Argo Fortis Trust
At Argo Fortis, we recognize the critical role we play in the cyber supply chain. We are committed to being the strongest link in this chain, proactively safeguarding our clients’ assets and data against evolving threats. By partnering with us, you can rest assured that your organization is fortified against cyber risks, enabling you to focus on your core business objectives.
Data Management and Cybersecurity at Argo Fortis
The following is an attestation of cybersecurity, data protection, and data privacy policies, procedures, and requirements for Argo Fortis, including client service delivery and the internal organization.
COMPLIANCE
Argo Fortis maintains an information security management system (ISMS) in accordance with the requirements found within the ISO/IEC 27001 standard.
ISO/IEC 27001:2013
ISO 27001 is an information security standard originally published in 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). In September 2013, ISO 27001:2013 was published, and it supersedes the original 2005 standard. ISO 27001 is a globally recognized, standards-based approach to security that outlines requirements for an organization’s information security management system (ISMS).
CYBERSECURITY
Audit Logs
Argo maintains administrative logs as well as logs for account establishment and modifications, including adding or removing users, segments, sources, and destinations. Argo’s customers may obtain logs of internal Argo matters related to internal changes to the state of their respective Argo accounts. Common changes are CRUD Operations (Create, Update, Delete) of Accounts, Admin User, etc.
Multi-Factor Authentication
Argo makes it easy for you to add multi-factor authentication to your Argo account login process to bolster account security.
Role-Based Access Control (RBAC)
Customer account administrators can easily add and remove account users. Argo has various defined user roles with respective permissions.
Secure Transmission and Sessions
Connection to the Argo environment is via SSL/TLS cryptographic protocols, using global step-up certificates, ensuring that our users have a secure connection from their browsers to our service. Individual user sessions are identified and re-verified with each transaction, using a unique token created at login or similar controls.
DATA SECURITY
Data Encrypted At-Rest
Data is encrypted at-rest using AES-256.
Data Encrypted In-Transit
We encrypt data in transit using HTTPS/TLS. The TLS version supported is currently TLS 1.3 or newer.
Password Encryption
Users’ account passwords are encrypted and hashed with the SHA-256 algorithm.
PRIVACY
Privacy Policy
Argo Fortis is concerned about your privacy and the security of your organization’s information. This page is designed to inform you as to the type of information we collect from you, how we use this information, and how you can control the use of this information.
We specifically do not collect any personally identifiable information from children under thirteen.
The applicable services are restricted to users from the United States and are not intended to be governed by the privacy policies of the European Union. Users from the European Union are asked not to disclose any personally identifiable information on this site.
What We Collect
In the course of providing you with managed services, we may request that you supply us with personal information, including your name, e-mail address, site registration, etc.
We use the information you supply for legitimate business purposes. The information we compile may be supplied to third parties only for the purpose of managed service delivery, and it contains no personally identifiable information.
Disclosure of Your Information
We will not disclose your information to third parties without your consent unless it is required by law enforcement or pursuant to a government investigation. We do not sell, rent, or transmit your information to third parties.
Protection of Your Information
When you provide information to Argo Fortis, we offer the use of secure services to ensure data confidentiality. Please utilize the proper channels to send sensitive information. If you have questions regarding the procedure for sharing sensitive information, contact the operations center via email at support@argofortis.com.
Links to Other Sites
Our managed service portal may contain links to other sites. While we make every effort to only link to sites that have high standards and respect the privacy of users, we cannot be responsible for the content and privacy policies of the sites we are linking to.
Data Retention Policy
Argo retains customer data in accordance with customer instructions contained in their respective services agreements. Following customer account termination, access is removed, and the customer data associated with the account is logically deleted and then overwritten. When media that hosted customer data is no longer useful, it is destroyed in compliance with NIST SP 800-88 Revision 1, Guidelines for Media Sanitization, and DoD security guidelines.
Data Removal Requests
Customers can request data removal by contacting Argo’s operations center. Any data removal request received from a data subject associated with a customer will be referred to the customer in question. For any concerns, requests, or to exercise your data protection rights, please contact: support@argofortis.com.
Data Protection Officer (DPO)
Our appointed Data Protection Officer is responsible for ensuring that all our data protection measures are up to date and that all procedures are followed. The DPO works with experienced security professionals (CISO, CISM, CRISC, CISSP, CISA, CIPM, CEH, CIPP/E, CDPSE).
INCIDENT MANAGEMENT AND RESPONSE
Data Breach Notification
In the event of any actual or reasonably suspected information security breach or other incident affecting the security or integrity of your data, Argo will adhere to the policies defined in the Argo Information Security Incident Response Plan and will notify you in accordance with applicable law.
