Scaled Agile | Trust Center

Scaled Agile | Trust Center

Scaled Agile Trust Center

Scaled Agile prioritizes your data's confidentiality, integrity, and availability. Our Trust Center offers insights into our data management, security measures, and compliance.

Compliance

SOC 2 Type 2

Service Organization Controls (SOC 2) (Type II) Trust Services Principles

GDPR

Protect the personal data and privacy of EU citizens for transactions that occur within EU member states

CCPA

California Consumer Privacy Act

Resources

SOC 2 Type II

Scaled Agile undergoes an annual SOC 2 Type II audit. Request here to see our report.

Privacy Policy

Scaled Agile's Privacy Policy

Terms of Use

Scaled Agile's Terms of Use

Data Sharing Addendum

Scaled Agile's Data Sharing Addendum

Monitoring

Continuously monitored by Secureframe

Subprocessors

Enterprise Subprocessors

Amazon Web Services, Inc.

Amazon Web Services, Inc.

Cloud services hosting and storage. SOC 2 ISO/IEC 27001:2022

Data location: United States

Credly, Inc.

Credly, Inc.

Optional digital credentialing services. ISO 27001/ ISO 27701

Data location: United States

Exoscale

Exoscale

Cloud services - hosting and storage. - HIPAA / HITECH Act - ISO/IEC 27001-2005 - NISTSP800-53 - FedRAMP

Data location: Switzerland

Functional Software, Inc. d/b/a Sentry.

Functional Software, Inc. d/b/a Sentry.

Experience management. SOC 2 ISO 27001

Data location: United States

Functional Software, Inc. d/b/a Sentry.

Experience management. SOC 2 ISO 27001

Data location: United States

Pendo.io, Inc.

Pendo.io, Inc.

Analytics SOC 2

Data location: United States

Qualtrics

Qualtrics

Experience management. SOC 2 ISO 27001, 27017, 27018, and 27701

Data location: United States

Questionmark Corp.

Questionmark Corp.

Test delivery. ISO 27001

Data location: United States

Salesforce

Customer Relationship Management. - ISO 27001 - SOC 1,2,3

Data location: United States

FAQs

Get answers to common questions about our security practices, data protection measures, and how we keep your information safe.

Yes, you can request a copy above. Before providing our SOC 2 Type 2 report, we require a signed mutual NDA (mNDA).

Scaled Agile upholds strong security practices to safeguard our customers' data with the highest standards.

Change Management

Baseline Configurations

Baseline configurations and codebases for production infrastructure, systems, and applications are securely managed.

Segregation of Environments

Development, staging, and production environments are segregated.

Availability

Uptime and Availability Monitoring

System tools monitors for uptime and availability based on predetermined criteria.

Backup Restoration Testing

Backed-up data is restored to a non-production environment at least annually to validate the integrity of backups.

Testing the Business Continuity and Disaster Recovery Plan

The Business Continuity and Disaster Recovery Plan is periodically tested via tabletop exercises or equivalents. When necessary, Management makes changes to the Business Continuity and Disaster Recovery Plan based on the test results.

Organizational Management

Information Security Program Review

Management is responsible for the design, implementation, and management of the organization’s security policies and procedures. The policies and procedures are reviewed by management at least annually.

Background Checks

Background checks or their equivalent are performed before or promptly after a new hires start date, as permitted by local laws.

New Hire Screening

Hiring managers screen new hires or internal transfers to assess their qualifications, experience, and competency to fulfill their responsibilities. New hires sign confidentiality agreements or equivalents upon hire.

Organizational Chart

Management maintains a formal organizational chart to clearly identify positions of authority and the lines of communication, and publishes the organizational chart to internal personnel.

Independent Advisor

The board of directors or equivalent entity function includes senior management and external advisors, who are independent from the company's operations. An information security team has also been established to govern cybersecurity.

Internal Control Monitoring

A continuous monitoring solution monitors internal controls used in the achievement of service commitments and system requirements.

Cybersecurity Insurance

Cybersecurity insurance has been procured to help minimize the financial impact of cybersecurity loss events.

Vulnerability Management

Third-Party Penetration Test

A 3rd party is engaged to conduct a network and application penetration test of the production environment at least annually. Critical and high-risk findings are tracked through resolution.

Incident Response

Tracking a Security Incident

Identified incidents are documented, tracked, and analyzed according to the Incident Response Plan.

Incident Response Plan Testing

The Incident Response Plan is periodically tested via tabletop exercises or equivalents. When necessary, Management makes changes to the Incident Response Plan based on the test results.

Lessons Learned

After any identified security incident has been resolved, management provides a "Lessons Learned" document to the team in order to continually improve security and operations.

Risk Assessment

Risk Register

A risk register is maintained, which records the risk mitigation strategies for identified risks, and the development or modification of controls consistent with the risk mitigation strategy.

Risk Assessment

Formal risk assessments are performed, which includes the identification of relevant internal and external threats related to security, availability, confidentiality, and fraud, and an analysis of risks associated with those threats.

Network Security

Endpoint Security

Company endpoints are managed and configured with a strong password policy, anti-virus, and hard drive encryption

Access Security

Complex Passwords

Personnel are required to use strong, complex passwords and a second form of authentication to access sensitive systems, networks, and information

Administrative Access is Restricted

Administrative access to production infrastructure is restricted based on the principle of least privilege.

User Access Reviews

System owners conduct scheduled user access reviews of production servers, databases, and applications to validate internal user access is commensurate with job responsibilities.

Encryption-at-Rest

Service data is encrypted-at-rest.

Access to Product is Restricted

Non-console access to production infrastructure is restricted to users with a unique SSH key or access key

Unique Access IDs

Personnel are assigned unique IDs to access sensitive systems, networks, and information

Communications

Communication of Security Commitments

Security commitments and expectations are communicated to both internal personnel and external users via the company's website.

Confidential Reporting Channel

A confidential reporting channel is made available to internal personnel and external parties to report security and other identified concerns.

Description of Services

Descriptions of the company's services and systems are available to both internal personnel and external users.

Terms of Service

Terms of Service or the equivalent are published or shared to external users.

Privacy Policy

A Privacy Policy to both external users and internal personnel. This policy details the company's privacy commitments.