EHS Insight Cloud Security

How we maintain cloud security for your sensitive EHS data.

We Make Cloud Security the Top Priority

This page contains information about various standards and regulations, our approach to privacy and security, and reporting deficiencies to us. If you are looking for more information, please click on Learn More to make a request to our team.


ISO 27001 Certified

ISO/IEC 27001 is a compliance standard that specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within an organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. StarTex Software, the company behind EHS Insight, is 100% compliant without exception with each specification for Information Security Management Systems. ISO 27001:2013 and ISO 27017:2015 certificates are available.

SOC 2 and SOC 3 Reports

In 2014, the American Institute of Certified Public Accountants (AICPA) Assurance Services Executive Committee (ASEC) released the revised version of the Trust Services Principles and Criteria (TSP). SOC (Service Organization Controls) is an audit framework for the non-privacy principles of security, availability, processing integrity, and confidentiality. Our hosting provider, AWS, has both SOC 2 and SOC 3 reports. The SOC 3 report is available for download without a nondisclosure agreement. The SOC 3 confirms compliance with the principles of security, availability, processing integrity and confidentiality.

General Data Protection Regulation (GDPR)

On May 25, 2018, a new landmark data protection law called the General Data Protection Regulation (GDPR) came into effect. The GDPR unifies data protection rules across the EU and creates new obligations on the protection and handling of personal data, including security requirements and stronger rights for individuals with regard to their personal data. We are committed to complying with the GDPR and supporting our partners and customers in their efforts to comply with the GDPR. See more at this link.

EU-U.S. Privacy Shield Framework

EHS Insight complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. StarTex Software has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit

Cloud Security

Some people fear the cloud is risky, with hackers grabbing data day and night. To the uninformed, it seems obvious that keeping data safe requires it be kept in a self-controlled environment. To some that means on-site and away from the cloud. But is there any truth to this idea?

Not much, really. While it's theoretically possible to hack into the cloud, data stored in on-site servers is exposed to the same risks as data stored in the cloud. The simple truth is that the cloud has proven itself to be a reliable and secure choice for even the largest businesses, with more than half of enterprise companies noting that cloud infrastructure is a more secure data solution than legacy systems.

EHS Insight delivers market-leading EHS software capabilities in a secure, trustworthy manner. Here’s a document that shows how we do it, and here are some highlights:

Secure infrastructure – EHS Insight runs on Amazon Web Services (AWS). The AWS infrastructure puts strong safeguards in place to help protect your privacy. All data is stored in highly secure AWS data centers. AWS manages dozens of compliance programs in its infrastructure, all aimed at helping keep all customers’ data safe. All EHS Insight data is encrypted in transit and at rest. All data storage is located within the USA.

Secure development – EHS Insight is developed in-house, following strict policies and procedures to ensure the application is secure.

Monitoring – With 24x7 operational support and monitoring, EHS Insight data is protected under the watchful eye of security experts, who focus on always knowing exactly what important actions are occurring inside our system as they happen. Significant events are quickly posted to our status page to inform customers.

Multitenancy – The EHS Insight solution’s multitenant platform ensures users only access their own organization’s information. Using unique organization identifiers ensures your data is available only to those who are authorized to access it.
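The isolation described above rests on one rule: every data access is scoped by the organization identifier bound to the caller's session, never by a record id alone. The following is an added illustration, not EHS Insight's code; the `incidents` table, its rows and the `Session` type are constructed for the example, and the unscoped lookup is shown only as the pattern a tenant-scoped design avoids.

```python
# Added example (not EHS Insight's code): tenant-scoped data access.
# Every read is filtered by the organization_id bound to the caller's
# session, so a record id alone never grants access. Table, columns and
# sample rows are constructed for this example.
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Identity established at login; organization_id is never taken from the request."""
    user_id: str
    organization_id: str


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed rows belonging to two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE incidents ("
        " id INTEGER PRIMARY KEY,"
        " organization_id TEXT NOT NULL,"
        " title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO incidents (organization_id, title) VALUES (?, ?)",
        [
            ("org-acme", "Slip in warehouse"),        # id 1
            ("org-acme", "Near miss with forklift"),  # id 2
            ("org-globex", "Chemical spill, lab 2"),  # id 3
        ],
    )
    conn.commit()
    return conn


def list_incidents(conn: sqlite3.Connection, session: Session) -> list[str]:
    """Tenant-scoped listing: the WHERE clause always carries the session's organization."""
    rows = conn.execute(
        "SELECT title FROM incidents WHERE organization_id = ? ORDER BY id",
        (session.organization_id,),
    ).fetchall()
    return [title for (title,) in rows]


def get_incident_unscoped(conn: sqlite3.Connection, incident_id: int):
    """Pattern to avoid: a lookup by id only lets any authenticated user read any tenant's row."""
    row = conn.execute(
        "SELECT title FROM incidents WHERE id = ?", (incident_id,)
    ).fetchone()
    return None if row is None else row[0]


def get_incident(conn: sqlite3.Connection, session: Session, incident_id: int):
    """Hardened lookup: id AND organization must match, so a foreign tenant's id reads as not found."""
    row = conn.execute(
        "SELECT title FROM incidents WHERE id = ? AND organization_id = ?",
        (incident_id, session.organization_id),
    ).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    db = build_db()
    acme = Session("alice", "org-acme")
    globex = Session("bob", "org-globex")
    print(list_incidents(db, acme))         # only org-acme rows
    print(get_incident(db, globex, 1))      # None: row 1 belongs to org-acme
    print(get_incident_unscoped(db, 1))     # leaks across tenants
```

The point of the design is that the organization id comes from the authenticated session and is added by the data layer on every query; a test that asks for another tenant's record id through `get_incident` and receives "not found" is the check to keep in a regression suite.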

Authentication and encryption – EHS Insight security keeps up with changes occurring on the Internet. For instance, support for older HTTPS protocols and ciphers (TLS 1.0 and DES-CBC3-SHA) was dropped on April 30, 2017. Requiring TLS 1.2 for browser encryption helps us keep our customers’ data safe. As technology continues to advance, so do the threats facing digital security. The EHS Insight native applications use these same technologies. To enhance data security, our customers can enable two-factor authentication (2FA). We handle all encryption so you don't have to worry about it, but you may feel at ease knowing we apply rigorous controls to ensure at least AES-256 is used for any Customer Data stored by us.
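The policy stated above (TLS 1.2 as the floor, DES-CBC3-SHA and other legacy suites retired) can be expressed as a client-side TLS context and as an audit over observed handshakes. The following is an added example, not EHS Insight's code; it uses Python's standard `ssl` module, and the handshake records and client addresses are constructed.

```python
# Added example (not EHS Insight's code): enforce a TLS 1.2+ policy with
# no legacy ciphers, and audit constructed handshake records against it.
import ssl

MIN_VERSION = ssl.TLSVersion.TLSv1_2
ALLOWED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
# Substrings that identify cipher suites this policy retires
# (3DES such as DES-CBC3-SHA, RC4, export grades, unauthenticated suites, MD5 MACs).
WEAK_CIPHER_MARKERS = ("DES-CBC3", "3DES", "RC4", "EXPORT", "NULL", "MD5")


def make_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and offers only modern AEAD suites."""
    ctx = ssl.create_default_context()          # certificate verification stays on
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def offered_ciphers(ctx: ssl.SSLContext) -> list[str]:
    """Names of the cipher suites the context would offer in a ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names: list[str]) -> list[str]:
    """Return the subset of cipher names that match a retired-cipher marker."""
    return [n for n in names if any(m in n for m in WEAK_CIPHER_MARKERS)]


def audit_handshakes(records: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Check (client, protocol, cipher) records; return (client, reason) for each policy violation."""
    findings = []
    for client, proto, cipher in records:
        reasons = []
        if proto not in ALLOWED_PROTOCOLS:
            reasons.append(f"protocol {proto} below TLS 1.2")
        if weak_ciphers([cipher]):
            reasons.append(f"weak cipher {cipher}")
        if reasons:
            findings.append((client, "; ".join(reasons)))
    return findings


# Constructed handshake records (client address, negotiated protocol, negotiated cipher).
SAMPLE_HANDSHAKES = [
    ("203.0.113.10", "TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),
    ("203.0.113.11", "TLSv1",   "DES-CBC3-SHA"),
    ("203.0.113.12", "TLSv1.2", "DES-CBC3-SHA"),
    ("203.0.113.13", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
]


if __name__ == "__main__":
    ctx = make_client_context()
    print("weak suites offered:", weak_ciphers(offered_ciphers(ctx)))   # expected: []
    for client, reason in audit_handshakes(SAMPLE_HANDSHAKES):
        print(f"REJECT {client}: {reason}")
```

Two of the four constructed records are rejected: the TLS 1.0 session fails on both protocol and cipher, and the TLS 1.2 session that still negotiated DES-CBC3-SHA fails on cipher alone, which is why a protocol floor on its own is not a complete policy.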

Network access control – EHS Insight leverages several security technologies and services to increase privacy and control network access. Although the cloud is an open environment, we recognize that one of the best ways to protect data is to keep it isolated. We host our customer data in an environment that is completely secure and uses advanced technology to prevent all unauthorized access. Multiple layers of security provide a significant roadblock to hackers.

Data privacy – Every organization must protect data. Some have different requirements than others. Many organizations must comply with the General Data Protection Regulation (GDPR), an EU regulation that expands the protection of personal data of EU citizens. GDPR also expands the obligations of organizations who collect or process that data. The goals of the GDPR are to increase transparency and fairness in the handling of individuals’ personal information. Personal data is any information relating to an identifiable individual. To learn more about the steps EHS Insight has taken to meet the data transparency goals of the GDPR, visit our page dedicated to the topic. This continues our practice of protecting your data and providing for the legal and secure handling of your organization’s critical business information. You may review our public security policy here.

In summary, cloud security at EHS Insight is the highest priority. As an EHS Insight customer, you will benefit from secure coding practices, operations policies, data center design, and network architecture all built to meet the requirements of the most security-sensitive organizations.


Responsible Disclosure


We take security very seriously. If you find a security vulnerability, we ask you to responsibly disclose the details to us.

  • Reach out to or use our vulnerability report page, if you have found any potential vulnerability in our products meeting all the below mentioned criteria. You can expect a confirmation from our security team in about 48 working hours of submission.
  • Please refrain from doing security testing in existing customers' production accounts.
  • When conducting security testing, make sure not to violate our privacy policies, modify/delete user data, disrupt production servers, or to degrade user experience.
  • You’re allowed to disclose the discovered vulnerabilities only to or by using our vulnerability report page. Documenting any potential In/Out of scope vulnerability to the public is against our responsible disclosure policy.
  • If your finding is valid and unique, you may be eligible for a reward.

Out of Scope Vulnerabilities

  • Clickjacking / UI Redressing attack
  • Self-XSS and XSS that affects only outdated browsers
  • Use of components with known vulnerabilities without a relevant proof of concept of the attack
  • Host header and banner grabbing issues
  • Denial of Service attacks and Distributed Denial of Service attacks
  • Automated tool scan reports (for example web, SSL/TLS or Nmap scan results)
  • Missing HTTP security headers and cookie flags on insensitive cookies
  • Rate limiting, brute force attack
  • Login/logout/low-business impact CSRF
  • Unrestricted file upload
  • Open redirects - unless they can be used for actively stealing tokens
  • Formula/CSV Injection
  • Vulnerabilities that require physical access to the victim's machine
  • User enumeration (user email, user ID, etc.)
  • Phishing / Spam (including issues related to SPF/DKIM/DMARC)
  • Missing security best practices
  • Vulnerabilities found in third party services
  • Session fixation and session timeout


The Best Value in EHS Software Available Today

Save Time

Deliver a world class solution in days or weeks instead of months or years. This is a game changer. Gone are the days with half your budget tied up in just getting the solution to work. EHS Insight enables you to change as little as you like, saving money for other investments.

Save Money

The other guys make you pay for what should be out-of-the-box. Just getting the solution to run costs you a lot of money. EHS Insight can be up and running for little or no implementation fees. That changes your ability to control costs. Put your money to work as smart as possible.

Mobile First

Our solution works on mobile with no extra work. Available on the most popular mobile application stores, you can install the app and be up and running in minutes. All you need is an account on EHS Insight and you are good to go.


The Best Value in EHS Software Available Today

Less Expensive

Spend less than you think to get a comprehensive solution.

Quicker Setup

Be up and running in much less time thanks to standard templates.

Fantastic Support

Get the help you need during implementation and after.

EHS Insight is helping other companies improve.

Modec, Strike, 9 Energy, Babcock and Wilcox, and Ensign use EHS Insight.

"We chose EHS Insight as the tool for organizing our Incident Management processes due to its customizable nature. The forms and workflows were designed to have the look and feel of the processes we had already established."

-Tim Callais



"The key for me has been the transparency provided because it helps raise awareness and accountability. Our users report that the system is easy to use and that makes a huge difference."

-Eric Pfeiffer



"Best decision this company has ever made. Everything HSE related is at my fingertips 24/7. This software has allowed me to streamline my processes so that I can put effort into improving real life actions and not have to spend hours in front of a computer screen."

-Matt Merriott



Speak to a sales associate to learn more.