emSigner's security program is built on the following core principles -
Deliver Trust
We have over 10 years of experience in operating as a trust service provider in global markets. Leveraging this experience and expertise, we deliver trust across consumer and enterprise facing applications.
Cutting Edge Technology to Power Security
emSigner's technology stack uses industry leading techniques in cryptography, latest systems that guard end-points along with a host of security measures at application, network, and database levels to protect sensitive data. This is backed up by round-the-clock monitoring, logging, and continuous training & awareness programs.
Security
emSigner uses best practices and industry standards to achieve compliance with industry-accepted general security and privacy frameworks, which in turn helps our subscribers to meet their own compliance standard. As part of our accreditation and compliance measures, emSigner is continuously evaluated against the following stringent security standards -
Security, Industry Compliance, and Memberships
eMudhra has received the SOC 2 Type II certification. The certification issued by AICPA, the world's largest member association representing the accounting profession, affirms that eMudhra is compliant with the principles of security, availability, processing integrity, confidentiality and privacy, and has proper internal controls and processes in place to protect client data. The report can be made available upon request and under NDA.
emSigner is certified with ISO 27001, an international standard which is recognised globally for managing risks to the security of information we hold. ISO 27001:2013 (the current version of ISO 27001) provides a set of standardised requirements for an Information Security Management System (ISMS).
emSigner is certified with ISO 27018:2014, an international standard which establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
emSigner is CMMI Level 5 accredited, a program run by the Carnegie Mellon Institute. CMMI defines criteria that assess product and service companies against their software development capability and maturity.
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of Protected Health Information. eMudhra is compliant with all aspects of HIPAA. We ensure that all requirements related to health information are followed comprehensively and ensure that patients' Personal Health Information (PHI) is handled with utmost care. You can place your complete trust in our foolproof security measures and rest easy, knowing that your organization's security is safe in our hands.
eMudhra has received DirectTrust Identity Certification (formerly Safe Identity Certification). Issued by SAFE Identity (now DirectTrust Identity), a US based industry consortium and certification body operating a Trust Framework for digital identities in healthcare, this certification provides assurance that eMudhra's paperless office solution - emSigner - is capable of processing identity credentials by applying and verifying digital signatures on PDF documents to the global healthcare community.
| Body | eMudhra's Position | Description |
|---|---|---|
| Asia PKI Consortiaum | Chairman, Asia PKI Consortium | APKIC brings together regulators and key players from 12+ countries in Asia. The consortium aims at understanding PKI-driven digitization and cross border digitization. |
| Cloud Signature Consortium | Board Member | Cloud Signature Consortium (CSC) is aimed at arriving at some global standards around utilization of eSignatures. eMudhra is a Board member of the body that consists of 40+ members. Currently, CSC is chaired by Adobe. |
| CA Browser Forum | Member | CA Browser Forum is an invite-only membership forum for Webtrust accredited global trust providers working at a global scale to provide authentication, code signing, and SSL certificates. |
| FIDO Alliance | Member | FIDO alliance is strategically partnered with eMudhra to promote the use of FIDO based authentication in India. |
| Digital India | Key Member | eMudhra is a key member of the Digital India Program and has enabled significant changes in promoting a presence-less, cashless, and paperless society in India. |
emSigner maintains a list of documents and certifications to support its security compliance and these can be made available on request. These include ISO certificates, GDPR compliance, and HIPAA compliance certificates.
Access to documents such as SOC2 Type II certificate, our penetration test report summary and any other specific documents may be provided upon signing an NDA.
To request access to any of the above documents, please contact us here.
Cloud Security
emSigner follows a tiered security model where it relies on the best cloud hosting providers for hosting, infrastructure, and network security arrangements, while ensuring that continuous monitoring is done by a dedicated team of security professionals. As part of our privacy compliance efforts, comprehensive employee training and awareness is conducted on an ongoing basis, which is supplemented by Data Protection Impact Assessment along with internal and external audits.
emSigner is hosted in AWS data centers that have been certified as ISO 27001, PCI DSS Service
Provider Level 1, and/or SOC 2 compliant. To learn more on AWS facilities compliance, please
click here.
AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment
to help protect servers and ultimately your data. To learn more on AWS facilities compliance,
please click here.
AWS on-site security includes features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. To learn more on AWS facilities compliance, please click here.
emSigner leverages AWS data centers in the United States, Europe, and Asia Pacific region. emSigner offers multiple data location choices including APAC (India), United States, Europe, and Middle East. For more information click here.
Our dedicated security team is available 24/7 to monitor and respond to any security events and alerts.
Our network is protected through regular audits, and network intelligence technologies, which monitor and/or block malicious traffic and network attacks.
Our network security architecture consists of multiple security zones. Sensitive systems such as database servers are protected with private subnets with controls and restrictions on traffic emerging from or to the subnet. Depending on the zone, additional security monitoring, and access controls will be deployed. DMZs are utilized between the Internet, and internally between the different zones of trust.
Network security scanning is carried out regularly for quick identification of out-of-compliance or potentially vulnerable systems.
