EasyDMARC security at-a-glance
To support robust security for our products and services as well as our cloud hosting operations, EasyDMARC employs a variety of programs, processes, policies, and security mechanisms that help secure our internal networks and systems, physical corporate locations, and data.
We build EasyDMARC with global security standards in mind, offering enterprise-grade security across all aspects of how developers integrate and run.
Privacy & Governance
EasyDMARC’s policies, tools, and procedures are built to protect your data and help you meet global privacy obligations.
We comply with leading global regulations like the GDPR and CCPA and always keep up with the latest regulations and requirements.
The security of customer data is our top priority. With independent third-party assurance, we are committed to protecting both our systems and your data.
EasyDMARC performs an annual SSAE 18 SOC2 Type 2 audit to ensure third-party oversight of our services. The audit report is available upon request.
The SOC 3 report is available under this link.
SOC for Service Organizations
EU-U.S. and Swiss-U.S. Privacy Shield Framework enlisted
General Data Protection Regulation
California Consumer Privacy Act
EasyDMARC encrypts data at rest with AES-256 by default, and data in transit with TLS 1.3 by default.
The EasyDMARC Access Management Policy applies to all environments that collect, store, process, transmit, or dispose of data. It is based on role-based access control and follows the principle of least privilege: permissions are granted only as needed to perform specific job functions.
Logging and Monitoring
Our threat detection, logging, and alerting systems notify our on-call teams about potential incidents.
Privacy by Design
EasyDMARC has a long-standing practice of proactively incorporating privacy best practices into our product development efforts, which means we consider privacy at the outset of our software development lifecycle. This is also known as “privacy by design.”
Vulnerability Disclosure Program
EasyDMARC runs its own Bug Bounty program. Ethical hackers stress test systems and hunt bugs, and we fix vulnerabilities before anyone else even knows they exist.
EasyDMARC employs a defense-in-depth strategy for Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) protection, using a well-known third-party mitigation service.
Internal Security Policy
Data Security: We apply the principle of least privilege in conjunction with data classification to ensure data is secured properly and that only those who need access to data have it.
Encryption: EasyDMARC adheres to NIST standards for encryption, protecting data both at rest and in transit: AES-256 encryption for data at rest and TLS 1.2 or higher for transmission, ensuring that data is secured to the highest industry standards.
Network Security: Our internal network is protected by an enterprise-grade firewall/IDS/IPS system, and we utilize network segmentation to keep the network secure. Our network is protected against DDoS attacks, as well as other well-known network attacks. We routinely scan our internal network for vulnerabilities and document remediation. Access to the production environment is restricted to only authorized IP addresses and requires key authentication on all endpoints. Our public addresses are reviewed on a quarterly basis to ensure a secure production environment.
Vulnerability Management: Our security team performs automated and manual application and infrastructure security testing to identify and patch potential security vulnerabilities and bugs on a regular basis. EasyDMARC identifies and mitigates risks via regular network security testing and auditing by both dedicated internal security teams and third-party security specialists.
Penetration Testing: EasyDMARC engages a third party to perform annual penetration testing for applications and all critical services. The objective of penetration testing is to find security vulnerabilities following industry standards and best practices (such as OWASP and OSSTMM). EasyDMARC documents and evaluates any vulnerabilities found by the third-party assessor and then creates remediation plans for fixing them.
Change Management: A formal change management policy has been defined by EasyDMARC’s engineering team to ensure that all changes have been authorized prior to implementation into the production environment. All changes are stored in a version control system and are required to go through automated quality assurance (QA) testing procedures and manual code review to verify that security requirements are met. Successful completion of QA procedures leads to implementation of the change. All QA-approved changes are automatically implemented in the production environment. Our software development lifecycle requires adherence to secure coding guidelines, as well as screening of code changes for potential security issues via our QA and manual review processes.
Cybersecurity Awareness: When a new employee joins EasyDMARC, they complete mandatory cybersecurity training to bring them up to speed with cybersecurity principles and best practices. We’ve built a custom learning management system to help further educate employees on cybersecurity issues:
Passwords and multi-factor authentication best practices
Attack vectors (e.g., phishing, social engineering, malware)
Device security and how devices should be properly secured and hardened
Digital footprint (e.g., PII and how easily it can be accessed online, social media best practices)
All EasyDMARC employees complete ongoing training related to cybersecurity and emerging threats to ensure they are well-trained and informed about protecting against potential security threats.
DDoS Prevention: We use technologies from well-established and trustworthy service providers to prevent DDoS attacks on our servers. These technologies offer multiple DDoS mitigation capabilities to prevent disruptions caused by bad traffic while allowing good traffic through. This keeps our websites, applications, and APIs highly available and performing.
Ops Security: All EasyDMARC employees undergo a strict offboarding process that ensures access to systems and client data is removed immediately when an employee leaves or is terminated.
Physical Security: We utilize data centers that have been thoroughly vetted and have strict physical security controls (e.g., RFID badges, biometrics, barbed wire fences, video surveillance, motion detection, and access logging) to ensure the data centers are secure. The data centers limit entry and apply the principle of least privilege for access. Additionally, we utilize SOC 2 audited/compliant data centers in each geographic location whenever our data center providers make them available.
Device Security: All company devices are hardened, adhering to the highest security standards, utilize full-disk encryption, and have antivirus software installed.
Intrusion Detection and Prevention: Our intrusion detection mechanism collects host-based signals from individual devices and network-based signals from monitoring points within our servers. Administrative access, use of privileged commands, and system calls on all servers in our production network are logged. Rules and machine intelligence built on top of this data warn security engineers of possible incidents. At the application layer, we run our proprietary WAF, which operates on both allowlist and blocklist rules.
Data Isolation: Our framework distributes and maintains the cloud space for our customers. Each customer's service data is logically separated from other customers' data using a set of secure protocols in the framework. This ensures that no customer's data becomes accessible to another customer.