This text is translated from Finnish. The original can be viewed here.
Principles for identification and identity broker
Signicat acts as an intermediary for the following identity methods:

| Identification method | Level of Assurance |
|---|---|
| Finnish online bank authentication | Substantial (korotettu) |

| Identity Broker Service | Level of Assurance |
|---|---|
| Signicat Connect | Substantial (korotettu) |
1) Key information about the service provider
Signicat is a member of the Finnish Trust Network, acting as an identity broker. Signicat offers strong electronic identification services for the public. The principles for strong identification have been established in Finnish legislation: Laki vahvasta sähköisestä tunnistamisesta ja sähköisistä luottamuspalveluista 533/2016, section 2.2§: http://www.finlex.fi/fi/laki/ajantasa/2009/20090617.
Any online service provider can take advantage of Signicat’s services as a one-stop shop: one commercial agreement and technical integration provides access to several strong identification methods. Signicat offers strong identification methods, including all Finnish TUPAS banks and Mobiilivarmenne.
Signicat AS is headquartered in Norway, with local sales offices in Finland, Sweden, Denmark, the Netherlands, and the United Kingdom. Signicat has been operating since 2006 and brokered over 100 million identification transactions in 2016. Signicat has provided its award-winning services to Finnish customers since 2008, and the company opened a local office in Finland in 2013. More information can be found at www.signicat.fi.
2) Key information about services and pricing
The central part of Signicat’s membership in the Finnish Trust Network is its authentication service (Signicat Connect), used for end-user identification.
Signicat’s identity broker service is easy to integrate: it extends an online service provider’s identification options with a growing number of methods through a single point of integration.
An authenticating end-user does not pay for using Signicat’s broker service; instead, Signicat has commercial agreements with the online service providers (online shops, service portals, etc.). Pricing consists of a connection fee (fixed establishment fee), a subscription fee (fixed monthly fee) and transaction fees (variable, based on usage). Signicat passes through the third-party fees of the identity service providers (e.g. TUPAS banks) as described in Finnish legislation: Laki vahvasta sähköisestä tunnistamisesta ja sähköisistä luottamuspalveluista 533/2016, section 12 a 3§: http://www.finlex.fi/fi/laki/ajantasa/2009/20090617.
In addition to its authentication service, Signicat offers services for new user onboarding (Signicat Assure), electronic signing of documents (Signicat Sign), signed documents archiving/preserving (Signicat Preserve) and identity management (Signicat Identity).
The above mentioned Assure service does not refer to the initial identification, which is stipulated in Section 17 in The Finnish Act on Strong Electronic Identification and Electronic Signatures.
More information about Signicat services can be found at https://www.signicat.com/products/.
3) Key information about applicable terms and conditions
Signicat follows the code of conduct provided by Traficom in the trust network agreements with the identity providers. In its customer agreements, Signicat complies with the privacy legislation (Henkilötietolaki), the personal information management requirements of the identification legislation (Tunnistuslaki), and the data protection regulation (Tietosuoja-asetus).
In identification processes, Signicat acts as Data Processor according to EU data protection regulations. Signicat transmits the Personal ID number (Henkilötunnus, HETU), first name, last name and date of birth (extracted from HETU) according to Ficora’s decree 72.
The Identity Service Provider (such as a TUPAS bank) returns the information mentioned above to Signicat. Signicat forwards the received identity data to the online service provider unchanged. Signicat does not use personal data for any other purpose.
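As an added illustration of the HETU handling described above (example code, not Signicat's own): a strict validator that checks the HETU check character and extracts the date of birth from the DDMMYY digits and the century marker before the value is forwarded. It assumes the publicly documented HETU format, including the additional century markers introduced in 2023; all sample values are constructed.

```python
import re
from datetime import date

# Check character table: int(DDMMYY + NNN) % 31 indexes into this string
CHECK_CHARS = "0123456789ABCDEFHJKLMNPRSTUVWXY"
# Century marker -> base year. '+', '-' and 'A' are the classic markers; the
# remaining letters were added to the format in 2023 (assumed current here).
CENTURY = {"+": 1800, "-": 1900, "A": 2000}
CENTURY.update({c: 1900 for c in "YXWVU"})
CENTURY.update({c: 2000 for c in "BCDEF"})
# DDMMYY, century marker, three-digit individual number, check character
HETU_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})([+\-ABCDEFUVWXY])(\d{3})([0-9A-Z])$")

def parse_hetu(hetu: str) -> tuple[date, int]:
    """Strictly validate a HETU and return (date_of_birth, individual_number).
    Raises ValueError for bad syntax, check character, individual number or date."""
    m = HETU_RE.match(hetu)
    if not m:
        raise ValueError("malformed HETU")
    dd, mm, yy, marker, individual, check = m.groups()
    # The check character covers the date digits and the individual number only
    expected = CHECK_CHARS[int(dd + mm + yy + individual) % 31]
    if check != expected:
        raise ValueError("check character mismatch")
    if int(individual) < 2:  # 000 and 001 are never issued
        raise ValueError("invalid individual number")
    try:
        dob = date(CENTURY[marker] + int(yy), int(mm), int(dd))
    except ValueError as exc:  # e.g. 30 February passes the checksum but not the calendar
        raise ValueError(f"invalid date of birth: {exc}") from exc
    return dob, int(individual)

def date_of_birth(hetu: str) -> str:
    """ISO-8601 date of birth extracted from a valid HETU."""
    return parse_hetu(hetu)[0].isoformat()

def is_valid_hetu(hetu: str) -> bool:
    try:
        parse_hetu(hetu)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed samples; 131052-308T is the format's well-known documentation example
    for sample in ["131052-308T", "010100A123D", "300252-308A", "131052-308S"]:
        print(sample, "->", date_of_birth(sample) if is_valid_hetu(sample) else "REJECTED")
```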
Signicat stores transaction information of identifications in technical logs to support the security and stability of the service. These technical logs are kept according to 24§ of The Finnish Act on Strong Electronic Identification and Electronic Signatures.
The personal data that is used in the identification process is handled according to the applicable regulation, such as the Finnish Personal Data Act, the EU’s General Data Protection Regulation, the Finnish Act on Strong Electronic Identification and Electronic Signatures, and the regulation on the Finnish Trust Network.
The security of handling personal data is guaranteed in the following ways:
All data communication between customer infrastructure and Signicat infrastructure is via web services. The authenticity, integrity and confidentiality of the communication is secured using all of the following measures:
- Enforced two-way (mutual) SSL/TLS with client authentication; each customer has its own client certificate.
- IP filtering: only the customer’s registered IP addresses can make web service calls to the customer’s service.
- Message-level username and password; each customer has its own credentials.
Signicat does not use the data the customer sends to Signicat for any other purpose than the agreed-upon services. Only authorized persons with explicit need have access to the data. All access to data is protected with personal accounts and logged.
Business Continuity Management
To guarantee service delivery and availability, Signicat has a full HA configuration with fail-over running at two different sites 4 km apart on separate power grids and Internet access points.
A backup (application + data) is taken once a day and stored off-site, under the same security requirements that apply to live data.
Physical and logical access control
Security requirements for physical and logical access control in Signicat’s operations center follow the documented processes of the Information Security Management System (ISMS), in accordance with ISO 27001.
Secure Key Management is a central part of Signicat operations. Signicat uses a key management system which gives security benefits through fine-grained access control, audit logging, and encrypted storage. For keys with special security requirements, Signicat uses Hardware Security Modules.
Protocol and API security
Signicat offers the SAML2 (Security Assertion Markup Language 2.0) and OpenID Connect (OIDC) protocols.
Signicat has published information security principles, which can be found at https://www.signicat.com/about/security-information/.
If you would like to view what kind of personal information Signicat processes, or what information Signicat has saved about you, please email us at firstname.lastname@example.org.
5) Key partnerships
Signicat cooperates with international ICT enterprises such as Tieto, Accenture, Salesforce, and Microsoft. The local partners in the Nordics include Vincit, Nixu, HiQ, and Knowit. More information about partnerships can be found at https://www.signicat.com/products/apps-integrations/. Currently, Basefarm AS is the hosting service provider for Signicat.
6) Conformity assessment as described in legislation (Tunnistuslaki 29§)
Nixu Certification Oy has assessed Signicat’s services as of June 2017. The report of the assessment has been approved by Ficora as of September 2017. The conformity assessment will be completed every 2 years, or sooner if the Signicat Connect service is changed significantly.
In the context of the Finnish Trust Network, the controlling authority for identity brokerage services is The Finnish Transport and Communications Agency (TRAFICOM). More information can be found at