Security & Privacy
At Ekata, respecting the individual rights of our data subjects is always top of mind. We provide identity verification and fraud prevention services worldwide to protect consumers and their identities – including in the EU, where we offer GDPR-compliant options to individuals. Our security and privacy team has been working for years to secure personal data and ensure individual rights, and will continue to do so.
Ekata has been a trusted name in identity verification and fraud prevention for years, and we take that trust seriously. Long before security and privacy buzzwords entered the mainstream, we based our first information security program on ISO 27001:2005. Today, we still take a risk-based approach to information security, which is to say a practical one: we protect systems and data according to their sensitivity and exposure to threats. Our security and risk assessments are provided by third-party PCI Qualified Security Assessor companies to ensure an unbiased approach. And because we’re a Data as a Service provider, we also formally document our compliance with the AICPA Service Organization Controls (SOC) 2 principles of security, confidentiality, availability, and privacy.
What are your risk management practices?
Ekata employs a risk-based information security program: we protect systems and data according to their sensitivity and exposure to threats. Our baseline risk assessments occur annually across both corporate and service environments, and are conducted by a third-party PCI Qualified Security Assessor. They include policy and procedure reviews, control design and functionality review, technical configuration analysis, network and web application penetration testing, and interviews with team members. All risks are documented with their associated vulnerabilities, controls, and recommendations for risk reduction.
These risk assessments feed into an enterprise-wide risk register which is maintained continuously. As new risks are identified, they’re formally documented and addressed. This whole process is overseen by our Information Security Officer and executive leadership.
How are access controls determined and maintained?
Ekata employs role-based access controls based on need-to-know and least privilege. Each team member is assigned a primary role at hire or transfer, which determines their access to systems and applications. Each role, and the access it grants, is formally defined. To gain access outside an individual’s role, an access request ticket must be submitted, approved, and provisioned.
Access control reviews are performed quarterly as part of internal audits conducted by our Information Security Officer.
How do you respond to incidents?
Ekata has established a formal Incident Management Program that covers security, privacy, and availability incidents. For each type of incident, there are reporting, response, and retrospective requirements and supporting materials. Customer notifications are a formally documented aspect of each incident type.
Do your web applications have periodic third-party penetration tests?
Yes, Ekata employs a Qualified Security Assessor company to perform penetration tests annually against our web applications and external networks. The latest report is available to prospective and existing customers upon request.
Do you have a Security Incident and Event Management system?
Yes, Ekata employs an AlienVault SIEM across both service and corporate environments.
Do you have 24/7 monitoring for your environment?
In addition to our dedicated security staff, Ekata employs a Managed Security Service Provider for 24/7 monitoring of our service and corporate environments.
How is remote access to your service and corporate environment handled?
Ekata employs a Multi-Factor VPN with per-client certificates for remote network access to both corporate and service environments. An IAM policy enforces MFA for our AWS console, and alerting is configured should it be disabled.
What encryption standards are used for communication with your services?
All Ekata services, and most other Ekata properties, use HTTP Strict Transport Security (HSTS), which instructs browsers to use HTTPS for all connections. We currently support TLS 1.0, 1.1, and 1.2, with our systems auto-negotiating to the highest version and cipher supported by both sides.
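As an added example (not Ekata’s own code), here is a small Python check a reviewer could apply to the two claims above: it parses a Strict-Transport-Security header per RFC 6797, models the "highest mutually supported version" negotiation, and flags the versions that RFC 8996 deprecates. The header value and version sets are constructed sample inputs, not captured from any Ekata endpoint.

```python
from typing import Dict, Optional, Set

# Constructed sample inputs; the TLS versions mirror the ones listed on the page.
SAMPLE_HSTS = "max-age=31536000; includeSubDomains; preload"
SERVER_TLS = {"TLSv1.0", "TLSv1.1", "TLSv1.2"}
DEPRECATED_TLS = {"TLSv1.0", "TLSv1.1"}          # deprecated by RFC 8996
TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # oldest to newest


def parse_hsts(header: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security header value (RFC 6797)."""
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')   # RFC 6797 allows a quoted value
            if not value.isdigit():
                raise ValueError(f"invalid max-age: {value!r}")
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        raise ValueError("max-age directive is required by RFC 6797")
    return result


def hsts_is_effective(header: str, min_age: int = 31536000) -> bool:
    """True when the policy parses and browsers will remember it for at least min_age seconds."""
    return int(parse_hsts(header)["max_age"]) >= min_age


def negotiate_tls(client: Set[str], server: Set[str]) -> Optional[str]:
    """Highest version both sides support, as an auto-negotiating stack picks; None if no overlap."""
    common = [v for v in TLS_ORDER if v in client and v in server]
    return common[-1] if common else None


def deprecated_versions(server: Set[str]) -> Set[str]:
    """Versions a server still offers that a hardening review would flag."""
    return server & DEPRECATED_TLS
```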
What do you do to mitigate DDoS attacks?
Ekata’s service environment is hosted in AWS across multiple availability zones and employs AWS Shield Advanced.
Is secure software development and OWASP Top 10 training required for your developers?
Yes. At hire, and annually thereafter, every software developer takes secure software development training, plus additional training relevant to their area of development. Web developers, for instance, take OWASP Top 10 training, while backend database developers take courses on securing AWS database offerings.
What physical security controls are implemented for your service and corporate environments?
Ekata employs AWS for its service infrastructure at the physical layer, and we review AWS SOC 2 Type 2 reports twice annually as part of our risk management program. Ekata corporate offices all use proximity badges with access logging, 24/7 video surveillance, and formal visitor management procedures.
Ekata was founded under the guiding principle of “Data for Good,” and Ekata is guided by this core value as we focus on providing businesses with global identity verification and fraud prevention solutions. When it comes to safeguarding the data of our clients and their end-users, we maintain high privacy and security standards. We offer processes for data subjects to view, correct, or delete information above and beyond the minimum required by law, and we implement role-based access controls to prevent unnecessary exposure of personal information.
It is available here.
Does Ekata have an internal privacy program?