Learn about our certifications & accreditations and how we protect your data.
What certifications are on this page?
- Commercial Product Assurance
- Common Criteria
- FIPS 140-2
- ISO/IEC 27001:2013
- ISO 9001:2015
- Cyber Security Supplier to Government Scheme
- NATO IACD
- Pan Government Accreditation (PGA)
- Cyber Essentials Plus Certification
- Skyhigh CloudTrust
- Privacy Shield Framework
- International Privacy Verification (IPV) programme
- SOC 2 Type 1
- PCI DSS
- NHS Digital - Data Security and Protection Toolkit
Commercial Product Assurance
Certificate No: 1433053936-3453
Issue date: November 11th, 2020 (to present)
Egress has held the UK Government CPA Foundation Grade as a certified email encryption product since 2014. This makes Egress suitable for sharing OFFICIAL and OFFICIAL-SENSITIVE under the current government classification policy. As a result, Egress helps fill the gap between existing accredited government networks and external delivery partners, citizens and third sector businesses.
At the time of the award, an NCSC spokesperson commented: “Egress’ innovative technology and commitment to demonstrating that it meets NCSC’s standards means that the end-user has confidence that they are selecting an email encryption product that has been approved by UK Government and is capable of protecting their organisation and the data they share from external threats.”
Common Criteria
Certificate No: P302
Issue date: August 8th, 2017
Many businesses and government institutions require formal assurance that the data security solutions they deploy meet their information assurance requirements. Common Criteria is an internationally recognized scheme for technology products, providing formal proof that security functionality within the solutions has been independently tested and verified to meet levels of assurance against government-backed security standards.
By benchmarking our technology against this independent, internationally recognized certification, our customers and partners can be assured that they are investing in highly resilient data security technology that has been designed to deliver protection to their organization, their staff, and the information they share.
FIPS 140-2
- #2937 (January 26th, 2017)
- #2936 (January 26th, 2017)
- #2606 (August 26th, 2016)
- #2605 (August 26th, 2016)
- #1894 (August 27th, 2013)
- #1111 (March 4th, 2009)
Additional certificates are listed on the FIPS 140 Validation page.
Details: Egress Protect client and server software utilizes FIPS validated libraries, permitting FIPS mode operation. The product utilizes FIPS standard AES-256 (FIPS 197) for message encryption and attachment encryption.
Specifically, the current shipping product only utilizes validated cryptography for message and attachment encryption via Microsoft software libraries which have approved FIPS validations. These are Microsoft Cryptographic Modules with FIPS Certificates #2937, #2936, #2606, #2605, and #1894 for libraries bcryptprimitives.dll, ncryptsslp.dll, cng.sys and RSAENH.dll on supported Windows platforms. These libraries provide AES-256 in software and, per Microsoft and Intel, on supported Intel CPUs with AES-NI hardware instructions, AES acceleration and execution in on-chip hardware.
References: Egress Protect uses the following cryptographic libraries:
- Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
- Kernel Mode Cryptographic Primitives Library (cng.sys)
- Enhanced Cryptographic Provider (RSAENH.DLL)
Links to additional security policies are available on the FIPS 140 Validation page.
ISO/IEC 27001:2013
Certificate No: IS 611606
Issue date: July 14th, 2020 (valid until July 13th, 2023)
ISO27001 is the international best practice standard for information security management systems. Egress data centers are all certified to ISO27001 and our London, Sheffield, Boston and Toronto locations are in ISO27001 scope. The initial ISO27001:2013 certification was completed in July 2014 and continues to undergo regular independent audits by the BSI Group, who are accredited by the United Kingdom Accreditation Service (UKAS) as the sole national accreditation body for the United Kingdom.
ISO 9001:2015
Certificate No: FS 724198
Issue date: August 8th, 2020 (valid until August 9th, 2023)
ISO9001 is the international best practice standard for quality management systems. Our London, Sheffield, Boston, and Toronto locations are in ISO9001 scope and independently audited by the BSI Group, who are accredited by the United Kingdom Accreditation Service (UKAS) as the sole national accreditation body for the United Kingdom. UKAS is recognized by government to assess against internationally agreed standards, organizations that provide certification, testing, inspection and calibration services.
