EMERON.IO / GLOBAL GOV-TECH / HQ SHARJAH SRTIP / EST. 2013
§ 01 / FRAMEWORK ALIGNMENT

What we align with and how.

We do not claim certifications we do not hold. Where a framework is on our roadmap, we say so and we say when. Where the platform is architecturally designed to meet a control set without being audited against it, we say "designed for" or "compatible with". The procurement officer reading this page can distinguish what has been audited from what has been engineered.

ISO/IEC 27001
Roadmap: Q3 2026. Information security management system documented. Risk register, control baseline, internal audit programme operational. External audit scheduled.
SOC 2 Type I
Roadmap: Q1 2027. Trust services criteria (Security, Availability, Confidentiality) in scope. Type II to follow twelve months later.
FedRAMP
Compatible architecture. Platform designed against FedRAMP Moderate control baseline. Not currently authorized. Path to authorization runs through a US partner with an existing FedRAMP-authorized cloud environment.
UK G-Cloud
Listing ready. Service descriptions, pricing model, and terms aligned to G-Cloud 14 framework. UK reseller / partner required for listing.
eIDAS / eIDAS 2.0
Compatible. Identity layer supports qualified electronic signature integration. Wallet-compatible flows on roadmap for 2027.
GDPR
Aligned. Data processing agreement available. Records of processing activity templated per tenant. Subject access, rectification, erasure, and portability flows configurable per record type.
UAE NESA / TDRA
Aligned. Information assurance standards mapped. UAE-resident deployment options available with in-country data storage.
UAE FTA ASP accreditation
Pilot phase July 2026. E-invoicing accredited service provider under the Peppol DCTCE model.
WCAG 2.2 AA
Aligned. All citizen-facing surfaces audited against AA. AAA targeted where statutorily required.
§ 02 / CONTROLS BY DOMAIN

What is in the platform by design.

D-01
Identity & access
SSO via SAML 2.0, OIDC. MFA enforceable per role. Role-based access with attribute-level constraints. Service accounts isolated.
D-02
Data at rest
AES-256 encryption. Per-tenant keys. Bring-your-own-key supported. Hardware security module integration for FIPS 140-2 deployments.
D-03
Data in transit
TLS 1.3 minimum. Certificate pinning for inter-service traffic. Mutual TLS for sensitive endpoints.
D-04
Audit logging
Every read, write, and configuration change. Immutable append-only. Per-tenant. Exportable to customer SIEM in standard formats.
D-05
Secrets management
Vault-backed. Rotation policy enforced. No secrets in code, configuration files, or repositories. Access logged.
D-06
Network isolation
Per-tenant network segmentation in cloud deployments. Private connectivity options. IP allow-listing per service.
D-07
Vulnerability management
Continuous dependency scanning. Container image scanning. Critical-severity remediation SLA of 7 days.
D-08
Backup & recovery
Point-in-time recovery to any minute within 35 days. Cross-region replication optional. Documented RTO/RPO per deployment tier.
D-09
Penetration testing
Annual external penetration test. Report available under NDA. Findings tracked to remediation with re-test.
D-10
Secure SDLC
Code review required. Static and dynamic analysis in pipeline. Threat modelling on every new module.
D-11
Incident response
Documented playbook. Severity classification. Customer notification SLA of 24 hours for confirmed data incidents.
D-12
Personnel security
Background checks for production access. Annual security training. Production access logged and reviewed quarterly.
§ 03 / DATA RESIDENCY

Where the data actually lives.

Data residency is the single most-asked question in a government procurement. The answer depends on the deployment model the customer chooses. We support five.

R-01
On-premises
Data never leaves the customer's data centre. Emeron does not have access except during an explicit support session.
R-02
Sovereign cloud
In-country cloud (G42, e& UAE, OCI Sovereign, AWS GovCloud equivalents). Data and operations within national borders.
R-03
Regional cloud
UAE, EU, UK, US, India, Singapore regions available. Customer designates primary and backup regions.
R-04
Hybrid
Sensitive records on-prem, non-sensitive in cloud. Defined per record type. Cross-zone transfer logged.
R-05
Air-gapped
Disconnected environment for classified deployments. Releases delivered on signed media. Patches via controlled gateway.
§ 04 / SUB-PROCESSORS

Who else touches the data, if anyone.

A customer running on-premises has no Emeron sub-processors. A customer on a managed cloud deployment has a published list of sub-processors per region. The list is maintained on the Sub-processors page and customers are notified thirty days before any addition or change.

Infrastructure (cloud)
Per-region cloud provider as designated by customer. Microsoft Azure, AWS, Oracle Cloud Infrastructure, G42 Cloud, e& UAE in active use.
Email transactional
Customer-designated SMTP or in-region transactional email provider. No PII routed through third-party email APIs without customer consent.
SMS & voice
Customer-designated telco or aggregator. In-country routing where regulator requires.
Observability
Customer-tenant isolated. No customer data sent to third-party APM by default. Optional integration with customer's SIEM.
Identity (optional)
Where the customer uses a national identity scheme (UAE Pass, GOV.UK One Login, eIDAS wallet), that scheme is a sub-processor under its own terms.

A complete, region-by-region list is maintained at /legal/sub-processors/ and updated as changes occur.

Need the evidence pack?

Security questionnaires, the current penetration test summary, the DPA, the records-of-processing template, and the architecture diagrams are all available under NDA. Request the procurement kit and we will scope what you need.