# Data Security

emSigner’s security policies have been designed to offer the highest level of assurance to its users. Built on industry-leading infrastructure and designed with best-in-class security features, emSigner’s platforms are rigorously audited to protect customer data.

## emSigner’s security program is built on the following core principles:

### **Deliver Trust**

The emSigner team has over 15 years of experience operating as a trust service provider in global markets. This helps us deliver trust in both our consumer-facing and enterprise-facing applications.

#### Use cutting-edge technology to power Security

emSigner’s technology stack uses industry-leading techniques in cryptography, the latest systems that guard endpoints, and a host of security measures at the application, network, and database levels to protect sensitive data. This is backed up by round-the-clock monitoring, logging, and continuous training and awareness programs.

### Security

emSigner uses best practices and industry standards to achieve compliance with industry-accepted general security and privacy frameworks, which in turn helps our subscribers meet their own compliance standards. As part of our accreditation and compliance measures, emSigner is continuously evaluated against the following stringent security standards:

### **Security, Industry Compliance, and Memberships**

**SOC 2 Type II**

emSigner has received the SOC 2 Type II certification. The certification, issued by AICPA, the world's largest member association representing the accounting profession, affirms that eMudhra is compliant with the principles of security, availability, processing integrity, confidentiality and privacy, and has proper internal controls and processes in place to protect client data. The report can be made available upon request and under NDA.

**ISO 27001:2022**

emSigner is certified with ISO 27001, an international standard which is recognized globally for managing risks to the security of information we hold. ISO 27001:2022 (the current version of ISO 27001) provides a set of standardized requirements for an Information Security Management System (ISMS).

**CMMI Level 5**

emSigner is accredited at CMMI Level 5. CMMI is a program run by the Carnegie Mellon Institute that defines criteria for assessing product and service companies on their software development capability and maturity.

### Industry Specific Compliance

**HIPAA**

The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of Protected Health Information. eMudhra is compliant with all aspects of HIPAA. We ensure that all requirements related to health information are followed comprehensively and ensure that patients' Personal Health Information (PHI) is handled with utmost care. You can place your complete trust in our foolproof security measures and rest easy, knowing that your organization's security is safe in our hands.

**SAFE Identity/DirectTrust Identity**

eMudhra has received DirectTrust Identity Certification (formerly Safe Identity Certification). Issued by SAFE Identity (now DirectTrust Identity), a US-based industry consortium and certification body operating a Trust Framework for digital identities in healthcare, this certification provides assurance to the global healthcare community that eMudhra's paperless office solution, emSigner, is capable of processing identity credentials by applying and verifying digital signatures on PDF documents.

### **Documents and Certifications**

emSigner maintains a list of documents and certifications to support its security compliance, and these can be made available on request. These include ISO certificates, GDPR compliance certificates, and HIPAA compliance certificates.

Access to documents such as the SOC 2 Type II certificate, our penetration test report summary, and any other specific documents may be provided upon signing an NDA.

### **Data Encryption**

**Encryption of Data at Rest**

Both PII data and documents are encrypted and stored in the emSigner database. emSigner encrypts this data using advanced encryption standards, including AES with 256-bit encryption keys.

**Encryption of Data in Motion**

All communications with the emSigner UI and APIs are encrypted via industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and emSigner is secure during transit. Exceptions to encryption may include any use of in-product SMS functionality and any other third-party app, integration, or service that subscribers may choose to leverage at their own discretion. Additionally, emSigner gives users the option to encrypt documents within the platform UI before sharing them with external parties.

### **Resiliency**

**Uptime**

emSigner maintains a publicly available [system service status webpage](https://stats.uptimerobot.com/51KP3F0myM), which includes system availability details, scheduled maintenance, service incident history, and relevant security events.

**High Availability**

emSigner is hosted on the AWS cloud, with the application and database hosted in two separate availability zones. The service is assured to provide 99.99% uptime so that there is no disruption to the services. Timely notifications/communications are sent to clients and end-users in case of planned or unplanned downtime of the service.

**Redundancy**

emSigner employs service clustering and network redundancies to eliminate a single point of failure. Data backups are performed by the system automatically with synchronous replication. Our backup process allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.

**Disaster Recovery**

As part of our Disaster Recovery (DR) program, emSigner leverages rigorous business impact and risk analysis to identify applications/services that are critical to each of our products. The program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities. The Disaster Recovery document can be found [here](https://www.emsigner.com/trust-center/download/BCP_Brief.pdf).

**Security Incident Response**

In case of a system alert, events are escalated to our internal teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths. The incident response document can be found [here](https://www.emsigner.com/trust-center/download/Incident_Reporting_Response.pdf).