We have deployed AWS GuardDuty that continuously monitors our networks to deliver intelligent security analytics and threat intelligence, thereby providing a single solution for attack detection, threat visibility, proactive hunting, and threat response.
We have deployed AWS Shield, a managed Distributed Denial of Service (DDoS) protection service, to safeguard emSigner. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency.
Access to the emSigner Production Network is restricted on an explicit need-to-know basis. Least privilege access is continuously audited, monitored, and controlled by our Security Team. Employees accessing the emSigner Production Network are required to use multiple factors of authentication to ensure security.
Both the PII data as well as documents are encrypted and stored in the database of emSigner. emSigner uses advanced encryption standards for encrypting the data which includes AES256 bit encryption keys.
All communications with emSigner UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and emSigner is secure during transit. Exceptions for encryption may include any use of in-product SMS functionality, any other third-party app, integration, or service, subscribers may choose to leverage at their own discretion. Additionally, emSigner also provides an option to the user to encrypt documents within the platform UI before sharing them with external parties.
emSigner maintains a publicly available system service status webpage, which includes system availability details, scheduled maintenance, service incident history, and relevant security events.
emSigner is hosted on AWS cloud with application and database being hosted in two separate availability zones. It is assured to provide 99.99% uptime to ensure that there is no disruption to the services. Timely notifications/communications to clients and end-users are sent in case of planned or unplanned downtime of the service.
emSigner employs service clustering and network redundancies to eliminate a single point of failure. Data backups are performed by the system automatically with synchronous replication. Our backup process allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.
As part of our Disaster Recovery (DR) program, emSigner leverages rigorous business impact and risk analysis to identify applications/services that are critical to each of our products. The program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities. The Disaster Recovery document can be found here.
In case of a system alert, events are escalated to our internal teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths. The Incident response document can be found here.
Application Security
We employ third-party security tools to unceasingly and dynamically scan our core applications against common web application security risks, including, but not limited to the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with development teams to fix any discovered issues. We also employ third-party security teams to perform detailed Vulnerability scanning annually. eMudhra's Vulnerability Management document can be found here.
emSigner is tested intensively by our internal product and testing team before every major release. We also employ third-party security teams to perform detailed penetration tests annually.
All the codes that are written and published go through an iterative development process with a focus on secure coding. Huge emphasis is put on OWASP guidelines while developing the software.
Our Quality Assurance (QA) team reviews and tests our code base. We have a dedicated application security team who identify, test, and ensure that there are no security vulnerabilities in the code.
emSigner uses separate environments for production, staging, quality assurance, and development. The production and staging environments are isolated mutually with dedicated QA and Development environments, thereby ensuring that code transitions through a proper release process with a clear focus on DevOps practices.
Product Security
emSigner has multiple modes of authentication; users can use emSigner native authentication, protocols such as SAML 2.0 and Open ID connect for SSO, or integration with external multi-factor authentication systems through REST APIs, Office 365 Cloud AD, and Google accounts for user authentication.
emSigner's native authentication allows the administrators (only) to configure password policies to be imposed through the administrator settings. Administrators can choose the password complexity (length, alphabets, numbers, upper & lower cases, etc.), aging, and login attempts.
.png)
emSigner's native authentication allows two-factor authentication for users through email/SMS based OTP's or through Google/Microsoft/emSigner Authenticator app.
We follow credential storage best practices by never storing passwords in a human-readable format. The storage of credentials is always the result of a secure, one-way hash.
.png)
Access to workflows and documents within emSigner is governed by Role Based Access Controls (RBAC) and can be configured at the granular level. emSigner supports various permission levels - at the user level and department level for initiators, signatories/reviewers, administrators, etc. Restrictions can also be imposed on the document level for pre-defined workflows and ad-hoc level workflows, including the document uploaded for signing, attachments (if any), and completion certificates.
emSigner offers Audit Logs for accounts, with details related to account changes, user changes, actions performed, etc. The Audit Log is available in Administrator settings and can be exported in excel/pdf formats for further analysis. To know more about Audit logs and see what information is captured within the logs, please visit View Audit Logs.
emSigner captures various actions performed by the users on a document, which includes the Sent, Viewed, and Signed/Reviewed data along with the timestamp. It also captures the Operating System, browser, and IP address used by the user while performing the action (s) assigned to the participant.
emSigner allows the user to configure attachment visibility from the administrator module. Administrators can define whether or not the participants can view the attachment (s) on a workflow level.
We follow credential storage best practices by never storing passwords in a human-readable format. The storage of credentials is always the result of a secure, one-way hash.
Human Resource Security
eMudhra maintains a comprehensive Information Security Policy which is published to employees and contractors joining us.
Every eMudhra employee and contractor is subjected to mandatory security training sessions at periodic intervals of time. All developers receive training on secure coding methodologies, while the security team is provided with additional security training on industry best practices.
eMudhra performs background checks on all new employees and contractors in accordance with local laws. The background check includes criminal, education, and employment verification.
Every eMudhra employee and contractor is mandated to sign a Non-Disclosure Agreement and Employment Agreement, including terms for IP confidentiality. They are also sensitized about the importance of security regularly.