Validated Security Assurance

Our commitment to your security.

Committed to Protecting Your Privacy

We regularly subject our business practices to rigorous third-party audits to determine what we’re doing well and where we can improve.

The following comprehensive list of programs, certifications and accreditations claimed by Echoworx demonstrates our organization’s commitment to integrating security and data integrity into every facet of our business:

Security Assurance & Certification Programs



AWS Qualified Software Certification

The AWS qualified software certification is awarded to companies upon successful completion of the AWS Foundational Technical Review (FTR).

Primary purpose

The AWS FTR enables AWS Partners to identify and remediate any risks in their products or solutions. It ensures that AWS Partner products and solutions meet a specific set of requirements based around security, reliability and operational excellence, as defined by the AWS Well-Architected Framework.

To whom does this concern?

Organizations that prioritize cloud-based email encryption solutions place great importance on reliable vendor protection, trustworthy processes, and robust security measures to safeguard their sensitive communications.

For more information on AWS Qualified Software certification, visit the official site of AWS.

Financial Services Qualification System (FSQS) Registration

Representing a whole community of financial institutions, the FSQS is a single standard for assessing third-party organizations – based on compliance with regulators, internal policies and governance controls.

Primary purpose

As a registered FSQS supplier, Echoworx has demonstrated compliance with FSQS standards. These standards are organized into a strict rubric of guidelines designed to assess the inherent risk of Echoworx across key risk control areas, including cybersecurity, data privacy, information security, business continuity, financial crime, conduct risk, financial, legal and corporate responsibility.

By completing our FSQS evaluation, Echoworx is pre-qualified as a trusted SaaS provider – reducing the time, cost, resources and duplication needed to provide relevant information to banking, insurance and investment organizations looking to upgrade their email data protection capabilities.

Frequency of evaluation

FSQS evaluations of Echoworx are performed on a per annum basis.

To whom does this concern?

The FSQS is designed to make purchasing decisions easier for large enterprise-level financial and insurance organizations. Registered suppliers have met the pre-qualified vetting conditions of the system – providing prospective buyers with efficient access to common supplier information.

Click here to see Echoworx’s FSQS certification. For more information on the FSQS, visit the official website of Hellios.

G-Cloud 13 Approved Supplier for Cloud Software (SaaS) UK

Crown Commercial Service (CCS) is the biggest public procurement organization in the UK, promoting government-wide adoption of cloud-based services.

Primary purpose

Focused on security and stringent standards for protection against cyber-attacks, the UK government’s CCS suppliers are those with only the most up-to-date security technology and software. As an approved CCS supplier, Echoworx has demonstrated our commitment to offering best-in-breed encryption services.

By completing our CCS approval, Echoworx is pre-qualified as a trusted SaaS provider – offering quick and easy access to organizations in the UK public sector looking to upgrade their message encryption.

Frequency of evaluation

CCS evaluations of Echoworx are performed on a per annum basis.

To whom does this concern?

The CCS G-Cloud 13 is a Public Procurement Gateway designed to help the public sector achieve maximum commercial value when procuring common goods and services. Approved suppliers have met the pre-qualified vetting conditions of the system – saving buyers time finding suppliers, checking their reliability and managing their performance.

For more information on CCS G-Cloud 13, visit the official website.

PCI DSS Level 1 Certification

In its essence, the Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations which handle credit card information – administered by the Payment Card Industry Security Standards Council. As a Level 1-certified organization, Echoworx occupies a position at the highest level of PCI DSS – a level reserved for organizations which process more than six million transactions per year.

Primary purpose

Given the rigorous nature and scope of the PCI DSS Level 1 certification program, this seal of approval shows that Echoworx has taken adequate steps to address vulnerabilities and to fortify our digital defences.

Frequency of evaluation

Given the high-volume nature of PCI DSS Level 1, the validation demands are stricter and more stringent – requiring annual assessments for certification.

To whom does this concern?

Despite the focus of PCI DSS on credit card transactions, the stringent nature of the assessment makes this certification a keystone security seal to look for when determining the application of an organization’s digital defences to other sectors. While not a guarantee of compliance with other privacy or security mandates, the presence of a PCI DSS seal is a good sign for those shopping for a product which supports contemporary security measures.

For more information on PCI DSS certification, visit the official website of the PCI Security Standards Council.

SOC 2 Type II

As a formal evaluation by an independent accounting and auditing company, a SOC2 Type II report assesses the security, availability, confidentiality and processing integrity of Echoworx’s system, processes, procedures and security controls. This specific type of report evaluates how well an organization safeguards customer data.

Primary purpose

At Echoworx, our primary purpose is to protect the data and sensitive information our clients send in transit. To that end, we need assurance that our own system security is tested to ensure we are taking every precaution to protect the data sent to us. The primary purpose of a SOC2 Type II evaluation is to identify vulnerabilities and suggest improvements to further fortify our digital infrastructure.

Frequency of evaluation

SOC2 Type II evaluations of Echoworx are performed on a per annum basis.

To whom does this concern?

As a third-party SaaS provider, our customers need to be assured the data and sensitive information they send us is safe and secure. The SOC2 Type II report specifically addresses how well we protect customer data on our systems.

For more information on SOC assurance programs, visit the official website of the AICPA.

Privacy Programs

General Data Protection Regulation (GDPR)

The GDPR is the most significant change in privacy regulation in decades – and Echoworx is proud to support this initiative. The aim of it is clear – to protect the data and privacy of citizens belonging to countries under the European Union (EU). And, with 11 chapters, consisting of 99 articles and 260 pages, the GDPR’s reach is as substantial as it is specific, setting the baseline for how companies must protect their own information and that of their clients.

Primary purpose

The GDPR employs a two-pronged approach to protecting the data of EU residents:

State protection for personal data – The GDPR forbids mishandling the personal data of citizens of EU member countries. Failure to protect said data can result in massive fines – up to €20M or four per cent of a violating organization’s global annual income.

Clear guidelines for protecting data – Before the GDPR came about in May 2018, Europe operated under a patchwork of regional laws. The GDPR unifies privacy laws under one umbrella directive – eliminating confusion or misinterpretation of the proper handling of personal data.

To whom does this concern?

The GDPR specifically concerns organizations which conduct business in EU member countries or with EU residents. But the grey area here occurs when an EU resident or dual citizen lives abroad – and is theoretically still covered under EU jurisdiction. In layman’s terms, it’s safe to assume the GDPR affects your business at some point.

How does Echoworx help?

Email data protection is a logical solution for organizations looking to comply with the GDPR – and is even mandatory under some regional interpretations of the regulation. Encryption is referenced throughout the GDPR as a recognized tool for enhancing data protection and breach notification practices. Echoworx’s extensive suite of email data protection services help EU companies comply with the GDPR and protect sensitive data at an affordable cost.

Is Echoworx GDPR-compliant?

Echoworx abides by the laws of the countries we do business in or with. With much of our client base spread across the European continent, in addition to across the globe, we comply with the GDPR in every capacity of our EU business. We are a controller with respect to our internal business operations – namely the data stored about our employees who work in the EU and any data we store in sales databases containing the personal data of EU citizens.

As a Canadian-headquartered organization, Echoworx is also subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) – a law designed to satisfy current GDPR demands. As such, we are subject to MLATs – but only for data stored on Canadian or American servers. To avoid this pitfall, we have SOC2-, PCI DSS- and ISO-certified data centres located in Ireland, the UK, Germany and Mexico, in addition to Canada and the US.

For more information on the GDPR, visit the official website of the European Union.
