Emojot Security Policy

Last Updated: June 2023

This policy applies to www.emojot.com (the “Website”) and the products or services offered by Emojot Inc (the “Services”). We refer to those products, services, websites and apps collectively as the “Services” in this Statement. This Security Statement also forms part of the Terms and Conditions for Emojot customers.

Emojot values the trust our customers place in us when they let us act as custodians of their data. That is why we take data security, privacy and compliance seriously. Our responsibilities are built around the security practices detailed below. Our Data Protection and Privacy Policy further details the ways we handle your data.

Physical & Network Security

The Emojot platform is hosted on the SOC 2-accredited Amazon Web Services (AWS) cloud, so Emojot inherits the infrastructure-level regulatory compliance standards associated with AWS. Emojot’s entire cloud infrastructure is protected by Web Application Firewalls (WAF) and Intrusion Detection Systems (IDS). All access trails are monitored in real time and analyzed to detect potential threats or vulnerabilities. The entire infrastructure is regularly scanned for OS-level vulnerabilities, and any that are detected are patched automatically. Emojot’s infrastructure security is managed by a specialized DevOps team assisted by AI/ML-driven tooling for infrastructure access governance.

Application Security

Client accounts are configured as isolated tenants in Emojot’s multi-tenanted, API-driven platform. API call authentication, authorization, and governance are enforced at multiple levels by a sophisticated API Manager deployment. All API access logs are captured and continuously monitored, giving full traceability in the event of a security incident.

Application-level data access is governed by three layers of access control (account-level, role-level, and user-level) using the OIDC and OAuth2 authorization protocols. All user logins and passwords are encrypted and stored in an industry-standard user store. MFA (Multi-Factor Authentication) and SSO (Single Sign-On) are provided as an additional layer of security to protect the user logins of Emojot customer accounts. All user identity and authorization management is handled by a sophisticated Identity Server and API Manager deployment.

Emojot acts as the data processor, and Emojot clients are the data controllers with full control and ownership of their data. Emojot provides all necessary tooling to respond promptly to data-related requests (removal, modification, etc.) from end-users (data subjects). The client account owner/admin decides which users are granted access to Personally Identifiable Information (PII). PII data is masked by default, even for users who have been granted access.

Compliance

Emojot aligns internally with regulatory compliance standards such as GDPR, HIPAA and CCPA. Emojot is committed to maintaining the highest standards of information security and compliance. As part of our ongoing efforts, we are currently in the process of obtaining ISO 27001 certification, which is a globally recognized standard for information security management.

We have engaged a security compliance automation platform to streamline our processes and ensure adherence to industry best practices. In addition to pursuing ISO certification, we are actively exploring opportunities to obtain other relevant regulatory certifications in the near future. By embracing automation and continuously expanding our compliance portfolio, Emojot aims to strengthen our security posture and provide our customers with the highest level of data protection and regulatory compliance.

Access Control

Access to Emojot’s technology resources is permitted only through secure connectivity methods, such as AWS Systems Manager and its Session Manager capability, which provide a secure and auditable way to connect to EC2 instances. We have disabled SSH access as part of our security measures to reduce the attack surface and strengthen the overall security posture of our infrastructure.

Multi-factor authentication (MFA) is enforced for all access to our production environment, adding a layer of security beyond username and password authentication. This helps protect against unauthorized access even when credentials have been compromised.

Emojot follows a robust password policy that includes complexity requirements, expiration intervals, and lockout mechanisms to prevent unauthorized access attempts. We strictly enforce these password policies to maintain the integrity and security of our systems.

Our access control approach follows the principle of least privilege: access permissions are granted on a need-to-know basis. Permissions are reviewed quarterly to confirm they are still necessary and aligned with employees’ job responsibilities. Additionally, access is revoked immediately upon employee termination or any change in employment status to prevent unauthorized access.

Security Policies

Emojot maintains its information security policies and reviews and updates them at least annually. Employees must acknowledge the policies annually and undergo additional training, such as GDPR, CCPA, HIPAA and Secure Coding training, as well as job-specific security and skills development and/or privacy law training for essential job functions. These training programs are monitored and governed by the Emojot Security Team.

Personnel

Emojot conducts background screening at the time of hire (to the extent permitted or facilitated by the applicable laws of each country). In addition, Emojot communicates its information security policies to all personnel, who must acknowledge them, and new employees are required to sign non-disclosure agreements.

Dedicated Security Personnel

Emojot also has a dedicated Security team, which focuses on the application, network, system and data security of Emojot’s services. This team is also responsible for security compliance, training, and incident response.

