1. Infrastructure
Our services run on Amazon Web Services (AWS), inheriting the physical and environmental security of AWS data centers and their portfolio of compliance attestations (including SOC 1/2/3 and ISO 27001). Under the AWS shared-responsibility model those attestations cover the underlying infrastructure; the controls described in the remaining sections are our own. We deploy within isolated virtual private clouds (VPCs), with security groups and network controls that restrict access to only what each component requires.
2. Encryption
- In transit: all traffic between clients and our applications is encrypted using TLS 1.2 or higher; older protocol versions are not accepted.
- At rest: data stored in our databases and object storage is encrypted at rest using AES-256, with keys managed through AWS Key Management Service (KMS).
3. Access control
- Access to production systems is granted on a least-privilege, need-to-know basis and is reviewed periodically to confirm that each grant is still required.
- Administrative and cloud-console access requires multi-factor authentication (MFA).
- Access is provisioned and de-provisioned promptly as roles change or personnel depart.
4. Application security
- Changes follow a version-controlled workflow with peer review before release.
- We use automated dependency scanning to identify known vulnerabilities in third-party libraries and remediate them by upgrading or replacing the affected components.
- We follow secure-development practices to mitigate common risks such as injection, broken access control, and misconfiguration.
5. Monitoring & logging
We maintain logging and monitoring across our infrastructure to support operational visibility, anomaly detection, and incident investigation. Logs are retained in accordance with operational and contractual requirements.
6. Data protection
We process personal information in line with our Privacy Policy. When we process data on behalf of a customer, we do so under our Data Processing Agreement, which sets out our obligations as a processor, including confidentiality, security measures, sub-processor management, and breach notification.
7. Business continuity
We use managed, redundant cloud services and automated backups to support availability and recovery. Recovery objectives are defined per engagement based on each customer’s requirements.
8. Incident response
We maintain procedures to identify, contain, investigate, and remediate security incidents. In the event of a security incident affecting customer data, we will notify affected customers without undue delay and in accordance with our contractual and legal obligations.
9. Vendor due diligence
We recognize that our customers — particularly those in financial services — conduct vendor risk assessments. We are glad to support these reviews. Our Privacy Policy, Terms of Service, and Data Processing Agreement are published and available, and additional documentation can be provided under a mutual non-disclosure agreement on request.
10. Reporting a vulnerability
If you believe you have found a security vulnerability in our systems or this Site, please report it to info@ephrontech.com. We appreciate responsible disclosure and will work to validate and address legitimate reports promptly. Please do not publicly disclose an issue before we have had a reasonable opportunity to remediate it.
