Trust and Security

Our Commitment

At EPSG, we are deeply committed to employee training, product security, data privacy, and regulatory compliance. Our focus is on creating and maintaining services that are inherently reliable and secure. To achieve this, we have invested substantial resources, time, and effort into both developing and continuously maintaining an Information Security Program (ISP) known internally as EPSG SHIELD. This program is designed to ensure the confidentiality, integrity, and availability of our services, while also rigorously protecting the privacy of our customers' data.

Overview

EPSG SHIELD incorporates a wide array of security measures across multiple domains. The program includes rigorous Infrastructure Security measures like network segmentation, intrusion detection, and data backup procedures. Our Organizational Security encompasses training programs, confidentiality agreements, background checks, encrypted portable media, anti-malware technology, and more. Product Security is ensured through penetration testing, data encryption, and monitoring procedures. Internal Security procedures involve vulnerability remediation, access reviews, disaster recovery plans, and incident management protocols. Finally, Data and Privacy are safeguarded through comprehensive policies for data deletion, retention, and classification, ensuring compliance with privacy standards. This multifaceted approach ensures robust protection of our systems, products, and customer data against various threats. 

Controls

Infrastructure Security

  • Unique production database authentication enforced 
  • Encryption key access restricted 
  • Unique account authentication enforced 
  • Production application access restricted 
  • Access control procedures established 
  • Production database access restricted 
  • Firewall access restricted 
  • Production OS access restricted 
  • Production network access restricted 
  • Access revoked upon termination 
  • Unique network system authentication enforced 
  • Remote access MFA enforced 
  • Remote access encryption enforced
  • Intrusion detection system utilized 
  • Log management utilized 
  • Infrastructure performance monitored 
  • Network segmentation implemented 
  • Network firewalls utilized 
  • Network and system hardening standards maintained 
  • Service infrastructure maintained 
  • Network firewalls reviewed 
  • Password policy enforced 

Organizational Security

  • Asset disposal procedures utilized 
  • Production inventory maintained 
  • Portable media encrypted 
  • Anti-malware technology utilized 
  • Code of Conduct acknowledged by contractors 
  • Code of Conduct acknowledged by employees and enforced 
  • Confidentiality Agreement acknowledged by contractors 
  • Confidentiality Agreement acknowledged by employees 
  • Performance evaluations conducted 
  • MDM system utilized 
  • Visitor procedures enforced 

Product Security

  • Data encryption utilized 
  • Control self-assessments conducted 
  • Penetration testing performed 
  • Data transmission encrypted 
  • Vulnerability and system monitoring procedures established 

Data and Privacy

  • Data retention procedures established 
  • Customer data deleted upon customer departure
  • Data classification policy established 

Internal Security Procedures

  • Continuity and disaster recovery plans established
  • Continuity and disaster recovery plans tested
  • Cybersecurity insurance maintained 
  • Configuration management system established 
  • Change management procedures enforced 
  • Production deployment access restricted 
  • Development lifecycle established 
  • SOC 2 – System Description 
  • Whistleblower policy established 
  • Executive meetings conducted 
  • Backup processes established 
  • System changes externally communicated 
  • Management roles and responsibilities defined 
  • Organization structure documented 
  • Roles and responsibilities specified 
  • Security policies established and reviewed 
  • Support system available 
  • System changes communicated 
  • Access reviews conducted 
  • Access requests required 
  • Incident response plan tested 
  • Incident response policies established 
  • Incident management procedures followed 
  • Physical access processes established 
  • Data center access reviewed 
  • Company commitments externally communicated 
  • External support resources available 
  • Service description communicated 
  • Risk assessment objectives specified 
  • Risk assessments performed
  • Risk management program established 
  • Third-party agreements established 
  • Vendor management program established 
  • Vulnerabilities scanned and remediated