Validated Security Assurance

Our commitment to your security.

Committed to Protecting Your Privacy

We regularly subject our business practices to rigorous third-party audits to determine what we’re doing well and where we can improve.

The following comprehensive list of programs, certifications and accreditations claimed by Echoworx demonstrates our organization’s commitment to integrating security and data integrity into every facet of our business:

Security Assurance & Certification Programs

  • Echoworx is a Crown Commercial Service Supplier
  • FSQS Registered
  • Microsoft Trusted Root Program
  • Apple Certificate Program

SOC 2 Type II

As a formal evaluation by an independent accounting and auditing company, a SOC2 Type II report assesses the security, availability, confidentiality and processing integrity of Echoworx’s system, processes, procedures and security controls. This specific type of report evaluates how well an organization safeguards customer data.

Primary purpose

At Echoworx, our primary purpose is to protect the data and sensitive information our clients send in transit. To that end, we need assurance that our own system security is tested to ensure we are taking every precaution to protect the data sent to us. The primary purpose of a SOC2 Type II evaluation is to identify vulnerabilities and suggest improvements to further fortify our digital infrastructure.

Frequency of evaluation

SOC2 Type II evaluations of Echoworx are performed on a per annum basis.

To whom does this concern?

As a third-party SaaS provider, our customers need to be assured the data and sensitive information they send us is safe and secure. The SOC2 Type II report specifically addresses how well we protect customer data on our systems.

For more information on SOC assurance programs, visit the official website of the AICPA.


The WebTrust seal of assurance for Certification Authorities program is designed to increase consumer confidence in ecommerce and in the Public Key Infrastructure (PKI) technology used to authenticate users and devices in our digital world. The program, originally developed as a collaboration between the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA), is now administered by Chartered Professional Accountants of Canada (CPA Canada).

Primary purpose

Organizations like Echoworx, who display the WebTrust seal, are qualified by licensed third-party evaluators as being able to provide services which meet the principles and criteria outlined by CPA Canada’s ‘Trust Services’ criteria. These criteria, designed to assess an organization’s digital assets, are based on a qualifying rubric of security, availability, processing integrity, online privacy and confidentiality.

Frequency of evaluation

WebTrust controls are maintained and monitored on an ongoing basis.

To whom does this concern?

WebTrust assures the integrity of Echoworx Root CA – helping our customers establish key and certificate life cycle management controls.

Click here to see Echoworx’s WebTrust Seal of assurance.

PCI DSS Level 1 Certification

In its essence, the Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations which handle credit card information – administered by the Payment Card Industry Security Standards Council. As a Level 1-certified organization, Echoworx occupies a position at the highest level of PCI DSS – a level reserved for organizations which process more than six million transactions per year.

Primary purpose

Given the rigorous nature and scope of the PCI DSS Level 1 certification program, this seal of approval shows that Echoworx has taken adequate steps to address vulnerabilities and to fortify our digital defences.

Frequency of evaluation

Given the high-volume nature of PCI DSS Level 1, the validation demands are stricter and more stringent – requiring annual assessments for certification.

To whom does this concern?

Despite the focus of PCI DSS on credit card transactions, the stringent nature of the assessment makes this certification a keystone security seal to look for when determining the application of an organization’s digital defences to other sectors. While not a guarantee of compliance with other privacy or security mandates, the presence of a PCI DSS seal is a good sign for those shopping for a product which supports contemporary security measures.

For more information on PCI DSS certification, visit the official website of the PCI Security Standards Council.

Financial Services Qualification System (FSQS) Registration

Representing a whole community of financial institutions, the FSQS is a single standard for assessing third-party organizations – based on compliance with regulators, internal policies and governance controls.

Primary purpose

As a registered FSQS supplier, Echoworx has demonstrated compliance with FSQS standards. These standards are organized into a strict rubric of guidelines designed to assess the inherent risk of Echoworx across key risk control areas, including cybersecurity, data privacy, information security, business continuity, financial crime, conduct risk, financial, legal and corporate responsibility.

By completing our FSQS evaluation, Echoworx is pre-qualified as a trusted SaaS provider – reducing the time, cost, resources and duplication needed to provide relevant information to banking, insurance and investment organizations looking to upgrade their email data protection capabilities.

Frequency of evaluation

FSQS evaluations of Echoworx are performed on a per annum basis.

To whom does this concern?

The FSQS is designed to make purchasing decisions easier for large enterprise-level financial and insurance organizations. Registered suppliers have met the pre-qualified vetting conditions of the system – providing prospective buyers with efficient access to common supplier information.

Click here to see Echoworx’s FSQS certification. For more information on the FSQS, visit the official website of Hellios.

G-Cloud 13 Approved Supplier for Cloud Software (SaaS) UK

Crown Commercial Service (CCS) is the biggest public procurement organization in the UK, promoting government-wide adoption of cloud-based services.

