Data Center Certifications & Safeguards
OneSpan Sign is hosted in multiple data centers across the globe for high availability. We’ve partnered with market leaders in cloud infrastructure services – Amazon Web Services (AWS), IBM SoftLayer, and Microsoft Azure – that operate, manage and control all of our hosting components, from the host operating system and virtualization layer through to the physical security of the facilities in which the services operate.
OneSpan Sign Compliance Audits & Certifications
OneSpan Sign meets additional security and compliance requirements set forth by third-party evaluators for its e-signature application.
ISO/IEC 27001 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO/IEC 27002 best practice guidance. The basis of this certification is the development and implementation of a rigorous security program, centered on an Information Security Management System (ISMS) that defines how OneSpan Sign continuously manages security in a holistic, comprehensive manner.
OneSpan takes a structured approach to cloud security by implementing a series of best practices to comply with ISO/IEC 27017, the standard that sets out specific requirements and controls for cloud security services. ISO/IEC 27017 is designed to assist in the recommendation and implementation of controls for cloud-based organizations. It is relevant not only to organizations that store information in the cloud, but also to providers that offer cloud-based services to other companies which may hold sensitive information. The standard builds on ISO/IEC 27002, but allows specific controls to be added for the needs of cloud organizations and their end users.
OneSpan meets the standard for protecting customer data in the cloud as an ISO/IEC 27018 certified organization. ISO/IEC 27018 is a code of practice that focuses on the protection and privacy of personal data in the cloud. It is based on the ISO/IEC 27002 information security standard and provides implementation guidance applicable to the storage of Personally Identifiable Information (PII) in a public cloud. It also provides a set of additional controls and associated guidance intended to address public cloud PII protection requirements not covered by the existing ISO/IEC 27002 control set.
SOC 2 Type II
The Service Organization Control (SOC) 2 attestation is among the highest standards for cloud security and data protection. It recognizes our commitment as a service organization to create and maintain the strictest controls needed to ensure the highest quality and security of services for our customers. OneSpan Sign has successfully completed the SOC 2 security audit and is protected against unauthorized access, use and modification.
OneSpan Sign is the first comprehensive e-signature solution available in a FedRAMP compliant cloud. We enable U.S. government agencies to securely leverage e-signatures in the cloud.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
For the U.S. healthcare industry, OneSpan Sign is compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA outlines the requirements for the management, storage and transmission of protected health information in both physical and digital form.
OneSpan Sign is “Skyhigh Enterprise-Ready” and fully satisfies the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) expands the privacy rights granted to EU individuals and places many new obligations on organizations that market to, track or manage EU personal data, regardless of where the organization is located. The GDPR emphasizes increased transparency and choice for individuals, while requiring organizations that process personal data to be responsible for it. Customers can rely on OneSpan Sign for the GDPR-compliant processing of their documents.
ESIGN Act (Electronic Signatures in Global and National Commerce Act)
OneSpan Sign complies with the Electronic Signatures in Global and National Commerce Act (ESIGN), a U.S. federal law passed in 2000 that enables the use of electronic records and signatures for commercial transactions. The Act allows organizations to adopt a uniform e-signature process across all 50 states with the assurance that records cannot be refused by a court of law solely on the basis that they were signed electronically.
UETA Act (Uniform Electronic Transactions Act)
The Uniform Electronic Transactions Act (UETA) goes hand in hand with the Electronic Signatures in Global and National Commerce Act (ESIGN), in that both were enacted to help ensure the validity of electronic contracts and the defensibility of electronic signatures. UETA gives states a framework for determining the legality of an electronic signature in both commercial and government transactions. OneSpan Sign electronic signatures comply with UETA.
eIDAS (Electronic Identification and Trusted Services Regulation)
Electronic signatures created using OneSpan Sign comply with regulation 910/2014/EC, eIDAS, which replaced the former European Directive 1999/93/EC. eIDAS establishes the criteria for the legality of e-signatures and sets out three levels of e-signature: simple, advanced and qualified. Under it, an advanced e-signature based on a qualified certificate satisfies the legal requirements of a signature in relation to data in electronic form – in the same way a handwritten signature satisfies those requirements in relation to paper-based data.
Cloud Security Alliance
We are a member of the Cloud Security Alliance. The CSA is a global association dedicated to defining and raising awareness of best practices around cloud computing and security.