Trust Center — Emeron

§ 01 / WHAT IS PUBLISHED

Four bodies of evidence.

Below is what is published openly. Additional documentation (internal audit reports, penetration test results, full sub-processor agreements) is available under NDA for active procurement processes.

— 01 / INFORMATION SECURITY

Security posture, audited and roadmapped

ISO 27001 program. SOC 2 roadmap. NIST SP 800-53 alignment. Penetration testing program. Incident response.

READ POSTURE ↓

— 02 / DATA PROTECTION

Multi-jurisdiction data protection

GDPR alignment. UAE PDPL. KSA PDPL. Multi-jurisdiction DPA. Sub-processor list. Data residency.

READ POSTURE ↓

— 03 / ACCESSIBILITY

WCAG 2.2 AA across the suite

WCAG 2.2 AA. Section 508. EN 301 549. Accessibility statement. Third-party audit on roadmap.

READ POSTURE ↓

— 04 / PROCUREMENT KIT

Everything most RFPs require

Capability statement, insurance, past performance, security questionnaire responses, standard contract templates, pricing model.

DOWNLOAD KIT →

§ 02 / INFORMATION SECURITY

Posture, roadmap, and the work behind both.

ISO 27001:2022

Certification roadmap Q3 2026. ISMS in place. Information security policy framework published internally. Annual internal audit cadence operating since 2024.

SOC 2

Type I roadmap Q1 2027. Type II roadmap Q3 2027. Trust service criteria mapping complete. Audit firm selection in progress.

NIST SP 800-53

Architectural alignment with moderate baseline. Implementation evidence available under NDA for active procurement.

Penetration testing

Annual third-party penetration testing program. Most recent: Q1 2026. Executive summary available under NDA. Critical findings remediated within 30 days; high findings within 90.

Vulnerability management

Continuous dependency scanning. Critical CVEs patched within 14 days. Monthly platform-wide patch cadence. Customer notification process documented.

Incident response

Documented incident response plan. Quarterly tabletop exercises. Customer notification within 72 hours for material incidents. Post-incident reports under NDA.

Personnel

Pre-employment background screening. Annual security training. Privileged access reviewed quarterly. Separation procedures audited.

Encryption

At rest: AES-256. In transit: TLS 1.3. Key management: customer-managed keys supported. HSM integration available.

Backup & recovery

RPO 15 minutes / RTO 4 hours for standard deployments. Tighter SLAs available. Geographic redundancy per deployment topology. Annual recovery testing.

Responsible disclosure

Published security contact: security@emeron.io. Acknowledgment within 24 hours. Coordinated disclosure. Hall of recognition for credited researchers.

§ 03 / DATA PROTECTION

Multi-jurisdiction by design.

GDPR (EU/EEA)

Architecture aligned with GDPR principles. Standard contractual clauses. EU Cloud Code of Conduct adherence statement available. Data Protection Officer designated.

UK GDPR

UK Data Protection Act 2018 alignment. ICO registration. International data transfer agreement supported.

UAE PDPL

Federal Decree-Law No. 45 of 2021 alignment. UAE Data Office registration where applicable. Sovereign-data deployment standard.

KSA PDPL

Personal Data Protection Law alignment. SDAIA registration where applicable.

Data residency

Selectable per deployment. Customer-controlled keys. No customer data transferred outside the chosen jurisdiction without explicit consent.

Sub-processors

Sub-processor list published per deployment. Updated quarterly. Customer notification before new sub-processor activation. 30-day objection window.

Data Processing Agreement

Standard DPA available. Jurisdiction-specific variants. Customer-redlined versions supported in procurement.

Data subject rights

Native platform support for access, rectification, erasure, portability, restriction, objection. Automated workflows for citizen-side requests.

Cross-border transfer

Standard contractual clauses. Adequacy decisions honored where applicable. Customer-controlled per deployment.

Privacy impact assessment

Template PIA available for customer use. Emeron's own platform PIA available under NDA.

§ 04 / ACCESSIBILITY

Accessibility is a citizen right.

Government services must work for every citizen, including those with disabilities. Emeron's accessibility posture is engineering-grade, not just compliance-grade.

WCAG 2.2 AA

Compliance across all citizen-facing workflows. Most administrative workflows also AA compliant. Conformance statement published per deployment.

Section 508

US Section 508 alignment. VPAT (Voluntary Product Accessibility Template) available for US federal procurement.

EN 301 549

European accessibility standard alignment. EU public-sector accessibility directive compliance.

Assistive technology

JAWS, NVDA, VoiceOver, TalkBack tested. ARIA landmarks throughout. Form structure optimized for assistive technology.

Keyboard

100% keyboard navigable. No keyboard traps. Skip links throughout. Focus indicators visible and configurable.

Visual

Color contrast WCAG AA minimum. Text resize to 200% without loss. High-contrast mode optional. Reduced-motion support.

Cognitive

Plain-language defaults. Reading-level configurable. Save-and-resume on every workflow.

Third-party audit

External audit Q2 2027 with a recognized accessibility consultancy. Annual cadence thereafter.

Accessibility statement

Published per deployment. Customer-side accessibility statement template provided.

Read the accessibility statement →

Security, compliance, and the work behind them.

Four bodies of evidence.

Security posture, audited and roadmapped

Multi-jurisdiction data protection

WCAG 2.2 AA across the suite

Everything most RFPs require

Posture, roadmap, and the work behind both.

Multi-jurisdiction by design.

Accessibility is a citizen right.

Pick the document or conversation you need.