Is AGPL a Scam? How Small Companies Can Maximize Benefits While Remaining Compliant

Desktop Screen Open Source

Navigating AGPL:

Strategies for Small Business Success

Navigating AGPL:

Strategies for Small Business Success

Is AGPL a Scam? How Small Companies Can Maximize Benefits While Remaining Compliant

May 3rd, 2024

Why Large Companies Avoid AGPL

The Affero General Public License (AGPL) is notorious for its strict terms, which can be a deterrent for large companies. For instance, Google has explicitly banned the use of AGPL software on its corporate servers due to concerns about the license’s requirement for source code disclosure whenever the software interacts with a network. This policy stems from the risk of inadvertently exposing proprietary software due to the AGPL’s broad scope of application.

Understanding the Differences Between GPL and AGPL

The General Public License (GPL) and the Affero General Public License (AGPL) are both free software licenses, but they address different concerns particularly around network use. The main difference lies in the AGPL’s response to the “network use loophole” present in the GPL. Under the GPL, modifications need to be shared if distributed, but mere use over a network does not count as distribution. The AGPL extends these requirements to network interactions: if you modify AGPL software and run it on a server for others to interact with, the source must be made available to all users.

The Grey Area and Covered Work: The AGPL’s definition of covered work includes not only the program itself but any modifications and additional elements used to interact with it over a network, such as APIs. This is crucial for cloud applications, where even if you do not modify the original source code directly, integrating it into a larger system or application still subjects the entire system—or the “separate project”—to the AGPL. This means that creating new functionalities that interact with the original AGPL-covered software, even if in a separate project, can be considered as creating a derivative work, thereby requiring the distribution of the entire project under the AGPL. This broad scope of “covered work” under the AGPL aims to ensure transparency and freedom of use over networks, but it also poses significant implications for how companies structure and manage their software development.

Strategies to Avoid License Contamination

For companies wishing to use AGPL software without risking their proprietary code, certain strategies can be implemented:

  • Separate Projects: Keep AGPL software and proprietary software in separate projects.
  • APIs and Command Lines: Interface with AGPL software through APIs or command-line scripts, which can help maintain a boundary between different software components.
  • Documentation and Disclaimers: Ensure that all API usage and the separation of the software are well-documented. Include legal disclaimers and user notifications about the use of AGPL software and what it entails.

Understanding Your Obligations

When using AGPL software, you must:

  • Provide source code to users interacting with the software remotely through a network.
  • Include a copy of the AGPL license and make it clear that the software is licensed under the AGPL.

You are not obligated to:

  • Disclose your proprietary source code that is separate and not integrated with the AGPL-covered software in a manner that constitutes a derivative work.
  • Provide support to network users of your project if your business model does not include offering professional services.
  • Provide the version history of your project; however, you must supply the latest version currently in use.

Conclusion

The AGPL is not a scam but a legal tool that enforces the free use and distribution of software. It is stringent, designed to ensure that freedom and transparency extend to the user of software over a network. For small companies, navigating the complexities of AGPL can be beneficial with the right legal understanding and use strategies, allowing them to use open-source software while protecting their proprietary developments.

Our Compliance Journey

Our Compliance Journey

Unveiling Our Compliance Journey: Why, How, and Who!

October 10th, 2023

Hey there, awesome readers! After sharing Signority’s SOC compliance triumph, my inbox has been lighting up. Many of you have expressed a keen interest in our experience, specifically the ins and outs of selecting service providers and navigating the audit process. So today, I’m going to unveil the behind-the-scenes of our compliance voyage. Whether you’re a compliance guru or just embarking on this journey, I hope our tale illuminates your path. Let’s dive into the details!

The Old Days of Compliance

Let’s take a quick trip down memory lane. There was a time when achieving compliance felt like climbing Mount Everest. A hefty price tag, years of effort, setting up an entire compliance team, endlessly training them, tweaking product development plans – phew! This is a rich man’s large enterprise world, and dare for SMBs to think about it. Thanks for innovations in the compliance industry disrupted the Big 4. 

Rewind to a time when achieving compliance was like scaling Mount Everest: costly, complex, and primarily a game for the corporate giants. The domain, once tightly held by the Big 4 – Deloitte, EY, PwC, and KPMG, has been reshaped. Thanks to innovative disruptions, what was once a luxury has become accessible. Today, even SMBs can navigate the compliance journey without breaking the bank. As an entrepreneur, it’s heartening to see intricate processes simplified for all. Now, our toolbox for compliance comprises essential elements: a platform, auditors, and Penetration Testing.

