“Using Signicat for authentication and/or e-signature gives your business security benefits.”
– Harald Stendal, CISO, Signicat
The eID and eSignature services are delivered as Software-as-a-Service (SaaS).
In general, using Signicat for authentication and/or e-signature should give security benefits. These functions are our core business, and we have a great number of customers with high security requirements. This means that making these services secure is a primary concern for us, and it makes us focus on security in the development and operations of the services. We do believe that we have good security, and we try to continuously improve it.
Information security management
Signicat's security organization includes an Information Security Management Board (ISMB), which includes top-level management from all divisions of Signicat, and the Chief Information Security Officer (CISO). Signicat conducts an annual information security audit, performed by KPMG. Signicat also conducts yearly penetration testing, performed by FortConsult.
When processing personal data for the customer's users, Signicat will act as a data processor according to European data protection law.
Personal data collection
In Denmark, Signicat will, on behalf of the customer, collect CPR numbers in order to cache PID-CPR relations for up to 3 months, and only with the user's express consent. The collected PID-CPR information will only be used for identification in the customer's own service. Signicat does not collect any other personal data from the end users.
Personal data storage and processing
In implementing signature services as described above, Signicat will receive documents for signing from the customer which may or may not contain personal data. For these data, the customer is responsible for informing the user and collecting consent where necessary. Signicat will then produce e-signatures on the documents. The documents and the e-signatures will be stored in Signicat’s system only as long as necessary to implement the agreed-upon services.
Signicat may store personal data in technical logs to support the security and stability of the service. Access to these logs is restricted to the authorized persons who need access to secure the stability and integrity of the system.
Personal data security
Signicat secures personal data through strong logical and physical access controls. All personal data are encrypted in transport, as described below. Signicat is currently implementing encryption of data-at-rest for confidential personal data.
All data communication between customer infrastructure and Signicat infrastructure is via web services. The authenticity, integrity and confidentiality of the communication are secured using all of the following measures:
- Enforced two-way SSL, with client authentication. Customer has its own client certificate.
- IP filtering. Only the customer's IPs can make web service calls to the customer's service.
- Username and password (message level). Customer has its own username and password.
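The three measures above combined into one server-side check, as an added example (not Signicat's code). It assumes the TLS layer has already validated the client certificate chain and passes on the certificate bytes, and that certificate, source IP and credentials must all belong to the same customer record; all names, addresses and credentials are constructed.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

def cert_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass(frozen=True)
class Customer:
    cert_sha256: str   # pinned fingerprint of the customer's client certificate
    networks: tuple    # source networks allowed to call this customer's service
    username: str
    salt: bytes
    pw_hash: bytes

def make_customer(cert_der, cidrs, username, password, salt):
    nets = tuple(ipaddress.ip_network(c) for c in cidrs)
    return Customer(cert_fingerprint(cert_der), nets, username, salt,
                    password_hash(password, salt))

# Constructed sample records; the certificate bytes are stand-ins, not real DER.
CUSTOMERS = {
    "acme": make_customer(b"acme-cert", ["203.0.113.0/28"], "acme-ws", "s3cret-A", b"salt-a"),
    "bolt": make_customer(b"bolt-cert", ["198.51.100.7/32"], "bolt-ws", "s3cret-B", b"salt-b"),
}

def authorize(cert_der, source_ip, username, password):
    """Return (customer_id, None) on success or (None, failed_layer) for logging."""
    if cert_der is None:                      # no client certificate presented
        return None, "client_cert"
    fp = cert_fingerprint(cert_der)
    match = [cid for cid, c in CUSTOMERS.items()
             if hmac.compare_digest(c.cert_sha256, fp)]
    if not match:
        return None, "client_cert"
    cid, cust = match[0], CUSTOMERS[match[0]]
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in cust.networks):
        return None, "ip_filter"
    # Credentials are checked against the record selected by the certificate.
    user_ok = hmac.compare_digest(username.encode(), cust.username.encode())
    pw_ok = hmac.compare_digest(password_hash(password, cust.salt), cust.pw_hash)
    if not (user_ok and pw_ok):
        return None, "credentials"
    return cid, None
```

Returning the failed layer lets the caller log which control rejected a request without revealing it to the client.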
Signicat does not use the data the customer sends to Signicat for any purpose other than the agreed-upon services. Only authorized persons with an explicit need have access to the data. All access to data is protected with personal accounts, and logged.
Business Continuity Management
To guarantee service delivery and availability, Signicat has a full HA configuration with fail-over running at two different sites, 4 km apart, on separate power grids and Internet access points. See also the DRP document for a description of the HA solution. Backup (application + data) is taken every day and stored off site, under the same security requirements as live data.
Physical and logical access control
Security requirements for physical and logical access control in Signicat’s operations centre are described in Security requirements.
Secure key management is a central part of Signicat's operations. We use a key management system which gives security benefits through fine-grained access control, audit logging and encrypted storage. For keys with special security requirements, we use Hardware Security Modules.
Protocol and API security
Signicat’s eID API is based on the SAML protocol, which has security “built in”. The eSignature services are based on Web Services (REST and SOAP) and are protected by SSL with client authentication, username/passwords and IP filtering.
- Annual information security audit, performed by KPMG.
- ISO 27001 Certified
- Fail-over running at two different sites with 4 kilometers between them – on separate power grids and Internet access points