What data and security certifications do agentOS and Calmony have?
Is agentOS ISO, IEC, SSAE, SOC 2 or ISAE certified or accredited?
AgentOS Security & Compliance Overview
AgentOS does not currently hold ISO/IEC 27001, SSAE 16/18, SOC 2, or ISAE 3402 certifications. However, as part of Constellation Software Incorporated, we follow security standards and best practices equivalent to these frameworks.
Our infrastructure implements controls aligned with ISO 27001 and SOC 2 requirements, including annual third-party penetration testing, continuous security monitoring, enforced MFA, endpoint protection, data encryption, and formal GRC governance. We maintain FCA registration (850923) and PCI DSS compliance.
We operate enterprise-grade security tools including CrowdStrike EDR, AWS Security Hub, SecurityScorecard monitoring, and Breachlock annual penetration testing. Detailed documentation of our security controls and policies is available upon request. These controls include:
Penetration Testing
- Breachlock Annual Penetration Test – Independent third-party security assessment conducted yearly to identify vulnerabilities before they can be exploited.
- Invicti Continuous Scanning – Automated dynamic application security testing (DAST) of our marketing and product sites, run on an ongoing basis to catch new vulnerabilities as they emerge.
Continuous Security Monitoring
- SecurityScorecard – Real-time external security posture monitoring, providing visibility into our overall security rating and potential risks. https://platform.securityscorecard.io/#/scorecard/agentos.com/company-overview
- Security Headers Compliance – Continuous validation of HTTP security response headers (such as Content-Security-Policy, Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options) to protect against common web vulnerabilities such as XSS and clickjacking.
- AWS GuardDuty – Intelligent threat detection that continuously monitors for malicious activity and unauthorised behaviour across our AWS infrastructure.
- AWS Security Hub (CSPM) – Centralised compliance monitoring against industry standards including NIST 800-53, PCI DSS v3.2.1, and AWS Foundational Security Best Practices.
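As an added illustration of the header validation described above (example code written for this page, not agentOS's tooling): a small baseline check that grades a response's security headers as ok, weak or missing. The two header sets are constructed, and the function and control names are assumptions of the example; in practice the same function can be pointed at the headers of a live response.

```python
"""Baseline check of HTTP security response headers.

Added example, not agentOS code. It evaluates a response's headers against
the controls the page names (XSS and clickjacking defences) plus HSTS and
MIME sniffing. The two header sets below are constructed for illustration;
in practice pass the header mapping of a live response (e.g. from requests).
"""
from __future__ import annotations

ONE_YEAR = 31_536_000  # seconds; commonly cited minimum HSTS max-age


def _get(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_directives(csp: str) -> dict[str, list[str]]:
    """Parse "default-src 'self'; script-src 'self' cdn.example" into a dict."""
    out: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_security_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return a finding per control: 'ok', 'missing' or 'weak'."""
    findings: dict[str, str] = {}

    # HSTS: present with at least a one-year max-age, otherwise HTTPS downgrade stays easy.
    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings["hsts"] = "missing"
    else:
        max_age = 0
        for directive in hsts.split(";"):
            key, _, value = directive.strip().partition("=")
            if key.lower() == "max-age" and value.strip().isdigit():
                max_age = int(value.strip())
        findings["hsts"] = "ok" if max_age >= ONE_YEAR else "weak"

    # CSP: the main XSS mitigation; 'unsafe-inline' or '*' in the script source list defeats it.
    csp = _get(headers, "Content-Security-Policy")
    directives = _csp_directives(csp) if csp else {}
    if csp is None:
        findings["csp"] = "missing"
    else:
        script = directives.get("script-src", directives.get("default-src"))
        if script is None or "'unsafe-inline'" in script or "*" in script:
            findings["csp"] = "weak"
        else:
            findings["csp"] = "ok"

    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors directive.
    xfo = (_get(headers, "X-Frame-Options") or "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in directives:
        findings["framing"] = "ok"
    elif xfo:
        findings["framing"] = "weak"  # e.g. ALLOW-FROM, which current browsers ignore
    else:
        findings["framing"] = "missing"

    # MIME sniffing: only the literal value 'nosniff' is meaningful.
    xcto = _get(headers, "X-Content-Type-Options")
    if xcto is None:
        findings["nosniff"] = "missing"
    else:
        findings["nosniff"] = "ok" if xcto.strip().lower() == "nosniff" else "weak"

    # Referrer leakage: unsafe-url sends the full URL cross-origin, query string included.
    referrer = _get(headers, "Referrer-Policy")
    if referrer is None:
        findings["referrer"] = "missing"
    else:
        findings["referrer"] = "weak" if referrer.strip().lower() == "unsafe-url" else "ok"

    return findings


def passes_baseline(headers: dict[str, str]) -> bool:
    """True only when every control is graded 'ok'."""
    return all(v == "ok" for v in check_security_headers(headers).values())


# Constructed sample responses (not captured from any real site).
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "x-frame-options": "ALLOW-FROM https://example.com",
    "x-content-type-options": "nosniff",
}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, check_security_headers(hdrs), "pass" if passes_baseline(hdrs) else "FAIL")
```

The check deliberately grades a present-but-weak header differently from a missing one: a short HSTS max-age or a CSP that permits inline scripts gives a false sense of coverage, and that is what continuous validation is meant to catch rather than mere presence of the header.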
Access Control
- Enforced Multi-Factor Authentication – MFA required across all user machines and applications, ensuring that a compromised password alone cannot grant access.
- Access Control (Privileged Access Management), Password Management, Data Security, Information Security & Data Retention Policy – This policy establishes guidelines for managing and controlling access to IT systems across agentOS, agentPay, and Calmony to prevent unauthorised use while maintaining data security.
- Account Management (User and Password Security) Policy – Ensures secure account management practices while maintaining operational efficiency, protecting sensitive data and meeting FCA regulatory requirements.
- High Level Security Baseline Policy – Baseline requirements that ensure consistent security standards across our infrastructure while maintaining operational efficiency and regulatory compliance.
- Physical Security Policy - This policy outlines the measures and procedures implemented at our office location at 13 Lambourne Crescent, Cardiff Business Park, Cardiff CF24 5EG.
Endpoint Protection (All Servers & User Machines)
- Rapid7 – Vulnerability management and detection across all endpoints, ensuring that missing patches and misconfigurations are identified and remediated.
- CrowdStrike – Enterprise-grade endpoint detection and response (EDR), providing real-time protection against malware, ransomware, and advanced threats.
- Cisco Umbrella – DNS-layer security on all staff machines, blocking malicious domains and preventing connections to harmful sites before they occur.
- Enforced Device Policies – All machines require full disk encryption, automatic security updates, and active antivirus protection as mandatory compliance requirements.
Data Protection
- AWS RDS Managed Databases – All databases are encrypted at rest and in transit, with continuous automated backups and cross-region replication for disaster recovery.
- Data Loss Prevention (DLP) Policy - This policy establishes the framework for preventing unauthorised data access, loss, or leakage across agentOS, agentPay, and Calmony's digital infrastructure. Given our role in handling sensitive financial and personal data, robust DLP measures are essential for maintaining security and trust.
- Enhanced Administration and Data Access Policy under the Four Eyes Principle for our Corporate Clients and their Banking Clients – The purpose of this policy is to ensure the integrity, confidentiality, and security of corporate clients' and their banking clients' data, especially when accessed by agentOS under special circumstances such as debugging. This is achieved through the Four Eyes Principle: all access to sensitive data is reviewed, approved, and monitored by two authorised individuals.
- Data Backup Policy - Establishes the framework for data backup and recovery procedures across agentOS, agentPay, and Calmony's digital infrastructure. It ensures the protection and preservation of critical business information and maintains operational continuity.
- Cryptography Policy (including Encryption and Key Management) – Establishes the framework for implementing and managing cryptographic controls across agentOS's digital infrastructure, ensuring the highest standards of data security and compliance.
- Artificial Intelligence (AI) and Large Language Models (LLM) Policy – This policy governs the use of Artificial Intelligence (AI) and Large Language Models (LLMs) within agentOS, agentPay, and Calmony group companies. It establishes clear responsibilities and security requirements for the use of AI while maintaining compliance with relevant regulations and protecting sensitive data.
Staff Security Awareness
- KnowBe4 Training – Ongoing security awareness training for all staff, covering phishing, social engineering, and security best practices.
- Simulated Phishing Tests – Regular phishing simulations to test staff vigilance and reinforce training, helping identify areas for improvement.
Governance, Risk & Compliance
- Eramba – GRC platform for managing security policies, risk assessments, and compliance obligations in a structured, auditable manner.
FCA
- Of agentOS, agentPay, and Calmony, Calmony is the FCA registered (850923) Electronic Money Directive (EMD) and Payment Services Directive (PSD) agent.
PCI compliance
- Calmony is committed to protecting our consumers and their customers’ credit and debit card data in compliance with the Payment Card Industry Data Security Standard (PCI DSS).
- We conduct regular vulnerability scans and penetration tests in accordance with the PCI DSS requirements for our business model.