Navigating the Compliance Maze

Navigating the intricate waters of compliance can be daunting. But, with a bit of guidance and the right tools, it becomes a manageable voyage.

First, let’s clear the air on two terms that often cross paths: ‘compliance audit’ and ‘attestation’. In simple terms, think of a compliance audit as checking whether you’re following universally accepted standards like SOC, ISO, etc. On the other hand, attestation is getting a nod from a third party that you’re in line with specific legal acts and regulations. Just to drive the point home: while standards are crucial, adhering to regulations isn’t optional. In the Canadian landscape, for instance, laws like PIPEDA and PHIPA aren’t just guidelines—they’re mandates. Not every auditor will cover both these areas, which is why our partnership with Prescient, who excels in Canadian regulations, was pivotal.

Now, let’s talk SOC 2. It houses five principles. The big question is, do you need to embrace all of them right from the outset? At Signority, we had been embedding SOC 2 and ISO compliance practices into our DNA for a couple of years before we initiated the official audit. This proactive approach significantly streamlined our journey.

Also, it’s crucial to recognize overlaps between standards. For instance, the resemblance between SOC 2 and CSA Cloud Security or ISO 270017 and ISO 270018 isn’t purely coincidental. Determining which one to focus on first can require a bit of introspection. Consider your budgetary constraints, your customer needs, and the industry you’re in. Mapping out a strategy based on these factors can set you on the right track.

The Essentials of Vendor Selection

Navigating compliance isn’t a one-time affair; it’s a continuous journey with checkpoints at least every 12 months. Given the intricate setup and the time it demands, it’s crucial to adopt a long-term perspective.

In this voyage, three key tools will guide you: a compliance platform, an auditor, and a penetration test service. Before committing to a compliance platform, it’s a wise move to request a product demo. This helps gauge the user-friendliness and the array of features on offer, ensuring you’re making an informed decision. Although these tools often come from different vendors, their coordinated effort is the key to seamless integration. Opting for vendors known for their harmonious collaboration is essential. For instance, we trusted Secureframe‘s recommendation and chose Prescient Assurance as our auditor – a decision we don’t regret. The added benefit? Prescient’s Pen Test services, further smoothing out our journey’s path.

Grasping the methodology and key milestones of your service provider is essential for a triumphant audit journey. Jumping headfirst without ample preparation can land you amidst myriad vulnerabilities and challenges. Most providers initiate with a pre-scan or preliminary audit, offering you a window to address their suggestions before the final review. To ensure a successful outcome, it’s wise to conduct internal audits first and then invite your service providers for a pre-scan. During the vendor selection phase, insist on a roadmap of deliverables. Especially if you’re new to this terrain, seasoned service providers should be eager to provide insights and advice for effective project management.

Also, it’s a good practice to inquire about the team that will be assigned to your project and understand their qualifications. Communication is crucial. For instance, Secureframe and Prescient facilitated our communication via dedicated Slack channels, enhancing our engagement beyond just emails and calls. This immediacy was invaluable, especially when unforeseen challenges arose. Case in point: We’d planned our 2023 audit with Prescient for August. Yet, when an RFP required us to submit our report in June, Prescient, despite their pre-existing commitments, went the extra mile to accommodate our needs.

The expansiveness of policy libraries is crucial. Having a platform stocked with a plethora of best-practice policies is a game-changer. It saves immense time and effort, eliminating the need to start from square one.

The ability to integrate with your existing infrastructure for compliance auditing is critical. It not only saves time but also allows for instantaneous snapshots, bolstering the credibility of the audit.

On a related note, Secureframe recently rolled out an AI-powered feature designed to assist customers in responding to RFP security queries. Given that security responses can make up to 40% of an RFP, this feature is a significant boon for companies actively participating in RFP bids. 

Before sealing the deal, always seek out 2-3 references. We gleaned surprising insights from our reference checks. It’s heartening to see how eager people are to share their experiences and lessons, helping you sidestep potential pitfalls.

I attached our vendor selection and reference check questionnaires at the end of this blog.

Penetration test

The penetration test, commonly known as “Pen test,” has a notable influence on the product. 

In preparation, Prescient supplied us with their testing methodologies and toolsets. Their input was invaluable; While we had initially set sights on a Level 1 test, after reviewing one of our enterprise security requirements, they recommended advancing to a Level 2 test. Impressively, they also offered us the flexibility to adjust our initial quote.

Staying Updated

The world of compliance isn’t static. With new regulations popping up, like Quebec’s Bill 64 privacy act, staying updated is crucial. Ensure your vendors are clued into these changes, and have a plan to support your evolving needs.

Our Wishlist for the Future

Before we wrap up, we wanted to share a couple of ideas that might further streamline the compliance journey. By no means are these criticisms; they’re simply our musings on what could make the process even smoother in the future:

  • AI-Driven Policy Integration: Imagine a world where there’s an AI tool that seamlessly integrates a platform’s policy libraries with individual company policies. This would effortlessly yield a tailor-made, optimized policy, harnessing the best of both worlds.

  • Diverse Payment Options: As compliance becomes increasingly accessible to companies of all sizes, it might be beneficial for vendors to explore diverse payment currencies. For Canadian enterprises like ours, having an option to pay in CAD could be a small yet impactful convenience.

In conclusion, we are genuinely grateful for our partnership with Prescient Assurance and Secureframe. This blog aims to share our journey, hoping to be a beacon for other businesses and express our sincere appreciation to our partners who’ve stood by us every step of the way. We’re excited about the future and can’t wait to see how the world of compliance evolves!

Staying Updated

The world of compliance isn’t static. With new regulations popping up, like Quebec’s Bill 64 privacy act, staying updated is crucial. Ensure your vendors are clued into these changes, and have a plan to support your evolving needs.

Securing Your Trust: Signority’s Compliance Journey

Securing Your Trust: Signority’s Compliance Journey

October 5th, 2023

Signority’s security & compliance principles guide how we deliver our products and services, enabling people to simply and securely access the digital world.

Secure Personnel

Child & Family Services encompass an array of responsibilities, from safeguarding children against harm to providing necessary support to families in crisis. Each interaction, whether it’s an initial intake, assessment, or even volunteer onboarding, requires multiple layers of documentation. Historically, this has meant paper forms, manual logging, and significant administrative overhead.

The Practical Benefits of Signority’s Digital Approach

Signority takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to their resources.

  • All Signority contractors and employees undergo background checks prior to being engaged or employed by us in accordance with local laws and industry best practices.
  • Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
  • We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.
 

Secure Development

  • All development projects at Signority, including on-premises software products, support services, and our own Digital Identity Cloud offerings follow secure development lifecycle principles.
  • All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into proposed development.
  • All team members that are regularly involved in any system development undergo annual secure development training in coding or scripting languages that they work with as well as any other relevant training.
  • Software development is conducted in line with OWASP Top 10 recommendations for web application security.
 

Secure Testing

Signority deploys third party penetration testing and vulnerability scanning of all production and Internet facing systems on a regular basis.

  • All new systems and services are scanned prior to being deployed to production.
  • We perform penetration testing both by internal security engineers and external penetration testing companies on new systems and products or major changes to existing systems, services, and products to ensure a comprehensive and real-world view of our products & environment from multiple perspectives.
  • We perform static and dynamic software application security testing of all code, including open source libraries, as part of our software development process.

Cloud Security

Signority Cloud provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture.

Signority Cloud leverages the native physical and network security features of the cloud service, and relies on the providers to maintain the infrastructure, services, and physical access policies and procedures.

  • All customer cloud environments and data are isolated using Signority’s patented isolation approach. Each customer environment is stored within a dedicated trust zone to prevent any accidental or malicious co-mingling.
  • All data is also encrypted at rest and in transmission to prevent any unauthorized access and prevent data breaches. Our entire platform is also continuously monitored by dedicated, highly trained Signority experts.
  • We separate each customer’s data and our own, utilizing unique encryption keys to ensure data is protected and isolated.
  • Client’s data protection complies with SOC 2 standards to encrypt data in transit and at rest, ensuring customer and company data and sensitive information is protected at all times.
  • We implement role-based access controls and the principles of least privileged access, and review revoke access as needed.

