Data Security

Infrastructure Security

Agilify is hosted on Amazon Web Services (AWS) in the AP-Southeast-1 region (Singapore). AWS maintains SOC 2, ISO 27001, and PCI DSS certifications for its infrastructure. We leverage AWS security features including Virtual Private Cloud (VPC) isolation, security groups, WAF (Web Application Firewall), and DDoS protection via AWS Shield.

Data Encryption

At Rest

All Customer Data stored in Agilify databases and object storage is encrypted using AES-256. Encryption keys are managed via AWS Key Management Service (KMS) with automatic annual rotation.

In Transit

All data transmitted between your browser/app and Agilify servers is protected by TLS 1.2 or higher. We enforce HTTPS across all endpoints and reject unencrypted connections. Our SSL certificates are renewed automatically.

Access Control

• Role-based access: Granular roles (owner, admin, staff, viewer) ensure employees only access data relevant to their function.
• Multi-factor authentication (MFA): Available for all accounts; recommended for admin users.
• Session management: Sessions expire after inactivity. Concurrent logins are monitored.
• Internal access: Agilify staff access to Customer Data is restricted to authorized personnel for support purposes only, and is logged.

Application Security

• Regular vulnerability scanning and dependency audits.
• OWASP Top 10 protections built into our development process.
• Input validation and parameterized queries to prevent SQL injection and XSS.
• Rate limiting and brute-force protection on all authentication endpoints.
• Security patches applied within 72 hours of critical vulnerability disclosure.

Backups and Recovery

Customer Data is backed up automatically every 24 hours. Backups are stored in a separate AWS region and retained for 30 days. We conduct quarterly restore drills to verify backup integrity. Our Recovery Time Objective (RTO) is 4 hours and Recovery Point Objective (RPO) is 24 hours for standard incidents.

Payment Security

Agilify does not store card numbers or sensitive payment credentials. All payment processing is handled by PCI DSS Level 1 certified providers (Midtrans and Xendit). Payment data flows directly between you and the payment processor and never touches our servers.

Employee Security

• All Agilify employees sign confidentiality agreements.
• Access to production systems follows the principle of least privilege.
• Internal access to Customer Data requires explicit authorization and is audit-logged.
• Security awareness training is conducted annually for all staff.

Incident Response

In the event of a security incident that affects your data, we will:

• Notify affected customers within 72 hours of confirming a breach, as required by UU PDP.
• Provide a clear description of what data was affected and the steps we are taking.
• Work with you to mitigate any potential impact.
• Publish a post-incident report for significant incidents.

To report a suspected security vulnerability, email info@agilify.id with the subject line "Security Report". We will respond within 24 hours.

Compliance

Agilify is designed to help you comply with:

• UU PDP (No. 27/2022): Indonesia's Personal Data Protection Law.
• UU ITE: Indonesia's Electronic Information and Transactions Law.
• PP PSTE: Government Regulation on Electronic System and Transaction Operators.

We are committed to maintaining compliance as Indonesian data protection regulations evolve.

Questions

For security questions or to report a vulnerability:
Email: info@agilify.id
WhatsApp: +62 851 2190 9109