AgileData.io Docs
Table Of Contents
AgileData.io Docs
Table Of Contents

2026-07-07 - SOC2 Compliance: Keyfile Removal and Migration to ADC

Release

AgileData.io - Hardened by Design: Service Account Keyfiles Removed Across the Platform

As part of AgileData’s SOC2 compliance programme, all service account keyfiles have been removed from the platform and replaced with Application Default Credentials (ADC). Keyfiles — static JSON credential files — represent a known security risk because they can be accidentally exposed, don’t rotate automatically, and are flagged by Google’s Security Command Center (SCC) as a high-risk finding.

ADC is Google’s recommended approach for authenticating services running within Google Cloud. With ADC, credentials are obtained from the environment at runtime via Google’s metadata service, removing the need to manage, store, or rotate static keyfile secrets. This approach is more secure, simpler to manage, and aligns with cloud security best practice.

The migration covered both the API layer and the functions layer. App Engine services now run using the tenancy-specific service account rather than the default App Engine service account, giving each tenant proper identity isolation.

What’s New:

  • All service account keyfiles removed from the API and functions layers

  • Authentication migrated to Application Default Credentials (ADC) across both layers

  • App Engine now runs as the tenancy service account for proper per-tenant identity isolation

  • SOC2 and SCC keyfile findings resolved

What this means for you:

  • The platform is more secure — no static credentials that can be leaked or stolen

  • Credential rotation is handled automatically by Google, removing operational overhead

  • A key milestone in AgileData’s SOC2 compliance journey completed

Last Refreshed

Doc Refreshed: 2026-07-07