Data Security

emSigner’s security policies have been designed to offer the highest level of assurance to its users. Built on industry-leading infrastructure and designed with best-in-class security features, emSigner’s platforms are rigorously audited to protect customer data.

emSigner’s security program is built on the following core principles:

Deliver Trust

The emSigner team has over 10 years of experience operating as a trust service provider in global markets. This helps us deliver trust in both our consumer-facing and enterprise-facing applications.

Use Cutting Edge Technology to power Security

emSigner’s technology stack uses industry-leading techniques in cryptography, the latest systems that guard endpoints, and a host of security measures at the application, network and database levels to protect sensitive data. This is backed up by round-the-clock monitoring, logging, and continuous training and awareness programs.

Accreditations and Certifications

emSigner uses and follows industry best practices to continuously maintain compliance with various generally accepted industry standards and security frameworks.

As part of our accreditation and compliance measures, emSigner is continuously evaluated against the following stringent security standards

emSigner is ISO 27001:2013 certified, an industry standard for information security practices. To download our ISO certificates, please contact us.

emSigner is ISO 27018: 2014 certified, another industry standard for ensuring cloud security

emSigner is evaluated on an ongoing basis for SOC 2 Type II compliance, a gold standard for cloud security. SOC2 Type II reports are available under NDA. To request a copy, please contact us.

emSigner is CMMI Level 5 accredited, a program run by the Carnegie Mellon Institute. CMMI defines criteria that assess product and service companies against their software development capability and maturity.

To see eMudhra’s CMMI accreditation, Click here

The WebTrust for Certification Authorities program was developed to increase consumer confidence in the Internet as a vehicle for conducting e-commerce and to increase consumer confidence in the application of PKI technology. This program, which was originally developed jointly by AICPA and CICA, is now managed by the Chartered Professional Accountants of Canada.

The WebTrust accreditation of emSign, emSigner's affiliate brand (both are part of eMudhra), can be seen here


emSigner is GDPR and HIPAA compliant with the privacy built on key principles of user consent, secure storage of personally identifiable information and audit trails to track key activity in the system. We also conduct risk assessments of third party services before onboarding them.

As part of our privacy compliance efforts, employee training and awareness is conducted on an ongoing basis, supplemented by Data Protection Impact Assessments and internal and external audits.

Link to our privacy policy can be found here

To learn more about the capabilities and support we have put in place, please refer to our GDPR resources

  • GDPR FAQ’s
  • GDPR Data Processing Addendum
  • GDPR Compliance

To learn more about our HIPAA compliant practices for processing healthcare data, please contact us

Documents and Artefacts

emSigner maintains a list of documents and certifications to support its security compliance and these can be made available on request. These include ISO certificates, GDPR compliance and HIPAA compliance certificates.

Access to documents such as SOC2 Type II certificate, our penetration test report summary and any other specific documents may be provided upon signing an NDA

To request access to any of the above documents, please contact us here

Cloud and Product Security


emSigner follows a tiered security model: it relies on the best cloud hosting providers for hosting, infrastructure and network security, while continuous monitoring is done by a dedicated team of security professionals.

emSigner is hosted in AWS data centers in a highly available manner across multiple AWS regions including USA, Europe and India. AWS data centers offer some of the highest levels of compliance and controls for data centers and hosting providers.

To understand more about AWS security, please visit

For overall compliance -

For data center controls -

For physical security -

emSigner uses a deployment architecture that consists of public and private subnets for trusted zones. Our databases are hosted only in private subnets, with controls and restrictions on traffic in or out of the subnet.

All access to the private subnets is only through application servers or bastion hosts designed specifically for this purpose.

emSigner leverages AWS tools and systems to monitor incoming traffic for threats, DDoS attacks and other types of intrusion.

We also leverage the use of security event monitoring systems for monitoring and notifying our security team of critical events so they can be responded to.

At a product level, emSigner ensures security at multiple layers

All code written and published goes through an iterative development process with a focus on secure coding. Huge emphasis is put on OWASP guidelines while developing the software. The code goes through review using third-party tools before being released into our testing environments.

This is supplemented with periodic internal and annual external vulnerability scans and penetration tests

The application runs over SSL/TLS channels with encryption in transit and all data stored at rest is encrypted

emSigner uses separate environments for production, staging, quality assurance and development. The production and staging environments are isolated from each other and from the QA and development environments, ensuring that code transitions through a proper release process with a focus on DevOps practices.

At a product feature level, emSigner supports the following features

Multifactor authentication and O365 based login - This allows users to set up a second factor such as an OTP or use O365 credentials to log in

Role Based Access Control - Ability to distinguish between users based on their roles and entitlements, so that only users with privileges are allowed to perform certain critical actions such as user creation

Trusted Login - Ability to define an IP range to block requests coming from third-party networks

Secure Credentials - All secure credentials such as passwords are hashed so that they are never stored in plain text. Further, password policies allow users to define password complexity, expiry, etc. to strengthen login controls into the system

Device Tracking - emSigner tracks certain parameters such as IP and Device Type as part of its activity logs. This is used for event monitoring and acts as circumstantial evidence in case of digital signing of documents where parties use Simple or Advanced Electronic Signature

Employee Awareness and Training

emSigner maintains a comprehensive Information Security Policy which is published to employees and contractors joining us.

All employees/contractors are required to undergo mandatory awareness at least annually.

Employees also sign NDAs and an Employment Agreement including terms for IP confidentiality, and are sensitized on the importance of security regularly.

Have questions? Reach out to us


The eSignature Legality Guide is the result of legal research into the laws and practices regarding eSignature on a country-by-country basis. Each country-level analysis was conducted by local law firms located in that country, in that country’s local language. This legal analysis was then supplemented with complementary research on eSignature and digital signature technology standards conducted by independent technology experts. Together, this information is provided as a public resource to understand eSignature legality, and clarify some of the common misconceptions about international eSignature legality.


A basic measure of eSignature legality in a country is whether courts will admit eSignatures as evidence in court. In most countries in the world, an eSignature cannot be rejected simply because it is electronic, meaning that it should be admissible, subject to proof. Learn more about how DocuSign helps you prove an eSignature validity in court, below.


While there are exceptions for very specific types of transactions, eSignatures, independent of the underlying technology, may be used for the majority of general business transactions in most countries. Issues that may restrict general business use include local technology requirements or other restrictions on special transactions types. Learn more about specific transaction types, below.


‘Tiered’ countries recognize Qualified Electronic Signature (QES, or the locally named equivalent) as a distinct type of eSignature. In these countries, a QES has special legal status in the form of presumed authenticity, and may be legally required for a few, specific transaction types. In spite of this, a non-QES eSignature can still be submitted as evidence in court even in Tiered countries, so long as the party presenting it has sufficient evidence to prove that it is valid. Countries imposing QES standards often struggle to promote electronic business transactions, especially across country borders. ‘Open’ countries have no such technology requirements or eSignature types that receive special legal status. Learn more about eSignature legality at
