
Security Related FAQs

Frequently asked questions related to the Empuls data security policies

Updated over 2 months ago

Cryptography & Encryption

Q: For data in transit, do you leverage encryption to protect data during transport across and between network instances including services like SSH, HTTPS, etc.?

Yes. All network communication, including HTTPS and SSH sessions, is encrypted in transit using industry-standard protocols with AES 256-bit ciphers.

Q: Do you encrypt data at rest?

Yes. All data volumes are encrypted at rest with AES 256-bit encryption to prevent external snooping or unauthorized access in the multi-tenant environment.

Q: Do you segregate multi-tenant data using encryption?

Yes. Each client's data is encrypted with a client-specific key, which keeps one tenant's data segregated from every other tenant's.

Q: Do you provide native encryption capability for sensitive data fields? If so, are there any limits on the number of fields?

Yes, there is a native encryption capability for sensitive data fields, and there is no limit on the number of fields that can be encrypted.

Q: Do you have controls in place to ensure User IDs and passwords are transmitted in an encrypted format?

Yes. User IDs and passwords are transmitted only in encrypted form, in line with the current Technical Security Baseline Standards.

Q: Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant?

Yes. Policies, procedures and mechanisms are in place for the secure disposal and removal of data from all storage media, so that the data cannot be recovered by computer forensic means. Secure data disposal is performed when storage is decommissioned and when a contract ends.

Q: Are Industry standard technologies used to transfer personal data? (Other than e-mail)

Yes. Personal data is transmitted only through approved, encrypted systems and is never transmitted via email.

Q: Are virtual images hardened by default to protect them from unauthorized access?

Yes. Images are hardened by default to protect them from unauthorized access, and the hardened images contain no embedded authentication credentials.

Q: Do you support end-to-end encryption of tenant's data in transit across all security zones?

Yes. Tenant data in transit is encrypted across all security zones, using only approved protocols.

Governance, Risk, & Data Compliance

Q: Are policies and procedures established for labeling, handling, and the security of data and objects that contain data?

Yes. Policies and procedures are established for labeling, handling, storing, transmitting, retention/disposal and security of clients' data and of objects that contain data, per the Xoxoday Information Classification Standard and Protection Measures.

Q: Do you adhere to the tenant's retention policy?

Yes, we adhere to the retention policy that the tenant specifies.

Q: Can you provide a published procedure for security mechanisms to prevent data leakage in transit and data at rest leakage upon request?

Security mechanisms and policies are established and implemented to prevent data leakage, both in transit and at rest.

Q: Can you provide tenants, upon request, documentation on how you maintain segregation of duties within your cloud service offering?

Yes. Policies, processes and procedures are implemented to ensure proper segregation of duties, and this documentation can be provided to tenants on request. Where a user's roles conflict, technical controls are implemented to mitigate the risk of unauthorized or unintentional modification or misuse of the organization's information assets.

Q: Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?

Yes. Our products comply with industry benchmarks and standards for the Software Development Lifecycle (SDLC). All software development procedures are supervised and monitored so that they include:

  • Security requirements

  • Independent security review of the environment by a certified individual

  • Code reviews

  • Quality monitoring, evaluation and acceptance criteria for information systems, upgrades and new versions, established and documented for clients' reference

Q: Do you use automated and manual source code analysis tools to detect security defects in code prior to production?

Yes. Code is checked with automated source code analysis tools as well as manual review to find security defects before it reaches production.

Q: Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?
Yes. An independent security review is conducted by certified professionals to identify security vulnerabilities so that they are fixed before deployment to production.

Q: Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?
Yes. Our products and development practices comply with industry benchmarks and standards for SDLC security.

Q: Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?
Yes. Changes to the production environment are documented, tested and approved before implementation. Production software and hardware changes may include applications, systems, databases and network devices requiring patches, service packs and other updates and modifications. Any change in tenants' roles, rights or responsibilities within this process is documented.

Q: Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?
We maintain a consistent, unified framework for business continuity planning and disaster recovery plan development. The associated communications are established, documented and adopted to ensure consistency in business continuity. This includes protection against natural and man-made disasters (e.g., fire, flood, earthquake, war, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, utility service outages).

Q: Do you provide tenants with geographically resilient hosting options?
Our hosting options are limited to our own jurisdiction and are backed by business continuity plans, so we do not currently offer geographically diverse hosting options.

Q: Are business continuity and disaster recovery plans subject to test at least annually and upon significant organizational or environmental changes to ensure continuing effectiveness?
Yes. Business continuity plans are tested at least annually and upon significant organizational or environmental changes to ensure their continuing effectiveness.

Q: Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?
We operate an aligned enterprise-wide framework and undergo independent reviews by industry professionals alongside formal risk assessments, conducted at least annually or at planned intervals to determine the likelihood and impact of identified risks. Qualitative and quantitative methods are used to confirm compliance with our policies, procedures and standards.

Q: Do you conduct annual network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
Yes. Penetration tests of the cloud service infrastructure are conducted annually, in line with industry standards.

Q: Do you perform annual audits (internal and external) and are the results available to tenants upon request?
Yes. Annual audits are conducted both internally and externally, and the audit results can be provided to tenants on request.

Q: Are the results of the penetration tests available to tenants at their request?
Yes. Tenants can request the penetration test reports and we will provide them.

Q: Are you storing, transmitting, and/or processing payment card data on behalf of our organization?
Payment card data is handled only for billing purposes; we do not otherwise store, transmit or process payment card data on your behalf.

Q: Can you prove that you are compliant with Indian IT Act 2000?
Yes, we are compliant with the Indian IT Act of 2000.

Q: Do you conduct information audits to determine what personal data is being stored/processed and where is it being stored?
Yes. We conduct regular audits of the personal data we store and process (employee names, email addresses, employee numbers, etc.), which is used for verification and rewarding purposes, and of where it is stored.

Q: Do you have a dedicated information/cybersecurity team responsible for information security governance across the organization?
Yes. A dedicated information and cyber-security team is responsible for information security governance and monitors potential sources of threat and areas of compromise across the organization.

Q: Have you defined the information security roles and responsibilities?
Yes. Information security roles and responsibilities are formally defined so that all operations are aligned with our security measures.

Q: Do you have an acceptable usage policy that is signed/agreed by all employees on an annual basis?
Yes. All employees must agree to the acceptable usage policy covering devices and peripherals, to prevent malicious activity from inside or outside the organization.

Q: Is your environment SOC-2 Type-II attested or certified for the scope of the service being offered to tenants?
Our environment has the controls in place for SOC 2 Type II, but the attestation has not yet been completed. This answer will be updated when it is.

Q: Is your environment CSA-certified for the scope of the service being offered to tenants?
Our environment is not currently CSA STAR Level 1 certified for this scope.

Q: Are all relevant legislative, statutory, regulatory, and contractual security requirements identified, documented, and tracked?
Yes. All security requirements arising from legislation, statutes, regulations and contracts are identified, documented and tracked.

Q: Are appropriate procedures implemented to ensure compliance with legislative, regulatory, and contractual requirements related to intellectual property rights and the use of proprietary software products?
Yes. Our document and record control procedure ensures compliance with requirements relating to intellectual property rights and the use of proprietary software.

Q: Have you identified legislative, regulatory, contractual, and business requirements related to record management?
Yes. Our record management criteria cover the applicable legislative, regulatory, contractual and business requirements.

Q: Do you monitor the effectiveness of cybersecurity controls through regular metrics?
Yes. The effectiveness of cyber-security controls is monitored regularly against a set of metrics.

Q: Do you have an approved HR Policy document?
Yes. Our Human Resources operating procedure takes employee confidentiality into consideration.

Q: Are your employees screened before joining the organization? Are they bound to keep the security of information intact even after their employment contract has ended?
Yes. We perform a thorough background check on every employee before they join. A Non-Disclosure Agreement ensures that information remains protected even after the employment contract ends.

Q: Can you provide details of these third parties including the name of the third party and the services they will be performing on your behalf?
No. The identities of the third parties and vendors we work with are themselves confidential, so this list cannot be shared.

Q: Do you regularly monitor the third party's compliance with security obligations?
Yes. Our third-party security policy requires third parties to comply with their security obligations, and we monitor their compliance regularly.

Q: Is there a process to address any risk that may occur due to the change of services being provided to the tenant?
Yes. A detailed risk management procedure addresses risks arising from changes to the services provided to tenants.

Q: Do you permit the use of contractors in roles supporting customer operations?
No. Customer requests are handled by our in-house customer support team.

Q: Do you have a subscription to brand protection services?
Yes. We subscribe to a brand protection service, and malicious activity targeting our brand is addressed promptly.

Q: Do you monitor media platforms as well for brand protection?
Yes. Because media platforms are a major channel for information sharing, we monitor them for brand protection issues.

Q: Do you have the capability to detect/prevent unauthorized or anomalous behaviour based on network traffic and host activity?
Yes. A sudden spike or drop in network traffic or host activity triggers analysis of that traffic to detect and prevent unauthorized or anomalous behaviour.

Q: Do you have mandatory and regular privacy training and awareness modules?
Yes. Mandatory privacy training and awareness modules are delivered in regular sessions to ensure the security of data.

Q: What is CSA?
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

Q: What are the important features of CSA STAR Level 1?
CSA STAR Level 1 (self-assessment) is intended for organizations that are:
  • operating in a low-risk environment;
  • wanting to offer increased transparency around the security controls they have in place; and
  • looking for a cost-effective way to improve trust and transparency.

Q: Are the applications and programming interfaces (APIs) designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations?
Yes. We ensure this through code review, static code analysis and a Web Application Firewall.

Q: Do you comply with the Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols)?
Yes, we comply with these requirements. Our cloud service provider (CSP), Amazon Web Services (AWS), provides these physical security controls at the data centers hosting our service.

Q: Do you use Production data in a non-production environment?
No. Production data is not replicated to or used in non-production environments; live data is never used in any other environment.

Q: Do you obtain authorization prior to relocation or transfer of hardware, software, or data to an offsite premise?
Yes. Prior authorization from the responsible authority is obtained, as per the Media Protection Procedure, before relocation or transfer of hardware, software or data to offsite premises.

Identity & Access Management

Q: Do you enforce two-factor authentication for privileged account management/authentication while accessing tenant data/systems?
Yes. Policies and procedures are established and implemented to enforce two-factor authentication for privileged account management and authentication when accessing tenant data or systems.

Q: Do you retain logs for all login attempts for a given time period or as required by the tenant?
Yes, systems must be configured to log all successful and unsuccessful login attempts by accounts with privileged access. These authentication logs must be retained for a minimum of 180 days and in accordance with the Company’s records retention guidelines.

Q: Do you have controls in place to restrict any information beyond notification of an unsuccessful login attempt prior to successful login?
Yes. Controls ensure that, before a successful login, the user receives no information beyond notification that the login attempt failed.

Q: Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?
Yes. Through our integration partners, existing customer Single Sign-On (SSO) solutions can be used by all users to access our products. Setup is self-service, so your SSO solution can be plugged in and ready to go. Please refer to our list of integrations for details.

Q: Do you support identity federation standards (SAML 2.0, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?
Yes, our identity federation standards include SAML 2.0.

Q: What levels of isolation are used for virtual machines, physical machines, network, storage (e.g., storage area networks), management networks and management support systems, etc.?
Virtual machines, networks and storage are isolated in accordance with AWS standards to keep tenant systems secure.

Q: Do you allow tenants to use third-party identity assurance services?
No. Tenants authenticate only through our supported protocols and procedures, to avoid gaps in data handling.

Q: Do you support the tenant's access review policy?
Yes, we do support our clients' and tenants' access review policies.

Q: Do you support password (minimum length, age, history, complexity, and expiration) and account lockout (lockout threshold, lockout duration) policy enforcement?
Yes. Our password requirements enforce strong passwords: a minimum length and a combination of uppercase letters, numbers and special characters.

Q: Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?
No. Because our products use single sign-on (SSO), users log in with their existing suite email and credentials.

Q: Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?
Yes. Audit logs are reviewed on a regular basis using automated tools and are integrated with our security operations/SIEM solution.

Q: Is the option of physical and logical user audit log access restricted to authorized personnel only?
Yes. Physical and logical access to user audit logs is restricted to authorized personnel only.

Q: Do you support integration of audit logs with tenant Security Operations/SIEM (Security Information and Event Management) solution?
No. Logs are reviewed automatically on our side but are not integrated with tenants' security operations/SIEM solutions. Logs can be shared with a tenant on request.

Q: Are audit logs centrally stored and retained?
Yes. Audit logs are stored centrally and retained for future reference.

Q: Describe how event logs are protected from alteration including how access to these logs is controlled?
Event logs are stored in a storage bucket that nobody can access without approval from senior management, i.e., the Chief Technology Officer.

Q: Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?
Yes. Security mechanisms and policies are implemented to facilitate timely detection, investigation by root-cause analysis and response; incidents are analysed with network intrusion detection (IDS) tools.

Q: Do your logging and monitoring framework allow isolation of an incident to specific tenants?
Yes. Our logging and monitoring framework allows an incident to be isolated to the specific tenant(s) affected.

Q: Are policies and procedures established and measures implemented to strictly limit access to your sensitive data and tenant data from portable and mobile devices (e.g., laptops, cell phones, and personal digital assistants (PDAs)), which are generally higher risk than non-portable devices (e.g., desktop computers at the provider organization’s facilities)?
Yes, there are measures to limit the access of tenant's data from non-authorized devices. Please refer to "Access Control Procedures".

Q: Is there an approval process for access requests to systems handling personal data?
Yes. Access is governed by access control limits: General Admins and Managers grant access to authorized individuals in response to the requests they raise, covering both the platform and the personal data it holds.

Q: Is access to systems containing personal data granted using a role-based criteria?
Yes. Access is role-based; the "admin" role is the privileged role that may process users' personal data, within the access control limits.

Q: Is all Personal Data registered in a standard repository?
Yes. Personal data is held in registered databases that meet the requirements of a standard inventory repository.

Q: Are credentials stored in a centralized system that is as per the Industry standard?
Yes. Credentials are stored in a centralized secure store, such as a secrets manager, in line with industry standards.

Q: Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?
Yes. Roles and job duties are segregated through role-based access to protect tenants' databases.

Q: Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data?
Yes. If an incident involving inappropriate access to tenant data occurs, we will share the relevant reports.

Q: Do you support tenant's multifactor authentication (e.g., RSA Secure ID, PKI Certificates, out of band pin comprised of at least 6 digits, etc.)?
Yes. We support strong multi-factor authentication for access to highly restricted data.

Q: Do you support access to tenant sensitive data by only tenant's managed devices?

No. Access to tenant data is restricted to authorized personnel rather than to tenant-managed devices.

Solution Development

Q: Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?
Yes. Each tenant's data is encrypted with a client-specific key, so data can be produced for a single tenant without accessing another tenant's data.

Q: Do you logically and/or physically separate tenant systems from corporate systems?
Yes. Our network environment is designed and configured to restrict any communication and connection between the tenant environment and our corporate network.
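As an added illustration of the client-specific-key segregation described in the answer above and under "Do you segregate multi-tenant data using encryption?" (example code written for this page, not Empuls's implementation; the HMAC-based key derivation, AES-256-GCM, the master key and the tenant IDs are assumptions of the example), the following Go program derives a separate data key per tenant and binds the tenant ID into each ciphertext, so a record sealed for one tenant cannot be opened with another tenant's key:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// DeriveTenantKey derives a 256-bit data key for one tenant from a master key.
// HMAC-SHA256 over a labelled tenant ID is used as the KDF so the example runs
// stand-alone; a KMS-backed envelope scheme is the usual production choice.
func DeriveTenantKey(master []byte, tenantID string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("tenant-data-key:" + tenantID))
	return mac.Sum(nil) // 32 bytes, i.e. an AES-256 key
}

func tenantAEAD(master []byte, tenantID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(DeriveTenantKey(master, tenantID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForTenant encrypts a record with the tenant's key using AES-256-GCM and
// binds the tenant ID as associated data, so the ciphertext cannot later be
// re-labelled as another tenant's. Output layout: nonce || ciphertext || tag.
func SealForTenant(master []byte, tenantID string, plaintext []byte) ([]byte, error) {
	gcm, err := tenantAEAD(master, tenantID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(tenantID)), nil
}

// OpenForTenant decrypts a record produced by SealForTenant. Using the wrong
// tenant's key, or the wrong tenant ID as associated data, fails authentication
// and returns an error instead of yielding another tenant's data.
func OpenForTenant(master []byte, tenantID string, sealed []byte) ([]byte, error) {
	gcm, err := tenantAEAD(master, tenantID)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(tenantID))
}

// CanRead reports whether tenant "reader" can recover a record that was sealed
// for tenant "owner". It is true only when reader == owner.
func CanRead(master []byte, owner, reader string, record []byte) (bool, error) {
	sealed, err := SealForTenant(master, owner, record)
	if err != nil {
		return false, err
	}
	_, err = OpenForTenant(master, reader, sealed)
	return err == nil, nil
}

func main() {
	// Constructed master key, tenant IDs and record for the example only.
	master := []byte("constructed-32-byte-master-key!!")
	record := []byte(`{"employee":"E1042","points":250}`)
	for _, reader := range []string{"acme", "globex"} {
		ok, err := CanRead(master, "acme", reader, record)
		if err != nil {
			panic(err)
		}
		fmt.Printf("record owned by acme, read as %-6s -> readable=%v\n", reader, ok)
	}
}
```

The point of binding the tenant ID as GCM associated data is that a query bug which fetches the wrong row, or an operator who relabels a blob, still yields an authentication failure rather than silently returning another tenant's plaintext.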

Q: Are information system documents (e.g., administrator and User guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation, and operation of the information system?
Yes. All documentation needed for the configuration, installation and operation of information systems is made available to authorized personnel.

Q: Do you provide the logical segregation of tenant data and the application?
Yes, we logically segregate the tenant's data and the application.

Q: Do you logically and physically segregate production and non-production environments?
Yes. Production and non-production environments are physically segregated.

Security Operations

Q: Have you suffered any security breach in the last 5 years?
To date we have not suffered any security breach.

Q: Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)?
Yes. A repository of security incident information is maintained for affected customers and can be accessed electronically.

Q: Are ingress and egress points, such as service areas and other points where unauthorized personnel may enter the premises, monitored, controlled, and isolated from data storage and process?
Yes. Only authorized personnel are permitted at ingress and egress points, which are isolated from data storage and processing areas.

Q: What are the data backup and data archiving procedures? Is it secured?
Data backups are taken daily and stored securely in AWS.

Q: Is there a provision for customer definable backup and Retention Periods of data?
No. Backup and retention of data is managed by us; data is retained in case a future need arises to examine the database.

Q: Is the data stored in the database and in transit scrambled?
Yes. Data is encrypted in the database (at rest) and in transit.

Q: Is the client data used for testing purposes?
No. Tenant data is strictly confidential and is never used for testing or staging purposes.

Q: Do you provide tenants with documentation describing your Information Security Management Program (ISMP)?
Yes, please go through our "Information Security Management System Manual" for a complete understanding.

Q: Do you review your Information Security Management Program (ISMP) at least once a year?
Our ISMP is annually reviewed and updated if required.

Q: Do you ensure your providers adhere to your information security and privacy policies?
Yes. Our providers are required to adhere to the organization's Information Security & Privacy Policy.

Q: Do you follow OWASP (Open Web Application Security Project) guidelines for application development?
Yes. We follow the OWASP technical guidelines in the development of our code and applications.

Q: Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?
Yes. All identified security, contractual and regulatory requirements for customer access are addressed and remediated before customers are granted access to data, assets and information systems.

Q: Is MFA (Multi-Factor Authentication) provided as an option?
No, the product does not itself offer multi-factor authentication as an option. Authentication is currently via OAuth 2.0 and SAML-based tokens (so MFA can be enforced at the tenant's identity provider), and JSON-based tokens are used for direct email logins.

Q: Does the product's architecture support continuous operation during upgrades and maintenance windows?
Yes. Empuls's architecture is continuously updated and experiences no downtime during upgrades and maintenance windows.

Q: Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?
Yes. Our SIEM merges these data sources into a single log store, which supports granular analysis and alerting when needed.

Q: Do you have a documented security incident response plan?
Yes. Our documented security incident response plan covers the logging, monitoring and collection of relevant security event data for investigation.

Q: Do you monitor and quantify the types, volumes, and impacts on all information security incidents?
Yes. Any information security incidents are quantified by type, volume and impact.

Q: Do you use file integrity (host) and network intrusion detection (IDS) tools for your SaaS solution to help facilitate timely detection, investigation by root cause analysis, and response to incidents?
Yes. Host and network intrusion detection tools support timely detection, investigation and response.

Q: Do you monitor cyber threats internally or have taken services from any third party?
Cyber threats are monitored and managed internally by our tech team.

Q: Do you assess the identified threat for applicability and exposure to your environment?
Yes. Identified threats are regularly assessed for applicability and exposure to our environment.

Q: Do you update your cyber security program based on proactive or reactive threat intelligence feeds?
Yes. We update our cyber security program based on proactive and reactive threat intelligence feeds.

Q: Does your threat feed rely on input from multiple sources?
Yes. Our tech team stays updated on technological developments and threats through multiple sources.

Training and Awareness

Q: Are all personnel required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer/tenant information?
Yes. All personnel, both full-time and contract, are bound by a non-disclosure and confidentiality agreement as a condition of employment, to protect customer and tenant information.

Q: Do you specifically train your employees, contractors, third-party users regarding their specific role and the information security controls they must fulfil?
Yes. All employees pass through induction and job training, as do contractors and third-party users, covering the information security controls they are responsible for.

Q: Are personnel trained and provided with awareness programs at least once a year?
Yes. All personnel receive security awareness training annually.

Vulnerability and Threat Management

Q: Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?
Yes. Policies and procedures are established, and mechanisms implemented, to detect, remediate and stabilize vulnerabilities within the timeframes set by our Security Patch Management Standards.

Q: Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your systems?
Yes. Leading anti-malware programs are installed on all our systems and connected to our cloud service offerings.

Q: Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?
Yes. We perform periodic vulnerability and configuration compliance scans of operating systems, databases and server applications, using suitable vulnerability management tools in line with industry standards.

Q: Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?
Yes. Network-layer vulnerability scans are performed regularly, in line with industry standards.

Q: Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?
Yes. Application-layer vulnerability scans are performed regularly, as prescribed by industry standards.

Q: Will you make the results of vulnerability scans available to tenants at their request?
Yes, tenants can request vulnerability scan reports.

Q: Do you have controls and processes in place to perform host/file integrity monitoring for all systems storing and transmitting sensitive data?
Yes, in order to detect any unauthorized changes in the data or system configuration, we have a procedure in place for host/file integrity monitoring.

Q: Do you conduct daily vulnerability scans at the operating system layer?
No, vulnerability scans at the operating system layer are periodic rather than daily, at a frequency set to keep the operating system layer protected.

Q: Do you conduct daily vulnerability scans at the database layer?
No, vulnerability scans at the database layer are periodic rather than daily, at a frequency set to keep the database layer protected.

Q: Do you conduct daily vulnerability scans at the application layer?
No, vulnerability scans at the application layer are periodic rather than daily, at a frequency set to keep the application layer protected.

Q: Do you have external third-party services conduct vulnerability scans and periodic penetration tests on your applications and networks?
Yes, vulnerability scans and penetration tests are conducted periodically by third parties and external services to test our security measures.

Q: Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?
Yes, we have proper forensic procedures in place that include chain-of-custody management processes and controls.

Q: What controls are used to mitigate DDoS (distributed denial-of-service) attacks?
As part of the Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDoS-type attacks. These are powered by intelligent daemons that inspect other identifiers, such as the URLs accessed or other client properties, to automatically blacklist possible threats either temporarily or permanently.
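The per-IP rate limiting with temporary and permanent blacklisting described above, as an added illustration that is not Empuls's WAF code: a sliding-window limiter that escalates repeat offenders, with abuse of a sensitive path (hypothetical login and token endpoints) counting as a stronger signal. All thresholds, paths and addresses are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed policy values: assumptions, not Empuls's actual WAF settings.
WINDOW_SECONDS = 10         # sliding window length
MAX_REQUESTS = 5            # requests allowed per window per client IP
TEMP_BLOCK_SECONDS = 30     # first offences: temporary block
STRIKES_FOR_PERMANENT = 3   # accumulated strikes that trigger a permanent block
# Hypothetical paths whose abuse is treated as a stronger signal.
SENSITIVE_PATHS = {"/login", "/api/token"}


class RateLimiter:
    def __init__(self):
        self.hits = defaultdict(deque)  # ip -> timestamps inside the window
        self.blocked_until = {}         # ip -> unblock time; inf = permanent
        self.strikes = defaultdict(int)

    def is_blocked(self, ip, now):
        """True while a temporary or permanent block is in force for ip."""
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                # temporary block has expired
            del self.blocked_until[ip]
            return False
        return True

    def _block(self, ip, now, path):
        # Abuse of a sensitive path earns two strikes instead of one.
        self.strikes[ip] += 2 if path in SENSITIVE_PATHS else 1
        if self.strikes[ip] >= STRIKES_FOR_PERMANENT:
            self.blocked_until[ip] = float("inf")
        else:
            self.blocked_until[ip] = now + TEMP_BLOCK_SECONDS

    def check(self, ip, path, now):
        """Return 'allow' or 'block' for one request at time `now` (seconds)."""
        if self.is_blocked(ip, now):
            return "block"
        window = self.hits[ip]
        window.append(now)
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()            # drop hits older than the window
        if len(window) > MAX_REQUESTS:
            window.clear()
            self._block(ip, now, path)
            return "block"
        return "allow"


def replay(requests):
    """Run a list of (timestamp, client_ip, path) tuples through one limiter."""
    limiter = RateLimiter()
    return [limiter.check(ip, path, t) for t, ip, path in requests]


def burst(ip, path, start, count):
    """Constructed sample traffic: `count` requests one second apart."""
    return [(start + i, ip, path) for i in range(count)]
```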

Q: Is there a cloud audit program to address the client's audit and assessment requirements?
Yes, in our cloud audit program, we analyse and address all the requirements put forth by the tenant to ensure maximum satisfaction.

Q: Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques?
Yes, we have proper forensic procedures for data collection and analysis for incident responses.

Q: Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data?
Yes, we can freeze data from a specific time without freezing other data if need be.

Q: Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?
Yes. Tenant data separation is enforced and attested to when data is produced in response to legal subpoenas.

Q: Give details of the platform on which the application is developed?
The Empuls platform is built on a microservices architecture: the applications are independent services, deployed on the AWS cloud platform.

Q: Does your product provide/support mobility through native mobile apps etc.?
Yes, our product is supported by a comprehensive web and mobile application that can be accessed via desktop and mobile devices.

Q: Do you offer configurability in your SaaS solution? Give the options if available?
Our platform can be white-labelled to match the look and feel of the tenant's platform. The emails are also customizable for a personal touch.

Q: Do you support out-of-the-box integration with on-premises applications such as SAP, Active Directory, etc.?
Yes, Empuls comes with a full set of integrations with various platforms for enriched utility and maximum output from the platform.

Q: What types of Advisory and technical support are provided?
Empuls's customer support team is available at all times to address any queries and support with respect to advisory and technical operations.

Q: How does the Cloud Service Provider protect keys, and what security controls are in place to affect that?
Each tenant's data is uniquely encrypted using a client-specific key. We use AES 256-bit encryption for data at rest to ensure maximum security.

Q: Are hardware security modules used to protect such keys? Who has access to such keys?
Yes, hardware security modules are used to protect these keys, and key access lies with the Chief Technical Officer.

Q: What procedures are in place to manage and recover from the compromise of keys?
We use the Key Management Service by AWS to manage all the keys. In the event that keys get compromised, they can be recovered through the Key Management Service.

Q: If an advanced warning is given for service interruption, will it count as downtime?
Yes, a service interruption announced in advance still counts as downtime.

Q: What is the SLA (Time) for different levels of support for different incidents and change requests? Standard example: Critical - 2 hrs. or less, Moderate - 4 hrs. or less, Minimum - 8 hrs. or less
Support response time ranges from six to forty-eight hours, depending on the level of service and the severity of the incident.

Q: Do you have penalty clauses in the event of performance failure?
No, there is no penalty clause attached in the event of a performance failure.

Q: Does the application have robust Backup and Restore procedures? Is the duration configurable? Can you share your DR strategy and test results? Is it Active-active?
Since we are a SaaS product, we handle backup and restore of all customer data ourselves. We use AES-256 encryption for data at rest. We have a multi-AZ deployment with periodic backups for DR. Our BCP/DR setup is active-passive.

Q: How is data isolated between customers? Is the data in non-prod instances refreshed with Prod data and masked? If data masking is performed, then how configurable are the masking scripts? What protection is used for Prod data at rest and at transit?
We use logical data isolation with the help of company-specific encryption keys. Data in the non-production environment is not refreshed with production data; we generate separate test data. Data in transit: TLS 1.2; data at rest: AES-256.

Q: How many instances are to be provided and supported? How seamless is the product upgrade release? What is the hosting model: public, private, hybrid, etc.?
We are a SaaS solution, and hosting is handled by us. No instances are needed from the client. We use a public cloud for hosting.

Q: What is the RTO and RPO? Can you share the latest DR strategy test results?
RTO is 6 hours and RPO is 6 hours. Yes, we can share the latest DR strategy test results upon request.

Q: What are WCAG Guidelines?
The Web Content Accessibility Guidelines (WCAG) define how to make web content more accessible to people with disabilities. Accessibility covers a wide range of disabilities, including visual, auditory, physical, speech, cognitive, language, learning, and neurological disabilities.

Q: Do you comply with WCAG Guidelines?
Yes. We always give our best to make sure that our applications are developed as per WCAG guidelines and help differently abled people across the globe.

Q: Can people with disabilities use your website and application without barriers?
Yes. We ensure that people with disabilities can use our websites and applications without difficulty. Our website and products use simple options and keep the content highly visible.

Q: Do you consider WCAG guidelines during product development?
Yes. We always consider the WCAG guidelines for helping differently abled people.

Q: Do you conduct any periodical review and improve the website or applications?
Yes. We periodically review and do all the necessary changes to our website and applications as per the guidelines.

Data Management

1. How do you protect digital identities and credentials and use them in cloud applications?
We use AES 256-bit encryption for data at rest to secure digital identities.

2. What data do you collect about the tenant (logs, etc.)? How is it stored? How is the data used? How long will it be stored?
We only store basic user data—names, emails, and contact numbers. This data is not used by Empuls for any purposes and resides securely within the system. It can be deleted upon tenant request.

3. Under what conditions might third parties, including government agencies, have access to my data?
Your data is completely secure. Third parties have no access under normal circumstances.

4. Can you guarantee that third-party access to shared logs and resources won’t reveal critical information about tenants?
Yes, all data is encrypted and secure, ensuring no critical tenant information is revealed to third parties.

5. Do you have data-integrity monitoring / change-detection software?
Yes, all data is stored in secured databases, and any changes are logged in system records to maintain integrity.

6. Do you have data loss prevention (DLP) solutions implemented for web, email, and end-point gateways?
Yes, our web assets, email records, and endpoints are protected using DLP techniques.

7. Do you have technical controls capable of enforcing customer data retention policies?
Yes, our technical framework aligns with customer-defined data retention policies.

8. Can you provide details about policies and procedures for backup, including removable media management and secure destruction?
Empuls operates entirely on the cloud, so removable storage is not applicable.

9. Can you specify the steps taken to ensure that deleted data is completely wiped?
We follow an organized purge process. Once data is deleted, it is removed from all storage locations.

10. What checks are made on the identity of users with privileged access?
Privileged users are assigned specific roles, and access is controlled via OAuth 2.0 authentication.

11. What processes are in place for de-provisioning privileged credentials?
De-provisioning is handled via support tickets raised to our customer support team and processed securely in the backend.

12. How are the accounts with the highest level of privilege authenticated and managed?
High-privilege accounts are authenticated and managed via OAuth 2.0 for secure access to sensitive data.

13. How do you allow extraordinary privileged access in emergencies?
Tenants can request emergency access via customer support or a key account manager. Privileged access is granted promptly from the backend.

14. How are privileged actions monitored and logged? How is log integrity maintained?
Infrastructure logs are collected using AWS Audit Trail, and application logs are collected in Elasticsearch and retained in long-term cloud storage.

15. Is there mutual authentication? How is strong authentication implemented?
Yes, mutual authentication is implemented using AES 256-bit encryption for secure access.

16. What information is recorded within audit logs?
Infrastructure logs via AWS Audit Trail and application logs via Elasticsearch are recorded and retained securely.

17. Is the data segmented within audit logs for tenant-specific access?
No, logs contain multi-tenant information and cannot be isolated for a single customer.

18. How are audit logs reviewed and what triggers action?
Administrative logs are part of the Cloud Dashboard and are regularly reviewed for anomalies and security events.

19. Do you use multiple ISPs?
Yes, we have multiple internet service providers for uninterrupted coverage and maximum uptime.

20. Do you have DDoS protection, and if so, how?
Yes, gateways and rate-limiting mechanisms are in place to mitigate DDoS attacks.

21. What is your downtime plan (e.g., service upgrades, patches)?
Our service is designed to remain uninterrupted during upgrades or patches.

22. Can you accommodate timely forensic investigations (e.g., eDiscovery)?
Yes, forensic investigations can be conducted promptly when required.

23. Do you follow data input/output integrity routines to prevent processing errors or misuse?
Yes, we use multi-layer application architecture to ensure database isolation and integrity checks.

24. Do you follow defined quality change control and testing processes (e.g., ITIL) to protect system availability, confidentiality, and integrity?
Yes, all changes follow defined organizational policies, testing, and release standards.

25. Do you assign data and object ownership based on type, value, sensitivity, and criticality?
Yes, data is classified and access is provided according to its type, value, sensitivity, and organizational criticality.

26. Do you follow Data Security & Information Lifecycle Management Ownership/Stewardship?
Yes, all data is assigned stewardship with defined responsibilities, documented and communicated according to compliance requirements.

27. Are operating systems hardened and technical controls applied (antivirus, file integrity monitoring, logging)?
Yes, all operating systems are hardened to provide only necessary ports, protocols, and services. Antivirus, file integrity monitoring, and logging controls are implemented as per compliance standards.

GDPR

1. Does Empuls follow GDPR?
Yes. Empuls is GDPR compliant. We ensure that all data is gathered, stored, and handled respecting individual rights. Employees and stakeholders are trained on proper data handling, emphasizing GDPR compliance and information security awareness.

2. Does Empuls have an information security policy, and is it communicated to all relevant parties?
Yes. Empuls has a formal information security policy communicated to employees, contractors, suppliers, and other relevant external parties. The policy aligns with leading practices such as ISO-27001, ISO-22307, CoBIT, and applicable regulatory, federal, state, and international laws.

3. Does Empuls have a disciplinary policy for violations of security controls?
Yes. Employees are aware of the disciplinary actions that may result from violations of security policies, and a detailed process is formally documented.

4. Are all projects assessed for information security risks?
Yes. Projects in Empuls are managed via JIRA, and compliance with information security policies is mandatory. All code changes are reviewed by tech leads or architects who identify potential security issues during the review process.

5. Does Empuls have a mobile device policy?
Yes. The policy addresses risks associated with mobile devices in unprotected environments and implements controls to prevent unauthorized data transmission or storage.

6. Is information classification formally governed?
Yes. Empuls classifies information consistently across the organization based on sensitivity and criticality (confidentiality, integrity, availability). Classification is updated as necessary, and formal procedures exist for secure disposal proportional to the sensitivity of the information.

7. Are procedures in place for secure disposal of removable media?
Yes. Formal procedures are established to minimize the risk of confidential information leakage, with disposal methods proportional to the sensitivity of the media.

8. Are access controls enforced according to policy?
Yes. Empuls uses role-based access controls, and application menus/screens are accessible according to the user’s role.

9. What encryption and hashing methods are used?
AES 256-bit encryption is used for personally identifiable data, and SHA-256 with a unique salt is used for password hashing.

10. Are Business Continuity and Disaster Recovery Plans in place and tested? Where is data stored?
Yes. Empuls has tested BCP and DRP plans, and data is stored securely on AWS USA (Oregon).

11. Is there a process for reporting information security weaknesses?
Yes. Security weaknesses identified during audits or VAPT reviews are reported, and the process is widely communicated to all employees and stakeholders.

12. Are security controls assessed regularly?
Yes. Quarterly VAPT and static code analysis via SonarQube are conducted to assess security controls.

13. Are contractual requirements for securing business information defined?
Yes. Policies and procedures ensure secure handling of information in transit, and NDAs with external parties explicitly address information protection.

14. Are IS systems audited and business disruption minimized?
Yes. ISO audits include IS systems, and the process is designed to minimize business disruption.

15. Is there a process to assess and respond to new vulnerabilities?
Yes. Quarterly VAPT is conducted by third-party auditors to identify and remediate vulnerabilities.

16. How secure is Empuls?
Empuls enforces strict data protection based on Data Protection Impact Assessments (DPIA). All personal data is encrypted, and employees are trained on GDPR and information security. Empuls is ISO 27001, GDPR, and SOC compliant.

17. How does Empuls use my information?
Information collected may be used to:

  • Personalize your experience and content.

  • Improve website usability and services.

  • Respond to customer service requests.

  • Collect ratings and reviews.

  • Follow up after correspondence via live chat, email, or phone.
