Shared Security Responsibility Model (SSRM)
This Signority Shared Security Responsibility Model outlines and defines each party’s scope of responsibility when it comes to the compliance and security of one party’s use of the other’s platform.
Signority’s scope of responsibility is determined by the side of the relationship it is situated. Signority may hold one of two positions, either as the:
- Cloud Service Provider (CSP), Signority
- Cloud Service Customer (CSC), Signority Customer
Signority uses AWS to host our Signority eSignature Platform, therefore we have adopted their SSRM model for the shared responsibilities between Signority and AWS. The Signority platform is sold as a ‘Software as a Service’ business model. This influences our approach to the SSRM between our clients and ourselves.
The Shared Security Responsibility Model below outlining the areas of responsibility reflects who (AWS, SIGNORITY, Signority Client) owns each security responsibility and which ones are a shared responsibility and by whom.
Signority as the SAAS provider using a serverless environment (AWS) can be either the Cloud Service Client (CSC) or the Cloud Service Provider (CSP) depending on the area of responsibility.
Area of Responsibility
Information & Data
Applications Logic & Code
Identity & Access
Platform & Resources
ID & Directory Infrastructure
Physical Hosts, Network, Datacenter
Signority as the Cloud Service Provider
From a Signority customer point, Signority is responsible for all AWS responsibilities shown in the chart above as the SAAS provider who has chosen AWS as our third party partner.
Signority is responsible for maintaining the Signority eSignature Platform on the AWS servers and ensuring all controls meet or exceed the requirements set forth by SOC 2 and CSA STAR compliance.
Here we will outline the Areas of Responsibility (AoR) that Signority and the Client share, and how the area’s are divided.
Shared >> Client and Signority
Information & Data
Signority has created a safe and secure environment for clients to store their data (encrypted at rest and in transit) and uses multiple AWS tools to ensure data recovery and restore if required.
Client has the responsibility to secure their clients information and data by taking such steps as:
- Secure their data and information by ensuring any/all documentation uploaded is authorized and you are following any/all relevant compliance guidelines and laws.
- Securely design your team / sub-team structure
- Use the appropriate tags to mask any confidential information (PII)
Identity and Access
Signority is responsible for all facets of identity and access management (IAM), including authentication and authorization mechanisms, single sign-on (SSO), multi-factor authentication (MFA), access keys, certificates, user creation processes, and password management for the production, testing, and sandbox server environments.
Client is responsible for identify and access management for your users, including the use of Signority’s 2FA, SSO, and/or IP whitelisting options. This also includes password management, invitations, and the adding/removing of users.