Signicat customers can access our support team via the channels below. If you want to report a technical problem with our systems, call +47 400 03 410 or email firstname.lastname@example.org.
At our developer website you can find more information about:
In general, using Signicat for authentication and/or e-signature should give security benefits. These functions are our core business, and we have a great number of customers with high security requirements. This means that making these services secure is a primary concern for us, and it makes us focus on security in the development and operations of the services. We believe that we have good security, and try to continuously improve it.
Signicat’s security organization includes an Information Security Management Board (ISMB), which comprises top-level management from all divisions of Signicat as well as the Chief Information Security Officer (CISO). Signicat conducts an annual information security audit, performed by KPMG. Signicat also conducts yearly penetration testing, performed by FortConsult.
When processing personal data for the customers’ users, Signicat will act as a data processor according to European data protection law.
In Denmark, Signicat will, on behalf of customers, collect CPR numbers for caching PID-CPR relations for up to 3 months, only with the users’ express consent. The collected PID-CPR information will only be used for identification in the customers’ own services. Signicat does not collect any other personal data from the end users.
In implementing signature services as described above, Signicat will receive documents for signing from the customers, which may or may not contain personal data. For this data, the customer is responsible for informing the user and collecting consent where necessary. Signicat will then produce e-signatures on the documents. The documents and the e-signatures will be stored in Signicat’s system only as long as necessary to implement the agreed-upon services.
Signicat may store personal data in technical logs to support the security and stability of the service. Access to these logs is restricted to the authorized persons who need it to secure the stability and integrity of the system.
Signicat secures personal data through strong logical and physical access controls. All personal data is encrypted in transport, as described below. Signicat currently uses encryption of data-at-rest for confidential personal data.
All data communication between customer infrastructure and Signicat infrastructure is via web services. The authenticity, integrity and confidentiality of the communication are secured using all of the following measures:
Signicat does not use the data the customer sends to Signicat for any purpose other than the agreed-upon services. Only authorized persons with an explicit need have access to the data. All access to data is protected with personal accounts and is logged.
To guarantee service delivery and availability, Signicat has a full high-availability (HA) configuration with fail-over, running at two different sites 4 km apart, on separate power grids and Internet access points. See also the DRP document for a description of the HA solution. Backups (application + data) are taken every day and stored off-site, under the same security requirements as live data.
Security requirements for physical and logical access control in Signicat’s operations center are described in Security requirements.
Secure Key Management is a central part of Signicat’s operations. We use a key management system which gives security benefits through fine-grained access control, audit logging and encrypted storage. For keys with special security requirements, we use Hardware Security Modules.
Signicat’s eID API is based on the SAML protocol, which has security “built in”. The eSignature services are based on Web Services (REST and SOAP), and are protected by SSL with client authentication, usernames and passwords, and IP filtering.