Evidos is a market leader in the field of electronic signatures and electronic identification. Ondertekenen.nl and Signhost.com are solutions that are supplied by Evidos. The security of information is imperative to Evidos. We make every conceivable effort to prevent unauthorised access to our clients’ confidential information, to ensure that the information is correct and available whenever required. That is why Evidos takes a proactive approach to secure its systems and keep all information safe.
The method that is used for electronic signatures must be reliable and secure. We guard the quality and reliability of our services 24/7. The security of our services satisfies the industry’s most stringent standards at every level. We are the partner you can trust when it comes to having documents, such as PDF files, signed electronically. Furthermore, Evidos ensures that its procedures and processes are drawn up and designed in accordance with commonly accepted standards (good practices), such as ISO 27001 and COBIT.
Evidos’ Certifications and Accreditations
Evidos holds the following certifications and accreditations:
- ISO/IEC 27001: 2013 certification.
- Service Organization Control (SOC) 2 Type 2 – statement
- DigiD TPM statement
- iDIN – Digital Identity Service Provider (DISP)
Evidos wants to demonstrate to clients that it has information security under control, which is why, since March 2017, we have been in compliance with the conditions provided for under ISO/IEC 27001: the de facto standard for information security.
To provide, develop, maintain and support a cloud signing and authentication service.
DEKRA Certification carries out an annual check to establish whether we still meet the criteria, and a full ISO audit is conducted once every three years.
Click here for the certificate.
SOC2 Type 2
Evidos is compliant to the SOC 2 Type 2 requirements. This statement garantuees customers the high service level of product development and Signhost.com. SOC 2 Type 2 refers to the infrastructure, software, procedures, people and data of an online service provider and what requirements are needed to meet the highest international standards. Hereby both foreign as domestic organisations know what to expect.
Third-Party Statement (TPM) for DigiD
Logius requires an annual report on the ICT security assessment of DigiD. That audit is conducted by a registered EDP auditor (RE auditor) of an independent certified party, which will draw up a Third-Party Statement (TPM) following the audit.
Evidos issues the TPM to its clients who use DigiD every year.
iDIN – Digital Identity Service Provider (DISP)
Evidos is Digital Identity Service Provider (DISP) for iDIN. The Dutch Payments Association has officially certified Evidos to help companies use iDIN on their own website. As a DISP, Evidos is allowed to provide iDIN services directly to “acceptors” without the intervention of a bank. These can be web shops or government services that use iDIN to identify a user or to allow a customer to log in.
Signhost operates in a secure data centre in the Netherlands. This data centre also meets the requirements of ISO/IEC 27001:2013 and NEN 7510:2011.
Every year, our hosting provider issues an ISAE 3402 Type II accreditation to provide insight into the reliability of its services.
Coordinated Vulnerability Disclosure
Evidos has guidelines for reporting vulnerabilities, which helps us to protect our systems and clients. Should you discover any specific security issues, please let us know as soon as possible so that we can take immediate action.
All connections to the Signhost web application or connections made via an API link travel through a secure SSL connection. The technology behind an SSL connection ensures that data are encrypted; it is also used for Internet banking.
Secure data centre
Signhost operates in a secure data centre in the Netherlands. Our secure-hosting partner meets the ISO 27001 information security standard. Our hosting provider also has ISAE3402 Type II Assurance accreditation.
Signhost meets the requirements for advanced electronic signatures as laid down in Section 3:15(a) of the Dutch Civil Code and the eIDAS Regulation. See our explanation of legal validity.
Internal and external tools are used to ensure round-the-clock protection of the Signhost service against vulnerabilities. We use the OWASP guidelines to detect any security issues.
At least once a year, Signhost’s web environments are subjected to penetration tests as part of the ICT security assessment for DigiD in line with the NOREA ‘DigiD Assessments Manual V2.0’. These penetration tests are carried out by multiple external parties on a rotating basis.
In our privacy and cookie statement we explain, among other things, which of your personal data we collect and the purposes for which they are collected. We also use this statement to provide information on the cookies that are installed. We attach great importance to providing you with information on these subjects in a clear and transparent way. Please do not hesitate to contact us if you have any questions about the processing of your personal data or about this statement.
It is important that agreements concerning the processing of personal data are laid down by contract to remain in line with current and future privacy legislation. As an additional service, Evidos provides all its clients with a standard processing agreement to ensure that both parties act in accordance with privacy legislation. This processing agreement takes account of the requirements that arise from the General Data Protection Regulation.
Contingency plan for data leaks
We believe it is important not only to enter into contractual agreements with you on reporting data leaks, but also to ensure that these agreements are honoured. That is why we have developed internal processes that enable us to identify and follow up on data leaks in good time. Evidos has a contingency plan for data leaks that describes how we deal with any such leaks. You may inspect the contingency plan upon request.
Personal data security
In accordance with Section 13 of the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens) and with the General Data Protection Regulation, as from 25 May 2018, Evidos has taken appropriate technical and organisational measures to protect personal data against loss and unlawful processing. Evidos also takes account of the policy rules of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), such as the ‘Policy rules on the security of personal data (2013)’.
General Data Protection Regulation (GDPR)
As from 25 May 2018, the Dutch Data Protection Act has been replaced by the GDPR. The GDPR entails additional obligations for organisations, such as keeping a processing register, honouring additional rights of data subjects and, in certain cases, conducting mandatory data protection impact assessments. Evidos is aware of these changes and has ensured that it has been acting in accordance with the GDPR since 25 May 2018.
Start vandaag nog en laat al uw documenten voortaan digitaal ondertekenen.
Probeer het gratis!