Last Updated April 23, 2024
Description of the technical and organizational measures implemented by Emissary, including relevant certifications.
Measures of pseudonymization and encryption of personal data:
Emissary encrypts data at rest using AWS KMS-managed AES-256 keys and in transit using TLS 1.2 and 1.3 over HTTPS. Emissary uses URL hashing as the pseudonymization strategy for every entity within its application.
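As an added illustration of what "hashing as a pseudonymization strategy" means in practice (example code written for this page, not Emissary's own implementation; the page does not state which hash function or key handling is used), the block below derives a stable token from the path of a URL with a keyed hash (HMAC-SHA256). The secret key, the hypothetical URLs and the candidate list are constructed for the example. The last function shows the general caveat a practitioner checks for: an unkeyed hash over a small, guessable identifier space can be reversed by enumeration, which is why the pseudonym is keyed.

```python
import hashlib
import hmac
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed secret for this example only. A real deployment would keep the
# key in a secret store (e.g. KMS) rather than in source code.
SECRET_KEY = b"example-pseudonymization-key-not-for-production"


def canonical_path(url: str) -> str:
    """Reduce a URL to the part being pseudonymized: scheme and host are
    dropped, path and query string are kept. An empty path becomes "/"."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


def pseudonymize(url: str, key: bytes = SECRET_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the canonical URL.

    The same input under the same key always yields the same 64-hex-char
    token, so records stay linkable inside the system, while anyone without
    the key cannot recompute or verify a guess for the original URL."""
    return hmac.new(key, canonical_path(url).encode("utf-8"), hashlib.sha256).hexdigest()


def plain_hash(url: str) -> str:
    """Unkeyed SHA-256 of the canonical URL, shown only for comparison."""
    return hashlib.sha256(canonical_path(url).encode("utf-8")).hexdigest()


def dictionary_reverse(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Recover the input of an unkeyed hash by enumerating a candidate space.

    Demonstrates why plain hashing of a low-entropy identifier (e.g. a
    sequential user id in a URL) is not pseudonymization on its own."""
    for candidate in candidates:
        if plain_hash(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    # Hypothetical URLs constructed for the example.
    url = "https://app.example.com/users/42?tab=profile"
    print("keyed token :", pseudonymize(url))
    print("plain hash  :", plain_hash(url))
    guesses = (f"https://app.example.com/users/{i}?tab=profile" for i in range(1000))
    print("reversed    :", dictionary_reverse(plain_hash(url), guesses))
```

Rotating or losing the key makes previously issued tokens unlinkable, so key management is part of the control, not an implementation detail.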
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services:
Emissary follows SOC 2 Type 2 standards and is externally audited on an annual basis. Emissary's access security controls are based on the principle of least privilege (PoLP) and role-based access control (RBAC). Our server configuration is redundant, with the main server located in the AWS us-east-1 region (Northern Virginia). AWS backups are automatically stored in multiple availability zones within the United States.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident:
Emissary has backup plans for databases and buckets, with periodic backup jobs. Backups are stored in AWS storage across different regions.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing:
Emissary uses Amazon GuardDuty for AWS infrastructure monitoring, HostedScan for external scanning, SonarCloud for in-house code scanning and GitHub's Dependabot for library dependency scanning. Emissary also performs an annual penetration test.
Measures for user identification and authorization:
End-user authentication requires a matching username and password combination. MFA can be enabled through SSO integration. Developer access control is exclusively through the SSH protocol for remote access, combined with VPN and firewalling (IP and port filtering). Personnel access control is exclusively through SSO, which in turn is protected by MFA.
Measures for ensuring physical security of locations at which personal data are processed:
Emissary's cloud hosting provider is AWS. For more detailed information, please refer to https://aws.amazon.com/compliance/data-center/controls/.
Measures for ensuring events logging:
Read-only logs are generated and retained in AWS storage for at least 365 days.
Measures for internal IT and IT security governance and management:
Written policies and procedures are in place.
Measures for certification/assurance of processes and products:
Emissary is annually audited for SOC 2 Type 2 standard.