Canadian-resident data
Customer Data is hosted in AWS Canada (Central) — Montréal region — with all primary and replica nodes inside Canada. No data leaves Canadian borders without an explicit Enterprise arrangement.
EMS holds the operational chain-of-custody for regulated, excise-stamped goods. Here's exactly how we protect it — where it's hosted, how it's encrypted, who can see it, and how to report a vulnerability.
TLS 1.3 in transit, AES-256 at rest. Database snapshots, blob storage (NOA documents, damage photos) and backups are all encrypted with keys managed in AWS KMS.
Customer accounts are isolated at the data layer, not just the UI. Customer-portal sub-accounts further restrict consignees to their own slice — they cannot read another consignee's shipments, inventory or reports.
Every state-changing action — receive a box, complete a stamp run, dispatch an outbound — is logged with user, timestamp and detail. The audit log is append-only and retained for at least 12 months.
Production access is restricted to a small set of named engineers. Every production action is logged and reviewed weekly. Customer Data is never accessed without an explicit support ticket.
Encrypted automated backups every 4 hours, cross-region copies daily. Quarterly disaster-recovery drills (most recently 23 March 2026, completed in 18 minutes) — see the status page.
Username + password by default with a configurable password policy and 30-minute auto-lock. Single sign-on (SAML, OIDC) available on Pro and Enterprise tiers, with mandatory MFA enforcement at the IdP layer.
Annual security training for all staff. Mandatory re-training for anyone with production access. Onboarding includes secure-coding fundamentals and incident-response procedures.
Continuous monitoring of authentication events, abnormal API usage, and infrastructure health. Anomalies page our on-call engineer 24/7. Customer-impacting events are posted to the status page within 15 minutes of detection.
Honest snapshot of our current certifications and their target dates. We update this page as soon as a status changes.
Audit period ends Q2 2026; report target Q3 2026.
Aligning controls during the SOC 2 cycle for streamlined audit.
For Enterprise customers we maintain a current internal security report covering controls, policies and architecture, available on request under NDA. Contact admin@excisems.com.
We treat security incidents the same way we treat compliance — visibly, accountably, and on a clock. Our response runbook is rehearsed quarterly.
Internal escalation and on-call paging within 15 minutes; the status page posts an "investigating" entry within an hour of confirming customer impact.
Affected customers receive a direct email within 24 hours of the incident being declared, with a plain-English summary of what we know and don't know yet.
Every customer-impacting incident gets a public post-mortem on the status page within seven days — root cause, customer impact, timeline, prevention actions.
If an incident involves personal information of EU/UK or CA data subjects, EMS will notify the relevant supervisory authority within the windows required by GDPR and PIPEDA respectively, and assist customers with their downstream obligations.
If you've found a security issue in EMS, please report it directly. We don't pursue good-faith researchers, and we acknowledge every valid report.
Enterprise customers can request our current internal security report under NDA — covers controls, policies, and architecture diagrams.