Technical and Organizational Measures for Data Security and Protection

Introduction

Edusign strives to be as transparent as possible when it comes to the management of your data. For more information, you can also refer to our privacy policy and our GDPR page.

We have implemented technical and organizational measures to protect your personal data. These measures are regularly updated to provide the highest level of protection possible.

Data Transfers and Encryption

The entire data processing chain is secured through encryption.

Edusign uses modern encryption technologies that comply with standards set by ANSSI.

  • Securing transactions to and from our services with TLS encryption.
  • Encryption at rest of documents, before and after signing, using AES-256.
  • Use of keys longer than 2048 bits with secure algorithms such as RSA.

Certifications

Edusign has certifications in electronic signatures, electronic seals, and timestamps. Details about these certificates are available upon request at support@edusign.fr.

To ensure our compliance is maintained, we conduct regular audits.

Development Security

Internal development processes are established for our teams to ensure secure development of our solution.

  • Adherence to best practices outlined by the Open Web Application Security Project (OWASP).
  • “Security by design” approach, meaning no development begins before its security implications have been analyzed.
  • Automated and manual testing.
  • Code reviews and modifications.
  • Peer evaluations.

Personnel Management

All Edusign employees are familiar with IT tools and trained in best practices for information security recommended by ANSSI. Additionally, employees are kept informed about the latest practices and technological advancements in IT security.

The following measures are in place:

  • Information security and personal data protection training for new employees.
  • Regular communications to all teams to raise awareness.
  • Access and role management policy.
  • Password management policy.
  • Confidentiality commitment.

We have implemented a role management policy that limits each employee’s access to what their role requires, in line with the principle of least privilege. A review of rights management is conducted on a quarterly basis.

Infrastructure Access

Edusign relies on hosting partners to ensure optimal security of its infrastructures, including the implementation of an information systems security policy in line with the requirements of several standards and certifications (PCI DSS certification, ISO/IEC 27001 certification, SOC 1 Type II and SOC 2 Type II attestations, etc.).

Physical Access Management:

  • Identity verification.
  • Centralized access control using a badge system.
  • Single-person security airlock (mantrap).
  • Surveillance equipment.

Logical Data Access Control:

  • Password management policy.
  • Firewalls and regularly updated antivirus.
  • Logging and documented access control policy.

Vulnerability Detection

Edusign regularly conducts analyses to detect potential vulnerabilities. Edusign also engages third parties to refine these analyses. Measures are then taken to eliminate or mitigate these vulnerabilities. A non-exhaustive list of implemented protocols includes:

  • Bug bounty program.
  • Regular vulnerability scanning.
  • Vulnerability alerts and monitoring.
  • Code reviews.

Incident Management

If the vulnerability detection program fails and a cyberattack results, Edusign commits to notifying clients and the relevant authorities, providing the information needed to manage the vulnerability effectively.

Edusign will respond promptly to requests from authorities and clients regarding this vulnerability.

To date, Edusign has not reported any breaches of its computer system resulting in access to personal data. We make every effort to ensure this remains the case.

Service Availability and Data Backup

Edusign takes all necessary measures to ensure high availability and continuity of services. Your data is stored on secure servers with daily backups on another server. A non-exhaustive list of implemented protocols includes:

  • Real-time monitoring of servers and databases with alerts.
  • Notification protocols in the event of a partner’s failure.
  • Scalable servers with redundant backup.
  • Vulnerability and intrusion testing.
  • Business continuity plan.
  • Disaster recovery plan.

In the event of service unavailability, Edusign will inform users through any available means.

If you have any questions regarding the technical and organizational measures for data security and protection, please contact support@edusign.fr.

In the event of problems, this version will prevail.