Standards, regulations & privacy

Our commitment to data protection

At essensys, we recognise the importance of the data we collect and process on behalf of our customers. essensys maintains a privacy and security programme consistent with ISO 27001 (information security management) and ISO 9001 (quality management).


What customers should do


Get buy in and build a team

  • Raise awareness of the importance of GDPR compliance with organization leaders
  • Obtain executive support for necessary staff resources and financial investments
  • Choose someone to lead the effort
  • Build a steering committee of key functional leaders
  • Identify privacy champions throughout the organization


Assess the organisation

  • Review existing privacy and security efforts to identify strengths and weaknesses
  • Identify all the systems where the organization stores personal data and create a data inventory
  • Create a register of data processing activities and carry out a data protection impact assessment (DPIA, often called a privacy impact assessment) for each high-risk activity
  • Document compliance


Establish controls and processes

  • Ensure privacy notices are present wherever personal data is collected
  • Implement controls to limit the organization’s use of data to the purposes for which it collected the data
  • Establish mechanisms to manage data subject consent preferences
  • Implement appropriate administrative, physical, and technological security measures and processes to detect and respond to security breaches
  • Establish procedures to respond to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten)
  • Enter into contracts (data processing agreements) with affiliates and vendors that collect or receive personal data
  • Establish a privacy impact assessments process
  • Administer employee and vendor privacy and security awareness training


Document compliance

  • Compile copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, intra-company data transfer agreements, and vendor contracts
  • If required, appoint a data protection officer and identify the appropriate EU supervisory authority
  • Conduct periodic risk assessments

Security and privacy around essensys’ services

essensys is committed to achieving and maintaining the trust of our customers. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters across our services, including data submitted by customers to our services (“Customer Data”).

Services Covered

This documentation describes the architecture of the essensys services, the security- and privacy-related audits that apply to them, and the administrative, technical and physical controls in place.

Architecture and Data Segregation

The Services are operated in a multitenant architecture that is designed to segregate and restrict Customer Data access based on business needs. The architecture provides an effective logical data separation for different customers via customer-specific databases and allows the use of customer and user role-based access privileges. Additional data segregation is ensured by providing separate environments for different functions, especially for testing and production.

Control of Processing

essensys has implemented procedures designed to ensure that Customer Data is processed only as instructed by the customer, throughout the entire chain of processing activities by essensys and its sub-processors. In particular, essensys has agreements with its sub-processors containing privacy, data protection and data security obligations that provide a level of protection appropriate to their processing activities. Compliance with those obligations, and the technical and organisational data security measures implemented by essensys and its sub-processors, are subject to regular audits.

Audits and Certifications

The following security and privacy-related audits and certifications are applicable to the Services.

  • ISO 27001/27017/27018: essensys is working towards certification of an information security management system (ISMS) for the Covered Services against the ISO 27001 international standard, with controls aligned to the ISO 27017 (cloud services) and ISO 27018 (PII in public clouds) codes of practice.
  • Service Organization Control (SOC) reports: essensys' information security control environment applicable to the Covered Services will undergo independent evaluation in the form of SOC 1* (SSAE 18 / ISAE 3402), SOC 2 and SOC 3 attestation reports.

* essensys is currently working towards this attestation. SOC reports are independent auditor attestations rather than certifications.

Additionally, the Services undergo security assessments by internal personnel and third parties, which include infrastructure vulnerability assessments and application security assessments, on at least an annual basis.

Security Policies and Procedures

The Services are operated in accordance with the following policies and procedures to enhance security:

  • Customer passwords are stored using a one-way salted hash.
  • User access log entries will be maintained, containing date, time, user ID, URL executed or entity ID operated on, operation performed (created, updated, deleted) and source IP address. Note that source IP address might not be available if NAT (Network Address Translation) or PAT (Port Address Translation) is used by Customer or its ISP.
  • If there is suspicion of inappropriate access, essensys can provide customers log entry records and/or analysis of such records to assist in forensic analysis when available. This service will be provided to customers on a time and materials basis.
  • Data centre physical access logs, system infrastructure logs, and application logs will be kept for a minimum of 60 days. Logs will be kept in a secure area to prevent tampering.
  • Passwords are not logged.
  • essensys personnel will not set a defined password for a user. Passwords are reset to a random value (which must be changed on first use) and delivered automatically via email to the requesting user.
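The access-log entries listed above carry date, time, user ID, URL or entity ID, operation and source IP. As an added example (not essensys' own tooling or log format), the script below parses a constructed, tab-separated rendering of such entries and runs two checks a forensic reviewer would typically start with: a user whose source IP changes within a short window, and a tally of delete operations per user. Entries whose source IP is absent (the NAT/PAT case noted above) are excluded from the IP-based check and reported separately so the gap is visible rather than silently ignored. The field layout, sample entries and the ten-minute window are assumptions for illustration.

```python
"""Review of user-access log entries (added example, not essensys code).

The page lists the fields an entry carries; the tab-separated layout and the
sample entries below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample: date, time, user ID, URL or entity ID, operation, source IP.
# The last entry has an empty source IP, as happens behind NAT/PAT.
SAMPLE_LOG = """\
2024-03-04\t09:12:01\talice\t/api/members/1042\tupdated\t203.0.113.10
2024-03-04\t09:15:44\talice\t/api/members/1042\tdeleted\t203.0.113.10
2024-03-04\t09:16:02\tbob\t/api/invoices/77\tcreated\t198.51.100.5
2024-03-04\t09:19:30\talice\t/api/members/2001\tdeleted\t198.51.100.77
2024-03-04\t23:41:00\tcarol\t/api/invoices/78\tupdated\t
"""

OPERATIONS = ("created", "updated", "deleted")


@dataclass(frozen=True)
class AccessEntry:
    when: datetime
    user_id: str
    target: str              # URL executed or entity ID operated on
    operation: str           # created / updated / deleted
    source_ip: Optional[str]  # None when NAT/PAT hides the client address


def parse_entry(line: str) -> AccessEntry:
    """Parse one tab-separated entry; reject malformed lines loudly rather than
    guessing, since a reviewer must be able to trust every record counted."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    date, time, user_id, target, operation, ip = fields
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r} in {line!r}")
    when = datetime.fromisoformat(f"{date}T{time}")
    return AccessEntry(when, user_id, target, operation, ip or None)


def parse_log(text: str) -> List[AccessEntry]:
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def find_ip_switches(entries: List[AccessEntry],
                     window: timedelta = timedelta(minutes=10)
                     ) -> List[Tuple[str, str, str, datetime]]:
    """Flag a user whose source IP changes within `window` (assumed heuristic
    for a shared or stolen session). Entries without an IP are skipped."""
    alerts = []
    last: Dict[str, Tuple[datetime, str]] = {}
    for e in sorted(entries, key=lambda e: e.when):
        if e.source_ip is None:
            continue
        prev = last.get(e.user_id)
        if prev and prev[1] != e.source_ip and e.when - prev[0] <= window:
            alerts.append((e.user_id, prev[1], e.source_ip, e.when))
        last[e.user_id] = (e.when, e.source_ip)
    return alerts


def deletions_by_user(entries: List[AccessEntry]) -> Dict[str, int]:
    """Deletes are the operations most worth a second look after an incident."""
    counts: Dict[str, int] = defaultdict(int)
    for e in entries:
        if e.operation == "deleted":
            counts[e.user_id] += 1
    return dict(counts)


def entries_without_ip(entries: List[AccessEntry]) -> List[AccessEntry]:
    """Report, rather than drop, the records the IP-based check cannot cover."""
    return [e for e in entries if e.source_ip is None]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for user, old, new, when in find_ip_switches(log):
        print(f"{when.isoformat()} {user}: source IP changed {old} -> {new}")
    print("deletes per user:", deletions_by_user(log))
    print("entries without source IP:", len(entries_without_ip(log)))
```

On the sample, only alice trips the IP-switch check (two deletes from two addresses within four minutes); carol's entry is reported as unattributable rather than treated as clean.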


Intrusion Detection

essensys, or an authorized third party, will monitor the Services for unauthorized intrusions using network-based and/or host-based intrusion detection mechanisms. essensys may analyse data collected by users’ web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) for security purposes, including to detect compromised browsers, to prevent fraudulent authentications, and to ensure that the Services function properly.

Security Logs

All systems used in the provision of the Services, including firewalls, routers, network switches and operating systems, log information to their respective system log facility or a centralized syslog server (for network systems) in order to enable security reviews and analysis.

Incident Management

essensys maintains security incident management policies and procedures. essensys notifies impacted customers without undue delay of any unauthorized disclosure of their respective Customer Data by essensys or its agents of which essensys becomes aware to the extent permitted by law.

essensys typically notifies customers of significant system incidents by email, and for incidents lasting more than one hour, may invite impacted customers to join a conference call about the incident and essensys’ response.

User Authentication

Access to the Services requires authentication via one of the supported mechanisms, including user ID/password, SAML-based federation, OAuth, social login, or delegated authentication, as determined and controlled by the customer. Following successful authentication, a random session ID is generated and stored in the user's browser to preserve and track session state.
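The password-handling rules under Security Policies and Procedures (one-way salted hash, passwords never logged, staff never choose a user's password, random reset value that must be changed on first use) and the random session ID described here fit together in a small authentication store. The code below is an added example, not essensys' implementation: the scrypt cost parameters, the in-memory dictionaries, the audit-line format and the reset-password length are assumptions for illustration.

```python
"""Password storage, support-initiated reset and session IDs.

Added example, not essensys code. Cost parameters, the in-memory store and
the audit-line format are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SALT_LEN = 16
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed cost; tune to ~100 ms per hash
DUMMY_SALT = bytes(SALT_LEN)                  # unknown users cost the same as known ones


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way salted hash: a fresh random salt per password, so equal
    passwords never share a digest and precomputed tables do not apply."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


@dataclass
class UserRecord:
    salt: bytes
    digest: bytes
    must_change: bool = False  # set after a support-initiated reset


@dataclass
class Session:
    user_id: str
    must_change: bool


class AuthStore:
    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}
        self.sessions: Dict[str, Session] = {}
        self.audit: List[str] = []  # audit lines carry user IDs, never passwords

    def set_password(self, user_id: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[user_id] = UserRecord(salt, digest)
        self.audit.append(f"password_set user={user_id}")

    def reset_password(self, user_id: str) -> str:
        """Support path: staff never pick the value. A random temporary password
        is hashed and flagged must-change; the plaintext is returned only so
        the mailer can deliver it to the requesting user."""
        temp = secrets.token_urlsafe(12)
        salt, digest = hash_password(temp)
        self.users[user_id] = UserRecord(salt, digest, must_change=True)
        self.audit.append(f"password_reset user={user_id}")
        return temp

    def login(self, user_id: str, password: str) -> Optional[str]:
        rec = self.users.get(user_id)
        # Always run the hash so timing does not reveal whether the user exists.
        _, digest = hash_password(password, rec.salt if rec else DUMMY_SALT)
        if rec is None or not hmac.compare_digest(digest, rec.digest):
            self.audit.append(f"login_failed user={user_id}")
            return None
        # Random, unguessable session ID; the browser stores only this token.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user_id, rec.must_change)
        self.audit.append(f"login_ok user={user_id}")
        return sid

    def change_password(self, sid: str, new_password: str) -> bool:
        """Clears the must-change flag once the user sets their own password."""
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        self.set_password(sess.user_id, new_password)
        sess.must_change = False
        return True


if __name__ == "__main__":
    store = AuthStore()
    store.set_password("alice", "correct horse battery staple")
    print("alice login:", store.login("alice", "correct horse battery staple") is not None)
    temp = store.reset_password("bob")          # what the reset e-mail would carry
    sid = store.login("bob", temp)
    print("bob must change password:", store.sessions[sid].must_change)
    print("audit trail:", store.audit)
```

A real deployment would persist `UserRecord` rows and bind the session ID to a cookie marked `Secure` and `HttpOnly`; the point here is that neither the plaintext password nor the temporary reset value ever reaches the audit trail, and that a second `hash_password` call on the same password yields a different salt and digest.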

Physical Security

Production data centres used to provide the Services have access control systems that permit only authorized personnel to have access to secure areas. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, utilize redundant electrical and telecommunications systems, employ environmental systems that monitor temperature, humidity and other environmental conditions, and contain strategically placed heat, smoke and fire detection and suppression systems. Facilities are secured by around-the-clock guards, interior and exterior surveillance cameras, two-factor access screening and escort-controlled access. In the event of a power failure, uninterruptible power supply and continuous power supply solutions are used to provide power while transferring systems to on-site back-up generators.


Certificates

essensys Information Security Policy

essensys has set forth in our business plan information security objectives consistent with ISO 27001. Department and project managers are informed and trained on these objectives for incorporation into their respective roles and teams.

We stand by the following on-going security objectives:

  • Information is only accessible to authorised persons from within or outside the organisation, and levels of access are determined by the CIO or by delegated authority.
  • Confidentiality, integrity and availability of information and systems are maintained.
  • Business continuity plans are established, maintained and tested.
  • All personnel are trained on information security and are informed that compliance with the policy is mandatory.
  • All breaches of information security and suspected weaknesses are to be reported to the CIO and investigated and appropriate actions taken.
  • Relevant procedures exist to support the policies in place.
  • Regular audits of the processes and policies are conducted to ensure continuous review and improvement of the IBMS.
  • New systems or services are deployed in a controlled and secure manner
  • As far as is possible, essensys avoids breaches of legal, regulatory and contractual requirements.


Whilst the above company objectives are high-level, we have further analysed and categorised these into our Risk & Opportunities Matrix. In some cases, this may allow for specific objectives to be set across different functions. This demonstrates how we measure and set targets in meeting the high-level objectives.

essensys Quality Management Policy

essensys adheres to a quality management system relevant across all levels of the organization and consistent with ISO 9001. Our quality objectives have been defined in accordance with SMART; they are Specific, Measurable, Achievable, Realistic, and Timed.

  • We endeavour to deliver our services to specification, on time and to the price quoted. This is measured by onboarding KPIs, NPS surveys, customer satisfaction surveys, client feedback, and stats around project delivery time frames and budget reports.
  • We endeavour to satisfy our clients’ requirements and get things right the first time. Should we make a mistake, we acknowledge the error and rectify the situation as quickly as possible. This is measured by a number of non-conformances, complaints, corrective action reports, customer feedback, quantity of customer credits issued over a period.
  • We aim to achieve and maintain a level of quality which enhances our company’s reputation with customers. This is measured by Net Promoter Scores and Case Quality checks.
  • We analyse customer feedback data and business performance data to ensure that our Quality Objectives are being met. This is measured by our customer satisfaction audit following our NPS surveys.
  • We aim to deliver services that are available 24/7/365, with minimal disruption during core business hours to our customers. This is measured by our infrastructure operations team using system uptime and availability metrics.
  • We aim to deliver customer invoices and reports on the first working day of the month. We measure this with our active site invoice audit each month.
  • We aim to sell quality products and services to customers whilst working to continuously expand the functionality and capabilities of our offerings to meet market needs.

essensys Service Organisation Control 2

At essensys, we recognise the importance of the data we collect and process on behalf of our customers. The SOC 2 Type II report signifies that privacy, confidentiality and integrity of data handling are a priority for essensys, including for our customers' data.

SOC 2 compliance is an essential component of information security for many organisations. The audits are designed to examine the policies, procedures and internal controls of a service organisation. Testing and reporting on these controls matters because they determine the security, privacy and confidentiality of an entity's sensitive data, both in transit and at rest.

Every audit is conducted in accordance with the AICPA attestation standards (historically AT Section 101, now AT-C under SSAE 18) and the AICPA SOC 2 guide. The SOC 2 Type II report is the independent auditor's evidence that essensys has the described controls in place and is taking the appropriate steps to keep customer data secure.

What is SOC 2 Type II report?

A Type I report covers "management's description of a service organization's system and the suitability of the design of controls" at a specific point in time. A Type II report covers that same description and design and additionally tests the operating effectiveness of the controls over a review period, typically six to twelve months.

SOC 2 reports on non-financial reporting controls against the five Trust Services Criteria categories: Security (which every SOC 2 report must include), Availability, Processing Integrity, Confidentiality, and Privacy.