Data Security

emSigner’s security policies have been designed to offer the highest level of assurance to its users. Built on industry-leading infrastructure and designed with best-in-class security features, emSigner’s platforms are rigorously audited to protect customer data.

emSigner’s security program is built on the following core principles:

Deliver Trust

The emSigner team has over 10 years of experience operating as a trust service provider in global markets, which helps us deliver trust in both our consumer-facing and enterprise-facing applications.

Use cutting-edge technology to power Security

emSigner’s technology stack uses industry-leading cryptographic techniques, current endpoint protection, and a range of security measures at the application, network, and database levels to protect sensitive data. This is backed by round-the-clock monitoring and logging, and by continuous training and awareness programs.

Security

emSigner uses best practices and industry standards to achieve compliance with industry-accepted general security and privacy frameworks, which in turn helps our subscribers meet their own compliance standards. As part of our accreditation and compliance measures, emSigner is continuously evaluated against the following stringent security standards:

Security, Industry Compliance, and Memberships

SOC 2 Type II

eMudhra has completed a SOC 2 Type II examination. The report, issued by an independent auditor under the Trust Services Criteria of the AICPA (the American Institute of Certified Public Accountants, the world's largest member association representing the accounting profession), affirms that eMudhra's controls for security, availability, processing integrity, confidentiality and privacy were suitably designed and operated effectively over the review period, and that proper internal controls and processes are in place to protect client data. The report can be made available upon request and under NDA.

ISO 27001:2013

emSigner is certified against ISO/IEC 27001, an internationally recognised standard for managing risks to the security of the information we hold. ISO/IEC 27001:2013 (the 2013 edition; the standard was revised in 2022) specifies the requirements for an Information Security Management System (ISMS).

CMMI Level 5

emSigner is appraised at CMMI Maturity Level 5. CMMI (Capability Maturity Model Integration) was developed at Carnegie Mellon University's Software Engineering Institute and is now administered by the CMMI Institute (part of ISACA); it defines criteria for assessing the process maturity of product and service organizations, including their software development capability.

Industry Specific Compliance

HIPAA

The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a set of regulatory standards that govern the lawful use and disclosure of Protected Health Information (PHI). eMudhra is compliant with all aspects of HIPAA: the requirements that apply to health information are followed comprehensively, and patients' PHI is handled with the utmost care, so that organizations entrusting PHI to emSigner can rely on these controls.

SAFE Identity/DirectTrust Identity

eMudhra has received DirectTrust Identity Certification (formerly SAFE Identity Certification). It is issued by DirectTrust Identity (formerly SAFE Identity), a US-based industry consortium and certification body that operates a Trust Framework for digital identities in healthcare. The certification provides assurance to the global healthcare community that eMudhra's paperless office solution, emSigner, is capable of processing identity credentials by applying and verifying digital signatures on PDF documents.

Documents and Certifications

emSigner maintains a list of documents and certifications to support its security compliance, and these can be made available on request. These include ISO certificates, GDPR compliance certificates, and HIPAA compliance certificates.

Access to documents such as the SOC 2 Type II report, our penetration test report summary, and other specific documents may be provided upon signing an NDA.

Cloud Security

emSigner follows a tiered security model: it relies on leading cloud hosting providers for hosting, infrastructure, and network security, while a dedicated team of security professionals performs continuous monitoring. As part of our privacy compliance efforts, comprehensive employee training and awareness is conducted on an ongoing basis, supplemented by Data Protection Impact Assessments and by internal and external audits.

Data Center Physical Security Facilities

emSigner is hosted in AWS data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. Details of AWS facility compliance are published in AWS's own compliance documentation.

On-site Security

AWS on-site security includes security guards, fencing, security feeds, intrusion detection technology, and other physical security measures.

Data Hosting Location

emSigner leverages AWS data centers in the United States, Europe, and the Asia Pacific region, and offers subscribers a choice of data location, including APAC (India), the United States, Europe, and the Middle East.

Network Security

Dedicated Security Team

Our dedicated security team is available 24/7 to monitor and respond to any security events and alerts.

Protection

Our network is protected through regular audits and network intelligence technologies that monitor and/or block malicious traffic and network attacks.

Architecture

Our network security architecture consists of multiple security zones. Sensitive systems such as database servers are placed in private subnets, with controls and restrictions on traffic entering and leaving the subnet. Depending on the zone, additional security monitoring and access controls are deployed. DMZs separate the Internet from the internal network and separate the different zones of trust from one another.

Network Vulnerability Scanning

Network security scanning is carried out regularly to quickly identify out-of-compliance or potentially vulnerable systems.

Intrusion Detection & Prevention

We have deployed Amazon GuardDuty, which continuously analyzes AWS CloudTrail events, VPC Flow Logs and DNS logs for our accounts against threat intelligence and anomaly detection, and raises findings on suspicious activity such as reconnaissance, compromised instances or unusual API calls. These findings feed our attack detection, threat visibility, threat hunting and response processes.

DDoS Mitigation

We have deployed AWS Shield, a managed Distributed Denial of Service (DDoS) protection service, to safeguard emSigner. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency.

Logical Access

Access to the emSigner production network is restricted on an explicit need-to-know basis. Least-privilege access is continuously audited, monitored, and controlled by our Security Team, and employees accessing the production network are required to authenticate with multiple factors.

Data Security and Privacy

Encryption of Data at Rest

Both PII and documents are encrypted before being stored in the emSigner database. emSigner uses the Advanced Encryption Standard (AES) with 256-bit keys (AES-256) for data at rest.

Encryption of Data in Motion

All communications with the emSigner UI and APIs over public networks are encrypted with industry-standard HTTPS/TLS (TLS 1.2 or higher), so traffic between you and emSigner is protected in transit. Exceptions may include in-product SMS functionality and any third-party app, integration, or service that subscribers choose to use at their own discretion. Additionally, emSigner gives users the option to encrypt documents within the platform UI before sharing them with external parties.

Resiliency

Uptime

emSigner maintains a publicly available system service status webpage, which includes system availability details, scheduled maintenance, service incident history, and relevant security events.

High Availability

emSigner is hosted on AWS, with the application and database tiers deployed across two separate availability zones. The service is committed to 99.99% uptime so that there is no disruption to the services. Timely notifications are sent to clients and end-users in case of planned or unplanned downtime.

Redundancy

emSigner employs service clustering and network redundancy to eliminate single points of failure. Data backups are performed automatically by the system, with synchronous replication. Because Service Data is replicated across availability zones, the backup process supports a high level of service availability.

Disaster Recovery

As part of our Disaster Recovery (DR) program, emSigner leverages rigorous business impact and risk analysis to identify the applications and services that are critical to each of our products. The program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished by building a robust technical environment, creating Disaster Recovery plans, and testing them. The Disaster Recovery plan is maintained as a separate document.

Security Incident Response

In case of a system alert, events are escalated to our internal teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths. The incident response process is maintained as a separate document.

Application Security

Vulnerability Management

Vulnerability Scanning

We employ third-party security tools to continuously and dynamically scan our core applications for common web application security risks, including but not limited to the OWASP Top 10. A dedicated in-house product security team tests the applications and works with the development teams to fix any discovered issues. We also engage third-party security teams to perform detailed vulnerability scanning annually. eMudhra's vulnerability management process is maintained as a separate document.

Third-party Penetration Testing

emSigner is tested intensively by our internal product and testing team before every major release. We also employ third-party security teams to perform detailed penetration tests annually.

Employee Awareness & Training

Secure Code Training

All code that is written and published goes through an iterative development process with a focus on secure coding, with strong emphasis on the OWASP guidelines.

Quality Assurance

Our Quality Assurance (QA) team reviews and tests our code base, and a dedicated application security team identifies and tests for security vulnerabilities in the code so that they are fixed before release.

Environments

emSigner uses separate environments for production, staging, quality assurance, and development. These environments are isolated from one another, so that code transitions through a proper release process with a clear focus on DevOps practices.

Product Security

Authentication Security

Authentication Modes

emSigner supports multiple modes of authentication: emSigner native authentication; single sign-on via SAML 2.0 or OpenID Connect; integration with external multi-factor authentication systems through REST APIs; and Office 365 Cloud AD or Google accounts for user authentication.

Password Policy

With emSigner's native authentication, only administrators can configure the password policy, through the administrator settings. Administrators can choose the password complexity (length, letters, numbers, upper and lower case, etc.), password aging, and the permitted number of login attempts.

Two-factor Authentication (2FA)

emSigner's native authentication supports two-factor authentication for users through email/SMS-based OTPs or through the Google, Microsoft, or emSigner Authenticator app.

Credential Security

We follow credential storage best practices by never storing passwords in a human-readable format. The storage of credentials is always the result of a secure, one-way hash.
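The password policy settings described under Password Policy above and the one-way hashing described here fit together in a single login path. The following is an added example, not emSigner's code: a configurable complexity/aging/lockout policy, a salted and iterated PBKDF2-HMAC-SHA256 hash (a plain unsalted hash is not enough, because identical passwords would hash identically and fast hashes are cheap to brute-force), a constant-time verification, and a failed-attempt lockout that is evaluated before the hash so a locked account cannot be used as a password oracle. The `PasswordPolicy`, `Account` and `attempt_login` names and the default values are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Admin-configurable policy: complexity, aging and failed-attempt lockout (illustrative defaults)."""
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    max_age_days: int = 90
    max_failed_attempts: int = 5


def policy_violations(policy: PasswordPolicy, password: str) -> list:
    """Return the rules a candidate password breaks (empty list means it complies)."""
    checks = [
        (len(password) >= policy.min_length, f"at least {policy.min_length} characters"),
        (not policy.require_upper or re.search(r"[A-Z]", password), "an upper-case letter"),
        (not policy.require_lower or re.search(r"[a-z]", password), "a lower-case letter"),
        (not policy.require_digit or re.search(r"[0-9]", password), "a digit"),
        (not policy.require_symbol or re.search(r"[^A-Za-z0-9]", password), "a symbol"),
    ]
    return [rule for ok, rule in checks if not ok]


# OWASP's 2023 guidance for PBKDF2-HMAC-SHA256; lowered only in tests.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated one-way hash. Salt and parameters are stored alongside the
    digest so the iteration count can be raised later without breaking old records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


@dataclass
class Account:
    username: str
    password_hash: str
    changed_at: float          # Unix time of the last password change
    failed_attempts: int = 0
    locked: bool = False


def attempt_login(account: Account, candidate: str, policy: PasswordPolicy, now: float) -> str:
    """Returns 'ok', 'bad_password', 'locked' or 'password_expired'. The lock is checked
    before the hash so a locked account never reveals whether the password was right."""
    if account.locked:
        return "locked"
    if not verify_password(account.password_hash, candidate):
        account.failed_attempts += 1
        if account.failed_attempts >= policy.max_failed_attempts:
            account.locked = True
            return "locked"
        return "bad_password"
    account.failed_attempts = 0
    if now - account.changed_at > policy.max_age_days * 86400:
        return "password_expired"
    return "ok"
```

In production the iteration count should stay at the default (or be replaced by a memory-hard function such as Argon2id or scrypt); the stored prefix lets `verify_password` migrate records transparently when the parameters change.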

Additional Product Security

Role Based Access Controls (RBAC)

Access to workflows and documents within emSigner is governed by Role-Based Access Control (RBAC) and can be configured at a granular level. emSigner supports various permission levels, at the user level and the department level, for initiators, signatories/reviewers, administrators, etc. Restrictions can also be imposed at the document level for pre-defined and ad-hoc workflows, covering the document uploaded for signing, its attachments (if any), and the completion certificate.

Audit Logs

emSigner offers audit logs for accounts, with details of account changes, user changes, actions performed, etc. The audit log is available in the administrator settings and can be exported in Excel/PDF format for further analysis. The View Audit Logs page describes which information is captured in the logs.

Document Log

emSigner records the actions performed by users on a document, including Sent, Viewed, and Signed/Reviewed events with their timestamps. It also captures the operating system, browser, and IP address used by the participant while performing the action(s) assigned to them.

Attachment Visibility

emSigner allows administrators to configure attachment visibility from the administrator module. Administrators can define, per workflow, whether or not participants can view the attachment(s).
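The three preceding sections (RBAC, Document Log, Attachment Visibility) describe one mechanism: a deny-by-default authorization check whose role comes from either a user-level workflow assignment or a department-level administrator role, with a per-workflow switch for attachments, and every decision recorded with the participant's IP, browser and OS. The following is an added example of that pattern, not emSigner's code; the role names, action names, data classes and the rule that administrators always see attachments are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Actions each workflow role may perform. Illustrative names, not emSigner's permission identifiers.
ROLE_ACTIONS = {
    "initiator":     {"view_document", "view_certificate", "recall"},
    "signatory":     {"view_document", "sign", "view_certificate"},
    "reviewer":      {"view_document", "review"},
    "administrator": {"view_document", "view_certificate", "view_audit_log", "recall"},
}


@dataclass
class User:
    name: str
    department: str
    department_role: str = "member"      # "member" or "administrator" (department-level permission)


@dataclass
class Workflow:
    workflow_id: str
    department: str
    participants: Dict[str, str]         # user-level assignment: user name -> role
    attachments_visible: bool = True     # admin setting: may participants view attachments?


@dataclass
class DocumentLogEntry:
    timestamp: str
    workflow_id: str
    user: str
    action: str
    result: str
    ip: str
    browser: str
    os: str


def effective_role(user: User, wf: Workflow) -> Optional[str]:
    """A user-level assignment wins; otherwise a department administrator holds the
    administrator role over every workflow in that department; otherwise no role at all."""
    if user.name in wf.participants:
        return wf.participants[user.name]
    if user.department == wf.department and user.department_role == "administrator":
        return "administrator"
    return None


def authorize(user: User, action: str, wf: Workflow, log: List[DocumentLogEntry],
              ctx: Dict[str, str], now: Optional[datetime] = None) -> bool:
    """Deny-by-default check. Every decision, allowed or denied, is appended to the
    document log together with the client IP, browser and OS from the request context."""
    role = effective_role(user, wf)
    if role is None:
        allowed = False
    elif action == "view_attachment":
        # Per-workflow admin switch; administrators can always see attachments (assumption).
        allowed = wf.attachments_visible or role == "administrator"
    else:
        allowed = action in ROLE_ACTIONS[role]
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    log.append(DocumentLogEntry(stamp, wf.workflow_id, user.name, action,
                                "allowed" if allowed else "denied",
                                ctx.get("ip", "?"), ctx.get("browser", "?"), ctx.get("os", "?")))
    return allowed
```

Logging denials as well as grants is deliberate: a burst of "denied" entries from one IP against documents a user was never assigned is the enumeration pattern an audit reviewer wants to see.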

Human Resource Security

Security Awareness

Policies

eMudhra maintains a comprehensive Information Security Policy which is published to employees and contractors joining us.

Training

Every eMudhra employee and contractor attends mandatory security training sessions at periodic intervals. All developers receive training on secure coding methodologies, and the security team receives additional training on industry best practices.

Employee and Contractor Vetting

Background Verification checks

eMudhra performs background checks on all new employees and contractors in accordance with local laws. The background check includes criminal, education, and employment verification.

Non-disclosure and Confidentiality Agreements

Every eMudhra employee and contractor is required to sign a Non-Disclosure Agreement and an Employment Agreement that includes IP confidentiality terms. They are also reminded regularly of the importance of security.

Copyright emSigner 2023