Security

We deliver a high level of security

We take security as one of our top priorities. Below you can find some of our security messures and methods to ensure that your data is safe and compliant with GDPR.

Creditworthiness

Simple Sign contains the highest credit rating according to UC (the national standard in Sweden).

Legality

SimpleSign is a secure e-signature provider that offers strong legal evidence built into its various processes from the ground up.

Blockchain

SimpleSign utilizes the latest in Blockchain technology to provide the utmost security possible for securing and validating all forms of electronic signature. Blockchain allows users to independently verify the authenticity of documents.

Therefore, once a document is signed users can verify a document’s authenticity directly without having to contact Simple Sign. Once a document is signed, it is sealed and added to an unchangeable database separate from SimpleSign.

The blockchain procedure utilized by SimpleSign is the same procedure used by companies such as Microsoft, Phillips, and Tierion to seal and secure their documents. All Document, User, and Detailed Logging information is stored through this procedure.

This blockchain procedure for securing data is enabled by default but can be disabled by users who opt to store their signing data in our database instead.

Penetration Testing

SimpleSign knows the value of security and takes strict proactive measures in order to ensure the absence of vulnerable holes. Thus, we perform penetration testing every three months.

Penetration testing, also called pen testing or ethical hacking, is the practice of testing in order to find security vulnerabilities that an attacker could potentially exploit. The test is performed to identify weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data.

This test helps determine whether the current system’s defenses are sufficient or if it is vulnerable to attack, and if so, which defenses (if any) the test defeated.

A number of tools (listed below) are used to check every area of the system during such a test.

Burp Suite (Java Program for Checking Intrusion)

SqlMap

Nikto

Wfuzz

Log Monitoring

System Development & Maintenance

The system development of SimpleSign follows market standards. Security design is documented for each component of the SimpleSign platform. Once per quarter (or at minimum one per year) a penetration test is performed in order to search for vulnerabilities in the system.

SimpleSign is continuously being developed in order to deliver a product of high standards with multiple functionalities, which might include reliance on external applications. In order to maintain the security standards of the Information System, each external application is examined and verified to make sure it meets its intended purpose.

In order to provide a secure platform with satisfying uptime, we use separate acceptance testing environments. In total, we perform four levels of segregation between our system environments.

Controlled acceptance testing is used with live data. This controlled testing is for using the combination of existing data with updated features, to avoid unexpected interference.

Development environment
Test environment
Acceptance testing
Production environment

White and Black Box Testing

During the development of new code and before deploying any new code on an acceptance testing environment we apply Web Application Vulnerability Scanners. These scanners allow us to look for security vulnerabilities such as Cross-site scripting, SQL Injection, Command Injection, Path Traversal, and insecure server configuration.

Black Box

Black Box Testing is a software testing method in which the internal structure/design/implementation of the item being tested is NOT known to the tester.

White Box

White Box Testing is a software testing method in which the internal structure/design/implementation of the item being tested is known to the tester. At SimpleSign, we believe that the ability to test an application both statically and dynamically will become increasingly important as technology and therefore potential security threats continue to increase. This is precisely why we use the best of both during different stages of the development cycle.

Static Application Security Testing (SAST) has the flexibility needed to perform in all types of SDLC methodologies. SAST solutions can be integrated directly into the development environment. This enables the Simple Sign team to monitor the code constantly and it leads to quick mitigation of vulnerabilities as well as enhanced code integrity. SAST is a white box testing method that covers a large part of our vulnerability testing.

Dynamic Application Security Testing (DAST) – or “Black Box testing” is ideally suited for later stage testing in which we leverage approved third-party solutions from Stockholm, Sweden that continuously improve with the latest vulnerability checks and protection.

Secure, Encrypted & GDPR Compliant

We understand that your agreements are important and therefore SimpleSign is encrypted. We use TLS encryption for all data transfers. For document storage, we use a state-of-the-art Tier III, SSAE-16 certified data center with ISO 27001 certification. SimpleSign is compliant with GDPR to the extent necessary to maintain a secure SaaS solution. All user data is stored within the EU.

Audit Trail Provided by Simple Sign

A complete Audit Trail is available for each activity performed on documents, workflow level, or on a user account. Here are the actions that will be logged and available for viewing in the audit trail:

Document Logging
- The Document Log covers in full the various actions performed on a particular document (i.e details, performed actions, etc.) along with the respective date and time stamps.

User Logging
- Logging Activities performed by users is stored in an activity log (i.e description, type, and details of each activity) with respective date and time stamps.

Detailed Logging
- Workflow evidence report that keeps a record of each activity performed within a specific document workflow by all recipients.

Private Information - Security

SimpleSign understands the sensitivity of private information. This is why we follow a very strict policy to secure sensitive information (account, users, passwords, documents etc.). All documents are stored and transported in an encrypted format to ensure the utmost security.

Recommended Practice to Secure Accounts

Here are some recommendations in order to further secure an account

Do not leave your machine while you are logged into SimpleSign
Use a strong alphanumeric password (including uppercase letters, lowercase letters, and special characters) with at least a 10+ character length

Use BankID for authentication, which will then be a requirement for signing in

Enable OTP based authentication. This is another form of multi-factor authentication done at the time of login and when signing a document. Contact us if you are interested in buying such a service.