This Privacy Policy outlines the policies and procedures for the collection, use, and disclosure of information when you use Agency Click’s services. This document explains your privacy rights and describes how the law protects you. Agency Click uses your personal data to deliver and enhance its services. By using Agency Click’s services, you consent to the collection and utilization of information per this Privacy Policy.
Security Policy
1. Purpose, Scope, and Organization
This document defines the behavioral, procedural, technical, and governance controls related to security at Agency Click that all personnel are required to implement to ensure the confidentiality, integrity, and availability of Agency Click’s service and data. This policy applies to:
- All employees, contractors, consultants, and any third parties providing services to Agency Click.
- Management of all systems (hardware and software) used to create, store, access, process, or transmit data for Agency Click, including those owned by Agency Click and systems connected to networks controlled by Agency Click or used in service to Agency Click’s business, including third-party providers.
- Situations where Agency Click has a legal, contractual, or fiduciary obligation to protect data or resources under its control.
In case of conflicts, the stricter security measure shall apply.
1.1. Governance and Evolution
This Security Policy has been developed with input from and approval by Agency Click’s executive leadership. It is reviewed annually and updated to ensure clarity, relevance, and alignment with industry best practices and evolving security requirements, safeguarding both customer and personnel interests.
1.2. Security Team
Agency Click’s Security Team is responsible for implementing and enforcing this policy, covering:
- Provisioning, maintenance, and retirement of corporate resources.
- Service development and operation concerning security, privacy, and reliability.
- Risk assessment, vulnerability management, and incident response.
- Security training and controls for personnel.
1.3. Risk Management Framework
The Security Team manages a Risk Management Framework based on the NIST SP 800-39 and NIST SP 800-30 standards. This framework assists in assessing, prioritizing, and responding to risks. It includes:
- Developing response plans for identified risks.
- Identification of potential threats.
- Evaluation of control effectiveness and current risk severity.
2. Personnel and Office Environment
Agency Click prioritizes protecting its customers, personnel, and partners. The security-focused culture emphasizes openness, integrity, and trust. Personnel behaviors play a critical role in maintaining data security, which is outlined in this policy and supplemented by the Employee Handbook.
2.1. Work Behaviors
Personnel are the first line of defense for data security. Required behaviors include:
- Training: Annual security awareness and data handling training for all employees and contractors.
- Unrecognized Persons and Visitors: Physical security must be maintained. Challenge unrecognized individuals in restricted areas and report suspicious behavior to security.
- Clean Desk: Sensitive information should be secured at the end of the day.
- Unattended Devices: Devices should be locked when unattended, with a screen lock activating after 15 minutes of inactivity.
- Use of Corporate Assets: Agency Click’s systems and hardware are for business purposes. Only Agency Click-approved software may be used on company devices.
- Removable Storage and Backups: Use of removable storage, like USB drives, is prohibited. Employees must store data on secure, company-approved cloud storage to ensure recoverability in case of device loss.
Prohibited Activities
Certain activities are strictly prohibited unless authorized by the Security Team as part of job responsibilities. Prohibited activities include, but are not limited to:
- Engaging in illegal activities on Agency Click’s resources.
- Unauthorized use or copying of copyrighted material.
- Introducing malicious software or compromising network security.
- Port scanning or security scanning outside authorized roles.
- Unauthorized network monitoring or circumvention of user authentication.
- Subverting security features of company-managed devices.
2.2. Personnel Systems Configuration, Ownership, and Privacy
Agency Click’s security team manages personnel devices through Mobile Device Management (MDM) software, enforcing configurations, encryption, and other security policies remotely.
- Data and Device Encryption: All devices must have full-disk encryption to safeguard data in case of device loss, using technologies such as Apple FileVault 2 or comparable standards.
This Security Policy ensures that all members of Agency Click adhere to these standards to protect the company, its partners, and its clients effectively.
2.3. Human Resources Practices
Background Checks
Background checks are conducted for personnel with access to production infrastructure before their start date. Results may affect security privileges or employment offers, or may result in termination of employment.
Training
A security awareness program is delivered annually to ensure all personnel understand their obligations. Key personnel responsible for maintaining security receive additional, technical training.
Termination Procedures
Upon termination or resignation, the security team, with HR, ensures the secure disablement of accounts, credentials, and access for outgoing personnel.
2.4. Physical Office Environment
Controlled Access
Agency Click offices are secured through staffed front offices and programmable door controls, keeping all doors locked unless temporarily unlocked by security for specific needs. Internet-based security cameras record ingress and egress, and footage is stored off-site.
2.5. Office Network
Network Access and Security
Devices connect to the internet via secured Ethernet and WPA2 Wi-Fi. Networking equipment is secured in a locked closet, accessible only to the security team, with additional access granted by approval. A network firewall blocks all WAN-sourced traffic, with no WAN-hosted services in the office environment.
