Information Security Policy
Last modified – 15th April 2021

Introduction

Securing your data is a top priority!!
Empuls is committed to ensure Integrity, Confidentiality, Availability and Security of its Physical and Information Assets and maintaining privacy for serving the needs of the customers and organization while meeting appropriate legal, statutory, and regulatory requirements.
To provide adequate protection for information assets, Empuls has built the Information Security Management System (ISMS) which includes the respective policies to be followed in a diligent, consistent, and impartial manner. Empuls will implement procedures and controls at all levels to protect the confidentiality and integrity of information stored and processed on its systems and ensure that information is available only to authorized persons as and when required.

The Empuls promise

Empuls is committed to complying with all applicable regulations and law of the land in all locations and countries related to its operations and information processing.
Empuls takes data integrity and security very seriously. Over 2 million customers across the globe trust us with their data security. Due to the nature of the product and service we provide, it is important that we acknowledge that our responsibilities both as data controller as well as a data processor.
Customer data security is an essential part of our product, processes, and team culture. Our facilities, processes and systems are reliable, robust, and tested by reputed quality control and data security organizations. We continuously look for opportunities to make improvements in the dynamic technology landscape and give you a highly secure, scalable system to provide a great experience. Empuls lets you deliver a secure subscription experience at different levels by -
  • Securing your data with compliance to GDPR.
  • Ensuring Internal Data security of your data that rests with Empuls with adherence to ISO 27001, SOC 2 Compliance requirements.
  • Network Security within Empuls: Network, application, and operational level security policies that we follow.
  • Governance, risk, and compliance team ensuring best practices and standards across the employees and teams.

ISO 27001 certification

ISO/IEC 27001:2013 bis a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes with the aim of keeping information secure. With ISO’s robust information security management system (ISMS) in place, you gain the additional reassurance that a full spectrum of security best practices are implemented across the organization. ‍ Empuls is ISO 27001:2013 certified and we’re committed to identifying risks, assessing implications and putting in place systemised controls that inspire trust in everything that we do - right from our codebase to physical infrastructure to people practices.
The basic goal of ISO 27001 is to protect three aspects of information:
  • Confidentiality: only the authorized persons have the right to access information.
  • Integrity: only the authorized persons can change the information.
  • Availability: the information must be accessible to authorized persons whenever it is needed.

EU-US privacy shield

Empuls complies with the EU-U.S. Privacy Shield by adhering to the principles and protecting the rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers.

General Data Protection Regulation (GDPR)

General Data Protection Regulation it is one of the most important changes made to data privacy regulations in the last two decades. It establishes a new framework for handling and protecting the personal data of EU-based residents and is in effect since May 25, 2018. It provides the citizens of the EU greater control over their personal data and assures them that their information is protected.
At Empuls, we are helping our users understand and, where applicable, comply with the General Data Protection Regulation (GDPR). The GDPR was introduced to bind each member state of the EU with a single, harmonious data protection law. It has been the most comprehensive European data privacy law in decades.

Empuls's Commitment to GDPR

Empuls is fully committed to upholding the rights data subjects are granted under the applicable data protection laws and taking great care of their personal data. Over 2 million customers across the globe trust us with their data security. Due to the nature of the product and service we provide, it is important that we acknowledge that our responsibilities both as data controller as well as a data processor.
Customer data security is an essential part of our product, processes, and team culture. Our facilities, processes, and systems are reliable, robust, and tested by reputed quality control and data security organizations. We continuously look for opportunities to make improvements in the dynamic technology landscape and give you a highly secure, scalable system to provide a great experience.

Physical and Network security

Empuls is hosted on Amazon's AWS platform and infrastructure. Empuls employees do not have any physical access to our production environment. As an Amazon - AWS customer, we are benefitted from a data centre and network architecture built to meet the requirements of the most security-sensitive organisations.
AWS data centres are housed in nondescript facilities, with military-grade perimeter control berms with professional security staff utilising video surveillance, state of the art intrusion detection systems, and other electronic means.
In addition to Apart from the physical security, AWS platform also provides significant protection against traditional network security issues including -
  • Distributed Denial of Service (DDoS).
  • AttacksMan In the Middle (MITM).
  • AttacksPort Scanning.
  • Packet sniffing by other tenants.

Administrative operations

Empuls uses two-factor authentication to grant access for our administrative operations - both infrastructure and services. We ensure that administrative privileges are granted to only a few employees. Additionally, role-based access is used to ensure specific users have only required operations that are allowed for specific users as per the access control policy.
All administrative access is automatically logged and monitored by our internal security team. Detailed information on when/why the operations are carried out are documented and notified to the security team before performing any changes in the production environment.
Empuls has deployed an information technology network to facilitate its business and make it more efficient for various risks. And establish management direction, principles, and standard requirement to ensure that the appropriate protection of information on its networks maintained and sustained. Few controls which in place to achieve the protection of exchanged information from interception, copying, modification, misrouting, and destruction as follow:

Host security

SSH keys are required to gain console access to our servers and each login is identified by a user. All critical operations are logged to a central log server and our servers can be accessed only from restricted and secure IPs.
Hosts are segmented, and accesses are restricted based on functionality. That is, application requests are allowed only from AWS ELB and database servers can be accessed only from application servers.

Application security

Secure Access - ‍Empuls's application servers are all secure HTTPS. We use industry-standard encryption for data traversing to and from the application servers.
Cross-site scripting (also known as XSS) - All user inputs are well encoded when displayed to ensure XSS vulnerabilities are mitigated.
Cross-site request forgery (CSRF) - All POST requests are checked for CSRF token before processing the request.
SQL Injection - We use prepared statements for database access to avoid SQL Injection attacks.
Encrypted Data Storage - ‍Empuls does not store any sensitive user information. The keys for various third-party services (like payment gateway) - if stored, are all in the encrypted form in the database.
Vulnerability Scanning & Patching - ‍We periodically check and apply patches for third-party software/services. As and when vulnerabilities are discovered we apply the fixes. We do periodic vulnerability Assessment and Penetration testing using the services of an authorised vendor.

Data storage & redundancy

We use Amazon's RDS for our database. The automated backup feature is configured for RDS. We backup data for up to 30 days. We have configured Amazon RDS in Multi-AZ which provides enhanced availability and durability. Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. Know more.

Monitoring

Empuls uses both internal and multiple external monitoring services to make sure the environment is secure. Our monitoring system will alert the concerned teams through emails and phone calls if there are any errors or abnormality in the request pattern.

Disclosure

At Empuls, we are continually working towards making our system secure. If you find any issues or have any queries regarding our security, please write to us at [email protected]​
Last modified 21d ago