Cyber Security Supplier to Government Scheme
Egress Software is currently listed under the formal Cyber Security Supplier to Government Scheme. The scheme is administered by the Department for Business, Innovation and Skills (BIS) and is designed to clearly identify and recognize key suppliers to UK Government.
The Ministerial Government Departments participating in the scheme are listed at: https://www.gov.uk/government/organisations
NATO IACD
NATO Classification: NATO Restricted
Issue date: July 16th, 2014
Details: The NATO Information Assurance Product Catalogue (NIAPC) provides NATO nations, and NATO civil and military bodies with a catalogue of Information Assurance (IA) products, Protection Profiles and Packages that are in use or available for procurement to meet operational requirements.
Pan Government Accreditation (PGA)
Certificate No: G230.001 IL2
Issue date: August 15th, 2014
Infrastructure and services are increasingly shared by multiple Government Departments as a way of reducing costs. The accreditation of these systems can be complex, since different departments will have different threat profiles and risk appetites. The Pan Government Accreditation (PGA) service is provided by CESG to manage the combined risks efficiently on behalf of all public sector organizations involved. Egress Protect Software as a Service (SaaS) achieved full PGA accreditation in August 2014, making it suitable as a fully managed service for OFFICIAL electronic data sharing across UK Government and the wider supply chain. Note: Whilst the Certificate states that the Switch "service only supports HMG customers" this is in the context of Switch being authorized for sales on the CloudStore (G-Cloud).
Cyber Essentials Plus Certification
Certificate No.: IASME-CEP-009703
Issue date: 8th June 2022
The Cyber Essentials scheme has been developed by Government and industry to fulfil two functions. It provides a clear statement of the basic controls all organizations should implement to mitigate the risk from common internet based threats, within the context of the Government’s 10 Steps to Cyber Security. And through the Assurance Framework it offers a mechanism for organizations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions.
Under the Cyber Assurance Framework, Egress Software Technologies has been assessed against the Cyber Essentials Scheme Test Specification and formally certified to the Cyber Essentials PLUS level.
Skyhigh CloudTrust
Egress Protect has been awarded the highest level Skyhigh CloudTrust™ rating of Enterprise-Ready. Skyhigh Enterprise-Ready cloud services fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.
The Skyhigh CloudTrust™ Rating provides an objective and comprehensive evaluation of a service's security controls and enterprise readiness based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Because Skyhigh produces the most extensive, current, and credible trust ratings for cloud services, enterprises rely on the Skyhigh CloudTrust Rating to inform both decisions and policy pertaining to the use of cloud services in their environment.
Privacy Shield Framework
We participate in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and have self-certified to the U.S. Department of Commerce our adherence to the Privacy Shield Principles for all personal information received from countries in the European Economic Area, Switzerland, and the United Kingdom in reliance on the Privacy Shield. To learn more about Privacy Shield, visit the Privacy Shield website at www.privacyshield.gov/list.
International Privacy Verification (IPV) program
Whilst the Court of Justice of the European Union (CJEU) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) ruled the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks invalid in the summer of 2020, we remain committed to the Privacy Shield Principles. In recognition of our continued commitment, in October 2020 we self-certified with the International Privacy Verification program (IPV). The IPV’s assessment criteria are aligned with those of the Privacy Shield and therefore by certifying with the IPV we are able to continue to demonstrate our compliance with the core Privacy Shield Principles in relation to the protection of personal data transferred outside of the UK and EU.
SOC 2 Type 2
Latest annual report issue date: 25th November 2021
An independent audit report across our Egress Platform, on the suitability of the design of its controls relevant to security, availability and confidentiality. Conducted in accordance with the attestation standards established by the AICPA, all Egress sites were in scope of this assessment, where – after all testing procedures – our service commitments and system requirements were assured to have been achieved.
PCI DSS
Digital River, a Level 1 PCI DSS-compliant merchant, powers our online eCommerce platform. Additional information on PCI standards is available at: https://www.pcisecuritystandards.org
NHS Digital - Data Security and Protection Toolkit
Egress exceeds the NHS Digital standards requirements, as determined by their Data Security and Protection Toolkit.
This Toolkit allows organizations to measure their performance against the National Data Guardian’s 10 data security standards. Use of the Toolkit is mandatory: all organizations that have access to NHS patient data and systems must use it to provide assurance that they are practicing good data security and that personal information is handled correctly.