Skip to main content
About Signicat

Signicat Identity Validation Privacy Statement

At Signicat, we value your privacy. The general privacy and cookie policy on this page, as well as the product privacy statements linked below, describe which personal data Signicat collects from you, how Signicat processes such personal data, and why Signicat collects the personal data in connection with Signicat's provision of products.

Signicat is an electronic identity services provider who enables connection and interaction between organizations and their customers through verified digital identities. Signicat is a private company registered in Norway with organization number 989 584 022 and its registered main office located at Beddingen 16, 7042 Trondheim, Norway. Please direct any questions or requests to or the channels provided at

Please refer to the product-specific descriptions below that set out any deviations from these main principles or for further details on our processing or collection of personal data for each product.

Please note that Signicat acts as a processor for most of the personal data we process, whereas Signicat's customer is the controller. Signicat has signed data processing agreements with customers acting as controllers to secure your privacy. In cases where you, as an end user, have questions about how personal data is processed, the controller must be contacted.

Signicat Identity Validation services

The Signicat Identity Validation services product family consists of the following products: Person Information services, Person Monitoring services, Organization Information services and Organization Monitoring services.

When Signicat retrieves and, if applicable, stores data from the external source, it acts as a data processor on behalf of our customer (company). Signicat’s customer is the data controller.

This responsibility is regulated by an agreement, including a data processing agreement (DPA), between Signicat and its customer. End users are managed by the merchant company that acts as a data controller. Signicat does not store any user data permanently.

Purpose and processing

The controllers and responsible entities for such content are Signicat's respective customers. As the data processor, Signicat signs a data processor agreement with the client as data controller. The data processor agreement establishes the framework for Signicat’s personal data processing activities. The specific security measures and deletion deadline for processing will be established in each individual data processor agreement.

The purpose of Identity validation is to perform anti-money laundering and attribute validation services. These services can retrieve or periodically monitor person or company information from central registries, determine roles and signing rights, and check details against PEP/sanction lists, providing assurance as to whether the party involved will fulfil their obligations.

With Person Information services and Organization Information services, in case data is needed by Signicat’s customer for an isolated event, data is retrieved from an external source and passes through Signicat’s systems, but is not stored by Signicat other than for temporary operational efficiency purposes (known as caching).

With Person Monitoring services and Organization Monitoring services, in case Signicat is asked to monitor an external source for changes (e.g. address changes), Signicat stores the personal information which it was asked to monitor, so that Signicat can determine if information is changed (by comparing current information from the external source with data it previously retrieved). In case of a detected change, Signicat will notify the customer about the change.

Signicat’s customer will decide how long data is retained by Signicat for monitoring purposes. Signicat’s customer can add and remove persons from Signicat’s monitoring services at any time.

Categories of data subjects

End users of the Controller: End users of the Controller's solutions or Processor's solutions used by Controller

The following types of personal data may be processed for end users of the controller:

  • Names
  • Identity numbers
  • Date of birth
  • Date of death
  • Gender
  • Addresses
  • Nationality
  • Compliance/risk rating information
  • Credit rating information
  • Roles in an organization
  • Organizational ownership details

Data is retrieved from external sources (public or commercial data registers) based on 'search keys' as defined by Signicat’s customer. An example is address information that is retrieved from a national population register based on a national identity number.