
Overview

The Shared Responsibility Model is a security and compliance framework that outlines the responsibilities of providers and customers for operating cloud environments.

In its simplest terms, the providers must monitor and respond to aspects related to the cloud itself and its underlying infrastructure. Meanwhile, customers, including individuals and companies, are responsible for their data, applications and other assets they store in any cloud environment.

Unfortunately, this notion of shared responsibility can be misunderstood, leading to the assumption that cloud workloads – as well as any applications, data or activity associated with them – are fully managed by providers.

This document helps Agora customers determine how responsibility is distributed among Denodo, the Customer, and the Cloud Service Provider (CSP), such as AWS or Azure.

For the avoidance of doubt, it is important to clarify that Agora is divided into two parts: a Control Plane and an Execution Plane. The Control Plane runs in the Denodo cloud (i.e. a Denodo cloud account in the CSP), while the Execution Plane runs in the Customer’s own cloud account. This ensures that the Customer’s data always resides in the Customer’s environment and under the Customer’s control.

Service Provisioning

Denodo Responsibilities | Customer Responsibilities | CSP Responsibilities

Provision of the Control Plane (under Denodo’s cloud account).

Launch and monitoring of the provision of the Execution Plane (under the Customer’s cloud account).

Manage the Customer’s Organization and Subscription(s) in Agora.

Provide access to the Customer cloud account in the CSP for deploying the Execution Plane by Agora.

Provide access to the Customer data sources and data consumers in the CSP, another CSP or on-premises.

Manage the Denodo Platform environments in the Execution Plane, including environment creation, update, and deletion, and cloud resource access.

Start/stop the Denodo Platform environments in the Execution Plane.

Provision of the physical/virtual infrastructure (servers, storage, network) needed for running both the Control Plane (under Denodo’s cloud account) and the Execution Plane (under the Customer cloud account).

 

Platform Security

Denodo Responsibilities | Customer Responsibilities | CSP Responsibilities

Secure the Agora Control Plane.

Utilize industry standards to harden images and operating systems deployed under Denodo’s control.

Deliver secure, high-quality, compliant software for the Control Plane.

Maintain the Control Plane with updated code and images.

Perform vulnerability scans periodically.

Secure the Agora Execution Plane.

Update the Denodo Platform environments in the Execution Plane to deploy the latest patches, images and code (in accordance with the Customer patch management policies).

Maintain the security of CSP’s infrastructure.

Maintain a security management program that maintains reasonable security measures to protect Customer data and the services needed for running both the Control Plane (under Denodo’s cloud account) and the Execution Plane (under the Customer cloud account).

Identity and Access Management

Denodo Responsibilities | Customer Responsibilities | CSP Responsibilities

Support role-based access privileges and data access policies to manage access to Agora’s data and platform features with fine granularity.

Use industry best practices to authenticate Denodo’s personnel in Agora.

Set Denodo’s employee privileges consistent with least privilege principles.

Limit access to systems processing Customer data to employees with roles that warrant access. 

Secure interactions with the customer-managed cloud account IAM Security.

Manage the Customer’s users and roles in Agora, and determine role membership for each user, including the admin role. 

Utilize role-based access control and data access policies to limit data access according to the least privilege principle.

Implement access management best practices for the Customer’s users in Agora, like regular user access audits (at least every 6 months), password rotation, etc. Review roles, policies, privileges, and data ownership at user onboarding and offboarding.

For Customers in regulated industries that require compliance with regulations such as HIPAA or PCI-DSS, implement data access policies in accordance with those regulations, specifically to avoid production data being transferred through the Control Plane.

Maintain access controls required to restrict access to authorized Denodo and Customer resources.

Restrict CSP’s employee access to the Denodo and Customer resources.

Data Security

Denodo Responsibilities | Customer Responsibilities | CSP Responsibilities

Implement encryption at rest (TDE) and in transit (TLS and HTTPS) in Agora.

Implement data redaction of Customer’s data in the logs generated by Agora.

Support fine-grained role-based access privileges and data access policies to manage access to Agora’s data and platform features.

Secure management of data source infrastructure, including encryption at rest when necessary. Data sources are managed and remain under the Customer’s control.

Secure connectivity to customer-managed resources (data sources and data consumers) from Agora.

