2026-07-07 - SOC2 Compliance: Keyfile Removal and Migration to ADC¶
Release¶
AgileData.io - Hardened by Design: Service Account Keyfiles Removed Across the Platform
As part of AgileData’s SOC2 compliance programme, all service account keyfiles have been removed from the platform and replaced with Application Default Credentials (ADC). Keyfiles — static JSON credential files — represent a known security risk because they can be accidentally exposed, don’t rotate automatically, and are flagged by Google’s Security Command Center (SCC) as a high-risk finding.
ADC is Google’s recommended approach for authenticating services running within Google Cloud. With ADC, credentials are obtained from the environment at runtime via Google’s metadata service, removing the need to manage, store, or rotate static keyfile secrets. This approach is more secure, simpler to manage, and aligns with cloud security best practice.
The migration covered both the API layer and the functions layer. App Engine services now run using the tenancy-specific service account rather than the default App Engine service account, giving each tenant proper identity isolation.
What’s New:
All service account keyfiles removed from the API and functions layers
Authentication migrated to Application Default Credentials (ADC) across both layers
App Engine now runs as the tenancy service account for proper per-tenant identity isolation
SOC2 and SCC keyfile findings resolved
What this means for you:
The platform is more secure — no static credentials that can be leaked or stolen
Credential rotation is handled automatically by Google, removing operational overhead
A key milestone in AgileData’s SOC2 compliance journey completed
Last Refreshed¶
Doc Refreshed: 2026-07-07