We have engaged Amazon Web Services, Inc. (“AWS”) to provide cloud hosting for the Services. A summary of the controls in place at AWS facilities and environments is set out below (as described by AWS). View the AWS security page for more details.
AWS operates ISO27001, PCI DSS Level 1 & SOC 2 Type compliant data centers. Automated fire detection and suppression systems are installed in networking, mechanical, and infrastructure areas. All AWS data centers are constructed to N+1 redundancy standards.
AWS's global security operation centers conduct 24/7 monitoring of data center access activities, with electronic intrusion detection systems installed in the data layer.
Each of AWS' data centers has a controlled perimeter layer with 24/7 on-site security teams, restricted and controlled physical access, multi-factor authentication, electronic intrusion detection systems and door alarming.
We employ AWS security groups and IAM controls to lock down communication between components so access to Services must be granted explicitly on an as-needed basis.
DDoS Mitigation, Content Delivery, and Internet Security Monitoring
ESP’s system audit logs are maintained and checked for anomalies, and we use AWS services to protect from distributed attacks.
Least Privilege Access
Access to hosting servers for the Services and live environments is provided on a least-privilege basis. A very limited number of personnel have access to live environments, which also require multiple levels of security access.
Security Incident Response
ESP continually monitors our cloud services and has a response team on call 24/7 to respond to security incidents. Our hosting provider, AWS, also provides 24/7 monitoring and support.
ESP conducts a third-party penetration test annually or after any major changes to the platform.
Platform & Product Security
We have a team of people who review and test all changes to our code base. For every update or release to the software, testing is performed by development and QA teams with a multi-level approach.
We maintain separate environments for both staging and testing. These environments are logically separated from the live production environment. No customer data is used in testing or development.
In addition to application penetration testing, unit testing, human auditing, static analysis, and functional tests, we perform third-party vulnerability scans of our production and test environments at least monthly.
Mitigating Common Attacks (XSS, CSRF, SQLi)
Our tools have been built to mitigate common attack vectors such as SQL injection attacks and cross-site scripting attacks (XSS). ESP’s cloud environments also take advantage of AWS’ enterprise-grade Web Application Firewall (WAF) in an attempt to automatically block or challenge suspicious requests.
Data at Rest
All customer data is stored encrypted on AWS servers with the AES-256 encryption algorithm.
Data in Transit
Any data that is transmitted into and from the ESP Services is encrypted. Web traffic over HTTP is secured by AWS with TLS 1.2 or 1.3 using proven-secure cipher suites.
Single Sign On
Depending on how many licenses you have purchased, you may have access to an SSO option for the Services. Please contact us if you have any questions.
Two Factor Authentication (2FA)
ESP enables 2FA for all administrators of its Services, and makes 2FA available to you when you use certain Services.
Availability & Security Incidents
ESP uses AWS to host its Services, and maintains an uptime promise from AWS of at least 99% (subject to scheduled downtime, emergency maintenance, and issues outside our or AWS’ control).
We use AWS with redundancy over multiple availability zones, with database backups offering 35-days’ worth of point-in-time recovery, if needed. Additional encrypted off-site backups are updated weekly.
Responding to Security Incidents
We have established procedures and policies with regard to responding to and communicating about security incidents. The level of the security incident will dictate how we communicate and respond to our customers. If a security incident does occur which affects your personal information, we will inform you as required by applicable law. We annually reevaluate our response procedures and amend them as we deem necessary.
Disaster Recovery and Business Continuity Plan
A business continuity plan has been put in place in the event an emergency or critical incident impacting any facet of ESP’s business operations, including the Services, occurs. This was created with the intent that we can continue to function as a business for our customers in the event of major disruptions. The business continuity plan is tested and checked on an annual basis for applicability and any additional improvements that could be made.
Personnel & Endpoints
Every employee workstation is set up and monitored to ensure that data is encrypted at rest, passwords are strong (managed by a secure password management vault), OS patches are up to date, and antivirus is active and up to date.
We perform background checks on all new hires and on commencement of employment at ESP, and all personnel who have access to your personal information and Financial Information are required to execute nondisclosure agreements.
Security Training Program
All employees at ESP are required to participate in our security awareness training that focuses on helping each person understand the role they play in protecting data and preventing security breaches. Employees also are required to review the ESP security policies on a recurring annual basis.
In order for ESP to run efficiently, we rely on sub-service organizations to help us deliver our Services. When selecting a suitable vendor for a required Service, we take the appropriate steps designed to ensure that the security and integrity of our Services are maintained. Every sub-service organization is scrutinized, tested, and security checked prior to being implemented into ESP.
ESP monitors the effectiveness of these vendors and they are reviewed annually to confirm security and safeguards are being upheld per the terms of our agreements with them.