This text is translated from Finnish.
Principles for identification and identity broker
Signicat brokers the following identity methods:
|Identity Broker Service|Level of Assurance|
|Signicat Connect|Substantial (korotettu)|
1) Key information about the service provider
Signicat is a member of the Finnish Trust Network, acting as an identity broker. Signicat offers strong electronic identification services to the public. The principles for strong identification are laid down in Finnish legislation: Laki vahvasta sähköisestä tunnistamisesta ja sähköisistä luottamuspalveluista 533/2016, section 2.2§. http://www.finlex.fi/fi/laki/ajantasa/2009/20090617.
Any online service provider can use Signicat's services as a one-stop shop: one commercial agreement and one technical integration give access to several strong identification methods. Signicat offers all Nordic strong identification methods, including all Finnish TUPAS banks and Mobiilivarmenne.
Signicat AS is headquartered in Norway, with local sales offices in Finland, Sweden, Denmark, the Netherlands and the United Kingdom. Signicat has been operating since 2006 and brokered over 100 million identification transactions in 2016. Signicat has provided its award-winning services to Finnish customers since 2008 and opened a local office in 2013. The Finnish office currently employs three persons. More information can be found at www.signicat.fi.
2) Key information about services and pricing
The central element of Signicat's membership in the Finnish Trust Network is the authentication service (Signicat Connect), used for user identification.
Signicat's identity broker service is easy to integrate: it extends an online service's identification options with a growing number of methods through a single integration and a single agreement.
The authenticating end user does not pay for using Signicat's broker service; instead, Signicat has commercial agreements with the online service providers (webshops, service portals, etc.). Pricing consists of a connection fee (fixed establishment fee), a subscription fee (fixed monthly fee) and transaction fees (based on usage). Signicat passes through the third-party fees of the identity service providers (e.g. TUPAS banks) as described in Finnish legislation: Laki vahvasta sähköisestä tunnistamisesta ja sähköisistä luottamuspalveluista 533/2016, section 12 a 3§. http://www.finlex.fi/fi/laki/ajantasa/2009/20090617.
In addition, Signicat offers services for new user on-boarding (Signicat Assure), electronic signing of documents (Signicat Sign), archiving and preservation of signed documents (Signicat Preserve) and identity management (Signicat Identity).
The Assure service mentioned above does not refer to the initial identification stipulated in Section 17 of the Finnish Act on Strong Electronic Identification and Electronic Signatures.
More information about Signicat services: https://www.signicat.com/products/.
3) Key information about applicable terms and conditions
Signicat follows the Code of Conduct issued by Ficora in its trust network agreements with the identity providers. In its customer agreements Signicat complies with the privacy legislation (Henkilötietolaki), the personal data management requirements of the identification legislation (Tunnistuslaki) and the data protection regulation (Tietosuoja-asetus).
In the identification process Signicat acts as a Data Processor as defined in the EU data protection regulation. Signicat transmits the personal identity code (Henkilötunnus, HETU), first name, last name and date of birth (derived from the HETU) in accordance with Ficora regulation 72.
The identity service provider (e.g. a TUPAS bank) returns the information listed above to Signicat. Signicat forwards the received identity information to the online service provider as is. Signicat does not use the personal data for any other purpose.
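As an added example (not Signicat's code), the following Python shows what "date of birth derived from the HETU" involves in practice: the HETU's century marker, date digits and modulo-31 checksum are validated, the birthdate is computed from it, and only the attributes listed above are passed on, with anything else in the IdP response dropped. The response dictionary and its field names are constructed for the example; 131052-308T is a commonly used example code, not a real person's identifier.

```python
import datetime
import re

# Century markers of the Finnish personal identity code (henkilötunnus, HETU).
# "+" = 1800s, "-" = 1900s, "A" = 2000s; the markers Y, X, W, V, U (1900s) and
# B, C, D, E, F (2000s) were added in 2023 when the original markers began to
# run out of individual numbers.
CENTURY = {"+": 1800}
CENTURY.update({c: 1900 for c in "-YXWVU"})
CENTURY.update({c: 2000 for c in "ABCDEF"})

# Checksum alphabet: the nine digits DDMMYYZZZ taken modulo 31 index this string.
# G, I, O, Q and Z are deliberately absent to avoid confusion with digits.
CHECK_CHARS = "0123456789ABCDEFHJKLMNPRSTUVWXY"

_HETU_RE = re.compile(r"(\d{2})(\d{2})(\d{2})([+\-A-FU-Y])(\d{3})([0-9A-Z])")


def parse_hetu(hetu: str) -> datetime.date:
    """Validate a HETU and return the date of birth it encodes.

    Raises ValueError for anything malformed, so a birthdate is never derived
    from an identifier that fails the code's own integrity check.
    """
    m = _HETU_RE.fullmatch(hetu.strip().upper())
    if not m:
        raise ValueError("malformed HETU")
    dd, mm, yy, marker, indiv, check = m.groups()
    if CHECK_CHARS[int(dd + mm + yy + indiv) % 31] != check:
        raise ValueError("HETU checksum mismatch")
    # Individual numbers 002-899 are permanent; 900-999 are temporary codes.
    if int(indiv) < 2:
        raise ValueError("individual number out of range")
    try:
        return datetime.date(CENTURY[marker] + int(yy), int(mm), int(dd))
    except ValueError as exc:
        raise ValueError("HETU encodes an impossible calendar date") from exc


def is_valid_hetu(hetu: str) -> bool:
    try:
        parse_hetu(hetu)
        return True
    except ValueError:
        return False


# Attributes the broker passes through (the set named on this page); everything
# else in the IdP response is dropped. The key names are assumptions.
FORWARDED = ("hetu", "first_name", "last_name")


def forward_attributes(idp_response: dict) -> dict:
    """Build the attribute set handed to the online service provider.

    The three identifying attributes are passed through unchanged and the
    birthdate is derived from the HETU rather than copied from the payload,
    which keeps the two consistent by construction.
    """
    missing = [k for k in FORWARDED if k not in idp_response]
    if missing:
        raise ValueError(f"IdP response lacks {missing}")
    out = {k: idp_response[k] for k in FORWARDED}
    out["birthdate"] = parse_hetu(out["hetu"]).isoformat()
    return out


if __name__ == "__main__":
    # Constructed sample response with an extra field that must not be forwarded.
    sample = {"hetu": "131052-308T", "first_name": "Testi", "last_name": "Henkilö",
              "session_id": "abc123"}
    print(forward_attributes(sample))
```

The checksum is independent of the century marker, so a code with one of the 2023 markers (for example B instead of A) validates with the same check character; the example handles both.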
Signicat stores transaction information about identifications in technical logs to support the security and stability of the service. These technical logs are retained in accordance with section 24 of the Finnish Act on Strong Electronic Identification and Electronic Signatures.
The personal data used in the identification process is handled in accordance with the applicable regulation, such as the Finnish Personal Data Act, the EU General Data Protection Regulation, the Finnish Act on Strong Electronic Identification and Electronic Signatures and the regulation on the Finnish Trust Network.
The security of personal data handling is guaranteed in the following ways:
All data communication between the customer's infrastructure and Signicat's infrastructure goes through web services. The authenticity, integrity and confidentiality of the communication are secured using all of the following measures:
- Enforced two-way SSL/TLS (mutual TLS) with client authentication; each customer has its own client certificate.
- IP filtering: only the customer's own IP addresses can perform web service calls to the customer's service.
- Username and password at message level; each customer has its own username and password.
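As an added example (not Signicat's code), the following Python sketch shows how a broker-side policy can enforce the three layers listed above and bind them to one customer record: the client certificate fingerprint selects the customer, the source address must fall inside that customer's allow list, and the message-level username and password must belong to that same customer. The customer names, fingerprints, networks and credentials are constructed sample data, and the fingerprint is assumed to be handed over by the TLS terminator after it has verified the client certificate.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass


@dataclass
class Customer:
    """One customer's credentials, as the page describes them: its own client
    certificate, its own source addresses and its own username/password."""
    name: str
    cert_sha256: str          # hex SHA-256 fingerprint of the customer's client certificate
    allowed_networks: list    # CIDR strings the customer may call from
    username: str
    pw_salt: bytes
    pw_hash: bytes            # PBKDF2-HMAC-SHA256 of the password, never the password itself


PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def new_customer(name: str, cert_sha256: str, networks: list, username: str, password: str) -> Customer:
    salt = os.urandom(16)
    return Customer(name, cert_sha256.lower(), list(networks), username, salt, hash_password(password, salt))


def build_registry() -> dict:
    """Constructed sample registry keyed by certificate fingerprint (fingerprints are made up)."""
    customers = [
        new_customer("webshop-a", "aa" * 32, ["203.0.113.0/28"], "webshop-a", "correct horse"),
        new_customer("portal-b", "bb" * 32, ["198.51.100.7/32", "2001:db8::/48"], "portal-b", "battery staple"),
    ]
    return {c.cert_sha256: c for c in customers}


def authorize_call(registry: dict, cert_sha256: str, source_ip: str, username: str, password: str):
    """Return the customer name when all three layers identify the same customer, else None.

    cert_sha256 is the fingerprint of the client certificate the TLS terminator already
    verified against the customer CA (assumption: it is passed to us out of band). The
    certificate selects the customer record; the IP filter and the message-level
    credentials are then checked against that record only, so credentials belonging
    to a different customer cannot be combined with this certificate.
    """
    customer = registry.get(cert_sha256.lower())
    if customer is None:
        return None                                   # certificate not registered
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return None                                   # not a parseable address
    if not any(ip in ipaddress.ip_network(net) for net in customer.allowed_networks):
        return None                                   # IP filtering
    if not hmac.compare_digest(username.encode(), customer.username.encode()):
        return None                                   # wrong account for this certificate
    if not hmac.compare_digest(hash_password(password, customer.pw_salt), customer.pw_hash):
        return None                                   # wrong password (constant-time compare)
    return customer.name


if __name__ == "__main__":
    reg = build_registry()
    print(authorize_call(reg, "aa" * 32, "203.0.113.5", "webshop-a", "correct horse"))   # webshop-a
    print(authorize_call(reg, "aa" * 32, "203.0.113.5", "portal-b", "battery staple"))   # None
```

The point the three bullets do not spell out is the binding: a valid certificate, a valid source address and valid credentials must all resolve to the same customer, otherwise one customer's certificate could be paired with another customer's password.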
Signicat does not use the data the Customer sends to Signicat for any purpose other than the agreed-upon services. Only authorized persons with an explicit need have access to the data. All access to data is protected with personal accounts and logged.
Business Continuity Management
To guarantee service delivery and availability, Signicat has a full HA configuration with fail-over running at two separate sites 4 km apart, on separate power grids and with separate Internet access points. See also the DRP document for a description of the HA solution.
Backups (application and data) are taken daily and stored off site under the same security requirements as live data.
Physical and logical access control
Security requirements for physical and logical access control in Signicat's operations centre are described in the Security Requirements document.
Secure key management is a central part of Signicat's operations. We use a key management system that provides fine-grained access control, audit logging and encrypted storage. For keys with special security requirements, we use Hardware Security Modules (HSMs).
Protocol and API security
Signicat offers the interfaces that Ficora recommends for the Finnish Trust Network:
- SAML2 (Security Assertion Markup Language 2.0)
- OpenID Connect (OIDC)
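As an added example (not Signicat's code), the following Python shows the checks a relying party integrating over OpenID Connect must perform on the ID token that carries the identity attributes described earlier: pin the algorithm, verify the signature, then check issuer, audience, expiry, issue time and the per-login nonce. The example uses HS256 with a shared client secret so it runs offline with the standard library; a production integration would normally verify an RS256 signature against the broker's published JWKS. The issuer URL, client_id, secret and identity claim names are assumptions, and the token is minted locally as constructed test input.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed for this example: the broker's issuer URL and this relying party's
# client_id. Real values come from the broker's OIDC discovery document and the
# customer agreement.
ISSUER = "https://broker.example.test"
CLIENT_ID = "webshop-a"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Issue a token the way a broker would; only used here to produce test input.

    alg="none" produces an unsigned token so the validator's rejection of it can be shown.
    """
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{body}".encode()
    sig = b"" if alg == "none" else hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token(token: str, secret: bytes, expected_nonce: str, now=None, leeway: int = 60) -> dict:
    """Verify an ID token and return its claims; raise ValueError on any failure.

    Order matters: pin the algorithm and check the signature before reading any
    claim, then check iss, aud, exp, iat and the per-login nonce that ties the
    token to the browser session that started the login.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three segments")
    h, b, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":                       # rejects "none" and alg swapping
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("token not issued for this client")
    if int(claims.get("exp", 0)) + leeway < now:
        raise ValueError("token expired")
    if int(claims.get("iat", now)) - leeway > now:
        raise ValueError("token issued in the future")
    if not hmac.compare_digest(str(claims.get("nonce")).encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def is_valid_id_token(token: str, secret: bytes, nonce: str, now=None) -> bool:
    try:
        validate_id_token(token, secret, nonce, now=now)
        return True
    except ValueError:
        return False


# Constructed sample: the identity claim names are assumptions; the broker's
# actual claim names come from its documentation.
SAMPLE_SECRET = b"client-secret-from-customer-agreement"
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1", "nonce": "n-42",
    "iat": 1700000000, "exp": 1700000300,
    "given_name": "Testi", "family_name": "Henkilö", "national_id": "131052-308T",
}

if __name__ == "__main__":
    tok = mint_id_token(SAMPLE_CLAIMS, SAMPLE_SECRET)
    print(validate_id_token(tok, SAMPLE_SECRET, "n-42", now=1700000100)["national_id"])
```

The nonce check is what prevents a captured ID token from being replayed into another session: the relying party generates it per login, stores it in the session, sends it in the authentication request, and accepts a token only if it comes back unchanged.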
Signicat has published its information security principles at: https://www.signicat.com/about/security-information/
If you would like to know what kind of personal information Signicat processes, or what information Signicat has stored about you, please email us at email@example.com.
5) Key partnerships
Signicat cooperates with international ICT enterprises such as Tieto, Accenture, Salesforce and Microsoft. Local partners in the Nordics include Vincit, Nixu, HiQ and Knowit. More information about partnerships: https://www.signicat.com/products/apps-integrations/.
Currently, Basefarm AS is the hosting service provider for Signicat.
6) Conformity assessment as described in legislation (Tunnistuslaki 29§)
Nixu Certification Oy assessed Signicat's services in June 2017. The assessment report was approved by Ficora in September 2017. The conformity assessment is repeated every two years, or sooner if the Connect service changes significantly.
In the context of the Finnish Trust Network, the supervising authority for identity broker services in Finland is Ficora (Finnish Communications Regulatory Authority). More information: