Security and privacy at EchoMark

Privacy is as the heart of EchoMark's mission, to enable the seamless flow of private information by enhancing stewardship. Stewardship at EchoMark begins with our own security and compliance posture.

Data security

Encryption

Data in transit
All data transferred between the user’s browser or client app and EchoMark’s servers is encrypted in transit.  EchoMark uses TLS v1.2.

Data at rest
Data is encrypted at rest in AWS using AES-256.

Data center

Data center provider
EchoMark uses Amazon Web Services (AWS) to host its production servers, databases, and supporting services.

Data tenancy
By default, EchoMark’s hosting is multi-tenant, but EchoMark can be configured to run on a co-managed single-tenant within your organization.

Availability

Backups
EchoMark uses managed databases that regularly backs up data to external geographic regions. Blob data is stored redundantly across geographic regions.

Status page
EchoMark service status, maintenance updates, and incidents affecting our users are documented and available at https://echomark.statuspage.io/

Product security

Development

Access controls
Access to EchoMark’s systems is limited based on employee roles and responsibilities. The principle of least privilege is enforced.

Testing and review
All changes to our application are subject to peer review and testing before being merged.

Separate environments
EchoMark maintains segregated testing, development, and production environments.

Vulnerability management

Penetration testing
EchoMark regularly employs third party penetration testing services.

Vulnerability scanning
EchoMark uses third-party security tools to continuously scan our applications, systems and infrastructure for security risks and vulnerabilities.

Code analysis
EchoMark’s repositories are regularly scanned for security issues using static code analysis.

User access

Authentication
EchoMark uses Okta’s Auth0 to handle user-authentication into the EchoMark app.

Access permissions
Admins in an EchoMark business or enterprise account can manage access-levels for other EchoMark users in the org.

Corporate security

People

Policies
EchoMark maintains a robust set of security policies that are updated periodically to keep up with an ever-evolving security environment. Policies are shared with employees and available for review at any time.

Training
All EchoMark employees are required to complete security training as part of onboarding.

Background checks
EchoMark performs background checks for all potential candidates before hiring.

Devices

Endpoint protection
All corporate devices are equipped with agents to continually monitor security and compliance.

Secure remote access
EchoMark secures remote access to internal resources using corporate VPN.

Compliance

SOC
SOC 2 Type 2 audit is in progress.