Security & Compliance

Ema maintains an enterprise-grade security posture backed by independent audits, automated tooling, and privacy-by-design principles. This page summarizes the certifications, architecture controls, and data-protection practices that underpin the platform.

For up-to-date compliance certificates and supporting evidence, visit the Ema Trust Center.


Compliance Portfolio

ISO 42001 AIMS & EU AI Act

Ema is one of the industry's earliest adopters of ISO 42001 AIMS (AI Management System), demonstrating that AI governance -- covering data handling, bias mitigation, and lifecycle controls -- aligns with internationally recognized best practices. The certification provides assurance that generative-AI features are designed, audited, and improved under a formal management system.

Ema's alignment with the EU AI Act (effective 2025) ensures that regulated customers in healthcare, finance, and other sectors meet both current GDPR mandates and impending AI regulations without additional remediation.

Core Certifications

CertificationScope
SOC 2 Type IIIndependent audit confirming design and operating effectiveness of controls for security, availability, and confidentiality over a sustained period.
ISO 27001International ISMS standard, audited annually to verify policies, risk processes, and technical controls.
ISO 42001 AIMSAI risk management framework audited under a formal ISMS for AI, from data collection to post-deployment monitoring.
CSA STAR Level 1Transparent, documented controls aligned with the CSA Security, Trust & Assurance Registry framework.
HIPAA-Aligned ControlsTechnical security controls (access management, encryption, logging) meet HIPAA Security Rule requirements for Protected Health Information.
GDPRData-protection policies, breach notifications, and Data Processing Addendum (DPA) satisfy EU personal-data regulations.
NIST AI RMF, NIST CSF 2.0 & NIST 800-171Frameworks guiding internal risk management, serving as reference points for customers with U.S. government or defense requirements.

Security Architecture & Tooling

Cloud Native Application Protection Platform (CNAPP)

A cloud-configuration posture and application-protection platform continuously inventories all cloud assets, runs automated misconfiguration checks against industry benchmarks, and detects container-runtime threats. Customers benefit from real-time visibility into risk exposure and automated alerts when configurations drift.

Endpoint Data Loss Prevention (DLP)

An endpoint DLP solution monitors and controls data in motion on managed devices, applying context-aware policies to block unauthorized exports. Sensitive information cannot leave any endpoint without meeting preconfigured security requirements.

Endpoint Firewall & Mobile Device Management (MDM)

Company-issued devices are hardened, patched, and continuously monitored via a central MDM platform, with host-level firewalls enforcing strict security baselines.

Security Information and Events Monitoring (SIEM)

A cloud-native SIEM ingests logs from audit trails, container APIs, and network sensors into a scalable data lake, enabling near-instant search across historical events for rapid threat hunting and forensic investigations.

Security Orchestration, Automation, and Response (SOAR)

An integrated SOAR platform orchestrates automated playbooks that enrich alerts, assign severity, and trigger containment actions such as isolating hosts or revoking credentials.

Intrusion Detection System (IDS)

Deep-packet inspection monitors both north-south and east-west traffic within every virtual network, identifying malware callbacks, lateral-movement attempts, and exploit activity.

Web Application Firewall (WAF) & DDoS Mitigation

An enterprise-grade WAF sits at the edge to protect applications and APIs by applying managed rulesets, custom signatures, and behavioral bot-management controls. Built-in DDoS mitigation absorbs volumetric and application-layer floods before they reach origin servers.

Zero Trust Network Access (ZTNA)

Identity-aware, MFA-gated tunnels to internal services replace traditional VPN. Only authenticated and posture-verified devices can reach sensitive internal platforms.


Data Security & Privacy

Encryption

LayerStandard
In TransitTLS 1.2+ for all data traveling between clients, services, and third-party integrations.
At RestAES-256 for all stored data -- object storage, databases, and backups. Customer-managed keys (CMEK) available in single-tenant deployments.

Tenant Isolation & Segmentation

  • Multi-Tenant (default): Logical separation via namespaces, row-level security, and strict network policies. Each customer's data and compute remain logically separated from other tenants.
  • Single-Tenant (optional): Dedicated VPC, separate database cluster, and unique KMS keys for customers with stringent isolation or regulatory requirements.

For details on tenant models and data isolation, see Workspaces & Tenants.

Data Retention & Deletion

Customer data is retained only as long as necessary to provide services, or as specified in the DPA. Customers act as data controllers; Ema is the data processor. Automated pipelines remove data across storage, caches, and backups upon request.

PII Redaction

Configurable ingestion stages can strip, mask, or hash personally identifiable information (PII) before data is stored or used in downstream indexes. Customers choose their desired level of anonymization to match regulatory requirements.


Secure Development & Vulnerability Programs

Secure SDLC

  • SAST and Secret Scanning: Every pull request is scanned for vulnerabilities and secrets; critical or high-severity findings block merges until resolved.
  • Software Composition Analysis (SCA): Real-time scanning of open-source dependencies. Detected CVEs generate pull requests; patch timelines are tracked centrally to ensure compliance with SOC 2, ISO 27001, NIST, and HIPAA.

Vulnerability Assessment & Penetration Testing (VAPT)

ProgramCadenceDetails
Automated ScansWeeklyIndustry-standard crawlers and scanners run each week to catch new weaknesses from code changes.
Manual PentestsOngoingSecurity engineers perform targeted reviews, simulating attacker tactics using OWASP Top 10-aligned tests.
Third-Party AuditsAnnualIndependent firms validate controls and identify runtime vulnerabilities. Findings are prioritized by severity and addressed per patching-cycle SLAs.

FAQs

What is your data retention and disaster recovery policy? Backups are retained for 365 days by default (configurable for single-tenant customers). Recovery Time Objective (RTO) is 4 hours; Recovery Point Objective (RPO) is 30 minutes.

Do you have cyber insurance? Yes. Ema maintains cyber insurance that extends to client-related incidents with no known coverage gaps.

How do you handle data privacy? Ema is GDPR- and HIPAA-aligned. Customers can execute a Data Processing Addendum (DPA) that outlines processing, storage, and deletion workflows.

How do you ensure tenant isolation? Multi-tenant deployments use logical separation via namespaces, row-level policies, and network segments. Single-tenant deployments provide dedicated VPCs, databases, and KMS keys.

How do you handle AI bias and fairness? Ema leverages industry-standard models and inherits their baseline performance. The focus is on ensuring no additional bias is introduced and maintaining accuracy, supported by ISO 42001 certification.

Do you use sub-processors? Yes. Sub-processors undergo thorough vendor risk assessment before onboarding and regular reviews thereafter. A complete list is available at trust.ema.co/subprocessors.

What compliance training do employees receive? All employees complete mandatory training in compliance, ethics, and their functional areas upon hiring and annually thereafter.

Last updated: Jul 3, 2026