We deliver highly trusted digital identities, usually in the form of digital signatures. Because the assurance level of these identities is high, a great deal of care (and common sense) must be applied to protecting our customers’ data and their digital identities.
Our ISO 9001 (quality), ISO 27001 (security) and eIDAS (identity) certifications guide the following principles when designing our solutions and processes:
We collect only the PII necessary to provide our services. It’s safer for you and simpler for us.
Your digital signature is created on your computer or, for AATL digital signatures, on a certified cryptographic device from which the private key cannot be exported. You have sole control over your digital signature and its password; by design, Notarius employees, including our PKI (Public Key Infrastructure) Officers, never have access to them.
Recovering your digital signature requires you to answer your security questions. These questions are visible only through a link sent to your email address, which is what protects them. We do not have access to the answers to your security questions; this precaution makes the process more secure for you and for us, and removes the possibility of social engineering directed at our staff.
The answers to your security questions are never stored on our servers, neither “in the clear” nor in encrypted form. When you fill out the online subscription form, a one-way hash function is applied to each of your answers, creating a unique “fingerprint” of the answer that cannot be reversed to recover it. Each time you authenticate with your security questions, our system compares the fingerprints. Note that, for operational reasons, our PKI Officers can recover a digital signature by following a strict and highly audited process.
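The fingerprint comparison described above, written out as an added illustration (this is not Notarius’ code, and the page only says “one-way hash”): because security-question answers are low-entropy, this version also normalizes the answer, adds a random per-answer salt and stretches the hash with PBKDF2 so that a stolen fingerprint table cannot be brute-forced cheaply, and it compares fingerprints in constant time. The iteration count, salt size and normalization rules are assumptions for the example.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Optional, Tuple

# Assumed parameters for this illustration (not stated on the page).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so trivial variations ("Montréal " vs "montreal")
    yield the same fingerprint. Accent folding, casefolding and whitespace
    collapsing are assumed rules, not ones the page describes."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


def fingerprint_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, fingerprint). Only these two values are kept; the answer
    itself is discarded, matching the page's description. Salting and key
    stretching are added here because short answers are easy to guess offline."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, stored_fingerprint: bytes) -> bool:
    """Recompute the fingerprint of the candidate with the stored salt and compare
    in constant time; the original answer is never needed for verification."""
    _, digest = fingerprint_answer(candidate, salt)
    return hmac.compare_digest(digest, stored_fingerprint)


def enroll(answers: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Simulate the subscription form: store (salt, fingerprint) per question."""
    return {question: fingerprint_answer(answer) for question, answer in answers.items()}


def authenticate(record: Dict[str, Tuple[bytes, bytes]], candidates: Dict[str, str]) -> bool:
    """Recovery succeeds only if every enrolled question is answered correctly."""
    return all(
        question in candidates and verify_answer(candidates[question], *record[question])
        for question in record
    )
```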
The PII we store is encrypted at rest and in transit, and access to it is strictly controlled and audited. Access to the most sensitive PII, such as the video recording of the identity verification session, is limited to PKI Officers and only in special circumstances, such as doubt about the validity of a digital certificate’s issuance, a court order, or an order for disclosure of personal information.