• Local Data Processing: Operations that involve interaction with an end-user's account (e.g., Sign In, Provisioning, Privilege Control, etc.), are executed directly on the end-user's device.
• Zero Trust Encryption: Aglide uses a Zero Trust encryption model to ensure sensitive Customer Data is secure. This means that even on Aglide’s servers, data is encrypted in such a way that only authorised end-users can decrypt it.
• Local & Cloud Environments: Depending on the specific type of data, encryption occurs either within the Cloud Environment or on the end-user's device. The zero-trust model ensures that even when data is processed or stored on the Cloud Environment, it remains inaccessible to unauthorised parties, including Aglide itself.

a. Application

• Source Code: Only approved employees have access to Aglide's repositories, and they all must have multi factor authentication enabled. Deployment is safeguarded by a mandatory pull request (PR) procedure, requiring all code changes to undergo peer review.

b. Environment Access

• Access Controls: Access to Customer Data is limited to approved employees, authenticated into their corporate Aglide account, with a unique key. Access to the Cloud Environment is restricted to a limited number of Aglide employees, and is controlled by AWS IAM policies. Aglide's Zero Trust architecture ensures that even approved Aglide employees cannot access sensitive Customer Data.
• Environment Isolation: Customer Data is never stored in non-production environments. Customer accounts are logically separated in Aglide's production environment. Aglide has separate development, staging and production environments.

c. Monitoring & Logging

• Network Monitoring: Systems and alarms are setup to monitor the performance and key metrics for Aglide's servers, database, and other network components. These alert when services are acting irregularly to help identify issues or attacks.
• Error Logging: Aglide captures logs of certain activities and changes to detect malicious activity and errors. Logs are only accessible to necessary Aglide employees and care is taken to ensure that sensitive data is not logged.
• User Logging: Data about end-users interacting with the Aglide Services is collected to improve performance. Logs are only accessible to necessary Aglide employees and care is taken to ensure sensitive, session-specific data is not captured.

d. Vulnerability Detection

• Vulnerability Scans: Vulnerability scanning and package monitoring are performed on all Aglide infrastructure, with services being patched on a regular basis.
• Penetration Testing: Aglide will conduct regular penetration tests to identify and address potential vulnerabilities in its infrastructure. These tests will be conducted by third-party security experts and are designed to simulate real-world attacks.

a. Training & Legal

• Employee Training: Aglide maintains a mandatory security awareness and training program for its employees.
• Confidentiality: All Aglide employees sign non-disclosure and confidentiality agreements.
• Responsibility: Employees are required to sign Aglide's information security policy, which includes acknowledging responsibility for reporting security incidents involving Customer Data.

b. Privilege & Access

• Access Reviews: Aglide internally leverages the principle of Least Privilege for access. Regular access reviews are conducted to ensure that continued access to critical systems is still required.
• Access Controls: Employees can only access Aglide systems through Single Sign On or using credentials stored in a password manager, with Multi-Factor Authentication enforced where possible. Employees must use high entropy passwords and 2-factor authentication to access Single Sign On applications or the password manager.

c. Physical Security

• Aglide Premises: Equipment capable of accessing Aglide services is only available in Aglide's office, which is secured with a keycard system.
• Data Centres: Aglide defers all data center physical security controls to AWS. Details of AWS’s physical security controls can be found on their website.

Reporting:

If Aglide becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data (a "Security Incident"), Aglide shall notify Customer without undue delay, and in any case, where feasible, notify Customer within 72 hours after becoming aware.

Investigation:

In the event of a Security Incident as described above, Aglide shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident. Any logs determined to be relevant to a Security Incident shall be preserved for at least one year.

Communication:

Aglide shall provide Customer timely information about the Security Incident to the extent known to Aglide, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Aglide to mitigate or contain the Security Incident, the status of Aglide's investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because Aglide personnel do not have visibility to the content of Customer Data, it will be unlikely that Aglide can provide information as to the particular nature of the Customer Data, or where applicable, the identities, number, or categories of affected data subjects. Communications by or on behalf of Aglide with Customer in connection with a Security Incident shall not be construed as an acknowledgment by Aglide of any fault or liability with respect to the Security Incident.