AgencyOS

Security

Protecting your agency's data is fundamental to everything we build.

AgencyOS is built for creative agencies that manage sensitive client work, proprietary assets, and confidential business data. We take a defense-in-depth approach to security, applying protections at every layer of our infrastructure and application.

Data Encryption

All data transmitted between your browser and AgencyOS is encrypted using TLS 1.2 or higher. We enforce HTTPS on all connections with HSTS headers to prevent protocol downgrade attacks.

Data at rest is encrypted using AES-256 encryption across all storage systems, including databases, file storage, and backups. Encryption keys are managed through our infrastructure providers' key management services and are rotated regularly.

Infrastructure

AgencyOS is hosted on trusted, enterprise-grade cloud infrastructure with automatic DDoS protection, edge caching, isolated serverless execution environments, encryption at rest, point-in-time recovery, and isolated tenant data.

All infrastructure providers maintain SOC 2 Type II compliance and undergo regular third-party security audits.

Access Controls

AgencyOS implements role-based access control (RBAC) at the application level, allowing organizations to assign granular permissions to team members. Administrative functions, including user management, billing, and organizational settings, are restricted to authorized roles.

On the engineering side, access to production systems is restricted to authorized personnel, requires multi-factor authentication, and follows the principle of least privilege. All access to production data is logged and auditable.

Authentication

AgencyOS authentication provides:

  • Secure password hashing with bcrypt
  • Multi-factor authentication (MFA / 2FA) support
  • Session management with automatic expiration
  • Brute-force and credential-stuffing protection
  • OAuth and SSO integration capabilities

Organization administrators can enforce authentication policies for their team, including requiring multi-factor authentication.

Data Isolation

Each organization's data is logically isolated within our database. Access control checks are enforced at the query level to prevent cross-tenant data access. All API requests are authenticated and authorized before any data is returned.

Compliance

SOC 2 Type II: We are currently pursuing SOC 2 Type II certification. Our infrastructure providers each maintain their own SOC 2 Type II compliance.

GDPR: We process data in compliance with the General Data Protection Regulation for users in the European Economic Area. See our Privacy Policy for details on data processing, transfers, and user rights.

CCPA: We comply with the California Consumer Privacy Act. We do not sell personal information.

Incident Response

We maintain an incident response plan for security events. In the event of a data breach or security incident that affects Customer Data, we will notify affected customers within 72 hours of confirmation, in accordance with applicable laws and regulations.

Responsible Disclosure

We value the work of security researchers and welcome responsible disclosure of vulnerabilities. If you discover a security issue in AgencyOS, please report it to us privately:

Security Contact

Email: security@aio.fm

When reporting, please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any relevant screenshots or proof-of-concept code

We ask that you:

  • Allow us reasonable time to investigate and address the issue before public disclosure
  • Do not access, modify, or delete data belonging to other users
  • Act in good faith and avoid actions that could disrupt the platform or harm other users

We commit to acknowledging your report within 2 business days and will work with you to understand and resolve the issue. We will not take legal action against researchers who follow this responsible disclosure policy.

Questions

For security inquiries, contact security@aio.fm. For general questions, visit our Contact page.