Emitrr Security

Emitrr Inc (herein referred to as Emitrr in this document) is committed to ensuring Confidentiality, Integrity, Availability, and Privacy and to providing comprehensive protection of its information assets against the consequences of confidentiality breaches, failures of integrity, and interruptions to their availability.

Emitrr is SaaS-based communication and engagement software for local businesses in the US, used by more than 10,000 users. With text, voice, and email as channels of communication, it supports more than 500 customers. All of our products live up to this promise and are backed by our world-class support.

Our Customers include multi-location businesses, franchises as well as individual small businesses. We back ourselves up with robust data security and privacy practices that form an integral part of our product engineering, technology landscaping, and service delivery principles.

In support of Security & Privacy by Design, security is at the heart of how we build our products, secure your data, and provide high resilience. We have created and implemented security & privacy principles. These principles provide a robust framework for building and maintaining secure systems, applications, and services, and allow us to integrate a set of standards, guidelines, and best practices for managing information security, cybersecurity, data security, and privacy risk by default and by design, while ensuring adherence to multiple requirements globally.

Top-down governance and security are in our DNA, and this helps us to constantly assess our threat vectors and to calibrate and strengthen our security posture to align with the changing business and technology landscape.

At Emitrr, security and privacy are the very underpinnings of what we do. We regularly evaluate our security policies and technologies, including firewalls and encryption, to safeguard the security of your information. We strive to be transparent in our use and protection of data while keeping the underlying data secure.

We integrate strong security and global data privacy practices and standards, including SOC 2 Type 2, to strike a balance between low-security control friction and maintaining your employees’ and customers’ privacy rights. Emitrr leverages enterprise-grade security. Since customers entrust sensitive data to our care, keeping it secure and safe is our mission.

We ensure your data is encrypted both in transit and at rest. Our web applications undergo regular vulnerability assessments, penetration testing, and security reviews. Our security and privacy architecture helps you stay compliant with global standards. Emitrr’s computing infrastructure is powered by Amazon Web Services.

All communications with the Emitrr platform and APIs are encrypted using industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks, ensuring secure traffic during transit. By default, all our services with data at rest are encrypted using AES-256-bit standards, with keys managed by key management services.

Below is a diagram of Emitrr Infrastructure and the secure connection between different modules of the platform.

Emitrr is committed to:

i. Ensure Confidentiality, Integrity, Privacy, and Availability by adequately protecting the information and information systems against unauthorized access, modification, or alteration.

ii. Establish and implement security policies and processes while considering the protection of information and information systems from internal and external threats.

iii. Comply with legal, regulatory, and contractual security & privacy obligations as may be applicable.

iv. Ensure security and privacy awareness and competency amongst associates to enable them to meet their security & privacy obligations.

v. Provide a framework to manage and handle security incidents, privacy breaches, violations, and business disruptions.

vi. Ensure continuous improvement of the security & privacy posture to consistently meet its objectives.

Emitrr shall adopt leading industry security & privacy standards and practices to design and develop a robust information security & privacy management framework to support this policy statement. To this effect, the policy shall be supported by domain-level security & privacy policies, procedures, guidelines, and standards, which shall be communicated and made available to relevant stakeholders.

Emitrr is committed to ensuring integrity, confidentiality, availability, and security of its physical and information assets at all times for serving the needs and expectations of its interested parties both within the organization and from external parties including clients, suppliers, regulatory, and governmental departments in line with its vision, mission, and values while meeting all legal, statutory, regulatory, and contractual requirements. Emitrr’s information systems and the information and data they contain are fundamental for its daily operations and future success. Emitrr develops, implements, maintains, and continually improves policies, procedures, and controls at all levels to protect the confidentiality and integrity of information stored and processed on its systems and ensure that information is available to authorized persons as and when required. The Information Security measures include having proper access control policies in place. 

This policy defines the access controls required to meet the security objectives of the Information Security policy. Access control management is paramount to protecting Emitrr information resources and requires the implementation of controls and continuous oversight to restrict access.

Confidentiality, Integrity, and Availability (CIA) are fundamental aspects of the protection of systems and information and are achieved through logical, physical, and procedural controls. It is vital for the protection of systems and information that authorized users who have access to Emitrr systems and information are aware of and understand how their actions may affect security and privacy.

The policy is organized into the following key sections which map directly to the ISO 27001 Access Control Domain security objectives:

  • Business Requirements for Access Control
  • User Access Management
  • User Responsibilities
  • Application and Application Access Control
  • Mobile Computing and Teleworking

  • Access control is established by imposing standards for protection at the operating system level, at the application level, and at the database level. Access to Emitrr computer systems is based on the principles of “least privilege” and “need to know” and must be administered to ensure that the appropriate level of access control is applied to users as well as system support personnel to protect Emitrr information systems.
  • Administrative (also known as “root”) access to systems is limited to Workforce Members who have a legitimate business need for this type of access. Administrative access to network devices is logged.
  • All access to Emitrr systems and services is reviewed by the Corporate Security and Compliance Team and updated on a quarterly basis to ensure that proper authorizations are in place commensurate with job functions.
  • Access to electronically stored records containing personal information is electronically limited to those workforce members who have been assigned an authorized and unique login ID.
  • All computers with an Internet connection, or any computer that stores or processes personal information, must have a recently updated version of software providing virus, anti-spyware, and anti-malware protection installed and active at all times.
  • Password Management: We have processes designed to enforce minimum password requirements for the Emitrr Service. We currently enforce the following requirements and security standards for end-user passwords on the Emitrr Service:
    • Passwords must be a minimum of 8 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols.
    • Multiple sign-ins with the wrong username or password will result in a locked account, which is disabled for a period of time long enough to hinder brute-force sign-in attempts but not so long that legitimate users are prevented from using the application.
    • Email-based password reset links are sent only to a user’s pre-registered email address, as a temporary link.
    • Emitrr prevents the reuse of recently-used passwords.
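Added example (not Emitrr’s code): a small Python model of the end-user password rules listed above, covering the minimum length and character mix, a temporary lockout after repeated failures, and rejection of recently used passwords. The failure threshold, lockout duration and history depth are assumed values, since the page gives no numbers for them.

```python
import hashlib
import hmac
import os
import string

# Stated on the page.
MIN_LENGTH = 8
# Assumed values: the page says "multiple" wrong sign-ins, "a period of time"
# and "recently-used passwords" without giving numbers.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
HISTORY_DEPTH = 5


def check_password_policy(password: str) -> list[str]:
    """Return the list of violated composition rules; an empty list means the
    password satisfies the minimum length and character-mix requirements."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so that the stored history cannot be cheaply reversed.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Account:
    """Per-user state: hashed password history, failure counter and lockout.

    Time is passed in explicitly (seconds) so the behaviour is deterministic."""

    def __init__(self, initial_password: str) -> None:
        self.salt = os.urandom(16)       # one salt per account, reused for history checks
        self.history: list[bytes] = []   # digests, oldest first; last entry is current
        self.failed_attempts = 0
        self.locked_until = 0.0
        problems = self.set_password(initial_password)
        if problems:
            raise ValueError(", ".join(problems))

    def _matches_any(self, password: str, digests: list[bytes]) -> bool:
        candidate = _digest(password, self.salt)
        # Constant-time comparison against each stored digest.
        return any(hmac.compare_digest(candidate, d) for d in digests)

    def set_password(self, new_password: str) -> list[str]:
        """Apply the composition rules and the reuse rule; return violations (empty = accepted)."""
        problems = check_password_policy(new_password)
        if problems:
            return problems
        if self._matches_any(new_password, self.history[-HISTORY_DEPTH:]):
            return ["password was used recently"]
        self.history.append(_digest(new_password, self.salt))
        return []

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def attempt_login(self, password: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked'. The lockout is temporary:
        once it expires, sign-in is allowed again with a fresh failure counter."""
        if self.is_locked(now):
            return "locked"
        if self._matches_any(password, self.history[-1:]):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failed_attempts = 0
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    acct = Account("Correct-Horse1")
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(acct.attempt_login("wrong-Guess9!", now=0.0))
    print(acct.attempt_login("Correct-Horse1", now=60.0))                # still locked
    print(acct.attempt_login("Correct-Horse1", now=LOCKOUT_SECONDS + 1))  # ok
    print(acct.set_password("Correct-Horse1"))                           # reuse rejected
```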

The Acceptable Use Policy (AUP) outlines guidelines for the responsible and acceptable use of company assets by staff. This policy applies to all employees, contractors, consultants, and individuals granted access to company resources.

1. Authorized Use of Assets

Authorized Use: Company assets, including computers, networks, software, devices, and facilities, are to be used solely for business-related activities.

Non-Business Use: Non-business-related use of company assets requires explicit authorization from the management.

2. Data and Information Handling

Data Security: All employees are responsible for protecting sensitive and confidential information. Data should be handled, stored, and transmitted securely, following company policies and relevant regulations.

3. Software and License Compliance

Authorized Software: Installation and use of authorized software is permitted. Unlicensed or unauthorized software is strictly prohibited.

License Compliance: Employees must comply with software licensing agreements and report any licensing concerns to the IT department.

4. Internet and Email Usage

Internet Access: Employees should use the Internet for work-related activities only. Visiting prohibited or potentially harmful websites is not allowed.

Email Usage: Company email should be used primarily for business purposes. Personal use should be limited and comply with company guidelines.

5. Security Measures

Password Security: Employees must use strong, unique passwords for their accounts and devices.

Security Reporting: Any suspected security incidents or breaches should be reported immediately to the IT/security team.

6. Remote Access and Mobile Devices

Remote Access: Remote access to company systems must comply with established security protocols and policies.

Mobile Device Use: Personal devices used for work-related activities must comply with company security guidelines.

7. Social Media and Online Conduct

Professional Conduct: Employees should exercise caution and professionalism when discussing company matters on social media platforms, refraining from disclosing sensitive information.

8. Monitoring and Compliance

Monitoring: The company reserves the right to monitor employee activities on company assets for security and compliance purposes.

9. Consequences of Violation

Violation of this AUP may result in disciplinary actions, including warnings, suspension, termination, or legal actions, depending on the severity and repetition of the violation.

10. Review and Training

The AUP will be reviewed periodically and updated as necessary to align with changing business needs and security standards.

Employees will receive training on this policy to ensure understanding and compliance.

The software development lifecycle policy at Emitrr involves the following key components –

  1. Features and functionality

    The application should do all the things it’s required to do. A tenet of software testing is to validate the build against any documented requirements that, for example, a software requirements specification (SRS) outlines.
  2. Bugs and bug rates

    Find the faults and errors in a release candidate. It’s not enough for a build to perform a feature or function — it must do that work accurately and produce expected outputs in response to known inputs. Testers should look for a “stable” or “quality” build with error rates within acceptable or established limits.
  3. Performance

    Software is frequently subject to performance requirements or metrics an SRS outlines. Metrics may include the following:
    1. Computing rates, such as transactions per second or response time;
    2. Infrastructure or resource usage, such as application CPU utilization;
    3. Network metrics, such as latency or concurrent user connections; and
    4. Other data points deemed important by the development team.
  4. User acceptance or experience

    User acceptance testing gauges how well actual users like the software and how easily they can use it. Teams will commonly use the UX metric to estimate user satisfaction by factoring application response times, failed requests and other parameters into a calculation or score.
  5. Security

    Security has increasingly become a high priority in testing release candidates from both a safety and compliance standpoint. Security testing often involves identifying and remediating:

    i) Potential vulnerabilities;
    ii) Proper authorization and authentication techniques;
    iii) Data encryption (both at rest and in-transit); and
    iv) Resistance to common malicious activity.

Emitrr management believes in establishing a cross-functional working model based on the size, nature of activities, and emerging business realities for product development, support, and maintenance. Emitrr uses the Scrum model from the agile framework in combination with the Continuous Integration and Continuous Deployment (CI/CD) approach to ensure faster delivery of functionalities to its Customers. Members from various teams form the “Squad” to work on the core functionality or features of the product and the underlying infrastructure. Secure Coding standards and guidelines have been published to the Squad and Development teams by the Application Security team.

Change Squad Composition

A Squad consists of the following members:

  • Product Manager
  • Squad Lead
  • Tribe members
  • Tribe leads

Code Version Management

Continuous integration, the “CI” of the CI/CD cycle, is paramount to faster development cycles. Critical blocks of code are unit tested before they are checked in to the code repository using a source control tool. Any changes to the uncompiled source code are tracked for code integrity, and the most up-to-date library is maintained for subsequent sprints. Once the code is approved by the Quality Assurance team, it is committed for promotion to the staging and production environments.

All product inputs, including enhancements, bugs, and fixes, are accumulated in a central repository owned by Product owners. SLAs are defined for fixing the issues and priorities are assigned. Product owners then prioritize what gets into each sprint based on our priority criteria. All security issues/vulnerabilities are considered high priority and bundled into the earliest possible sprint. Our DevOps sprints are powered by a Squad of members that includes the Product Owner, Squad Lead, Tribe Lead, and Tribe Members.

Change Verification and Approval

Following the principles of Security by Design, at Emitrr, product security is a part of the blueprint and design consideration in every build cycle. Accordingly, the Application Security and Cloud Security team is a part of the build cycles. Multiple security checks, including code reviews, web vulnerability reviews, and advanced security tests, are performed in every build. Source code analysis is performed using adopted tools. Vulnerabilities are identified, fixed, and revalidated before the code is promoted to production. In addition, the builds are put through stringent functionality tests, performance tests, stability tests, and UX tests before the build is certified as “Good to go”. Static code analysis is carried out during unit tests, before the code is compiled in a runtime environment. The “Good to go” flag serves as a gating mechanism for code promotion to the production environment.

Change Deployment

To reduce possible downtime, code promotions take place using the Blue-Green Deployment model, which reduces risk by running two identical production environments called Blue and Green. At any time, only one of the environments is live, with the live environment serving all production traffic. During a product update, deployment and the final stage of testing take place in the environment that is not live (Green). Once the deployment has been fully tested against the acceptance criteria, production traffic is switched from Blue to the updated build in Green. Green goes live and Blue moves to an idle state. If something unexpected happens with the new version in Green, we can immediately roll back to the last version by switching back to Blue.

Emitrr has established a formal Asset Management Policy, and the accompanying process is necessary to facilitate effective management, control, and maintenance of the assets/information in its operations environment by classifying assets according to their functionality or criticality.

We are committed to sustainable asset management practices that promote environmental responsibility and efficiency. The objective of our asset management program is to effectively monitor, track, and optimize the utilization of all company assets to ensure maximum efficiency, cost-effectiveness, and return on investment. Through strategic planning, proactive maintenance, and accurate data analysis, Emitrr minimizes downtime, extends asset lifespan, and reduces operational expenses. By implementing best practices and leveraging technology, we aim to maximize productivity, improve asset performance, and ultimately enhance overall business performance and profitability. Emitrr has defined process phases for Asset Management such as Planning, acquisition, operation, maintenance, disposal and performance monitoring.

This policy is to identify, classify, label, and handle Information Assets of Emitrr, and to apply protection mechanisms commensurate with the level of confidentiality and sensitivity.

  1. The confidentiality and sensitivity of the information will be maintained through an Information Asset classification scheme. The level of security to be accorded to the information of Emitrr depends directly on the classification level of the asset, which is associated with that information.
  2. All new assets will be acquired in accordance with Emitrr’s procurement policies and procedures. A risk assessment will be conducted prior to acquiring any new asset to ensure that it aligns with the organization’s strategic objectives. Asset acquisition decisions will be based on cost-effectiveness and strategic alignment with organizational goals. Asset performance metrics will be tracked and analyzed to evaluate asset ROI and inform strategic decision-making.
  3. The Information Asset Inventory must contain the following information as a minimum:

    a. Information Asset Identification
    b. Information Asset Description
    c. Information Asset Location
    d. Information Asset Owner/Custodian
    e. Information Asset Classification
    f. Information Asset Value
    g. Acceptable Usage of Assets

Employees are educated on being responsible and exercising good judgment regarding the reasonableness of personal use. For security and network maintenance purposes, authorized individuals within Emitrr monitor equipment, systems, and network traffic. We reserve the right to suspend or disable employee network accounts for an actual or suspected security breach or policy violation. Any IT resource assigned to an employee is not transferred to another employee or group without first notifying IT, so that the transfer is recorded. The transfer should be made only after a sign-off from IT. In the event of loss of an asset after an unreported transfer for any purpose, the employees are held liable and appropriate fines are levied.

Emitrr information may include, but is not limited to:

  • All computer equipment, software, operating systems, storage media, network accounts, electronic mail, etc… (“IT resources”), are the property of Emitrr. These systems are to be used for business purposes in serving the interests of the company, and of our customers in the course of normal operations.
  • All proprietary information that belongs to Emitrr, such as user manuals, training materials, operating and support procedures, business continuity plans, and audit trails.
  • Personnel information relating to employees of Emitrr.
  • All customer information & product research-related data held by Emitrr.
  • All software assets such as application software, system software, development tools, and utilities.
  • All physical assets, such as computer equipment, communications equipment, removable media, and equipment relating to facilities.
  • People assets.
  • Intangibles such as the reputation and image of Emitrr.

Emitrr maintains an inventory of all virtual devices (including servers and networking components), and physical devices. All the devices are labelled and tracked in an asset register with information about the asset owner, asset custodian, and asset location. The asset register is kept current and is updated whenever the assets are moved or retired or serviced.

Emitrr has developed and implemented a formal process for the cryptographic protection standard and ensures the confidentiality, authenticity, and integrity of the information that is transferred through a third-party network and protects against unauthorized access or malicious activities.

i. Cryptographic controls can be used to achieve different security objectives, e.g.:

  • Confidentiality: Using encryption of information to protect restricted or critical information, either stored or transmitted.
  • Integrity/Authenticity: Using digital signatures or message authentication codes to protect the authenticity and integrity of stored or transmitted sensitive or critical information.
  • Non-Repudiation: Using cryptographic techniques to obtain proof of the occurrence or nonoccurrence of an event or action.

ii. Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.

We use cryptographic methods and industry standards to protect customer data in transit and at rest. For example, all communications with Emitrr platforms and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Emitrr is secure during transit. By default, encryption is also enabled on all our services that contain data at rest using AES-256 bit standards with keys being managed by key management services.

Key Management

At Emitrr, we prioritize the security and integrity of our cryptographic keys through stringent key management practices. Our approach follows industry standards and best practices, encompassing key generation, distribution, storage, updates, and disposal. We maintain strict controls over key access and usage, promptly addressing any compromises or incidents. Additionally, we ensure compliance with legal requirements and safeguard key authenticity alongside integrity. Our commitment extends to protecting keys against unauthorized access and physical threats.

Emitrr has the below process and control for handling vulnerabilities on our products and infrastructure.

Source Code

Secure coding guidelines based on OWASP Secure Coding Guidelines are shared with the engineering teams. The guidelines shall include but are not limited to Input Validation, Output Encoding, Session Management, Error Handling, and Logging. Developers are also trained on the secure coding guidelines by the Application Security team at least on a yearly basis.

Product

On an annual basis, external VAPT for the product is performed by external third-party audit firms. This is gray-box testing: the external vendor is provided with an application walkthrough, then performs automated scans to identify weaknesses in the application and OWASP Top 10 vulnerabilities, and manual tests covering application features such as authorization, authentication, session management, injection, input validation, and transmission security.

Issues identified in all these activities are logged as tickets (internal tool) and are fixed by the respective teams as per the defined vulnerability management process SLA (Critical – within 7 days | High – 15 days | Medium – 30 days | Low – 90 days). Delays, if any, are notified to the respective department head and, for exceptions, to the CEO through the risk tracker.

Cloud Infrastructure

Emitrr uses AWS for our infrastructure. All product networking is managed by the Emitrr cloud infrastructure team. The network components include ECS, application servers, web servers, cache, background servers, database servers, and S3, which together make up the application and data layers. Only the traffic required for business is allowed; the rest is blocked via security groups and NACLs (network access control lists).

We use Docker containers, which are scanned internally daily via the security hub, and scans are performed to identify security misconfigurations against CIS benchmarks.

The Emitrr application security team and DevOps team perform hardening on servers and network components against the CIS benchmark and ensure that the necessary hardening is in place.

Emitrr runs quarterly scans using automated and manual test methods. We have subscribed to a vulnerability database for our environment and trigger alert notifications. The SIEM tool is used for continuous monitoring. Vulnerabilities identified are logged as tickets in internal tools and are fixed by the respective teams as per defined vulnerability management process and SLA.

Monitoring & Operations

For monitoring, we have configured security logging and monitoring tools. The security team is responsible for performing proactive monitoring of information security events and alerts and for providing situational awareness through the detection, containment, and remediation of any suspected or actual security incidents. The team ensures that tactical rules and data sensors are configured to provide suitable early warning and alerts. The team works on a 24×7 basis to identify, analyze, communicate, investigate, and report on critical information security events.

Early warning signals have been configured that trigger alerts to our Security team based on event patterns and strict thresholds. The scope of monitoring is exhaustive and covers the network perimeter and all the service zones, and we recognize events based on signatures, patterns, and correlations that catch false negatives and eliminate false positives. We are equipped to detect and mitigate persistent threats, DDoS, session hijacks, login spoofs, and other data extraction strategies.

Patch Management

Emitrr patch management process is governed by the applicable policy and standard to ensure that all patches, security and otherwise, are deployed in accordance with defined SLAs.

Testing and Scanning

  • Emitrr conducts multiple types of security scans.
  • Those scans include internal, external, authenticated, and unauthenticated scans.
  • These processes are conducted both by Emitrr and third-party resources.

Note: Customers are not allowed to conduct their own scans without explicit permission. To request permission customers must work with their Emitrr account teams in order to receive the appropriate authorization from the Emitrr security team.

Data Leakage Prevention

At Emitrr, we prioritize data security through robust policies and tools encompassing the identification, prevention, and monitoring of data leakage, backed by stringent measures, user accountability, and strategies to thwart adversarial intelligence.

The mechanism is in place to prevent the leakage of sensitive information. All external USB ports on Emitrr machines are restricted by default. Removable mass storage is restricted by default on the workstations and is enabled only after the appropriate approval & business justification.

Emitrr does not deploy a standard DLP solution. Emitrr collects logs from infrastructure systems and endpoints containing details about installed software packages and network traffic. Traffic is monitored at different points in the network. Network, host, and application-level anomaly detection are in place, leveraging custom-built applications and services working in conjunction with a centralized logging and system monitoring platform.

Emitrr has a centralized device management solution and other support solutions in place that give Emitrr the capability to remotely wipe the data on BYOD and/or mobile devices when necessary. A hard drive encryption solution is deployed on laptops for the protection of data. Content filtering is enabled and user access is monitored continuously as per defined policies. Access to public email IDs such as Gmail and to shared drives is blocked from the Emitrr network and laptops. Emitrr corporate-published mobile applications and mail access on mobile devices are protected using a passcode or biometrics (based on device support). Additional security controls, such as a secured container and screenshot prohibition, are enabled on mobile applications.

No documents are stored in print, and access to printers is restricted to senior management only. Any document printouts (if required) are to be shredded and disposed of once the requirement for them is over; clearly marked shredders are installed next to printers for this purpose.

Encryption of Data in Transit and at Rest

Emitrr encrypts Restricted and Confidential data in transit and at rest. Restricted information is the most sensitive form of information. It is so sensitive that disclosure or usage would have a definite impact on Emitrr’s business. Extremely restrictive controls need to be applied (e.g., a very limited audience consisting only of those who are authorized to have such information). Examples include employee personal information, Personal identity information (PII), Financial Account Data (on individuals), strategic plans, investment decisions, etc.

Confidential information is distributed on a “Need to Know” basis only. It is so confidential that disclosure or usage would have a definite impact on Emitrr’s business. Examples include System Security Parameters and Risk Assessment or Audit records, Intellectual Property, Customer Data, business plans, unpublished financial statements, Firewall and Router Configurations, Service Contracts, etc.

Emitrr restricted and confidential data is encrypted during transmission outside Emitrr-owned or managed networks. Network communications between customers and the Emitrr platform are encrypted until the session is terminated or the user logs out of the session.

Information Deletion

At Emitrr, we prioritize the timely and secure deletion of confidential & restricted information, adhering to stringent policies and procedures to mitigate risks and uphold data integrity throughout its lifecycle.

Emitrr adheres to guidelines for securely deleting confidential /restricted information, including selecting appropriate deletion methods based on business needs and regulations, documenting deletion results, obtaining evidence of deletion from third-party service providers, configuring systems for secure destruction, removing obsolete copies, using approved deletion software, employing certified disposal services for physical media, and choosing appropriate disposal mechanisms based on storage media type, to mitigate the risk of unauthorized access or disclosure.

Privacy and Protection of PII

At Emitrr, we prioritize the privacy and protection of personally identifiable information (PII). We have established clear policies and procedures, and communicated to all stakeholders, to ensure compliance with relevant laws and regulations. Our designated privacy officer provides guidance on individual responsibilities, and we implement robust technical and organizational measures to safeguard PII. By adhering to these measures, we uphold the trust of our customers, employees, and stakeholders.

Data Retention and Disposal

Emitrr processes and stores test execution data provided by its Customers, or transmitted via the Emitrr platform by or on behalf of our Customers, while providing Emitrr Services.

This data includes reports, tests, network and browser process logs, other artifacts, authentication and licensing data, test execution metadata (e.g. test status, duration, name, browsing sessions, search history), and other information that Customers may provide during testing.

All test execution data on the VM or real device that ran the test is deleted as soon as the test is completed, which means that if you run any test twice, you will get a new, clean and sanitized machine or device each time. The VM on which the test executed is deleted as soon as the test ends. Real devices are only returned to the public pool after the clean-up process is complete.

All test execution data reports are available from the Emitrr platform interface. Test execution data reports and other test execution data are stored for 60 days and then automatically deleted. Customers who require longer data retention periods are encouraged to download their data directly.

We will retain your Emitrr Account data and personal information only for as long as necessary. Personal Information that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. If you have an association with us, we will only keep the data while your association is active, for as long as needed to provide services to you, and as further needed for us to comply with our legal and contractual obligations.

Disposal of Data – Test execution data is disposed of in a method that renders the data unrecoverable, to the extent reasonably possible, in accordance with industry best practices for wiping or sanitizing electronic media (e.g. NIST SP 800-88).

Protection of information systems during audit testing

At Emitrr, we prioritize information security to safeguard our systems and data. Our policy ensures that audit access and testing are conducted with precision and caution:

i. All audit requests are approved by management.

ii. Technical audit tests are scoped and controlled.

iii. Tests are limited to read-only access or supervised execution by experienced administrators.

iv. Tests affecting system availability are scheduled outside business hours.

v. Access is monitored and logged for accountability.

By adhering to these guidelines, we maintain robust security while facilitating necessary audits. Periodic reviews ensure alignment with evolving needs.

Emitrr partners with organizations that, like Emitrr itself, adhere to global standards and regulations. These organizations include sub-processors and other third parties that Emitrr utilizes to assist in providing its products.

Third Party Onboarding

Based on the nature of the data involved, vendors are classified into 5 categories:

Category 1 – Handles Customer Data (store, process, transmit) (e.g. AWS)

Category 2 – Emitrr internal critical production tools (e.g. SIEM, CRM)

Category 3 – Emitrr internal business tools or applications (e.g. Slack, Google Suite)

Category 4 – Emitrr internal business tools involving employee PII (e.g. HRMS)

Category 5 – Emitrr internal business tools not involving PII (e.g. anonymous feedback)

All vendors must complete a questionnaire and undergo an information security and privacy compliance review.

Third-Party Risk Management

Regular assessments are conducted on such service providers to ensure that data is processed in a fair manner and only for the purposes for which it was collected. Apart from evaluation of technical requirements, an examination of data protection measures, compliance with Emitrr’s security and privacy requirements, and a review of audit reports is conducted before onboarding the service provider. The service provider’s vulnerability management, patch management and intrusion protection capabilities are also reviewed. Copies of the access management process, third-party vulnerability testing reports, SOC 2 reports, ISO 27001/27701 reports, PCI DSS AOC, etc. are shared by the service partner and reviewed by Emitrr as part of due diligence.

Data Governance

Requirements regarding breach notification and reporting obligations are flowed down to Emitrr sub-processors through the Data Processing Addendum executed with each sub-processor. All contracts are reviewed by the Legal team (and by the GRC team regarding breach notification and reporting obligations, rights to audit, support for subject access requests, and other security and privacy safeguards) prior to execution, and the GRC team reviews the service providers on a periodic basis as per its Risk Management Process.

Emitrr has defined a security incident management process to classify and handle incidents and security breaches. A dedicated incident management team has been established, consisting of individuals with the necessary technical expertise and authority to respond to information security incidents. The information security team is responsible for recording, reporting, tracking, responding to, resolving, monitoring, and communicating about incidents to the appropriate parties in a timely manner. The process is reviewed and updated as part of periodic internal audits and is audited as part of the SOC 2 Type II assessment.

The plan outlines the procedures to be followed in the event of an information security incident, including the roles and responsibilities of the incident management team. Information security incidents shall be classified based on their severity and impact on the organization’s operations. This classification will determine the appropriate response actions and escalation procedures.

You may contact our 24×7 hotline at [email protected] to report complaints/breaches.

Breach Notification

Emitrr has established processes for the early identification and reporting of incidents/breaches. Accordingly, as a data controller, we notify the concerned Data Protection Authority of a breach within 72 hours after we become aware of it. Depending on specific requirements, we will also notify Customers when necessary. As a data processor, we inform the concerned data controllers without undue delay. The Data Protection Officer is responsible for reporting security incidents/breaches to Customers.

Customers will have a dedicated Customer Success Manager who will be the SPOC for reporting. The account owner/admin of the Customer’s Emitrr platform will be notified of any security incident that has an impact on the Customer. If there are any email DLs, we will also be able to report the. We are happy to contractually agree on such requirements with a mutual concurrence.

Business Continuity Plan

Emitrr has a formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) defined and implemented to support people, processes, and technology during any crisis or business interruption. Appropriate roles and responsibilities have been defined and documented. The Emitrr Customer Success team is responsible for communication and notification during a crisis. In case of a crisis, the BCP team shall contact relevant authorities such as service utilities, emergency services, electricity providers, and health and safety services for support in connection with business continuity. Information security shall be maintained at appropriate levels during a disruption.

Recovery Time Objective (RTO): Emitrr will aim to restore its normal operations within four hours from the time a disaster is declared, unless a disaster or multiple disasters impact all of the Availability Zones used by an account.

Recovery Point Objective (RPO): Emitrr has configured its infrastructure to provide one hour or less of data loss. This is calculated from the point of the disruption, and not from Emitrr’s disaster declaration.

Emitrr continually reviews the business continuity program based on lessons learned from actual events, exercises, and audits. This includes updating BCPs, refining response procedures, and enhancing training and awareness efforts.

Business Impact Analysis

A Business Impact Assessment (BIA) is carried out for all applicable processes and forms the basis for the BCP and DRP. All critical operations, processes, and facilities are included in the BIA, and BCP and DRP requirements are planned accordingly. Dependencies are identified, and all applicable strategies have been considered as part of the BCP and DRP requirements.

Crisis Management

Emitrr has established a Crisis Management Team (CMT) responsible for coordinating response efforts during emergencies. The CMT is composed of senior leaders from key functional areas and is tasked with decision-making, communication, and resource allocation during crises.

ICT Readiness

Emitrr is dedicated to ensuring the resilience of its ICT services by maintaining an organizational structure equipped to prepare for and respond to disruptions, regularly evaluating and approving continuity plans aligned with business objectives, and defining comprehensive performance, recovery time, and recovery point objectives.

Real-Time Back-Up

All data hosted on the cloud is synced in real time (subject to cross-regional network latency) across AZs, or to a separate AWS region other than the one hosting the Customer-serving infrastructure. Each AWS region is designed to be completely isolated from the other AWS regions, which helps achieve the greatest possible fault tolerance and stability. Data sync happens in an active-active model, and each side is equipped to independently handle the load in case of a failure. Backup and restore testing is conducted annually to ensure the integrity of backups and the effectiveness of restore processes within the organization.

Fault Tolerance Using High Availability & Redundancy

Emitrr uses high-availability solutions to provide continuous service to its Customers. Emitrr provides high availability (HA) services using AWS Availability Zones (AZs) within the AWS region in which Emitrr hosts the application for its Customers. Each AWS Data Center (DC) region has multiple isolated AZs, and Emitrr places resources and data in multiple of these AZs within the region.

Testing and Exercise

The BC and DR Plan is tested and reviewed on a yearly basis by the Emitrr Information Security Officer (ISO) and approved by the ISCSC (Information Security & Compliance Steering Committee). On a yearly basis, training on BCP and DRP requirements is provided to all relevant workforce members involved in the process. The BCP and DR plan of Emitrr is reviewed and audited as part of SOC 2 Type II, which covers availability as one of the trust service principles.

Emitrr has developed a Risk Management Framework as part of its Information Security Management System (ISMS) in accordance with the ISO/IEC 27001:2022 standard. The information security and GRC teams assess security risk annually and on an ongoing basis whenever major internal changes occur or significant events occur in the industry. Emitrr identifies and documents potential risks to its assets, including but not limited to information systems, data, facilities, and personnel. Emitrr has implemented an integrated control system that uses different control types (e.g., layered, preventative, detective, corrective, and compensating) to mitigate identified risks.

Information security risk management is integrated into the SDLC, and information security roles and responsibilities are defined for all SDLC phases. When developing software or systems, Emitrr performs thorough testing and verification during the development process. The risk management process shall be integrated into the change management process at all levels. Risks associated with proposed changes shall be identified, assessed, and addressed in a timely manner to minimize potential negative impacts. A formal acquisition process, which includes a risk assessment, is followed for purchased commercial products, and supplier contracts include the identified security requirements.

Emitrr continuously monitors and reviews the effectiveness of risk management processes and controls. This includes regular reviews of risk assessments, incident reports, and security controls to ensure they remain adequate and up-to-date. Risk assessments include the evaluation of multiple factors that may impact security as well as the likelihood and impact from a loss of confidentiality, integrity and availability of information and systems.

Information security risks associated with the execution of projects, such as the security of internal and external communications, are considered and treated throughout the project life cycle.

Risk assessment (RA) shall be performed on a recurring basis, bi-annually or whenever any of the following changes occur:

  • Technology, infrastructure or process-related changes
  • Introduction/change of suppliers
  • Changes that lead to exceptions to Emitrr policies
  • Changes that affect the legal or regulatory requirements of the system
  • Any other changes that are considered to be significant by the management of Emitrr

Sources for risks can be of the following nature, but not limited to:

  • Self-Assessment (including security and process risks)
  • Customer Complaint /Feedback
  • Internal /External Audit
  • Regulatory Requirement
  • Security Incident /Event
  • Technology /Geo-Political Change

Key enablers such as people, premises, process, and technology shall be documented for each risk identified in the risk register to ensure appropriate control implementation. The risk register includes strategic, financial, environmental, safety, people and reputation risks.

Mitigation strategies shall be developed and implemented to address identified risks effectively. These strategies may include technical, administrative, and physical controls aimed at reducing the likelihood and impact of potential incidents.

The risk treatment plan, which identifies risks and nonconformities, corrective actions, resources, responsibilities and priorities for managing information security risks, is regularly reviewed and updated.

Appropriate risk treatment options (Reduce Risk, Avoid Risk, Transfer Risk, Retain Risk) are considered and approved by the CEO and the Risk Owner. The risk assessment, top risk selection and risk treatment plans are reviewed, and progress is tracked, by the ISCSC.

In light of the evolving threat landscape and the increasing sophistication of cyberattacks, it is imperative for Emitrr to adopt a robust security framework to safeguard our digital assets. Recognizing the criticality of endpoint security in protecting our systems and data, we have implemented a Zero Trust model to fortify our defenses and mitigate potential risks.

All devices including but not limited to computers, laptops, and mobile devices shall be considered untrusted by default. Access to resources, applications, and data shall be granted based on continuous authentication, least privilege access principles, and contextual factors rather than implicit trust in the network or device.

All employees have company-provided assets (i.e. laptops) for carrying out their responsibilities. These endpoints have standard builds deployed with MDM solutions for the control and management of devices, and are authenticated via single sign-on (IAM) and two-factor authentication (2FA).

Antivirus is deployed on all endpoints for protection against viruses and malware. Signature updates are pushed to all systems on a periodic basis.

All laptops and workstations are secured via full disk encryption and are provisioned from a centrally managed image. We apply updates to employee machines on an ongoing basis and monitor employee workstations for malware. We also have the ability to apply critical patches or remotely wipe a machine via the device manager. Wherever possible, we use two-factor authentication to further secure access to our corporate infrastructure.

User Endpoint Devices

Emitrr has established and communicated a comprehensive procedure for the secure configuration and management of user endpoint devices, addressing information handling, device registration, physical protection, update requirements, network connections, access controls, encryption, malware protection, remote management, and the partitioning of user and organizational data.

Use of Personal Devices

Our organization prioritizes the security of business information on personal devices (BYOD) by enforcing the separation of personal and business use, having users acknowledge their responsibilities, implementing remote data wiping measures, addressing intellectual property rights disputes, and ensuring compliance with software licensing agreements and relevant legislation.

Email Security

All emails are signed using the Emitrr.com domain and are encrypted in transit.

At Emitrr, we are committed to building and maintaining trust by delivering the highest standards of security for our customers. As part of this, we constantly invest in security and data privacy initiatives with the latest certifications and accreditations.

Emitrr has been independently audited by one of the global audit firms against the SOC 2 Type II framework, covering the security, confidentiality, processing integrity, availability and privacy trust service principles. We undergo routine audits to receive updated SOC 2 Type II reports, which are available upon request and under NDA.

To request a copy, reach out at [email protected]

The Application Security team performs vulnerability assessment and penetration testing (VA & PT) on all Emitrr products in the production environment on a regular cadence. As per this cadence, the security team performs quarterly manual and automated web application penetration testing for Emitrr platforms. For all other remaining environments (staging, production, development), manual and automated penetration testing is performed semi-annually. The application security team reports identified security vulnerabilities in the internal tool (Atlassian Jira), and the respective product team is notified to resolve the reported vulnerabilities within the defined SLA.

External cyber security organizations are engaged annually to perform independent VA & PT. The updated VAPT report is available upon request and under NDA.

To request a copy, reach out at [email protected]