Data Security
emSigner’s security policies have been designed to offer the highest level of assurance to its users. Built on industry-leading infrastructure and designed with best-in-class security features, emSigner’s platforms are rigorously audited to protect customer data.

emSigner’s security program is built on the following core principles.
Deliver Trust
The emSigner team has over 10 years’ experience operating as a trust service provider in global markets. This helps us deliver trust in both our consumer-facing and enterprise-facing applications.


Use Cutting Edge Technology to power Security
emSigner’s technology stack uses industry-leading techniques in cryptography, current endpoint protection systems and a host of security measures at the application, network and database levels to protect sensitive data. This is backed by round-the-clock monitoring and logging, and by continuous training and awareness programs.
Accreditations and Certifications
emSigner uses and follows industry best practices to continuously maintain compliance with various generally accepted industry standards and security frameworks.
As part of our accreditation and compliance measures, emSigner is continuously evaluated against the following stringent security standards.
emSigner is ISO 27001:2013 certified, an industry standard for information security practices. To download our ISO certificates, please contact us.
emSigner is ISO 27018:2014 certified, another industry standard for ensuring cloud security.
emSigner is evaluated on an ongoing basis for SOC 2 Type II compliance, a gold standard for cloud security. SOC 2 Type II reports are available under NDA. To request a copy, please contact us.
emSigner is CMMI Level 5 accredited, a program run by the Carnegie Mellon Institute. CMMI defines criteria that assess product and service companies against their software development capability and maturity.
To see eMudhra’s CMMI accreditation, click here.
The WebTrust for Certification Authorities program was developed to increase consumer confidence in the Internet as a vehicle for conducting e-commerce and to increase consumer confidence in the application of PKI technology. This program, which was originally developed jointly by AICPA and CICA, is now managed by the Chartered Professional Accountants of Canada.
The WebTrust accreditation of emSigner’s affiliate brand emSign (both part of eMudhra) can be seen here.
Privacy
emSigner is GDPR and HIPAA compliant, with privacy built on the key principles of user consent, secure storage of personally identifiable information and audit trails that track key activity in the system. We also conduct risk assessments of third-party services before onboarding them.
As part of our privacy compliance efforts, employee training and awareness is conducted on an ongoing basis, supplemented by Data Protection Impact Assessments and internal and external audits.
A link to our privacy policy can be found here.
To learn more about the capabilities and support we have put in place, please refer to our GDPR resources:
- GDPR FAQs
- GDPR Data Processing Addendum
- GDPR Compliance
To learn more about our HIPAA-compliant practices for processing healthcare data, please contact us.
Documents and Artefacts
emSigner maintains a set of documents and certifications that support its security compliance, and these can be made available on request. These include ISO certificates and GDPR and HIPAA compliance certificates.
Access to documents such as the SOC 2 Type II report, our penetration test report summary and other specific documents may be provided upon signing an NDA.
To request access to any of the above documents, please contact us here.
Cloud and Product Security
emSigner follows a tiered security model in which it relies on leading cloud hosting providers for hosting, infrastructure and network security, while continuous monitoring is performed by a dedicated team of security professionals.
emSigner is hosted in AWS data centers in a highly available manner across multiple AWS regions including USA, Europe and India. AWS data centers offer some of the highest levels of compliance and controls for data centers and hosting providers.
To understand more about AWS security, please visit:
For overall compliance - https://aws.amazon.com/compliance/programs/
For data center controls - https://aws.amazon.com/compliance/data-center/controls/
For physical security - https://aws.amazon.com/compliance/data-center/perimeter-layer/
emSigner uses a deployment architecture that separates public and private subnets into trust zones. Our databases are hosted only in private subnets, with controls and restrictions on traffic into and out of the subnet.
All access to the private subnets is only through application servers or bastion hosts designed specifically for this purpose.
emSigner leverages AWS tools and systems to monitor incoming traffic for threats, DDoS attacks and other types of intrusion.
We also use security event monitoring systems to monitor critical events and notify our security team so that they can be responded to.
At a product level, emSigner ensures security at multiple layers.
All code written and published goes through an iterative development process with a focus on secure coding. Strong emphasis is placed on OWASP guidelines while developing the software. The code is reviewed using third-party tools before being released into our testing environments.
This is supplemented with periodic internal vulnerability scans and annual external vulnerability scans and penetration tests.
The application runs over SSL/TLS channels, so data is encrypted in transit, and all data stored at rest is encrypted.
emSigner uses separate environments for production, staging, quality assurance and development. The production and staging environments are isolated from each other and from the QA and development environments, ensuring that code transitions through a proper release process with a focus on DevOps practices.
At a product feature level, emSigner supports the following features:
- Multifactor authentication and O365-based login - allows users to set up a second factor such as an OTP, or to log in with O365 credentials.
- Role Based Access Control - distinguishes between users based on their roles and entitlements, so that only users with the required privileges can perform critical actions such as user creation.
- Trusted Login - ability to define an IP range and block requests coming from third-party networks.
- Secure Credentials - all secret credentials such as passwords are hashed so that they are never stored in plain text. Password policies further allow administrators to define password complexity, expiry and similar rules to strengthen login controls.
- Device Tracking - emSigner records parameters such as IP address and device type in its activity logs. These are used for event monitoring and serve as circumstantial evidence when parties sign documents with a Simple or Advanced Electronic Signature.
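The login controls listed above (Trusted Login IP ranges, hashed credentials with a complexity and expiry policy, and device/IP activity logging) combined into one evaluation routine. This is an added illustration written for this page, not emSigner’s own code; the trusted ranges, the 90-day expiry, the scrypt parameters and the sample user are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import os

# Constructed sample policy: documentation-only IP ranges and a 90-day expiry.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("2001:db8:10::/48")]
PASSWORD_MAX_AGE = 90 * 86400      # seconds; times below are epoch seconds
MIN_LENGTH = 12
SCRYPT = dict(n=2**14, r=8, p=1)   # assumed cost parameters, not the product's

def ip_trusted(client_ip):
    """Trusted Login: accept only source addresses inside a defined range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_RANGES)

def meets_complexity(pw):
    """Password policy: minimum length plus upper, lower and digit classes."""
    return (len(pw) >= MIN_LENGTH and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw))

def hash_password(pw, salt=None):
    """Secure Credentials: keep a salted scrypt digest, never the plain text."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT)

def verify_password(pw, salt, digest):
    candidate = hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def evaluate_login(user, pw, client_ip, device, now, audit):
    """Apply the controls in order and append a Device Tracking log entry.
    Returns (allowed, reason); every attempt is logged, allowed or not."""
    if not ip_trusted(client_ip):
        reason = "untrusted_ip"
    elif not verify_password(pw, user["salt"], user["digest"]):
        reason = "bad_password"
    elif now - user["pw_set_at"] > PASSWORD_MAX_AGE:
        reason = "password_expired"
    else:
        reason = "ok"
    audit.append({"user": user["name"], "ip": client_ip, "device": device,
                  "time": now, "result": reason})
    return reason == "ok", reason
```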
Employee Awareness and Training
emSigner maintains a comprehensive Information Security Policy which is published to employees and contractors when they join us.
All employees and contractors are required to undergo mandatory security awareness training at least annually.
Employees also sign NDAs and an Employment Agreement that includes terms on IP confidentiality, and are regularly sensitized to the importance of security.