliance Star Level 2, ISO 9001, 27001, 27017, 27018, PCI DSS Level 1, and SOC 1, 2, and 3). You can read more about their security here: https://aws.amazon.com/security/. You can read more about their compliance here: https://aws.amazon.com/compliance/programs/.

Network Level Security

Our network security architecture consists of multiple security zones. We monitor and protect our network, to make sure no unauthorized access is performed using:

  • A virtual private cloud (VPC), a bastion host, or VPN with network access control lists (ACLs) and no public IP addresses
  • IP address filtering
  • An Intrusion Detection and/or Prevention technologies (IDS/IPS) solution that monitors and blocks potential malicious packets

Data Level Security

Data Location Customer Data are hosted in AWS Ireland region.

Encryption in transit All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS).

Encryption at rest All our user data (including passwords and access tokens) is encrypted using battled-proofed encryption algorithms in the database.

Availability and Reliability

Our goal is to avoid any downtime at all costs and provide 99.9% uptime. Our platform is built with full redundancy and isolation in mind to avoid any single point of failure.

You can follow in real time the current status of our services here: https://status.agorapulse.com/.

Business Continuity and Disaster Recovery

We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted.

Application Security

All Agorapulse apps and services are 100% developed internally by full-time employees without any outsourcing.

Development Best Practices

Developers participate in regular security training to learn about common vulnerabilities and threats.

We follow OWASP (Open Web Application Security Project) standard security controls for the application security.

We review our code for security vulnerabilities.

We regularly update our dependencies and make sure none of them has known vulnerabilities.

Application Security Monitoring

We use a full security monitoring solution to get visibility into our application security at runtime, identify attacks and automatically block them when possible,

We constantly monitor exceptions, logs and detect anomalies in our applications.

We collect and store logs to provide an audit trail of our applications activity.

Product Security

The Agorapulse product has incorporated data security and data privacy via multiple features as detailed below.

Access Permissions

Agorapulse uses a role-based access control (RBAC) approach to determine user access privileges required. Different configured roles are assigned to the users as per the requirement, for each organization.

Access Control

Authentication on Agorapulse can be handled via Facebook Connect and/or email+password.When Facebook Connect is enabled, no authentication data is stored on our side.

When email+password login is enabled, passwords are stored one-way hashed with random salt.

We collect and store logs to provide an audit trail of our authentication and security-related activity.

Two-Factor Authentication (2FA)

For an additional layer of security, users can enable multi-factor authentication, based on a dedicated mobile app such as Google Authenticator or Authy. 

HR, Security and IT

All new hires are provided with security on-boarding training, which includes setup and training on using a password manager and detecting phishing or social engineering.

Endpoints

We assume all networks are untrusted, and we focus instead on making sure our endpoints (e.g. laptops) are secure. 

Employee devices are managed by through a device management program to ensure that our fleet runs with the latest security fixes and secure configuration (encrypted disk, firewall, etc).

Development & Production

Access into both development and production environments requires both SSH keys and 2FA. Only our Engineering Ops team has access to our production environment. We have automated processes in place that monitor each host for unauthorized login attempts, and offending IP addresses are automatically blacklisted and alerted.

Mandatory 2FA

We enable mandatory 2FA for all employees on all strategic services where it is supported. Before deciding to use another third-party cloud service, we assess both the type of data that would be stored there, as well as that company’s security practices.

Security Audit

Testing & Research

We believe that security researchers make computing safer and more secure for everyone, and thus we encourage security testing and research on Agorapulse.

Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them. Rewards are done at our discretion depending on the criticality of the vulnerability reported.

Reporting a Security Incident

Potential vulnerabilities can be reported through our private bug bounty program running on HackerOne.

Please contact us at security-trust@agorapulse.com and provide:

  • Your HackerOne username
  • A brief description of the vulnerability
  • Scope (impacted agorapulse.com subdomain)

Compliance and Certifications

GDPR

Agorapulse is GDPR compliant. You can read more about Agorapulse and GDPR here: https://www.agorapulse.com/gdpr/

PCI compliance

Agorapulse is PCI SAQ-A compliant. Payment transactions are outsourced to Chargebee which is certified as a PCI Level 1 Service Provider.

Official social media partnerships

Agorapulse is recognized as an official partner of Meta.

Have questions or feedback? Reach out to us at security-trust@agorapulse.com.