Security at Agility

At Agility, the security of your data is our top priority. Our Security Committee has oversight across all departments of the organization and has the mandate to ensure our ongoing accountability with regard to our data footprint, competence, and capabilities.

Here you can review the security policies and procedures that Agility uses to secure your data on the Agility CMS platform.


  • System Status – View real-time availability and performance
  • Trust Center – Access compliance reports and documentation
  • Report a Vulnerability – Contact our security team

Agility is SOC 2 Type 2 Compliant

SOC 2 Certification

Agility is certified as a SOC 2 Type 2 compliant organization, verified by our independent auditor, as of December 1, 2021, with recertification happening annually. We monitor our systems on an ongoing basis using services provided by Vanta to ensure no exceptions occur.

For access to our SOC 2 Type 2 report, security questionnaires, and detailed policy documentation, visit our Trust Center.


How Your Content is Secured

Our infrastructure runs on Microsoft Azure, a top cloud infrastructure and service provider. Azure is trusted by leading companies, government institutions, and the US military to host their data storage, processing, and computing needs.

Since Agility is hosted 100% in the cloud, there is no specific physical location where your data is located. Instead, Microsoft Azure provides primary and secondary data regions where the storage services responsible for your data are located. These are protected by a high level of physical security.

Encryption and Data Storage

Your data is stored in a combination of Azure storage resources, including Azure SQL Databases and Blob Storage. Industry-standard encryption and hashing are used, with all keys managed using Azure Key Vault.

All data is stored in an encrypted state (encrypted at rest) as part of the base functionality of Azure Storage and Azure SQL Database.

Any data that needs to be secured beyond encryption at rest is further encrypted or hashed as necessary using industry-standard methodology. This includes passwords, data connection information, API keys, tokens, and other sensitive credentials.

How Your Data is Backed Up

Because Agility CMS data is stored in Azure SQL Database, it is automatically backed up and restorable using point-in-time technology to an alternate region. Any data stored in Azure Blob Storage is also replicated by the Azure subsystem to a secondary region, in addition to having 3 local copies within the primary data region. Azure is also responsible for encrypting these backups at rest.

Message Encryption

All data transmitted between Agility CMS and your services, or third parties, is sent over HTTPS using TLS 1.2. Agility CMS uses a combination of Azure CDN and Stackpath CDN for Content Delivery Services of static files and REST API content. These services are protected by TLS 1.2 encryption at all levels. This ensures that no data transferred, whether internally within the Azure system or externally to the CDN nodes or to your servers and clients, can be intercepted or altered by a third party.


Security Testing and Assessments

Penetration Testing

While we run our own penetration tests, performed by third parties, we also provide our enterprise customers (including leading e-commerce, government, and banking institutions) the opportunity to collaborate with us on custom penetration testing to satisfy any extraordinary requirements.

Ongoing Security Assessments

Agility uses Azure Security Center on an ongoing basis to assess shifts and improvements in our security posture. This allows our engineers and support staff to actively update our systems to comply with deeper levels of security based on new threats and attack methodology.


Access Control

Getting Access to Backend Data

Access to backend data outside of the normal application flow is extremely limited. Only Agility product and support engineers with training and security clearance are granted this permission. These identities are protected by Azure Active Directory using multi-factor authentication.

If you require access to your backend data or have questions about your data, our support staff are happy to answer any questions or escalate any concerns to our engineers.

Audits and Monitoring

All access and activity, including any changes to configuration within our Azure systems, are audited and monitored with a history trail. Any code changes are performed via Azure DevOps using slot-based deployment.


Compliance

PCI Compliance

Agility's Content Manager is declared to be PCI Compliant. We do not store or process card or payment credential information. We utilize tokenization and provider-specific vaults to validate, process, and capture transactions.


Ongoing Reliability

Microsoft Azure Infrastructure

Our infrastructure runs in Microsoft Azure, where all components are deployed in at least three resource areas, minimizing disruptions caused by any failure and keeping your content constantly available. All services are deployed on load-balanced App Services, a Platform-as-a-Service (PaaS) system that keeps multiple instances of our code running at the same time. In addition, Azure Traffic Manager is used to geo-locate our services across multiple regions with failover in case of a failure in the primary region.

Auto-Scale

The Azure App Service Plans used to host the Agility CMS services auto-scale so that they can continue to operate in situations with extreme load or abnormal circumstances.


Responsible Disclosure

We value the security research community and welcome reports of potential vulnerabilities. If you've discovered a security issue with Agility CMS, please contact us at support@agilitycms.com with details of the vulnerability.

We ask that you:

  • Give us reasonable time to investigate and address the issue before any public disclosure
  • Avoid accessing or modifying customer data
  • Act in good faith to avoid privacy violations and service disruption

We're committed to working with researchers to verify and address any legitimate issues.


Security Incident Reporting

No matter the systems or procedures that are in place, a security incident is still possible. If such an event does occur, Agility is ready to manage it using a pre-defined process. We will notify any affected parties and work closely with them to both mitigate the risk immediately and resolve the problem moving forward.

Please contact us at support@agilitycms.com to report any incident.


Additional Resources

  • System Status – Real-time availability and performance monitoring
  • Trust Center – SOC 2 reports, security questionnaires, and policy documentation
  • Privacy Policy – How we handle your personal data
  • GDPR – Our commitment to data protection regulations