Incident Response Plan (IRP)
Argo operates a formal security incident management process under a related policy and procedure. Escalation procedures exist to ensure the timely communication of any security incident through the management chain and to any affected customers without undue delay.
Availability And Reliability
Our infrastructure is divided into multiple, geographically dispersed facilities in data centers designed for maximum security and availability. All locations employ industry best practices, including badge and biometric access entry systems, redundant power sources, redundant air conditioning units, and fire suppression systems. Security personnel and cameras monitor these locations 24 hours a day, 365 days a year. Only authorized personnel are allowed inside these data centers, and all visits are logged.
Denial of Service (DoS) Protection
Argo has deployed Cloudflare Security Services for Web Application Firewall, Denial of Service protection, and Content Delivery Network services.
Quality Assurance Testing
Argo follows a change management process for changes to the production environment. All code changes must undergo a peer code review and include automated unit, functional, and security testing. Testing is performed after deployments to validate application functionality. If validation fails, the application is rolled back to its previous version.
Service Monitoring
Argo uses Sumo Logic Log Analytics and application insights to monitor its systems to detect service-related issues. The Argo team is alerted 24/7 when the threshold criteria are exceeded.
ORGANIZATIONAL CYBERSECURITY
Confidentiality Agreements
Our service agreements provide for the confidential treatment of confidential customer information, including customer data. We require all our employees, contractors, and vendors to sign confidentiality agreements to ensure the absolute protection of confidential information.
Employee Security Training
We train all new employees about their confidentiality, privacy, and information security obligations as part of their onboarding training. A compulsory annual security and privacy training ensures employees refresh their knowledge and understanding. Engineering teams receive further training related to their work duties and access.
Employee Workstations Automatically Locked
Our employee workstations are automatically locked after a pre-determined period of non-use via the MDM system we have implemented.
Employee Workstation Encryption
All employee workstations are encrypted, and they are wiped at decommissioning in accordance with DoD standards.
Limited Employee Access (Principle Of Least Privilege)
Argo follows the principle of “least privilege” in governing employee access to our systems. Access to our customers’ data is limited to legitimate business needs, including activities needed to support our customers’ use of our services. We map network accounts directly to our employees using a unique identifier; generic administrative accounts are not used. We periodically review employee access to internal systems to ensure that employees’ access rights and patterns are in line with their current positions. A formal employee termination notification process exists, which is initiated by our Human Resources (“HR”) department. Upon notice by HR, all physical and system accesses are promptly revoked.
Physical Access Control
Argo has implemented appropriate controls to restrict physical access to its offices. Our cloud service providers have implemented robust security measures to control physical access to the data processing facilities we use.
Secure Remote Network Access
Argo’s employee workstations use Zero Trust controls to provide end-to-end network encryption, layered security, and identity and access management with MFA, in order to provide a private, secure connection both to the internet and to Argo’s work-related network assets. All remote connections are monitored regularly, and employees are alerted if they are disconnected from the network or if any other security notifications are triggered.
Secure Data Storage And Transfer
To ensure data is stored, received, and transferred between workstations in a secure manner, Argo employees use vaults.
Password Manager
Argo understands the importance of managing user passwords and has implemented a secure, company-wide password management system to protect and manage employee and organizational passwords.
BUSINESS CONTINUITY
Business Continuity Plan
Argo has implemented an integrated Business Continuity and Disaster Recovery Policy and maintains related plans under the policy. Please see the text under ‘Disaster Recovery Plan’ for more information on this topic.
Disaster Recovery Plan
Argo maintains essential disaster avoidance, readiness, and recovery planning capabilities through the use of multiple geographically dispersed data centers, our platform architecture, offsite data backup, and remote access capabilities. We also maintain a Business Continuity and Disaster Recovery Policy and related plans and test them on a regular basis.
Data Backups
Argo stores all customer data on systems on which incremental backups are performed daily and all backups are stored offsite.
Multi-Tenant Architecture
Argo provides its subscription services using a multi-tenant architecture with the data in each customer account logically separated from other accounts. The data is encrypted at-rest using AES-256.
THREAT MANAGEMENT
Penetration Testing
We have an independent, third-party security vendor who conducts manual penetration testing of our internal and external infrastructure and services on a quarterly basis. This manual testing is complemented by automated testing using a variety of commercially available testing tools executed monthly.
Vulnerability Scanning
Argo uses several automated scanning tools to scan frequently for both infrastructure and application security vulnerabilities. Scans are applied to every code build and prior to code merges.
Requesting Argo Customer Details
Argo’s customer data and privacy are of utmost importance and are handled in accordance with our Privacy Policy. For that reason, Argo is not able to provide any information about any of its users or accounts without a court order, subpoena, or another form of a legal process.
Subprocessor List
Please contact support@argofortis.com for a comprehensive list of subprocessors utilized in conjunction with services we provide.
