Information security aspects in job offers and proposals
- The client is aware of and accepts EMMSA's corporate policies published on the institutional site (Corporate Policies), in particular the Information Security Policy, the Integrity Policy, the Code of Ethics and Conduct, and the disclaimers.
- If requested by the client, a framework NDA (confidentiality agreement) can be signed for the exchange of information. EMMSA has signed NDAs with all of its personnel and carries out the complete development with its own staff.
- It is the client's responsibility to generate the test data, obfuscating, modifying or encrypting the corresponding information in order to protect its confidentiality wherever the client deems it necessary. All data placed in environments accessible to EMMSA, or sent to our company, will be assumed to be non-real sample data and must be managed by the client under the conditions described.
- The validity and integrity of the data to be configured in testing or production environments are the responsibility of the customer.
- The client will verify that the developed systems include all the input validations and controls it requires in order to ensure the integrity of the data to be handled.
- The availability of the system will depend on the infrastructure used by the client and on the fault-tolerance features the client has implemented in the testing and/or production environments used to run the system, as well as on the specific cybersecurity measures the client chooses to apply in its infrastructure; these are at the client's discretion and under its responsibility.
- If the client does not specify information security requirements in the project scope, it will be assumed that the standard features of our developments satisfy the requirements in this regard and that no additional information security measures are needed. These standard features, applied as measures to protect the confidentiality and integrity of the information, are: user security profiles to restrict access levels to data, password hashing, and the usual logging practice of recording the user who performed each transaction.
- EMMSA can perform specific security tests of the developed applications (vulnerability analysis) with advanced specialized tools such as Nessus, Acunetix, SonarQube, Hdiv, HCL AppScan or others, at an additional cost to the project. In that case the project scope must state this explicitly; otherwise it is assumed that no specific tests of this kind are required.
- Similarly, if requested and stated in the project scope, the participation of a third-party company specialized in computer security may be arranged to review and validate the security aspects of the application, likewise taking into account the additional cost and time involved.
- If requested by the client as part of the contracted services, EMMSA may in the future perform periodic monitoring, at the interval requested (quarterly, semi-annually or annually), of the update status of the application's components, watching for the eventual publication of known vulnerabilities in those components that could facilitate attacks and for the availability of new component versions that may offer improvements, and may perform a periodic re-check of the application's security.
- The published versions will be kept accessible for a limited period of time, after which they will be automatically withdrawn from publication for information security reasons.
- Deliveries made by EMMSA are always intended to be implemented and tested first in the testing environment. EMMSA's responsibility during development is to make the corresponding deliveries available for the testing environment; the decision to move them to the production environment is the client's. The administration of the environments and the download/installation of versions will be done by the client.
- The actual testing of the delivered versions, the participation of the key users, and the approval and promotion to production will be performed internally by the client according to the priorities it assigns and the availability of the technical and human resources it allocates, and are therefore outside the scope of EMMSA. Definition of 'done': delivered and available to be implemented in the testing environment.
- The production release of any or all deliverables and/or the payment of the invoices corresponding to the project will be taken as implicit acceptance of the submitted installation/upgrade packages, for having successfully passed the previous testing phases.
- The client agrees to respect and comply with all regulatory, intellectual property and legal aspects applicable to the scope of the project, including technical (e.g. software licenses in use), human and other elements.
- The warranty on the deliverables requires that no changes be made to the delivered components and that the implementations be carried out following exactly the steps and indications given. Any modification not agreed with EMMSA that the client makes to the components of the solution, or any failure to respect the steps or prerequisites for installing versions, may be cause for loss of the warranty. Likewise, failure to pay the invoices presented by our company on time and in the agreed form is sufficient reason for loss of the warranty.
- During the project EMMSA may grant the client's users access to its own management and task-tracking tools. In that case the client agrees to provide the information required to register those users and to inform EMMSA immediately of any change of position within the company, or of the departure, of any of these people, so that we can promptly withdraw the permissions granted.
- In the event of receiving confidential information from EMMSA, the client agrees not to disclose such information or share it with its own or outside persons not involved in the project. All information received from EMMSA that is not in the public domain will be considered confidential.