Trust and Security at Agora Care

At Agora Care, protecting the data entrusted to us is a core responsibility. This Trust Center outlines the measures we take to ensure the confidentiality, integrity, and availability of your information. Our approach is guided by industry standards, legal obligations, and a strong internal culture of security and privacy.

Information Security Management

Policies and Governance

We operate under a formal Information Security Management System (ISMS) aligned with ISO/IEC 27001. Our policies cover all aspects of information security, from access control to incident response. These policies are reviewed and updated at least annually to ensure continued relevance and effectiveness.

Roles and Responsibilities

Security is a shared responsibility across our organization. Specific roles and responsibilities for information security are clearly defined, regularly reviewed, and integrated into internal documentation and systems used across our teams.

External Oversight and Industry Participation

We work with trusted external consultants to audit and enhance our security practices. We also engage with relevant industry groups to stay informed of emerging risks, best practices, and regulatory changes, including organizations such as Clusis, The Trust Valley, and the Swiss Association of DPOs.

Privacy by Design and by Default

We apply data protection principles from the start of every project. When new data processing activities are planned or when existing processes change, they are reviewed and presented to the Security Committee for evaluation.

Changes are tracked through our internal systems to ensure accountability.

Secure Remote Work

We support remote work while maintaining a high level of security. Employees follow a formal teleworking policy that outlines minimum standards for device use, secure connections, physical workspace setup, and data confidentiality when working from outside our offices.

Device and Endpoint Security

All work is performed on devices that are registered and managed by Agora Care. These endpoints are secured with appropriate technical controls, including full-disk encryption, access restrictions, and regular security updates. We continuously monitor for vulnerabilities and respond proactively.

Personnel Security

Employees are a key part of our security strategy. All new staff receive training on information security and data protection during onboarding, and periodic refresher training is provided throughout employment. Every team member is bound by a confidentiality agreement that continues to apply even after they leave the organization.

Information Classification and Access Management

We categorize data based on sensitivity and business context. Access to data is controlled using role-based access controls, enforced by our access management systems.

We follow strict procedures for granting, reviewing, and revoking access. Passwords and authentication practices comply with current best practices and are updated as threat landscapes evolve.

Encryption and Data Protection

We encrypt all data in transit using industry-standard protocols such as TLS. For sensitive workflows, we apply additional layers of encryption and access control. Data handling practices are regularly reviewed to ensure they align with legal and contractual requirements.

Physical and Environmental Security

Our physical offices and infrastructure are protected by a range of access controls and monitoring systems, including badge-based entry and alarm systems. Remote employees are required to maintain a secure and private working environment that meets minimum confidentiality standards.

Operational Security

Our operational security measures include:

  • A structured change management process to assess the security impact of technical changes
  • Regular software patching and vulnerability scanning
  • Use of managed infrastructure with dedicated security controls
  • Policies requiring the use of secure configurations across systems and services

We continuously assess technical threats and adapt our controls to match the evolving risk environment.

Secure Communication Channels

We use encrypted communication tools and secure platforms to exchange sensitive or confidential information. All employees are required to use approved communication channels and adhere to our internal guidelines for transmitting secrets and sensitive data.

Confidentiality agreements further reinforce our expectations around the use of secure communication practices.

System Development and Lifecycle Security

Security is built into the development and procurement process for any new system or platform. We conduct risk assessments for high-impact changes and review controls regularly throughout the lifecycle of our systems. Supplier-provided systems must meet our internal security requirements before deployment.

Vendor and Supplier Oversight

We expect our suppliers and vendors to meet the same high standards we set for ourselves. Our Supplier Relationship Management Policy includes clear information security criteria, which are reviewed annually. Due diligence is performed for all critical suppliers, and contracts include relevant data protection clauses.

Incident Management

We maintain a formal procedure for detecting, reporting, and managing information security incidents. All incidents are logged, analyzed, and handled with urgency and care to prevent recurrence and limit potential impact. We continuously refine our processes based on lessons learned.

Business Continuity and Resilience

We maintain a Business Continuity Plan (BCP) that outlines how we ensure continued service in the event of a disruption. The BCP includes procedures for maintaining the confidentiality and availability of data during incidents. The plan is tested regularly and updated based on test results and evolving operational needs.

Legal and Regulatory Compliance

We comply with the Swiss Federal Act on Data Protection (FADP), the European Union’s General Data Protection Regulation (GDPR), and other applicable laws. Regulatory obligations are reviewed and maintained in a dedicated legal register.

We are committed to maintaining compliance as a foundational element of our trust and security posture.