Security and Compliance

— Last update: October 20, 2023 —

Compliance

SOC 2

SOC 2 is a globally recognized auditing standard for service organizations that demonstrates adequate controls and processes. Akuity has successfully completed the SOC 2 Type 2 audit. Akuity’s SOC 2 report covers the Security and Availability trust services principles and criteria. A copy of the most recent audit report is available in our Trust Report.

Data Security

All of Akuity’s services are hosted in Amazon Web Services (AWS) facilities in the United States. Services are distributed across multiple AWS availability zones. These zones are hosted in physically separate data centers, protecting services against single data center failures.

More information about AWS security practices is on their cloud security page.

Data classification

Akuity classifies the data we own, use, create, and maintain into the following categories:

  • Confidential – Customer and personal data
  • Internal – Akuity-internal operational data that should not be disclosed
  • Public – For example, the marketing material and content on this website

Encryption at rest

Akuity uses the AWS-managed data stores Aurora RDS and S3 to store customer data, including backups. All these AWS services have been configured to use encryption at rest using AES with 256-bit keys.

Secrets and encryption key management

Akuity uses AWS Secrets Manager for securely storing and managing secrets used by services. Akuity uses AWS Key Management Service (KMS) to encrypt and decrypt these secrets as well as manage all encryption keys in use by Akuity services. Access to secrets and encryption keys is restricted to the services on a least privilege basis and is managed by the Akuity infrastructure team.

Separation of environments

Akuity fully separates and isolates our production, staging, and development networks and environments.

Product security

Secure development

Akuity practices continuous delivery. Our processes and automation allow us to safely and reliably roll out changes to our cloud infrastructure and web-based applications rapidly. We deploy new changes to production multiple times a day.

  • All code changes are requested through pull requests and are subjected to code reviews and approval before being merged into the master and production branches.
  • Akuity uses GitHub and Dependabot to automatically create pull requests to update outdated dependencies.
  • Akuity uses static source code analysis tools like SonarCloud to analyze source code changes to identify potential code quality issues or security weaknesses.
  • Akuity uses Sentry to track errors in the web and backend services.

External security testing

In addition to our internal security scanning and testing program, Akuity employs third-party firms to conduct extensive penetration tests of all applications and cloud infrastructure on a regular basis. Findings from these penetration tests are prioritized, triaged, and remediated by Akuity’s engineering team. Akuity also runs weekly automated penetration testing against our websites to ensure we are always staying on top of new threats.

Infrastructure and network security

Transport security

Akuity requires the use of TLS to secure the transport of data, both on the internal network between services and on the public network between the Akuity applications and the Akuity cloud infrastructure. Akuity’s TLS configuration requires at least TLS version 1.2 and the use of strong cipher suites, which support important security features such as Forward Secrecy.

External attack surface

Akuity only exposes public (web) applications and APIs to the public internet. All other services are only available on the internal network and accessible by employees using a VPN. The external attack surface is monitored for changes by a third-party service.

Network segmentation

Network segmentation is a foundational aspect of Akuity’s cloud security strategy. Akuity achieves segmentation boundaries at various layers of its cloud infrastructure. Akuity uses a multi-account strategy within AWS to isolate production, development, test environments, and domains such as logging, security, and marketing. Within AWS, Akuity uses VPCs, security groups, network access control lists, and subnets to isolate services further.

Intrusion detection and prevention

Akuity maintains an extensive centralized logging environment in which network, host, and application logs are collected at a central location. Akuity has also enabled detailed audit trails with critical service providers like Google Workspace, GitHub, and AWS (CloudTrail). These logs and audit trails are analyzed by automated systems for security events, anomalous activity, and undesired behavior. If any suspicious activity is observed, our engineering team is alerted, and they will review and prioritize the issues to ensure they are resolved within our specified SLAs.

Organizational security

Security training

All new hires must attend the security awareness training as part of their onboarding. All employees are required to attend the annual security awareness training. Akuity engineers must attend an annual security training designed specifically for engineers.

Asset inventory

Akuity maintains an accurate and up-to-date inventory of all its networks, services, servers, and employee devices. Access to Akuity customer data is provided on an explicit need-to-know basis and follows the principle of least privilege. Customer data is audited and monitored by the security team. All Akuity employees have signed a non-disclosure agreement.

Security incident management

The security team at Akuity aggregates logs and audit trails from various sources at a central location and uses tools to analyze, monitor, and flag anomalous or suspicious activity. Akuity’s internal processes define how alerts are triaged, investigated, and, if needed, escalated. Both customers and non-customers are encouraged to disclose any potential security weaknesses or suspected incidents to Akuity Security.

Information security policies

Akuity maintains several information security policies that form the basis of our information security program. All Akuity employees are required to review these policies as part of their onboarding. These security policies cover the following topics and are available to our customers on our Trust page.

Background Checks

Akuity conducts background checks for all new hires, including verification of the following:

  • Identity verification
  • Global watchlist check
  • National criminal records check
  • County criminal records check
  • (U.S. only) Sex offender registry check

Operational security

Backups and disaster recovery

All Akuity customer data is stored redundantly at multiple AWS data centers (availability zones) to ensure availability. Akuity has well-tested backup and restoration procedures in place, allowing quick recovery in the case of single data center failures and disasters. Customer data is continuously backed up and stored off-site (at a secondary AWS region). The restoration of backups is fully tested each quarter to ensure that our processes and tools work as expected.

Endpoint security

Akuity exclusively uses Apple MacBook devices. These devices are all centrally managed through the internal mobile device management solution, which allows us to enforce security settings such as full disk encryption, network and application firewall, automatic updates, screen time-outs, and anti-malware solutions.

Risk management and assessment

Akuity performs periodic risk analysis and assessment to ensure that our information security policies and practices meet the requirements and applicable regulatory obligations.

Contingency Planning

The Akuity operations team includes service continuity and threat remediation among its top priorities. We keep a contingency plan in case of unforeseen events, including risk management, disaster recovery, and customer communication sub-plans that are tested and updated on an ongoing basis and thoroughly reviewed for gaps and changes at least annually.

Enterprise security

Akuity Enterprise includes all our general security measures, plus additional features and enhancements to provide even more customization and privacy.

Single sign-on (SSO)

Akuity supports single sign-on (SSO) for Enterprise customers. Using the customer’s existing identity management solution, Akuity provides an easy and secure way for companies to manage their team members’ access. Akuity supports identity providers like Google Workspace, Azure Active Directory, and Okta. Akuity also supports both SAML and OAuth-based OpenID Connect.

Role-based access control (RBAC)

Akuity supports role-based access control, which means the access of team members within an organization is dictated by their role (member, administrator, or owner). Administrators can assign team members specific roles or revoke access using the Akuity account dashboard.

Email Security

The Akuity service includes email notifications. Sender Policy Framework (SPF) is a system to prevent email address spoofing and minimize inbound spam. We have SPF records set through AWS Route 53, our domain name service (DNS), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) set up for monitoring reports to prevent the possibility of phishing scams. Akuity users can see the TXT records on _dmarc.akuity.io and akuity.io:

$ dig _dmarc.akuity.io TXT +short
"v=DMARC1;p=none;sp=none;adkim=r;aspf=r;pct=100;fo=1;rua=mailto:4v9sefpm@ag.us.dmarcian.com;ruf=mailto:4v9sefpm@fr.us.dmarcian.com;"
$ dig akuity.io TXT +short | grep spf
"v=spf1 include:_spf.google.com include:amazonses.com include:21537535.spf10.hubspotemail.net include:mailer.shopifyemail.com ~all"
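The tags in these two records can be read programmatically. The following is an added example, not Akuity's code: it parses the record strings copied from the dig output above and reports the DMARC policy, alignment modes and report address, plus the SPF includes and the result of the `all` mechanism. The function names are illustrative.

```python
# Added example. Record strings are copied from the dig output on this page.
DMARC_TXT = ("v=DMARC1;p=none;sp=none;adkim=r;aspf=r;pct=100;fo=1;"
             "rua=mailto:4v9sefpm@ag.us.dmarcian.com;"
             "ruf=mailto:4v9sefpm@fr.us.dmarcian.com;")
SPF_TXT = ("v=spf1 include:_spf.google.com include:amazonses.com "
           "include:21537535.spf10.hubspotemail.net "
           "include:mailer.shopifyemail.com ~all")
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_dmarc(txt):
    """Split a DMARC record into tag/value pairs and summarize the policy."""
    tags = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC1 record")
    policy = tags["p"].lower()
    rua = tags.get("rua", "")
    return {
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy).lower(),
        # Only quarantine/reject ask receivers to act on failing mail.
        "enforcing": policy in ("quarantine", "reject"),
        "strict_dkim": tags.get("adkim", "r").lower() == "s",
        "strict_spf": tags.get("aspf", "r").lower() == "s",
        "aggregate_reports": [u.strip() for u in rua.split(",") if u.strip()],
    }


def parse_spf(txt):
    """Return the include targets and the result of the 'all' mechanism."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    includes, all_result = [], None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech.startswith("include:"):
            includes.append(mech[len("include:"):])
        elif mech == "all":
            all_result = SPF_QUALIFIERS[qualifier]
    return {"includes": includes, "all": all_result}

if __name__ == "__main__":
    print(parse_dmarc(DMARC_TXT), parse_spf(SPF_TXT))
```

For the records shown, the DMARC policy is `none` with relaxed alignment, so receivers are asked only to send reports, and the SPF `all` mechanism yields a softfail for senders outside the four included domains.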

Security vulnerability disclosure

If you want to disclose a potential security vulnerability or have concerns about an Akuity product, please contact security@akuity.io. Please include a description of the security vulnerability, steps to reproduce, and the impact the vulnerability may have.