Implement a semantic layer in Agora following the Denodo Platform best practices for securing data access.

Maintain encryption hardware and services.

Encrypt data at rest and in transit, where configured.

Maintain the confidentiality, integrity and availability of the data stored in the CSP’s infrastructure.

Network Security

Denodo Responsibilities | Customer Responsibilities | CSP Responsibilities

Separate the Control Plane (under Denodo’s cloud account) from the Execution Plane (under the Customer cloud account) using multiple layers of network security controls following CSP’s best practices.

Follow CSP’s best practices in creating secured virtual network environments.

Manage the security, bandwidth, and performance of network connections between the Execution Plane and the Customer (e.g. data sources, data consumers).

Maintain the physical and logical security of the cloud service networks.

Maintain secure network communications for cloud services, including cloud services endpoints or APIs.

Service Monitoring

Denodo Responsibilities | Customer Responsibilities | CSP Responsibilities

Implement monitoring for the Agora Control Plane.

Monitor the Agora Control Plane, including CSP’s infrastructure and services.

Implement monitoring for the Agora Execution Plane (Denodo Diagnostic and Monitoring Tool).

Monitor the Agora Execution Plane using the Denodo Diagnostic and Monitoring Tool.

 

Implement monitoring for the CSP’s infrastructure and services.

 

Security Monitoring

Denodo Responsibilities | Customer Responsibilities | CSP Responsibilities

Implement security detection capabilities, including those provided natively by the CSP.

Implement an incident response framework to manage and minimize the effects of unplanned security events.

Notify customers of security breaches in accordance with data protection laws and the Customer agreement.

Generate, secure and deliver an audit trail of the Customer's use of Agora.

Implement security monitoring for the Customer’s Organization and Subscription(s) in Agora.

Investigate and respond to potential security incidents in the Customer’s Organization and Subscription in Agora using the audit trail provided by Denodo.

Implement security monitoring of Customer’s employee access to Customer’s data through Agora.

Implement an incident response framework.

Monitor for security violations of the underlying CSP’s infrastructure and services.

Deliver audit logs for cloud service events based on customer configurations.

Implement an incident response framework.

Notify a customer of any security breach that impacts that customer.

Service Availability and Back-up

Denodo Responsibilities | Customer Responsibilities | CSP Responsibilities

Maintain availability of the Agora Control Plane. Show availability through the Agora Status page.

Maintain capacity of the Agora Control Plane.

Availability of the Execution Plane.

Configure the Execution Plane according to the Customer requirements, including prod and non-prod environments, high availability, capacity, auto-scaling, etc.

Develop and maintain a semantic layer in Agora to deliver unified data assets across the Customer’s organization.

Application backup (i.e. the semantic layer), including integration with the Customer’s Version Control System.

Manage CI/CD Pipeline integration.

Perform security reviews of your code, CI/CD Pipeline and Repo Integration.

Maintain availability of the CSP infrastructure.

Maintain capacity of the CSP infrastructure.

Disaster Recovery

Denodo Responsibilities | Customer Responsibilities | CSP Responsibilities

Disaster Recovery of the Control Plane.

Review Business Continuity and Disaster Recovery plans annually.

Conduct Business Continuity and Disaster Recovery drills annually.

Conduct periodic backups of the Control Plane.

Note: Denodo does not provide backup or disaster recovery for the Execution Plane or other customer resources (data sources or data consumers). Disaster Recovery plans and Control Plane backups are for resiliency purposes in the case of a critical systems failure.

Disaster Recovery of the Execution Plane.

Establish, and periodically review and test, your Business Continuity and Disaster Recovery plans.

Disaster recovery of the CSP infrastructure.

Review Business Continuity and Disaster Recovery plans annually.

Conduct Business Continuity and Disaster Recovery drills annually.

Compliance

Denodo Responsibilities | Customer Responsibilities | CSP Responsibilities

Maintain Agora’s compliance with the following security certifications:

○ SOC 2 Type II

○ SOC 3 Type II

Conduct independent third-party audits.

Comply with the laws and regulations applicable to Denodo.

Adhere to privacy regulations.

Comply with the laws and regulations applicable to the Customer.

Configure and use Agora according to those regulations.

Adhere to privacy regulations.

Maintain independent third-party audits, standards, and certifications of compliance:

Adhere to privacy regulations.
