Is all customer data stored in Canada?
While core customer personal information and documents always remain in Canada within our Canadian data centers, we have partnered with sub-processors located in the USA to provide optional services, such as texting and email services, should our customers require them. In those instances, which require contractual agreement, we only provide our sub-processors with very limited, high-level personal information, such as name, email address, and mobile telephone number.
Does customer data need to remain in Canada to remain compliant with PIPEDA?
No. Although many Canadian customers prefer to store their data in Canada.
Does the Signority eSignature Platform collect or store payment card data information?
No. If a customer is paying online using a credit or debit card, then that sensitive card information is passed directly and securely to our payments subprocessor (Stripe) in a PCI DSS-approved method. Enterprise customers usually pay Signority through electronic funds transfer.
Is customer data protected ‘in motion’ between a user and the Signority eSignature Platform?
Yes. Customers access Signority eSignature Platform services using strongly encrypted extended validation (EV) Transport Layer Security (TLS) certificates to encrypt the data in transit between users and the Signority eSignature Platform. We only allow the highest security TLS 1.2 and 1.3 protocols, and do not allow weaker TLS or SSL nor do we allow the use of older, weaker browser versions or weak encryption algorithms.
Is data protected internally within the Platform while in motion between various services?
Yes. We use various forms of encryption, such as TLS, when transmitting data between our microservices.
Is customer data protected while ‘at rest’?
Yes. We encrypt data at rest using strong data encryption methods, protocols and algorithms.
How is customer data separated from one another?
We use virtualization techniques to ensure the separation of customer accounts and users.
Is data sanitized when no longer required?
Yes. We use Amazon Web Services techniques detailed in NIST 800-88 (“Guidelines for Media Sanitization”) to sanitize and decommission media.
Does Signority have an Information Security Policy?
Yes. Signority has a very comprehensive Information Security Policy that covers all employees and contractors. Each individual must review and sign the policy. The policy undergoes mandatory annual review and update by security specialists and then is reviewed and approved by the CEO. Material changes are communicated to employees during their annual mandatory security and privacy training sessions.
Does Signority security screen its employees?
Yes. Signority undertakes mandatory federal government security clearance checks for its employees and contractors that may have access to federal government customer data. All other Signority employees and contractors must undergo police Criminal Records and Judicial Matters Checks as part of their hiring and contracting process.
Does Signority security train its employees?
Yes. In accordance with its Information Security Policy, all employees and contractors are required to undertake security and privacy training on a regular basis, including training on its policy. In addition, Signority employees are trained on the secure handling of customer information during the onboarding process. All employees have specific security duties identified within their job descriptions and are measured on those during their annual performance reviews. All employees undertake comprehensive, mandatory security and privacy training every October during international cyber security awareness month (CSAM). Specific privacy training is provided on or near-annual data privacy days. Anti-phishing campaigns are run several times per year. Employees also receive additional security awareness training, undergo testing, and take additional specific security training courses related to their positions, throughout the year.
Does Signority use a formal security framework for security governance?
Yes. Signority uses the globally accepted NIST Cyber Security Framework (CSF). We also select, map, and embed security controls from other security frameworks such as ISO 27001/02 (security controls), ISO 27017 (cloud security), ISO 27018 (cloud data security) the Center for Internet Security (CIS), Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM), Open Web Application Security Project (OWASP) Software Assurance Maturity Model (SAMM) and System and Organization Controls (SOC), among others.
Does Signority have vulnerability management processes to identify, triage and mitigate vulnerabilities?
Yes. Signority has a Threat and Vulnerability Management (TVM) program whereby new systems and applications are built securely from the onset; systems and applications are maintained on a regular and routine basis; vulnerabilities and threats are continually monitored; vulnerability assessments (VA) are conducted on a regular basis; penetration testing is undertaken on a regular basis, identified system and application-level vulnerabilities are assessed for risk and severity and remediated as required, and systems are sanitized and disposed of in a secure manner. We also maintain a cyber security task force (CSTF) team that meets on a regular basis to proactively monitor and formally manage cyber risks.
