Signicat Assure Privacy Statement

At Signicat, we value your privacy. The main section of this privacy statement describes which personal data Signicat collects from you, how Signicat process such personal data, and why Signicat collects the personal data in connection with Signicat's provision of products.

Signicat is an electronic identity services provider who enables connection and interaction between organizations and their customers through verified digital identities. Signicat is a private company registered in Norway with organization number 989 584 022 and its registered main office at Gryta 2A, 7010 Trondheim Norway. Please direct any questions or requests to or the channels provided for at

Please refer to the product-specific descriptions below that sets out any deviations from these main principles or further details on our processing or collection of personal data for each product.

Please note that Signicat acts as a processor for most of the personal data we process, whereas Signicat's customer is the controller. Signicat has entered into data processing agreements with all such customers that secures your privacy. In cases where you as an end user have questions about processing personal data, the controller must be contacted.

This privacy statement only describes the collection and processing of personal data that Signicat is the controller for, meaning the personal data that Signicat determine why and how we process. The description of the processing of personal data for which Signicat's customers acts as controller can be found in their respective privacy policies.


Signicat Assure

Signicat Assure family of products consists of the following products: Signicat Assure API, Signicat Assure over SAML/OIDC and Signicat Paper. 

In all Assure related products, Signicat act as a data processor on behalf of our customer (company). End users are managed by the merchant company that acts as a data controller. Signicat does not store any user data permanently. GDPR related information is kept during the sign session and then deleted. 

Necessary logs/audit for an Assure session will be kept according to retention policy to be able to resolve issues that can come up after the Identity Verification request is completed.


Purpose and processing

The controllers and responsible entities for such content are Signicat's respective customers. As the data processor, Signicat signs a data processor agreement with the client as data controller. The data processor agreement establishes the frameworks for Signicat`s personal data processing activities. The specific security measures and deletion deadline for processing will be established in each individual data processor agreement.

The purpose of Assure transactions is to perform Know Your Customer and perform Customer Due Diligence on behalf of Signicat Customers. This is done by Identifying natural or legal persons using available electronic ID methods or electronic Identity Document Verification methods, Facematch and Liveness detection and relevant registries to verify Address or check if the subject is listed as a Politically Exposed Person or on sanctions lists.

The collected information will be obtained by the Signicat Customer, and will be deleted from Signicat systems after the default (maximum) retention time of 30 days, or as defined by the controller. The Controller can delete the collected information in Signicat's systems at own discretion at any point before the default 30 days.


Categories of data subjects and personal information being processed

End users of the Controller
End users of the Controller`s solutions or Processor`s solutions used by Controller

During the Assure processing some PII related to Data Subjects will be processed to perform Know Your Customer and Customer Due Dilligence.

The following types of personal data could be processed on end users of the controller:

  • Account number
  • Age
  • Birth Location
  • Client meta information
  • Date of birth
  • Device ID
  • Device type
  • Digital certificate number
  • Email address
  • Gender
  • Height
  • Identity document
  • Information contained in provided Identity documents
  • IP address
  • Mobile phone number
  • Name
  • National ID
  • Nationality
  • PEP/Sanctions status
  • Physical address
  • Picture or video from optical capture of Identity document
  • Picture or video from selfie during face match and liveness detection session
  • Portrait from Identity Document
  • Signature
  • Sound from video based document capture and facematch/liveness
  • TaxID

Get in touch

Want to talk to us about what we do, or need some additional information? Don’t hesitate to get in touch.