Primary purpose

Focused on security and stringent standards for protection against cyber-attacks, the UK government’s CCS suppliers are those with only the most up-to-date security technology and software. As an approved CCS supplier, Echoworx has demonstrated our commitment to offering best-in-breed encryption services.

By completing our CCS approval, Echoworx is pre-qualified as a trusted SaaS provider – offering quick and easy access to organizations in the UK public sector looking to upgrade their message encryption.

Frequency of evaluation

CCS evaluations of Echoworx are performed on a per annum basis.

To whom does this concern?

The CCS G-Cloud 13 is a Public Procurement Gateway designed to help the public sector achieve maximum commercial value when procuring common goods and services. Approved suppliers have met the pre-qualified vetting conditions of the system – saving buyers time finding suppliers, checking their reliability and managing their performance.

For more information on CCS G-Cloud 13, visit the official website.

Microsoft Trusted Root Certificate Member

The Microsoft Trusted Root Certification Program is an elite group of fewer than 100 organizations whose root certificates Microsoft distributes to Windows products and guarantees.

Primary purpose

For Echoworx, inclusion in this program means we are recognized by Microsoft as a legitimate, safe and trusted email data encryption provider for users of its products. As one of the elite members of the Microsoft Root Program, our products are compatible, recognized and trusted additions to existing Microsoft infrastructure.

Frequency of evaluation

Microsoft Trusted Root evaluations of Echoworx are performed on a per annum basis.

To whom does this concern?

The Microsoft Trusted Root Program assures Echoworx subscribers that certificates issued are recognized and trusted.

For more information on the Microsoft Trusted Root Program, visit the official site of Microsoft.

Apple Root Certificate Member

The Apple Root Certificate Program protects Apple customers from security issues related to the use of Public Key Infrastructure (PKI) certificates – helping enhance customer experience for Apple users. Apple products, including Apple Mail, use a common root Certificate Authority (CA) database to store certificates – and membership in the Apple Root program establishes Echoworx as a trusted CA.

Primary purpose

Echoworx’s membership in the Apple Root Certificate program guarantees a seamless service experience on Mac OS and iOS devices when making secure web connections, generating secure emails or other PKI interactions.

To whom does this concern?

Any organization realistically looking to compete on the global stage needs to consider and support Apple products – especially when it comes to email data protection. With many users operating on Apple devices, membership in this program ensures they are protected, supported and serviced.

For more information on Apple Root certification, visit the official site of Apple.

Privacy Programs

General Data Protection Regulation (GDPR)

The GDPR is the most significant change in privacy regulation in decades – and Echoworx is proud to support this initiative. The aim of it is clear – to protect the data and privacy of citizens belonging to countries under the European Union (EU). And, with 11 chapters, consisting of 99 articles and 260 pages, the GDPR’s reach is as substantial as it is specific, setting the baseline for how companies must protect their own information and that of their clients.

Primary purpose

The GDPR employs a two-pronged approach to protecting the data of EU residents:

State protection for personal data – The GDPR forbids mishandling the personal data of citizens of EU member countries. Failure to protect said data can result in massive fines – up to €20M or four per cent of a violating organization’s global annual income.

Clear guidelines for protecting data – Before the GDPR came about in May 2018, Europe operated under a patchwork of regional laws. The GDPR unifies privacy laws under one umbrella directive – eliminating confusion or misinterpretation of the proper handling of personal data.

To whom does this concern?

The GDPR specifically concerns organizations which conduct business in EU member countries or with EU residents. But the grey area here occurs when an EU resident or dual citizen lives abroad – and is theoretically still covered under EU jurisdiction. In layman’s terms, it’s safe to assume the GDPR affects your business at some point.

How does Echoworx help?

Email data protection is a logical solution for organizations looking to comply with the GDPR – and is even mandatory under some regional interpretations of the regulation. Encryption is referenced throughout the GDPR as a recognized tool for enhancing data protection and breach notification practices. Echoworx’s extensive suite of email data protection services help EU companies comply with the GDPR and protect sensitive data at an affordable cost.

Is Echoworx GDPR-compliant?

Echoworx abides by the laws of the countries we do business in or with. With much of our client base spread across the European continent, in addition to across the globe, we comply with the GDPR in every capacity of our EU business. We are a controller with respect to our internal business operations – namely the data stored about our employees who work in the EU and any data we store in sales databases containing the personal data of EU citizens.

As a Canadian-headquartered organization, Echoworx is also subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) – a law designed to satisfy current GDPR demands. As such, we are subject to MLATs – but only for data stored on Canadian or American servers. To avoid this pitfall, we have SOC2-, PCI DSS- and ISO-certified data centres located in Ireland, the UK, Germany and Mexico, in addition to Canada and the US.

For more information on the GDPR, visit the official website of the European Union.