Security & Privacy

Ekata employs a risk-based information security program: we protect systems and data according to their sensitivity and exposure to threats. Our baseline risk assessments occur annually across both corporate and service environments, and are conducted by a third-party PCI Qualified Security Assessor. They include policy and procedure reviews, control design and functionality review, technical configuration analysis, network and web application penetration testing, and interviews with team members. All risks are documented with their associated vulnerabilities, controls, and recommendations for risk reduction.

These risk assessments feed into an enterprise-wide risk register which is maintained continuously. As new risks are identified, they’re formally documented and addressed. This whole process is overseen by our Information Security Officer and executive leadership.

Ekata employs role-based access controls based on need-to-know and least privilege. Each team member is assigned a primary role at hire, or transfer, which determines their access to systems and applications. Each role is formally defined, as its access. In order to gain access outside an individual’s role, an access request ticket must be submitted, approved, and provisioned.

Access control reviews are performed quarterly as part of internal audits conducted by our Information Security Officer.

Ekata has established a formal Incident Management Program that covers security, privacy, and availability incidents. For each type of incident, there are reporting, response, and retrospective requirements and supporting materials. Customer notifications are a formally documented aspect of each incident type.

Yes, Ekata employs a Qualified Security Assessor company to perform penetration tests annually against our web applications and external networks. The latest report is available to prospective and existing customers upon request.

Yes, Ekata employs an AlienVault SIEM across both service and corporate environments.

In addition to our dedicated security staff, Ekata employs a Managed Security Service Provider for 24/7 monitoring of our service and corporate environments.

Ekata employs a Multi-Factor VPN with per-client certificates for remote network access to both corporate and service environments. An IAM policy enforces MFA for our AWS console, and alerting is configured should it be disabled.

All Ekata, and most other Ekata properties, use HTTP Strict Transport Security, which forces all connections to use HTTPS. We currently only support TLS 1.2.

Ekata service environment is hosted in AWS across multiple availability zones and employs AWS Shield Advanced.

Yes. At hire, and annually thereafter, every software developer takes secure software development training, plus additional training relevant to their area of development. Web developers take OWASP Top 10 for instance, while backend database developers take courses on securing AWS database offerings.

Ekata employs AWS for its service infrastructure at the physical layer, and we review AWS SOC 2 Type 2 reports twice annually as part of our risk management program. Ekata corporate offices all use proximity badges with access logging, 24/7 video surveillance, and formal visitor management procedures.

Yes, Ekata maintains an internal privacy policy and annual privacy training for all team members.

Yes, Ekata offers a DPA to its Customers here. However, not all Customer agreements will utilize this DPA; use cases will vary. The DPA is an agreement that sets out the legal framework under which Ekata Processes Customer Data and Personal Data. The DPA is an addendum or exhibit to the Principal Agreement, i.e., a Master Services Agreement (‘MSA’), etc., between Ekata and its Customer.

The Ekata DPA is specific to Ekata’s multi-tenant services and covers our processes in relation to these. For example, the DPA covers our processes around privacy-related notifications, audits, certifications, security measures, and sub-processing activities, all of which are aligned to the way in which Ekata’s services and its multi-tenant infrastructure work. The Ekata DPA is also drafted to seamlessly interoperate with the MSA and other relevant Ekata and Mastercard agreements.

The covers Customers globally and sets out relevant legal obligations and commitments related to the processing of Customer Data and Personal Data. For ease of reference, it uses certain terminology from specific privacy and data protection laws, e.g., “Controller” and “Processor” from the European Union’s General Data Protection Regulation (“GDPR”) which are recognized globally.The DPA also includes a specific addendum to address the California Consumer Privacy Act (“CCPA”). There may be other addenda added to the DPA, as privacy regulations continue to evolve globally.

Yes, the majority of the DPA applies to Customers regardless of their connection to the European Economic Area (“EEA”), Switzerland and the United Kingdom (“UK”) (together, “Europe”). Most of the commitments in the DPA stem from general privacy requirements in all data protection laws globally and are not specific to European laws.

Ekata acts as the Controller with respect to Persona lData submitted by Customers to Ekata’s services. The Customer either acts as a Controller or a Processor of such Personal Data. This is set out in Section 2(“Roles of the Parties”) of the DPA.

Ekata must control the purposes of means of the processing of Customer Data to support the ongoing improvement of Mastercard’s ta products and enable full capability to return more consistent, reliable results for our customers.

Ekata responds to Data Subject requests to exercise rights granted to Data Subjects under EU Data Protection law and CCPA, as applicable.

An effective and efficient performance of Ekata’s services requires the use of Sub-processors. These Sub-processors can include Affiliates of Mastercard, Ekata, and/or other third parties such as vendors or service providers. Ekata’s use of Sub-processors may require the transfer of Customer Data to Sub-processors for purposes like hosting Customer Data, providing customer support, and ensuring the services are functioning properly.

Ekata maintains appropriate technical and organizational measures to protect Customer Data. Please also see Ekata’s dedicated Security page detailing our compliance certifications and approach to security, or Annex 1 to the DPA.

Ekata maintains security incident management policies and procedures, which are described in the applicable Security FAQ (available here). In Section 9.1 of the DPA (available here) Ekata commits to notify Customers without undue delay after becoming aware of a Personal Data Breach.

If your organization is impacted by a security breach, your organization’s Security Contact(s) will be notified. Steps on how to create and maintain your Security Contact List are available here.

Under EU Data Protection Law, Personal Data cannot be transferred outside of Europe unless (i) the importing country has been deemed adequate by the relevant governmental body; or (ii) the data exporter has appropriate safeguards in place to ensure that the Personal Data transferred is subject to an adequate level of data protection. The “appropriate safeguards” include transfer mechanisms such as standard data protection clauses (i.e., the Standard Contractual Clauses) and binding corporate rules.

Depending on the specific Services the Principal Agreement, Ekata may transfer data based on one of two independent transfer mechanisms:

• Binding Corporate Rules (“BCRs”) – company-specific, group-wide data protection policies approved by data protection authorities to facilitate transfers of personal data outside of Europe within the Mastercard group; and
• Standard Contractual Clauses published in 2021 (the “SCCs”) – legal contracts entered into between contracting parties who are transferring personal data outside of jurisdiction to countries that have not been deemed adequate.

Yes, Ekata has updated its DPA to incorporate the June 2021 SCCs.

If you have additional questions, please contact your Account Manager.