Does Signority monitor threat intelligence services?
Yes. Threat intelligence is monitored on a regular basis using several sources including the federal government Canadian Centre for Cyber Security (CCCS) program, MS-ISAC, FIRST, and CERT.
Does Signority hold third party certification with information security standards?
The Signority eSignature Platform is operated within highly secure and resilient Amazon Web Services (AWS) clustered data centers within Canada. AWS maintains ISO 27001, ISO 27017, ISO 27018, HIPAA, SOC 1/ISAE 3402, SOC 2, SOC 3, CSA Star Level 1, 2 and 3, FISMA, DIACAP, and FedRAMP externally audited security certifications. We also leverage numerous AWS security services to provide enhanced security for our eSignature Platform. Signority is PCI DSS compliant secure with its use of the Stripe payment gateway solution.
Do all Signority sub processors hold third-party certification with information security standards?
Yes. SendGrid holds SOC 2 Type 2. Twilio holds ISO 27001. GlobalSign DSS holds ISO 27001.
What are the Signority eSignature Platform password dynamics?
Passwords must have at least one upper character, one lower character, and one number, and be a minimum of eight characters in length. Using the Single Sign-On (SSO) capability, with SAML integration, customers can use their own user IDs and password dynamics, as well as their preferred methods of second-factor authentication.
Does the Signority eSignature Platform support two-factor authentication?
Yes. Customers and users are strongly encouraged to use provided two-factor authentication to protect their accounts. Users have a choice of using SMS authentication, email authentication, or answering security questions. In addition, multi-factor authentication can be set up for recipients of documents sent via the Signority eSignature Platform for signing. This includes email and SMS authentication.
What are Signority’s mitigation timescales for addressing (e.g. patching) known vulnerabilities?
Critical: Security vulnerabilities in systems, applications, and drivers assessed as extreme risk (or critical), likely associated with “zero-day” risks and associated published exploit kits, confirmed to exist within the Signority environment, are patched, updated, or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.
Urgent: Security vulnerabilities in systems, applications, and drivers assessed as high risk (or urgent), confirmed to exist within the Signority environment, are patched, updated, or mitigated within one to two weeks of the security vulnerability being identified by vendors, independent third parties, system managers or users.
Important: Security vulnerabilities in systems, applications, and drivers assessed as moderate risk (or important) are patched, updated, or mitigated within two to four weeks of the security vulnerability being identified by vendors, independent third parties, system managers, or users.
Priority: Security vulnerabilities in systems, applications, and drivers assessed as low risk (or priority) are patched, updated, or mitigated within four to twelve weeks of the security vulnerability being identified by vendors, independent third parties, system managers, or users.
Does Signority maintain audit logs?
Yes. Signority creates audit logs of all relevant events on the Signority eSignature Platform, at various system and application levels.
The following is a list of categories of user activities that Signority logs:
Signing Activities: All activities that are part of the creation, signing, and managing of documents created for signing.
Account Activities: All activities that involve changes made to a user account, including password changes, plan changes, and payment information changes.
Team Activities: All activities that involve the team and users within the team. This includes editing team member settings and adding and removing users.
Audit logs for individual documents are retained indefinitely. Audit logs for all account, user, and team activities are retained for six months.
Does Signority have security incident, data breach, and disaster recovery plans?
Yes. Signority maintains a Data Breach Response Plan (DBRP), a Cyber Incident Response Plan (CIRP), and a Disaster Recovery Plan (DRP) and tests each of these on a regular basis with our response teams.
Does Signority maintain a software vulnerability and bug reporting program?
Yes. We strongly believe in providing such a program to allow others to report suspected vulnerabilities and bugs to us. Refer to https://signority.com/trust/security/vulnerability