Data Security
emSigner’s security policies have been designed to offer the highest level of assurance to its users. Built on industry-leading infrastructure and designed with best-in-class security features, emSigner’s platforms are rigorously audited to protect customer data.
emSigner’s security program is built on the following core principles:
Deliver Trust
The emSigner team has over 10 years of experience operating as a trust service provider in global markets. This helps us deliver trust in both our consumer-facing and enterprise-facing applications.
Use cutting-edge technology to power security
emSigner's technology stack uses industry-leading cryptographic techniques, current endpoint protection, and a host of security measures at the application, network, and database levels to protect sensitive data. This is backed by round-the-clock monitoring and logging, and by continuous training and awareness programs.
Security
emSigner uses best practices and industry standards to achieve compliance with industry-accepted general security and privacy frameworks, which in turn helps our subscribers meet their own compliance standards. As part of our accreditation and compliance measures, emSigner is continuously evaluated against the following stringent security standards:
Security, Industry Compliance, and Memberships
SOC 2 Type II
eMudhra has obtained a SOC 2 Type II report. SOC 2 is defined by the AICPA, the world's largest member association representing the accounting profession; the report, issued by an independent auditor, attests that eMudhra meets the Trust Services Criteria for security, availability, processing integrity, confidentiality and privacy, and has proper internal controls and processes in place to protect client data. The report can be made available upon request and under NDA.
ISO 27001:2013
emSigner is certified to ISO/IEC 27001, the internationally recognised standard for managing risks to the security of the information we hold. ISO/IEC 27001:2013, the revision this certification references, specifies the requirements for an Information Security Management System (ISMS); it has since been superseded by ISO/IEC 27001:2022.
CMMI Level 5
emSigner is appraised at CMMI Maturity Level 5. CMMI (Capability Maturity Model Integration) was developed at Carnegie Mellon University's Software Engineering Institute and is now administered by the CMMI Institute, part of ISACA; it defines criteria for assessing the software development capability and maturity of product and service organisations.
Industry Specific Compliance
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law whose Privacy, Security and Breach Notification Rules govern the permitted use and disclosure of Protected Health Information (PHI). eMudhra maintains compliance with the HIPAA requirements applicable to the health information it processes, and handles patients' PHI with the care those rules demand, so that your organisation's obligations for that data are met.
SAFE Identity/DirectTrust Identity
eMudhra holds DirectTrust Identity Certification (formerly SAFE Identity Certification). SAFE Identity (now DirectTrust Identity) is a US-based industry consortium and certification body that operates a Trust Framework for digital identities in healthcare. The certification provides assurance to the global healthcare community that emSigner, eMudhra's paperless office solution, can process identity credentials by applying and verifying digital signatures on PDF documents.
Memberships
Asia PKI Consortium
Chairman, Asia PKI Consortium
APKIC brings together regulators and key players from 12+ countries in Asia. The consortium aims at understanding PKI-driven digitization and cross-border digitization.
Cloud Signature Consortium
Board Member
The Cloud Signature Consortium (CSC) develops open global standards for cloud-based (remote) digital signatures. eMudhra is a Board member of the body, which consists of 40+ members. Currently, CSC is chaired by Adobe.
CA/Browser Forum
Member
The CA/Browser Forum is a membership forum for WebTrust- or ETSI-audited certification authorities operating at global scale, together with browser and software vendors; it sets the baseline requirements for publicly trusted TLS server and code signing certificates.
FIDO Alliance
Member
The FIDO Alliance is strategically partnered with eMudhra to promote the use of FIDO-based authentication in India.
Digital India
Key Member
eMudhra is a key member of the Digital India Program and has enabled significant changes in promoting a presence-less, cashless, and paperless society in India.
Documents and Certifications
emSigner maintains a list of documents and certifications to support its security compliance, and these can be made available on request. These include ISO certificates, GDPR compliance certificates, and HIPAA compliance certificates.
Access to documents such as the SOC 2 Type II report, our penetration test report summary, and any other specific documents may be provided upon signing an NDA.
Cloud Security
emSigner follows a tiered security model: it relies on leading cloud hosting providers for hosting, infrastructure, and network security, while a dedicated team of security professionals performs continuous monitoring. As part of our privacy compliance efforts, comprehensive employee training and awareness is conducted on an ongoing basis, supplemented by Data Protection Impact Assessments (DPIAs) and by internal and external audits.
emSigner is hosted in AWS data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. To learn more about AWS facilities compliance, see the AWS compliance documentation.
On-site Security
AWS on-site security includes security guards, fencing, video surveillance, intrusion detection technology, and other physical security measures.
Data Hosting Location
emSigner runs in AWS regions in the United States, Europe, the Middle East, and Asia Pacific, and offers subscribers a choice of data location: APAC (India), United States, Europe, or Middle East.
Network Security
Dedicated Security Team
Our dedicated security team is available 24/7 to monitor and respond to any security events and alerts.
Protection
Our network is protected through regular audits and network intelligence technologies that monitor and/or block malicious traffic and network attacks.
Architecture
Our network security architecture consists of multiple security zones. Sensitive systems such as database servers sit in private subnets with controls that restrict traffic into and out of the subnet. Depending on the zone, additional security monitoring and access controls are deployed. DMZs separate the Internet from internal systems and, internally, separate the different zones of trust from one another.
Network Vulnerability Scanning
Network security scanning is carried out regularly for quick identification of out-of-compliance or potentially vulnerable systems.
Intrusion Detection & Prevention
We have deployed Amazon GuardDuty, which continuously analyses account and network activity in our AWS environment (such as CloudTrail events, VPC Flow Logs, and DNS logs) using threat intelligence and anomaly detection. Its findings give our security team visibility of suspicious activity and a single feed of detections to investigate and respond to.
DDoS Mitigation
We have deployed AWS Shield, a managed Distributed Denial of Service (DDoS) protection service, to safeguard emSigner. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency.
Logical Access
Access to the emSigner Production Network is restricted on an explicit need-to-know basis. Least-privilege access is continuously audited, monitored, and controlled by our Security Team. Employees accessing the emSigner Production Network are required to use multi-factor authentication.
Data Security and Privacy
Encryption of Data at Rest
Both PII and documents are encrypted before they are stored in the emSigner database, using the Advanced Encryption Standard (AES) with 256-bit keys.
Encryption of Data in Motion
All communication with the emSigner UI and APIs over public networks is encrypted with industry-standard HTTPS/TLS (TLS 1.2 or higher), so traffic between you and emSigner is protected in transit. This does not extend to in-product SMS delivery, which travels over carrier networks, or to any third-party app, integration, or service that subscribers choose to use at their own discretion. emSigner additionally lets users encrypt documents within the platform UI before sharing them with external parties.
Resiliency
Uptime
emSigner maintains a publicly available system service status webpage, which includes system availability details, scheduled maintenance, service incident history, and relevant security events.
High Availability
emSigner is hosted on AWS, with the application and database tiers hosted across two separate Availability Zones. The service targets 99.99% availability (roughly 52 minutes of downtime per year). Timely notifications are sent to clients and end users in case of planned or unplanned downtime.
Redundancy
emSigner employs service clustering and network redundancy to eliminate single points of failure. Service Data is replicated synchronously across Availability Zones, and backups are taken automatically by the system; together these support a high level of service availability.
Disaster Recovery
As part of our Disaster Recovery (DR) program, emSigner leverages rigorous business impact and risk analysis to identify applications/services that are critical to each of our products. The program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities. The Disaster Recovery document can be found here.
Security Incident Response
In case of a system alert, events are escalated to our internal teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths. The Incident response document can be found here.
Application Security
Vulnerability Management
Vulnerability Scanning
We employ third-party security tools to continuously and dynamically scan our core applications for common web application security risks, including but not limited to the OWASP Top 10. A dedicated in-house product security team tests the applications and works with the development teams to fix any issues found. We also engage third-party security teams to perform detailed vulnerability scanning annually. eMudhra's Vulnerability Management document can be found here.
Third-party Penetration Testing
emSigner is tested intensively by our internal product and testing team before every major release. We also employ third-party security teams to perform detailed penetration tests annually.
Employee Awareness & Training
Secure Code Training
All code that is written and released goes through an iterative development process with a focus on secure coding, with strong emphasis on OWASP guidelines.
Quality Assurance
Our Quality Assurance (QA) team reviews and tests our code base. A dedicated application security team identifies and tests for security vulnerabilities in the code so that they are fixed before release.
Environments
emSigner uses separate environments for development, quality assurance, staging, and production. Production and staging are isolated from each other and from the dedicated QA and development environments, so code reaches production only through a defined release process built on DevOps practices.
Product Security
Authentication Security
Authentication Modes
emSigner supports multiple modes of authentication: emSigner native authentication; single sign-on over SAML 2.0 or OpenID Connect; integration with external multi-factor authentication systems through REST APIs; and sign-in with Office 365 Cloud AD or Google accounts.
Password Policy
emSigner's native authentication allows only administrators to configure the password policy to be enforced, through the administrator settings. Administrators can choose the password complexity (length, letters, numbers, upper and lower case, etc.), password aging, and the permitted number of login attempts.
Two-factor Authentication (2FA)
emSigner's native authentication supports two-factor authentication for users through email/SMS-based OTPs or through a TOTP authenticator app (Google Authenticator, Microsoft Authenticator, or emSigner Authenticator).
Credential Security
We follow credential storage best practices by never storing passwords in a human-readable format. The storage of credentials is always the result of a secure, one-way hash.
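What "a secure, one-way hash" means in practice is a salted, deliberately slow key derivation with a constant-time comparison on verification. The following is an added illustration written for this page; it is not emSigner's implementation, and the chosen algorithm (PBKDF2-HMAC-SHA256 from the Python standard library), iteration count, salt size and record format are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example (not emSigner's): PBKDF2-HMAC-SHA256 with
# 600,000 iterations (the OWASP Password Storage Cheat Sheet figure for this
# construction), a 16-byte random salt and a 32-byte derived key.
ALGORITHM = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing, one-way record: $alg$iterations$salt$hash.

    A fresh random salt per credential means two users with the same password
    get different records, and precomputed (rainbow) tables are useless.
    The plaintext cannot be recovered from the record.
    """
    if iterations < 1:
        raise ValueError("iterations must be positive")
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"${ALGORITHM}${iterations}${_b64(salt)}${_b64(derived)}"


def _parse(record: str):
    """Split a stored record; return None rather than raising on malformed input."""
    parts = record.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != ALGORITHM:
        return None
    try:
        iterations = int(parts[2])
        salt = base64.b64decode(parts[3], validate=True)
        expected = base64.b64decode(parts[4], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if iterations < 1 or not salt or not expected:
        return None
    return iterations, salt, expected


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key and compare it in constant time.

    hmac.compare_digest does not short-circuit at the first differing byte,
    so response time does not leak how much of the hash matched.
    A malformed record is treated as a failed login, never as a crash.
    """
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record is below the current work factor (or unreadable),
    so it can be upgraded transparently on the user's next successful login."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    # Constructed sample credential, for demonstration only.
    record = hash_password("correct horse battery staple")
    print(record)  # nothing about the password is recoverable from this
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Correct horse battery staple", record))  # False
    legacy = hash_password("correct horse battery staple", iterations=100_000)
    print(needs_rehash(legacy))  # True: upgrade the record on next login
```

The iteration count is stored alongside the hash so that the work factor can be raised over time without a forced password reset: on a successful login, `needs_rehash` tells the application to re-derive and overwrite the record at the current cost.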
Additional Product Security
Role Based Access Controls (RBAC)
Access to workflows and documents within emSigner is governed by Role Based Access Controls (RBAC) and can be configured at a granular level. emSigner supports permission levels at the user and department level for initiators, signatories/reviewers, administrators, etc. Restrictions can also be imposed at the document level for both pre-defined and ad-hoc workflows, covering the document uploaded for signing, any attachments, and completion certificates.
Audit Logs
emSigner provides Audit Logs for accounts, covering account changes, user changes, actions performed, and so on. The Audit Log is available in Administrator settings and can be exported in Excel/PDF format for further analysis. For the information captured in the logs, see View Audit Logs.
Document Log
emSigner captures the actions performed by users on a document, including Sent, Viewed, and Signed/Reviewed events with their timestamps. It also records the operating system, browser, and IP address used by the participant when performing the action(s) assigned to them. View Document Log.
Attachment Visibility
emSigner allows attachment visibility to be configured from the administrator module. Administrators can define, per workflow, whether or not participants can view the attachment(s).
Human Resource Security
Security Awareness
Policies
eMudhra maintains a comprehensive Information Security Policy which is published to employees and contractors joining us.
Training
Every eMudhra employee and contractor attends mandatory security training at periodic intervals. All developers receive training on secure coding methodologies, while the security team receives additional training on industry best practices.
Employee and Contractor Vetting
Background Verification checks
eMudhra performs background checks on all new employees and contractors in accordance with local laws. The background check includes criminal, education, and employment verification.
Non-disclosure and Confidentiality Agreements
Every eMudhra employee and contractor is required to sign a Non-Disclosure Agreement and an Employment Agreement, including terms on IP confidentiality. They are also regularly reminded of the importance of security.