“Using Signicat for authentication and/or e-signature gives your business security benefits.”
– Harald Stendal, CISO, Signicat
The eID and eSignature services are delivered as Software-as-a-Service (SaaS).
In general, using Signicat for authentication and/or e-signature should give security benefits. These functions are our core business, and we have a great number of customers with high security requirements. This means that making these services secure is a primary concern for us, and it makes us focus on security in the development and operations of the services. We believe that we have good security, and try to continuously improve it.
Information security management
Signicat’s security organization includes an Information Security Management Board (ISMB) which includes top-level management from all divisions of Signicat, as well as the Chief Information Security Officer (CISO). Signicat conducts an annual information security audit, performed by KPMG. Signicat also conducts yearly penetration testing, performed by FortConsult.
When processing personal data for the customers’ users, Signicat will act as a data processor according to European data protection law.
Personal data collection
In Denmark, Signicat will, on behalf of customers, collect CPR numbers for caching PID-CPR relations for up to 3 months, only with the users’ express consent. The collected PID-CPR information will only be used for identification in the customers’ own services. Signicat does not collect any other personal data from the end users.
Personal data storage and processing
In implementing signature services as described above, Signicat will receive documents for signing from the customers, which may or may not contain personal data. For this data, the customer is responsible for informing the user and collecting consent where necessary. Signicat will then produce e-signatures on the documents. The documents and the e-signatures will be stored in Signicat’s system only as long as necessary to implement the agreed-upon services.
Signicat may store personal data in technical logs to support the security and stability of the service. The access to these logs is restricted to the authorized persons who need access to secure the stability and integrity of the system.
Personal data security
Signicat secures personal data through strong logical and physical access controls. All personal data is encrypted in transport, as described below. Signicat currently uses encryption of data-at-rest for confidential personal data.
All data communication between customer infrastructure and Signicat infrastructure is via web services. The authenticity, integrity and confidentiality of the communication are secured using all of the following measures:
- Enforced two-way SSL, with client authentication. Customer has their own client certificate.
- IP filtering. Only the customer’s IP addresses can make web service calls to the customer’s service.
- Username and password (message level). Customer has their own username and password.
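The following is an added example, not Signicat's code: a minimal sketch of how a web service can require all three measures above for the same customer, with two-way SSL expressed as a TLS context that makes the client certificate mandatory. The customer record, network range, names and password are constructed for illustration, and binding the certificate name and allowed networks to the username is an assumption of this sketch.

```python
import hashlib
import hmac
import ipaddress
import ssl

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample customer record; every value here is illustrative.
CUSTOMERS = {
    "acme-ws": {
        "cert_cn": "acme-client",
        "networks": [ipaddress.ip_network("203.0.113.0/28")],
        "salt": b"constructed-salt",
        "pw_hash": _pw_hash("constructed-password", b"constructed-salt"),
    }
}

def build_server_context(ca_file=None, cert_file=None, key_file=None):
    """TLS context that rejects any client without a trusted certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # client certificate is mandatory
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # CA issuing client certs
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx

def _common_name(peer_cert):
    # peer_cert has the shape returned by ssl.SSLSocket.getpeercert()
    for rdn in (peer_cert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def authorize(peer_ip, peer_cert, username, password):
    """Return (allowed, reason). The reason is for server logs only."""
    customer = CUSTOMERS.get(username)
    if customer is None:
        return False, "unknown user"
    if _common_name(peer_cert) != customer["cert_cn"]:
        return False, "client certificate does not match customer"
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in customer["networks"]):
        return False, "source IP not allowlisted"
    supplied = _pw_hash(password, customer["salt"])
    if not hmac.compare_digest(supplied, customer["pw_hash"]):
        return False, "bad password"
    return True, "ok"
```

Because each check is tied to the same customer record, a valid password presented with another customer's certificate, or from an address outside that customer's range, is still refused.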
Signicat does not use the data the customer sends to Signicat for any other purpose than the agreed-upon services. Only authorized persons with explicit need have access to the data. All access to data is protected with personal accounts, and logged.
Business Continuity Management
To guarantee service delivery and availability, Signicat has a full high-availability (HA) configuration with fail-over running at two different sites 4 km apart, on separate power grids and Internet access points. See also the DRP document for a description of the HA solution. Backups (application + data) are taken every day and stored off-site, under the same security requirements as live data.
Physical and logical access control
Security requirements for physical and logical access control in Signicat’s operations center are described in Security requirements.
Secure key management is a central part of Signicat’s operations. We use a key management system which gives security benefits through fine-grained access control, audit logging and encrypted storage. For keys with special security requirements, we use Hardware Security Modules.
Protocol and API security
Signicat’s eID API is based on the SAML protocol, which has security “built in”. The eSignature services are based on Web Services (REST and SOAP), and are protected by SSL with client authentication, username/passwords and IP filtering.
- Annual information security audit, performed by KPMG.
- ISO 27001 Certified
- Fail-over running at two different sites with 4 kilometers between them – on separate power grids and Internet access points