
Overview

This Signority Shared Security Responsibility Model outlines and defines each party’s scope of responsibility when it comes to the compliance and security of one party’s use of the other’s platform.  

Signority’s scope of responsibility is determined by which side of the relationship it occupies. Signority may hold one of two positions, either as the:

  1. Cloud Service Provider (CSP), Signority
  2. Cloud Service Customer (CSC), Signority Customer

Signority uses AWS to host the Signority eSignature Platform; we have therefore adopted AWS’s SSRM model for the shared responsibilities between Signority and AWS. The Signority platform is sold under a ‘Software as a Service’ business model, which shapes our approach to the SSRM between our clients and ourselves.

The Shared Security Responsibility Model below outlines the areas of responsibility and reflects who (AWS, Signority, or the Signority Client) owns each security responsibility, which responsibilities are shared, and between whom they are shared.

Signority, as the SaaS provider using a serverless environment (AWS), can be either the Cloud Service Customer (CSC) or the Cloud Service Provider (CSP), depending on the area of responsibility.

SSRM Chart

Signority as the Cloud Service Provider

From a Signority customer’s point of view, Signority is responsible for all of the AWS responsibilities shown in the chart above, as the SaaS provider that has chosen AWS as its third-party partner.

Signority is responsible for maintaining the Signority eSignature Platform on the AWS servers and ensuring all controls meet or exceed the requirements set forth by SOC 2 and CSA STAR compliance. 

Here we outline the Areas of Responsibility (AoR) that Signority and the Client share, and how each area is divided.

Shared >> Client and Signority

Information & Data 

Responsibility: Shared

Signority has created a safe and secure environment for clients to store their data (encrypted at rest and in transit) and uses multiple AWS tools to ensure data recovery and restore if required. 

Clients have the responsibility to secure their own clients’ information and data by taking steps such as:

  1. Securing their data and information by ensuring that any and all documentation uploaded is authorized and that all relevant compliance guidelines and laws are being followed.
  2. Securely designing their team / sub-team structure.
  3. Using the appropriate tags to mask any confidential information (PII).
 
Applications Logic & Code

Responsibility: Shared

Signority has the responsibility to secure and control the Signority Platform throughout the entire application lifecycle. This includes securing our code repositories from malicious misuse or intrusion, application build testing throughout the development and integration process, ensuring secure production access, and maintaining security of any connected systems. Signority must also ensure secure API Keys are generated and API code is clear, updated, and secure.

Clients have the responsibility to ensure that any application they integrate Signority with, whether through the API or our Integration modules, is secure, stable, and tested. If a client creates a custom API connection, it is the client’s responsibility to ensure the code is secure, complete, and compliant, and to ensure the third-party application is secure, tested, and stable.

 

Identity and Access

Responsibility: Shared

Signority is responsible for all facets of identity and access management (IAM), including authentication and authorization mechanisms, single sign-on (SSO), multi-factor authentication (MFA), access keys, certificates, user creation processes, and password management for the production, testing, and sandbox server environments.

Clients are responsible for identity and access management for their own users, including the use of Signority’s 2FA, SSO, and/or IP whitelisting options. This also includes password management, invitations, and the adding and removing of users.