Compliance

Signority is committed to providing secure products and services to safely and easily manage billions of digital identities across the globe. Our external certifications provide independent assurance of Signority’s dedication to protecting our customers by regularly assessing and validating the protections and effective security practices Signority has in place.

Signority Acquires SOC 2, CSA Level 2, and HIPAA Compliance

Signority Acquires SOC 2, CSA Level 2, and HIPAA Compliance

October 3rd, 2023

Ontario, Canada, September 27, 2023 – Today, Signority celebrates achieving the SOC 2 Type II compliance, in line with the standards set by the American Institute of Certified Public Accountants (AICPA), commonly referred to as SSAE 18. With an unqualified opinion supporting this achievement, Signority underscores its dedication to enterprise-level security, ensuring the safety of customer data within its system.

Furthermore, Signority has earned the CSA Star compliance, adhering to the Cloud Security Alliance’s Security, Trust, Assurance, and Risk Registry benchmarks.

With a global footprint, Signority provides a cloud-secured digital signature solution. Our platform’s security and compliance credentials were meticulously audited by the reputed Prescient Assurance, known for their expertise in B2B and SaaS sector assessments. We extend our gratitude to Secureframe for their pivotal support in this journey.

Our SOC 2 Type II and CSA Star audit certifications offer a solid reassurance to our existing and future clientele about Signority’s steadfast commitment to maintaining superior standards in security and compliance.

If you ‘d like to acquire Signority’s attestation letter, please reach out to compliance@signority.com.

About Signority

Catering to a worldwide user base, Signority champions in providing leading-edge digital signature workflow solutions. We pride ourselves on ensuring legal compliance, efficiency, cost savings, and enhancing overall productivity for our clients.

Media Relations

Jane He
1.833.222.1088
mediarequests@signority.com

Digitizing Canadian Child & Family Services: Signority’s Impact

Canadian Child & Family Services:

A Digital Transformation

Canadian Child & Family Services:

A Digital Transformation

Digitizing Canadian Child & Family Services: Signority’s Impact

September 26th, 2023

Children represent the future, and families are the cornerstone of our society. In the heart of community resilience and strength lies Child & Family Services organizations. They play an indispensable role in ensuring the safety, health, and overall well-being of our most vulnerable members – our children. Yet, like many sectors with deeply embedded traditional processes, Child & Family Services have often been bound by paper-heavy methods, which can delay vital interventions and take crucial time away from direct service.

Signority: Transforming Child & Family Services with Digital Solutions

Child & Family Services encompass an array of responsibilities, from safeguarding children against harm to providing necessary support to families in crisis. Each interaction, whether it’s an initial intake, assessment, or even volunteer onboarding, requires multiple layers of documentation. Historically, this has meant paper forms, manual logging, and significant administrative overhead.

The Practical Benefits of Signority’s Digital Approach

Streamlined Consent Processes: Child & Family Services often require consent forms for various activities, including medical treatment, counseling, urgent response service plan (URS), and educational support. Signority’s digital signature solution simplifies the process of obtaining and managing these consents. Social workers can send consent forms electronically, and clients or guardians can sign them from anywhere, reducing delays and ensuring that necessary permissions are in place promptly.

Efficient Document Signing: Whether it’s agreements, service contracts, or parental consent forms, Signority enables Child & Family Services to send, receive, and sign documents quickly and securely. This efficiency is vital in situations where time-sensitive decisions must be made to protect the well-being of children and families.

Data Security: Signority hosts Canadian customer data exclusively within Canada. Our platform employs advanced encryption and security measures to safeguard sensitive information. Given that Child & Family Services handle confidential data daily, Signority’s robust security features, including masked tags for data security, guarantee that personal identifiable information (PII) remains confidential and fully compliant with data protection regulations.

Environmental & Cost Savings: By shifting away from paper-based processes, agencies can reduce their reliance on physical documents, saving money on printing, storage, and transportation. Additionally, this eco-friendly approach aligns with the broader societal trend towards sustainability.

Access from Anywhere: Signority’s cloud-based platform allows social workers and professionals to access necessary documents from anywhere with an internet connection. This accessibility ensures seamless service delivery, even when working remotely or in the field.

Efficient Onboarding: For Child & Family Services that rely on volunteers or need to conduct background checks, Signority’s digital signature solution streamlines the onboarding process. Volunteer applications and criminal record checks can be seamlessly integrated, ensuring that the agency has the right people on board quickly and safely.

