Signicat is an electronic identity services provider who enables connection and interaction between organizations and their customers through verified digital identities. Signicat is a private company registered in Norway with organization number 989 584 022 and its registered main office located at Beddingen 16, 7042 Trondheim, Norway. Please direct any questions or requests to firstname.lastname@example.org or the channels provided at www.signicat.com.
Please refer to the product-specific descriptions below that set out any deviations from these main principles or for further details on our processing or collection of personal data for each product.
Please note that Signicat acts as a processor for most of the personal data we process, whereas Signicat's customer is the controller. Signicat has signed data processing agreements with customers acting as controllers to secure your privacy. In cases where you, as an end user, have questions about how personal data is processed, the controller must be contacted.
# Signicat Identity Verification
The Signicat Identity Verification product family consists of the following products: Signicat Assure API, Signicat Assure over SAML/OIDC and Signicat Paper.
In all Identity Verification-related products, Signicat acts as a data processor on behalf of our customer (company). End users are managed by the merchant company that acts as a data controller. Signicat does not store any user data permanently. GDPR-related information is kept during the identity assurance session and then deleted.
In order to be able to resolve issues that can arise after the identification is performed, necessary logs information will be kept for up to 60 days.
# Purpose and processing
The controllers and responsible entities for such content are Signicat's respective customers. As the data processor, Signicat signs a data processor agreement with the client as data controller. The data processor agreement establishes the framework for Signicat’s personal data processing activities. The specific security measures and deletion deadline for processing will be established in each individual data processor agreement.
The purpose of Identity Verification transactions is to perform Know Your Customer (KYC) and to perform Customer Due Diligence on behalf of Signicat Customers. This is done by identifying natural or legal persons using available electronic ID methods or electronic Identity Document Verification methods, Facematch and Liveness detection, as well as relevant registries to verify addresses or check if the subject is listed as a Politically Exposed Person or is on a sanctions list.
The collected information will be obtained by Signicat’s customer, and will be deleted from Signicat's systems after the default (maximum) retention period of 30 days, or as defined by the controller. The Controller can delete the collected information in Signicat's systems at their own discretion at any point before the default 30 day retention period.
# Categories of data subjects
End users of the Controller: End users of the Controller's solutions or Processor's solutions used by Controller
During the Identity Verification processing some Personally Identifiable Information (PII) related to Data Subjects will be processed to perform Know Your Customer (KYC) and Customer Due Diligence.
The following types of personal data may be processed for end users of the controller:
- Account number
- Birth Location
- Client meta information
- Date of birth
- Device ID
- Device type
- Digital certificate number
- Email address
- Identity document
- Information contained in provided Identity documents
- IP address
- Mobile phone number
- National ID
- PEP/Sanctions status
- Physical address
- Picture or video from optical capture of Identity document
- Picture or video from selfie during face match and liveness detection session
- Portrait from Identity Document
- Sound from video based document capture and facematch/liveness