eMudhra’s security policies are designed to offer the highest level of assurance to its users. Built on industry-leading infrastructure and designed with best-in-class security features, eMudhra’s platforms are rigorously audited to protect customer data.
eMudhra’s security program is built on two core principles:
Deliver Complete Trust
eMudhra has a decade-long history of operating as a trust service provider in global markets with 100% compliance to local regulatory requirements. This helps us deliver trust in our consumer-facing as well as enterprise-facing applications. eMudhra’s operations are periodically audited for ISO and CMMI compliance, and eMudhra’s CA operations are WebTrust accredited.
Use Cutting-Edge Technology to Power Security
eMudhra’s technology stack uses industry-leading techniques in cryptography, current endpoint protection systems and a host of security measures at the application, network and database levels to protect sensitive data. This is backed by round-the-clock monitoring and logging and by continuous training and awareness programs.
The Security Posture
The security posture is implemented and enforced by a dedicated security team.
This team works round the clock and is responsible for infrastructure, application and database security and compliance. The security team is also involved in all aspects of the product development lifecycle and conducts vulnerability assessment and penetration testing before all critical releases.
Our approach to security is multi-layered, starting from the data and going all the way up to the end user. This is reflected in our product offerings, all of which use one or more of the measures listed below to protect sensitive information.
- Use of encryption and hashing techniques to protect personal data
- Use of HSMs to store the keys used to sign or encrypt information
- Access control mechanisms for employees and customers on our platforms to restrict access to data
- Regular backups of data are taken out of our core systems from a disaster recovery standpoint
- Retention of data as per local laws or in compliance with customer requirements
- Software Development Lifecycle best practices applied in accordance with the CMMI maturity model
- Vulnerability Assessment and Penetration Testing performed on all key components of applications
- Training on Secure Coding and Security Design principles
- Top Management Review on Information Security compliance
- Our CA operations, related applications and analytics platforms are hosted at our own Tier III data centre, which is audited yearly by external auditors
- Other applications are hosted on Amazon Web Services and Hetzner (Germany), both of whom are highly reputed for ensuring security compliance
- AWS data centres are frequently audited and comply with a comprehensive set of frameworks including ISO 27001, SOC 1, SOC 2, SOC 3 and PCI DSS
- AWS physical data centres have stringent physical access controls in place to ensure that no unauthorized access is permitted, including biometric access controls, twenty-four-hour armed guards and video surveillance
- All of our infrastructure is monitored and logged for key security events
- The access control mechanism described in our Information Security policy is followed to prevent unauthorized access to sensitive applications
- Hosts running our applications are scanned periodically for vulnerabilities and patched with security updates and critical fixes
End User Security
- End users have anti-virus tools installed that control access to websites, monitor traffic in and out of the computer and log key events
- Firewalls deployed at our offices prevent access to unauthorized content
- For customer engagements that require higher security, eMudhra maintains isolated network zones that segregate the traffic of the employees working on those engagements
- eMudhra also provides its employees with industry-leading email systems from Office 365 and Gmail
eMudhra Assurance Program
eMudhra continually raises the bar for its security policy and focus.
Below are our certifications and compliance attestations.
ISO 27001 is a compliance framework that establishes Information Security Management System (ISMS) standards to identify and manage information risks through a comprehensive set of company-wide processes and controls. Additionally, an ISMS embodies principles of continuous improvement to keep up with the evolving threat landscape and address it proactively.
CMMI (Capability Maturity Model Integration) is a process-level improvement training and appraisal program for software development. Administered by the CMMI Institute, a subsidiary of ISACA, it was developed at Carnegie Mellon University (CMU). It is required by many United States Department of Defense (DoD) and U.S. Government contracts, especially in software development.
eMudhra’s platforms are GDPR ready. To learn more about the capabilities and support we have put in place, please refer to our GDPR resources.
The WebTrust for Certification Authorities program was developed to increase consumer confidence in the Internet as a vehicle for conducting e-Commerce and to increase consumer confidence in the application of PKI technology. This program, which was originally developed jointly by AICPA and CICA, is now managed by the Chartered Professional Accountants of Canada.
EAL 4+ Common Criteria
The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance levels reflect added assurance requirements that must be met to achieve Common Criteria certification. The intent of the higher levels is to provide higher confidence that the system's principal security features are reliably implemented. The EAL does not measure the security of the system itself; it simply states at what level the system was tested. eMudhra’s CA system is undergoing testing at EAL 4, which applies where developers or users require a moderate to high level of independently assured security.