Jim, Please contact me off list. I'd be happy to share our SOC3 and answer any additional questions you may have. I can also put you in touch with other Agari customers who had similar concerns but overcame them.
John Wilson On Tue, Feb 16, 2016 at 8:31 AM, jim c via dmarc-discuss < dmarc-discuss@dmarc.org> wrote: > I work for an organization that has fairly stringent security requirements > regarding where our data is stored. We recently moved towards DMARC, and > are working with Agari. > > One of the things that Agari does - essentially the most important - is > receive and analyze any forensic data returned. The issue that we've > noticed is that the forensic data is the entirety of the email. It isn't > just header info, but contains the entire message text, along with > attachments. This means that any externally-bound valid email that is > mistakenly marked as a failure will have forensic data - ie the entire > email - sent to Agari. They will house the emails on their internal > servers, wherever their data center is. These emails are available for > only 14 days....however, they cannot tell me how long their system backups > are stored. It wouldn't matter if they could, as we have no way of > auditing their security measures, enforcing requirements, validating > encryption, backup storage security, etc. > > Agari advertises as a cloud service, yet they are not Fedramp'd, which I > believe should put them out of consideration for most federal agencies, > considering accidental disclosure of classified data via email, if flagged > as a failure via DMARC, would cause the email and hence the sensitive data > to be house outside of any government system. If Agari's systems were be > to hacked, all of this data would be available - and again, they are not > Fedramp'd, which ostensibly certifies their compliance with federal > security requirements. > > Does anyone know if this issue has been discussed before (I couldn't find > it), and how any of you out there that may work at organizations with > similar security concerns, have dealt with this issue? > > _______________________________________________ > dmarc-discuss mailing list > dmarc-discuss@dmarc.org > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well > terms (http://www.dmarc.org/note_well.html) > -- *John Wilson, Field CTO* jwil...@agari.com l M: 650.996.5848 l www.agari.com *Changing Email Security For Good.* <http://www.google.com/url?q=http%3A%2F%2Fwww.agari.com&sa=D&sntz=1&usg=AFrqEzd4mZ00_sT0PTWz6Ol1KrgLNpsu8w> *l* <http://www.google.com/url?q=http%3A%2F%2Fwww.facebook.com%2Fpages.agari&sa=D&sntz=1&usg=AFrqEzenk5sOQNv2kVpEwPOZa1rCMY7U1w> <http://www.google.com/url?q=http%3A%2F%2Fwww.twitter.com%2Fagariinc&sa=D&sntz=1&usg=AFrqEzcauu14S4nXj_fNJqbceMWl8MuvfA> <http://www.google.com/url?q=http%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fagari&sa=D&sntz=1&usg=AFrqEzfp5UPxXBRo5sHX9u4uEwTalrUpEw> <https://plus.google.com/102166045743309741150/about>
_______________________________________________ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