3. Personnel Identity and Access Management
3.1. User Accounts and Authentication
Each employee has a unique G Suite user account with a unique, strong password and two-factor authentication (2FA). Logins are allowed only from managed devices. Flozy uses Google’s account management system, which detects suspicious login attempts and locks accounts after repeated failed login attempts. Third-party authentication is delegated to G Suite when available, or otherwise managed securely with strong passwords and 2FA.
3.2. Access Management
Agency Click enforces least privilege access through role-based access controls (RBAC) managed with Google’s organizational tools. Browser use for accessing corporate data is restricted, and only specific browser extensions are allowed on a whitelist basis.
3.3. Account Revocation
User accounts are immediately revoked upon personnel separation, and a quarterly audit is performed to revoke inactive accounts.
3.4. Access Reviews
Access control policies are reviewed regularly to refine access permissions, with additional reviews triggered by changes in personnel roles.
4. Provenance of Technology
4.1. Software Development
Source code and configuration files are stored in private GitHub repositories, and code commits undergo both static analysis and code reviews. Security-sensitive modules receive additional scrutiny, and sensitive data is protected with hashing and encryption.
4.2. Configuration and Change Management
Configurations for systems and services, whether internal or third-party, are documented and reviewed annually. Configuration changes are documented, and risk-based controls, such as encryption, malware detection, and event logging, are required.
4.3. Third-Party Services
Agency Click’s compliance team reviews third-party services annually to verify alignment with company security standards. AWS services are used for infrastructure, with all data center security managed according to AWS’s security policies.
5. Data Classification and Processing
5.1. Data Classification Levels
Agency Click defines four levels of data confidentiality: Confidential, Restricted, Internal, and Public, each with its own access controls and encryption requirements.
5.2. Employee Access to Customer Data
Employee access to customer data is strictly controlled, allowed only under specific conditions, and is logged for auditing purposes. No customer data is used in development environments.
5.3. Customer Access
Agency Click provides interfaces for customers to access their data securely.
5.4. Google Workspace APIs Usage
Agency Click’s use of Google Workspace APIs is limited to intended service purposes and does not involve generalized AI or ML model training.
5.5. Data Encryption
All data is protected in transit with TLS 1.2 and at rest with AES-256, using KMS with key rotation.
5.6. Data Retention and Deletion
Upon service expiration, Agency Click will delete customer data from its systems as soon as legally permitted.
5.7. Data Disposal
Data-bearing media is securely decommissioned according to AWS policies, following NIST 800-88 guidelines.
6. Vulnerability and Incident Management
6.1. Vulnerability Detection
Agency Click uses automated scanning tools and annual third-party penetration testing to identify vulnerabilities, along with static code analysis for each commit. Detected vulnerabilities are prioritized based on risk using the CVSS and remediated according to severity.
6.2. Incident Response
Agency Click has an Incident Response Plan that includes monitoring and alerts, containment procedures, and forensic analysis to address incidents. High-severity incidents trigger immediate containment.
6.3. Post-Incident Review
After each incident, Agency Click performs a post-incident review to identify improvements for future response. Training is provided annually to the security team to ensure personnel are prepared for incidents.
6.4. Vendor Coordination
Agency Click coordinates with third-party vendors when incidents involve external systems and conducts regular vendor security audits.
7. Business Continuity and Disaster Recovery
7.1. Availability and Resiliency
Agency Click services are configured to withstand long-term outages of individual servers, availability zones, and geographic regions. The infrastructure and data are replicated across multiple geographic regions to ensure high availability. Availability and status information can be found at status.agencyclick.com.
7.2. Disaster Recovery
Agency Click targets a near-zero Recovery Point Objective (RPO) for at least the most recent 7 days; beyond that period, the RPO may extend up to 24 hours.
Due to the distributed nature of services, Recovery Time Objectives (RTO) are near-zero for geographic disasters. For systemic disasters involving data recovery, the targeted RTO is 6 hours.
Backup and recovery processes are tested at least on a monthly basis to ensure effectiveness.
7.3. Business Continuity, Business Risk Assessment, and Business Impact Analysis
Agency Click’s risk assessment committee conducts business risk assessments and business impact analyses for each Key Business System used by the organization. The results of ongoing risk assessments will inform updates or the creation of recovery plans for these Key Business Systems and will help prioritize systems in relation to other critical systems.
Distribution, Relocation, and Remote Work
Agency Click prioritizes policies, tools, and equipment that enable independent, distributed remote work for all staff in case of emergencies or disasters. If the organization’s primary work site becomes unavailable, staff can work from home, or management will designate an alternate work site.
Notification and Communication
Agency Click has established internal communication protocols using secure, distributed providers that employ industry-standard security measures. Staff and management will be notified through existing channels during any emergency events or when any data recovery plan is initiated or deactivated.