Audit Trails for Accountability: Signority provides audit trails for every signed document, enhancing accountability and transparency within the organization. This feature is particularly valuable in cases where document validity and compliance are essential.

Faster Response Times: Digital signatures expedite the signing process. Social workers can get the necessary approvals in place swiftly, reducing response times and ensuring that children and families receive the support they need without unnecessary delays.

These benefits underscore how Signority’s digital signature solution is uniquely positioned to meet the needs of Child & Family Services by simplifying administrative tasks, ensuring data security, and enhancing efficiency in a sector where time and accuracy are critical for protecting vulnerable children and families.

Ultimately, the mission is clear. It’s not just about digitization for the sake of modernity. It’s about providing Child & Family Services with the platform they need to do their job more efficiently, so more time and resources can be allocated where they matter most: directly with children and their families.

By leveraging the power of Signority, Child & Family Services organizations can ensure that every child’s story is not just heard but also acted upon with the efficiency, care, and urgency it deserves.

Signority is proud to be a part of this transformative journey, offering solutions that make a tangible difference in the lives of many.

How Signority Secures Your Data

How Signority Secures Your Data

How Signority Secures Your Data

My last blog, Three Stages of Data; In Transit, At Rest, & In Use described each of the three data stages and touched on how each stage requires a different approach to security and privacy. Today we are going to talk about:

  1. when your data enters each of the three stages during the workflow, and
  2. how Signority secures your data. 
Three Stages of Data
Three Stages of Data

If you’ve used Signority you know that every document has a workflow.  The workflow begins at the creation of the document and ends when it’s been stored after it has been signed by all participants.

During the it’s workflow your document and any data related to it, enters all three stages of data at various times. Here is each of the data stages and when your document enters that stage during the workflow.

In Transit: Your information related to your document is in transit (or in motion) when:

  1. someone registers for a new account
  2. you send the email notifications to the signers that there is a document ready for signing, and,
  3. when the document has completed the workflow, meaning it has been signed by everyone, and a copy of the document is sent to each of the document participants (senders and recipients).

At Rest: All information related to the document and the document itself is at rest:

  1. when it is waiting for the next person in the workflow to sign the document
  2. it is stored on our servers once the workflow has been completed.

In Use: Your document and any related data, i.e.: the audit trail, are ‘in use’:

  1. when a recipient or user are editing the document by adding the required information and/or signatures
  2. the Signority platform is updating the audit trail with any actions, i.e.: signed, id verification, etc.

Signority starts our security process with our employees. All employees and sub-contractors must be security cleared with the federal government security clearance program. And they must complete a minimum amount of security and compliance training each year.

For In Transit and In Use data Signority eSignature Platform services using strongly encrypted extended validation (EV) Transport Layer Security (TLS) certificates to encrypt the data in transit between users and the Signority eSignature Platform. We only allow the highest security TLS 1.2 and 1.3 protocols, and do not allow weaker TLS or SSL.  The article linked above explains in detail what EV and TLS certificates are, what they do, and why we use them. 

If you would like to know our rating, here is the most current certificate for Signority at the time of this blog post.

We also do not allow the use of older browser versions. Older versions are not updated with the latest security features and updates to ensure a secure browsing connection.

Data at rest data at rest is encrypted by using state-of-the-art AWS encryption technology and we salt usernames & passwords. 

What is a ‘salted’ username and password?  A salted username and password is a process where they are converted through a ‘hashing algorithm’ into an unintelligible series of numbers and letters. You can read a more detailed breakdown here at Okta.com.

Plus, we offer masked tags for end users to encrypt their sensitive information on documents.

If you are not a technical person, think of it this way:

  1. Your information is locked in a box that requires a key.
  2. That key is locked in another box that requires another key to open it.
  3. And that box, with your box, is in a box that is password protected. 

So your data is guarded with multiple layers of protection ensuring your data is secure and private.

If you would like to know more about how Signority protects customers data and privacy I encourage you to go to our Trust Centre. In Signority’s Trust Centre you can review our approach to Security, Privacy, Compliance, and Legislation (Legal).

Have questions? 

Contact us by:

  • calling at 833-222-1088,
  • using the chat icon on the bottom right of your screen,
  • or through our contact form.

Look for my next blog, ‘What is Data Residency? And Does it Matter?