Vulnerability Management and Penetration Tests

All test and production environments, including networks and application-level components, are scanned automatically using tools such as Amazon Inspector, configured according to industry best practices. Critical patches are applied to servers on a monthly schedule, or earlier on a priority basis.

Emojot also conducts vulnerability assessments and penetration testing of its services at regular intervals, both internally and through external parties. Issues are remediated according to the severity of the findings. The audit assessment and penetration testing reports produced by external parties can be provided to customers on request.

We are dedicated to continuously enhancing our vulnerability management and penetration testing processes to ensure the highest level of security for our systems. As part of this commitment, we are actively exploring opportunities to transition to continuous vulnerability assessments and penetration testing through automated platforms. By embracing automation, we aim to improve the efficiency and effectiveness of our security assessments, enabling us to proactively identify and remediate vulnerabilities in a timely manner. This ongoing pursuit of excellence in vulnerability management reflects our unwavering dedication to safeguarding our systems and protecting our customers’ valuable data.

Encryption

All Emojot data is encrypted at rest and in transit. That is, all data is encrypted in the database, and the channels over which data is transferred are also encrypted. Data at rest is encrypted using the AES-256 encryption algorithm, and data in transit is encrypted with TLS.

Development

Our development team employs secure coding techniques and best practices focused on the OWASP Top Ten. All code merged into the mainline branch is scanned with automated SAST (Static Application Security Testing) tools to maintain code quality, maintainability and security.

Development, testing, and production environments are completely separated and isolated. All changes are peer reviewed and logged for performance, audit, and security purposes prior to deployment into the production environment.

Asset Management

Emojot maintains an asset inventory covering the identification, classification, retention, and disposal of information and assets. These asset inventories are reviewed annually in internal meetings, and additionally in response to any relevant event across the organization.

Information Security Incident Management

Emojot maintains security incident response policies and procedures involved in the initial response, investigation, customer notification (no less than as required by applicable law), public communication, and remediation. These policies are reviewed regularly and tested annually.

Breach Notification

Despite our best efforts, no method of transmission over the internet and no method of electronic storage is perfectly secure. However, if Emojot identifies or learns of a security breach, we will notify the affected users within a 72-hour window after identification. Our breach notification procedures align with applicable country-level, state and federal laws and regulations, as well as any industry rules or standards applicable to us.

Information Security Aspects of Business Continuity Management

Emojot’s databases are backed up on a rotating schedule of full and incremental backups and verified regularly. Backups are encrypted and stored within the production environment to preserve their confidentiality and integrity, and are tested regularly to ensure availability. Furthermore, Emojot maintains a formal Business Continuity and Disaster Recovery Plan (BCDRP). The BCDRP is tested and updated on a regular basis to ensure its effectiveness in the event of a disaster.

Risk Management

Risk Management refers to the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. Risk management is critical for Emojot to successfully implement and maintain a secure environment. Risk assessments will identify, quantify, and prioritize risks against Emojot’s criteria for risk acceptance and objectives. The results will guide and determine appropriate action and priorities for managing information security risks and for implementing controls needed to protect information assets. Weekly security meetings are in place to enforce this policy.

Emojot’s risk management policy includes the following steps as part of its risk assessment program:

1. Identify the risks

  • Identify Emojot assets and the associated information owners.
  • Identify the threats to those assets.
  • Identify the vulnerabilities that might be exploited by the threats.
  • Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.

2. Analyze and evaluate the risks

  • Assess the business impacts that might result from security failures, taking into account the consequences of a loss of confidentiality, integrity or availability of those assets.
  • Assess the realistic likelihood of security failures occurring in light of prevailing threats and vulnerabilities, impacts associated with these assets, and the controls currently implemented.
  • Estimate the level of risks.
  • Determine whether the risks are acceptable.

3. Identify and evaluate options for the treatment of risk

  • Apply appropriate controls.
  • Accept the risks.
  • Avoid the risks.
  • Transfer the associated business risks to other parties.

4. Select control objectives and controls for the treatment of risks

Client Responsibilities

As data controllers of the data they own within the Emojot platform, clients are required to maintain the security of their accounts by using sufficiently strong passwords, enabling MFA on their accounts, and continuously verifying the permissions of the user accounts that have access to their data.

Logging and Monitoring

Application and infrastructure system logs are centrally stored, managed and backed up for troubleshooting, security reviews, audit trails, and analysis by authorized Emojot personnel. Logs are retained in accordance with regulatory requirements. Emojot will provide customers with assistance and access to records in the event of a security incident impacting their account.