This text is translated from Finnish. The original can be viewed here.
Principles for identification and identity broker
Signicat acts as an intermediary for the following identity methods:
Level of Assurance
|Finnish online bank authentication||Substantial (korotettu)|
Identity Broker Service
Level of Assurance
|Signicat Connect||Substantial (korotettu)|
1) Key information about the service provider
Signicat is a member of the Finnish Trust Network, acting as an identity broker. Signicat offers strong electronic identification services for the public. The principles for strong identification have been established in Finnish legislation: Laki vahvasta sähköisestä tunnistamisesta ja sähköisistä luottamuspalveluista 533/2016: http://www.finlex.fi/fi/laki/ajantasa/2009/20090617.
Any online service provider can take advantage of Signicat’s services as a one-stop shop: one commercial agreement and technical integration provides access to several strong identification methods. Signicat offers strong identification methods, including Finnish online bank authentication and Mobiilivarmenne.
Signicat AS is headquartered in Norway, with local sales offices in Finland, Sweden, Denmark, the Netherlands, Belgium, Germany and the United Kingdom. Signicat has been operating since 2006 and acts as a broker for over 270 million identification transactions per year. For Finnish customers, Signicat has been providing the award-winning services since 2008, and the company opened a local office in Finland in 2013. More information can be found at https://www.signicat.com/contact/signicat-suomi.
2) Key information about services and pricing
The central part of Signicat’s membership in the Finnish Trust Network is its authentication service (Signicat Connect), used for end-user identification.
Signicat’s identity broker service is an easily integrated service, which appends different online services providers’ identification options with a growing number of methods via one point of integration.
An authenticating end-user does not have to pay for using Signicat’s broker service, instead Signicat has commercial agreements with the online service providers (online shops, service portals, etc.). Pricing is based on subscription (fixed monthly fee) and transaction fees (dynamic based on usage). Signicat bills through the 3rd party fees for identity service providers (e.g. online banks) as described in Finnish legislation: Laki vahvasta sähköisestä tunnistamisesta ja sähköisistä luottamuspalveluista (29.3.2019/412), section 12 c §. http://www.finlex.fi/fi/laki/ajantasa/2009/20090617.
In addition to its authentication service, Signicat offers services for new user onboarding (Signicat Assure), electronic signing of documents (Signicat Sign), signed documents archiving/preserving (Signicat Preserve) and identity management (Signicat Identity).
The above-mentioned Assure service does not refer to the initial identification, which is stipulated in Section 17 in The Finnish Act on Strong Electronic Identification and Electronic Signatures.
More information about Signicat services can be found at https://www.signicat.com/products/.
3) Key information about applicable terms and conditions
Signicat follows the code of conduct provided by Traficom when concluding trust network agreements with the identity providers. In its customer agreements, Signicat follows applicable privacy legislation.
In identification processes, Signicat acts as Data Processor according to EU data protection regulations. Signicat transmits the Personal ID number (Henkilötunnus, HETU), first name, last name and date of birth (extracted from HETU) according to Traficom’s decree 72.
The Identity Service Provider (such as an online bank) returns the information mentioned above to Signicat. Signicat forwards the received identity data to the online service provider as it is. Signicat does not use personal data for any other purpose.
Signicat stores transaction information of identifications in technical logs to support the security and stability of the service as required in 24§ of The Finnish Act on Strong Electronic Identification and Electronic Signatures.
The personal data that is used in the identification process is handled according to the applicable regulation, such as the Finnish Data Protection Act, the EU’s General Data Protection Regulation, the Finnish Act on Strong Electronic Identification and Electronic Signatures, and the regulation on the Finnish Trust Network.
The security of handling personal data is guaranteed in the following ways:
All data communication between customer infrastructure and Signicat infrastructure is via web services. The authenticity, integrity and confidentiality of the communication is secured using all of the following measures:
- Enforced two-way SSL, with client authentication. The customer has their own client certificate.
- Message-level encryption: All messages containing personal data are encrypted to ensure that only the customer can read the data. The customer has their own certificate for this purpose.
- IP filtering. Only customers’ IPs can perform web service calls to the customer service.
- Username and password (message level).
- Customer has their own username and password.
Signicat does not use the data the customer sends to Signicat for any other purpose than the agreed-upon services. Only authorized persons with explicit need have access to the data. All access to data is protected with personal accounts and logged.
Business Continuity Management
To guarantee service delivery and availability, Signicat has a full HA configuration with fail-over running at two different sites 4 km apart on separate power grids and Internet access points.
A backup (application + data) is taken once a day and stored off-site, under the same security requirements that apply to live data.
Physical and logical access control
Security requirements for physical and logical access control in Signicat’s operations center follow the Information Security Management System (ISMS) documented processes, in accordance with ISO 27 001.
Secure Key Management is a central part of Signicat operations. Signicat uses a key management system which gives security benefits through fine-grained access control, audit logging, and encrypted storage. For keys with special security requirements, Signicat uses Hardware Security Modules.
Protocol and API security
Signicat offers the SAML2 (Security Assertion Markup Language 2.0 and OpenID Connect (OIDC) protocols.
Signicat has published information security principles, which can be found at https://www.signicat.com/about/support-and-security/.
If you have questions concerning how Signicat processes personal data, please email us at firstname.lastname@example.org.
5) Key partnerships
Signicat cooperates with international ICT enterprises such as Tieto, Accenture, Salesforce, and Microsoft. The local partners in the Nordics include Vincit, Nixu, HiQ, and Knowit. More information about partnerships can be found at https://www.signicat.com/products/apps-integrations/. Currently, Basefarm AS is the hosting service provider for Signicat.
6) Conformity assessment as described in legislation (Tunnistuslaki 29§)
Nixu Certification Oy has assessed Signicat’s services as of October 2019. The report of the assessment has been approved by Traficom as of September 2019. The conformity assessment will be completed every 2 years, or sooner if the Signicat Connect service is changed significantly.
In the context of the Finnish Trust Network, the controlling authority for identity brokerage services is The Finnish Transport and Communications Agency (TRAFICOM). More information can be found at