Security framework
Introduction
The Smart Certificate platform is built on technologies such as blockchain anchoring and on protocols designed to comply with privacy law and the GDPR. It guarantees each document's integrity (time-stamping and signature), authenticity (proof of the identity of the issuer of the document) and validity (the document is still in force: it has not been revoked and its expiry date has not been reached).
A Smart Certificate document can therefore be verified independently: any alteration of its content, and any document that was never issued through the platform, is detected at verification time.
Beyond database-level encryption, and as part of our data protection system, each recipient's data are additionally encrypted with a key specific to that set of data until the recipient accepts the terms and conditions and activates the granted documents (patented method). The data are then decrypted and the documents are generated from them, but they remain in a secure environment (dedicated servers).
We have undergone a personal data audit and maintain ongoing oversight activities to ensure consistent GDPR compliance. A Data Protection Officer (DPO) oversees these activities.
We commission regular penetration tests from SECTIGO and are continuously monitored by SECURITY SCORECARD.
Technical Specifications: best practices
The Smart Certificate platform was designed and developed by our R&D team which, in addition to the technical and technological background provided, has acquired over the years the experience and skills specific to the dematerialization and security of data and documents.
All development on the Smart Certificate platform follows a quality approach respected by everyone involved in analysis, design, development and testing. Our development approach is centred on the client and its needs. We use an Agile methodology in which functionalities are prioritised according to customer needs and according to the risks identified in the development of the platform. Each development cycle lasts at most one calendar month and includes the classic phases of analysis, customer validation, technical design, development, testing and integration.
In addition, the Smart Certificate platform, the operational procedures and the Terms & Conditions of the platform (lists of the articles of general conditions that govern the use of the Smart Certificate platform and that must be approved by any user) are compliant with GDPR and privacy frameworks.
FRAMEWORK & TECHNOLOGIES
The Smart Certificate platform is based on the Microsoft .NET framework for the back end and the Vue.js framework for the front end, and follows market standards for web development as well as for deployment and configuration.
The platform meets the expected architecture standards, particularly for information security, and its infrastructure is ISO 27001 compliant.
DATABASE
The platform is linked to a Microsoft SQL Server database with the following characteristics:
- Relational database following normalisation standards
- Surrogate (artificial) identifiers for relational entities
- Documents related to recipients are stored on a file server outside the database. The link between a recipient and their files is kept in the database. Files are named with a GUID only, so that a file name reveals nothing about its recipient.
- Privacy control is guaranteed by an individual encryption/decryption system following a certified procedure. As long as a recipient has not activated their documents, their personal data are fully encrypted under a unique, personal encryption key, and the encryption protocol guarantees the privacy of the recipient.
- Sensitive data are encrypted with AES (the Rijndael algorithm) under a 256-bit key derived through a SHA-1-based key derivation function (the PBKDF2-HMAC-SHA1 pattern of the .NET Rfc2898DeriveBytes class, which is the usual reading of "Rijndael with SHA1 and a 256-bit key"). Even in the unlikely event of a direct intrusion into the database, the stored information is unusable without the keys, which are not held in the database. Two points a reviewer should keep in mind: SHA-1 appears here only inside the key derivation step, where HMAC-SHA1 remains acceptable (it is not used to hash or sign documents, which use SHA-256), and the protection of data at rest rests on the key material being kept outside the database rather than on the key length alone.
- The encrypt-until-activation approach is central to issuing documents that contain private data. Because documents stay encrypted until the recipient activates them (by accepting the General Conditions of Use), the platform never exposes sensitive personal data before the recipient has consented, which is what allows it to meet European privacy rules on the communication, delivery and sharing of such data. Only two parties can decrypt a document: the recipient, by generating it through the secure activation link sent to them, and the issuing entity, through an interface that requires the password protecting its encrypted private key.
Security Overview
The SMART CERTIFICATE platform uses some of the most advanced technologies for internet security. Aware of the sensitivity of the data it holds, the SMART CERTIFICATE workflow applies a 360° security approach covering data processing, communication channels and storage facilities.
- Secured channels: communication between the platform and all stakeholders (issuers, recipients) is protected by TLS with an Extended Validation (EV) certificate (historically marketed as a "Class 3" certificate). EV means the certificate authority has vetted the legal identity of the organisation operating the platform, so users can confirm who they are talking to; the strength of the encryption itself comes from the negotiated TLS cipher suites, which use 128- to 256-bit symmetric keys. Together these protect data in transit from anyone attempting to intercept or alter information moving between the platform and its clients. A certificate alone does not fix a weak protocol configuration, so the TLS settings (supported protocol versions and cipher suites) are part of what the regular penetration tests check.
- Secured identity verification of the issuers: anyone could claim to be the representative of an organisation, so we have put in place a manual identity verification process for any client wishing to create an account. Any client who wants to open an account and issue certified documents must pass this process.
- Secured storage: our database runs on a secured server, and all sensitive data (names, email addresses, phone numbers, etc.) are encrypted within the database with AES (Rijndael) under 256-bit keys derived through a SHA-1-based key derivation function. Even if an intruder obtained direct access to the database, the data found there would be unusable, because the keys needed to decrypt them are not held in the database.
- Secured data privacy: in addition to the secured storage of sensitive data, the Smart Certificate platform implements an in-house process for controlling the privacy of recipients' and documents' information. This process ensures that no personal data are ever accessible to the platform without the consent of the issuer.
- Secured documents: when a document is generated, the platform computes a SHA-256 hash of the PDF, digitally signs the document and anchors the hash on the Bitcoin blockchain. The anchor provides an independent, tamper-evident timestamp: anyone can recompute the hash of the PDF they hold and compare it with the value recorded in the blockchain, and any change to the document, however small, changes the hash. The anchored hash proves when the document existed and that it has not changed since; it is the digital signature that ties the document to its issuer.
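The verifier's side of the anchoring described above, as an added example that is not Smart Certificate's own code: recompute the SHA-256 hash of the received PDF and check it against the value anchored in the blockchain. Two assumptions are not stated on the page and are labelled in the code: that several document hashes may be batched under one Merkle root per transaction (the usual way to anchor at scale; a single document is simply the one-leaf case), and that the `anchor` record below, whose `txid` is a constructed placeholder, stands in for the value a real verifier would read from the transaction on a Bitcoin node or block explorer. The sample "PDFs" are constructed byte strings.

```python
"""Verifying a PDF against its blockchain-anchored SHA-256 hash.

Added example, not Smart Certificate code. Assumptions not on the page:
Merkle batching of several hashes under one anchored root, and a
constructed anchor record standing in for the on-chain value.
"""
import hashlib
import hmac
from typing import List, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root(leaves: List[bytes]) -> bytes:
    """Root over the leaves; a single leaf is its own root (one document per anchor)."""
    if not leaves:
        raise ValueError("no leaves")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the last node on odd-sized levels
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_proof(leaves: List[bytes], index: int) -> List[Tuple[str, bytes]]:
    """Sibling hashes from the leaf up to the root; 'L' means the sibling sits on the left."""
    level, proof = list(leaves), []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = index ^ 1
        proof.append(("L" if sibling < index else "R", level[sibling]))
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof


def verify_proof(leaf: bytes, proof: List[Tuple[str, bytes]], root: bytes) -> bool:
    node = leaf
    for side, sibling in proof:
        node = sha256(sibling + node) if side == "L" else sha256(node + sibling)
    return hmac.compare_digest(node, root)


def verify_document(pdf_bytes: bytes, proof: List[Tuple[str, bytes]], anchor: dict) -> bool:
    """True only if the file as received hashes to a leaf under the anchored root.
    A single-document anchor is verified with an empty proof."""
    return verify_proof(sha256(pdf_bytes), proof, anchor["merkle_root"])


if __name__ == "__main__":
    # Constructed sample documents standing in for issued PDFs
    docs = [b"%PDF-1.7 diploma A", b"%PDF-1.7 diploma B", b"%PDF-1.7 diploma C"]
    leaves = [sha256(d) for d in docs]
    # Constructed anchor: a real one carries the txid of the Bitcoin transaction
    # whose output commits to merkle_root, plus the block time that timestamps it
    anchor = {"txid": "constructed-placeholder-txid", "merkle_root": merkle_root(leaves)}
    proof = merkle_proof(leaves, 2)
    print(verify_document(docs[2], proof, anchor))         # True
    print(verify_document(docs[2] + b" ", proof, anchor))  # False: one byte changed
```

The proof for a given document has to be delivered alongside it (for example embedded in the PDF or returned by the platform's verification endpoint); the example does not say where Smart Certificate stores it, only what the verifier does with it. Note that a passing check establishes existence at the anchor's block time and unchanged content since then; who issued the document is established by the signature, not by the hash.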
Thanks to these innovations, the Smart Certificate platform is able to guarantee:
- The identity of the institution
- The content of each certified document
- Respect for the privacy of recipients
- That Smart Certificate documents cannot be altered without detection
Special protection of private data
Security and privacy protection have been the number one priority since the conception of the Smart Certificate platform, through an architecture specifically designed to protect recipients' private data and their documents.
This architecture protects documents until the recipient activates them by keeping them encrypted, while ensuring that the decryption keys are not stored on the issuing server. This constraint ensures that:
- ownership of the data remains with the organisation and the recipient;
- an external intrusion, however unlikely, could only ever yield data encrypted with strong encryption algorithms;
- the European legislative framework on personal data is respected.
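The encrypt-until-activation design described here and in the DATABASE section (data encrypted per recipient under a 256-bit key, decrypted only once the recipient accepts the terms, with no decryption key kept on the issuing server), as an added example that is not Smart Certificate's own code. It models the record the server stores and the activation step. What the server keeps is only a salt, a nonce, the ciphertext and an integrity tag; the key is re-derived from an activation secret that travels only in the link sent to the recipient, so a copy of the database alone cannot decrypt anything. Assumptions not on the page, also marked in the code: PBKDF2 as the key derivation function (`hash_name="sha1"` reproduces the "SHA1 + 256-bit key" pattern the page describes, SHA-256 is used by default), the iteration count, a GUID as record identifier, and the cipher itself, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag that stands in for AES-256-GCM so the example runs with the standard library only. The sample personal data are constructed.

```python
"""Encrypt-until-activation with no decryption key on the issuing server.

Added example, not Smart Certificate code. Assumptions not on the page:
PBKDF2 as KDF, the iteration count, GUID record identifiers, and an
HMAC-SHA256 CTR keystream plus encrypt-then-MAC tag standing in for
AES-256-GCM. Use a real AEAD in production.
"""
import hashlib
import hmac
import json
import os
import secrets
import uuid
from typing import Optional, Tuple

KDF_ITERATIONS = 200_000  # assumed value; raise it to fit your latency budget
KEY_LEN = 32              # 256-bit key, as stated on the page


def derive_key(activation_secret: str, salt: bytes, hash_name: str = "sha256") -> bytes:
    """PBKDF2 over the activation secret. hash_name='sha1' reproduces the
    'SHA1 + 256-bit key' pattern on the page; sha256 is the better default."""
    return hashlib.pbkdf2_hmac(hash_name, activation_secret.encode(),
                               salt, KDF_ITERATIONS, dklen=KEY_LEN)


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys so the two uses never share inputs."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes) -> dict:
    """Encrypt-then-MAC; aad binds the ciphertext to its record so records cannot be swapped."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_sealed(key: bytes, box: dict, aad: bytes) -> Optional[bytes]:
    """Returns None on any tag mismatch: wrong key, altered record or wrong aad."""
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, box["nonce"] + aad + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, box["tag"]):
        return None
    stream = _keystream(enc_key, box["nonce"], len(box["ct"]))
    return bytes(c ^ k for c, k in zip(box["ct"], stream))


def issue(store: dict, personal_data: dict) -> Tuple[str, str]:
    """Issuer side. Stores the encrypted record and returns the GUID plus the
    activation secret to embed in the recipient's link. The secret is not kept."""
    guid = str(uuid.uuid4())
    secret = secrets.token_urlsafe(32)
    salt = os.urandom(16)
    key = derive_key(secret, salt)
    box = seal(key, json.dumps(personal_data).encode(), aad=guid.encode())
    store[guid] = {"salt": salt, **box, "activated": False}  # no key material stored
    return guid, secret


def activate(store: dict, guid: str, activation_secret: str, accepted_terms: bool) -> dict:
    """Recipient side. Decryption happens only after the terms are accepted and
    only succeeds with the secret from the link for this exact GUID."""
    if not accepted_terms:
        raise PermissionError("terms and conditions not accepted")
    rec = store[guid]
    key = derive_key(activation_secret, rec["salt"])
    plaintext = open_sealed(key, rec, aad=guid.encode())
    if plaintext is None:
        raise ValueError("invalid activation secret or tampered record")
    rec["activated"] = True
    return json.loads(plaintext)


if __name__ == "__main__":
    store = {}  # stand-in for the SQL table
    data = {"name": "A. Recipient", "email": "a@example.org"}  # constructed sample
    guid, secret = issue(store, data)
    print(sorted(store[guid]))  # salt, nonce, ct, tag, activated: nothing that decrypts
    print(activate(store, guid, secret, accepted_terms=True) == data)
```

Because the server never sees the activation secret again after the link is sent, a lost link cannot be recovered from the database; the page's second decryption path, the issuer's password-protected private key, is what covers that case and is not modelled here.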
The architecture also makes it possible to provide an authenticated document, allowing a third-party verifier to confirm that the document received by the recipient was actually issued through the Smart Certificate platform and has not been modified since.
In addition to the security architecture put in place to protect private data, the Smart Certificate platform uses the most advanced Internet security technologies. Aware of the sensitivity of the data handled by the platform, we have specified and implemented a security bulwark around our data processing, communication channels and storage system.