Digidentity is certified against the requirements of standards, schemes and regulations

ISO/IEC 27001:2022
Information Security Management System
Digidentity has implemented and maintains an Information Security Management System (ISMS) based on requirements in ISO27001:2022. The ISMS is established to control risks regarding data and systems that process this data.
The management system includes policies, planning activities, responsibilities, practices, procedures, processes and resources to maintain a high level of information security to protect our systems and customer data.
Digidentity establishes information security based on the principles:
1] Risk-based: controls are based on risks to data and systems
2] Everyone: is responsible for correct and secure use of assets and authorisations
3] Always: security is in Digidentity's DNA
4] Security by Design: security is a starting point of every change and project
5] Security by Default: all systems are secure, and access is allowed on necessity
The ISMS manages security controls for logical and physical access, network security, human resource security, business continuity and disaster recovery, incident management and compliance.
Digidentity obtained certification in 2012 and is audited annually for compliance with ISO/IEC 27001:2022 by DNV (certificate).
ISO/IEC 27701:2019
Privacy Information Management System
Digidentity has implemented and maintains a Privacy Information Management System (PIMS) based on ISO27701:2019. The PIMS is established to control risks regarding personal data and systems that process this data.
On top of our Information Security policy, Digidentity has a documented Privacy Policy to ensure that a framework of controls is implemented to manage protection of personal data.
Digidentity establishes privacy or protection of personal data based on the principles:
1] End-user is the owner of their own data
2] Privacy by Design: privacy is built into our systems and the starting point of every change and project
3] Privacy by Default: all personal data is secure, and access is only allowed on necessity
4] Data minimisation: only process data that is needed for the defined purpose, delete data that is no longer required
5] Process only verified personal data
Digidentity performs Data Privacy Impact Analysis (DPIA) on processing of personal data when significant changes to the processing of personal data are involved. Digidentity maintains a centralised register of processing activities.
Privacy by Design aims to integrate privacy as the “default mode of operation”. The concept can be applied to systems of all kinds, such as IT systems, apps, business practices and network infrastructure.
Our Privacy Information Management System is certified against the ISO/IEC 27701:2019 standard for privacy management. We meet the requirements regarding responsibility and accountability for processing Personal Data.
With ISO/IEC 27701:2019 certification, Digidentity demonstrates to customers and stakeholders that effective measures are in place to support compliance with GDPR and other related privacy legislation.
Digidentity obtained certification in 2021 and is audited annually for compliance with ISO/IEC 27701:2019 by DNV (certificate).
ISO27017:2015
Cloud Security
Digidentity implemented information security controls compliant with ISO/IEC 27017:2015 applicable to the provision and use of cloud services. The security controls cover responsibilities such as protection of virtual environments, virtual machine hardening and configuration, maintenance procedures, logging and monitoring.
Digidentity's attestation to the ISO/IEC 27017:2015 guidance demonstrates our ongoing commitment to align with international standards and confirms that we have controls in place that are specific to cloud services.
Digidentity obtained certification in 2021 and is audited annually for compliance with ISO27017:2015 by DNV (certificate ISO27001).
The ISO27017:2015 certification is included on the ISO27001 certification.
ISO27018:2019
Securing Personal Data in the Cloud
Digidentity implemented information security controls to secure processing of personal data in the cloud compliant with ISO/IEC 27018:2019. With our ISO/IEC 27018:2019 certification, Digidentity established a baseline of security for all our services that process data in the cloud. The security measures implemented reduce security risks related to processing personal data in the cloud.
The security controls cover responsibilities such as protection of personal data in virtual environments, legal requirements of processing personal data, maintenance procedures, logging and monitoring.
Digidentity's certification to ISO/IEC 27018:2019 proves our commitment to comply with GDPR (Regulation (EU) 2016/679) and other data protection laws and regulations.
Digidentity obtained certification in 2021 and is audited annually for compliance with ISO/IEC 27018:2019 by BSI (certificate ISO27001).
The ISO27018:2019 certification is included on the ISO27001 certification.
ISO 9001:2015
Quality Management System
Digidentity has a Quality Management System (QMS) to ensure that a framework of systems and processes is implemented to achieve our quality objectives. This QMS outlines a set of rules for all Digidentity employees to preserve and enhance the quality of the products being delivered and improve customer satisfaction and experience.
The QMS ensures that a framework of controls is implemented to manage quality. It aims to:
1] Build a mutually profitable relationship with our corporate customers, ensuring their long-term success
2] Achieve our objectives for quality, cost, and planning
3] Enhance the systematic research and use of best preventive practices at all levels and ensure reliable risk management
4] Drive continual improvement and innovation based upon efficient business processes, well-defined measurements, best practices, and customer surveys
5] Develop employee competencies, creativity, and accountability through appropriate development programs and show strong management involvement and commitment
All Digidentity employees are responsible for the quality of their work. Digidentity provides training and has established systems to assist all personnel to achieve the standards required. Only by providing an outstanding service and product quality will we achieve our aims of long-term success and sustained improvements.
Digidentity maintains a Quality Management System (QMS) which is certified against the ISO 9001:2015 standard. The QMS of Digidentity provides policies and procedures to maintain and improve the quality of our services to customers.
The QMS manages quality controls for product development, service delivery and customer satisfaction.
Digidentity obtained certification in 2022 and is audited annually for compliance with ISO 9001:2015 by DNV - Business Assurance (certificate C561445).
ISO22301:2019
Business continuity is critical for Digidentity and our customers. Digidentity has implemented business continuity controls such as business continuity plans, disaster recovery plans, redundant systems and facilities to reduce the risk of disruption of our products. In the event of a continuity issue, Digidentity is able to recover our products in time and limit the disruption for our customers.
Digidentity has implemented and maintains a Business Continuity Management System (BCMS) based on ISO22301:2019. The BCMS is established to control risks regarding business continuity, disaster recovery and overall business resilience.
Digidentity establishes a framework for business continuity based on the principles:
1] Resilient by Design – plan for failure as part of normal operations
2] Continuity by Design – redundancy, fail over, recovery
3] Adaptability by Design – flexibility to scale workload
4] Safeguard employees, clients, and stakeholders
5] Protect critical business functions and operations
6] Ensure timely and effective communication
7] Minimise financial losses and reputational damage
8] Enable the recovery of business operations as soon as possible
The framework also applies to the management of the supply chain and requires those negotiating contracts to ensure appropriate Business Continuity and Information Security measures are included in contracts, where possible, so that the supplier is able to deliver acceptable levels of service.
Digidentity maintains a Business Continuity Management System (BCMS) which meets the requirements in ISO22301:2019.
Digidentity obtained certification in 2024 and is audited annually for compliance with ISO22301:2019 by DNV - Business Assurance (certificate C707812).
ETSI TS 119 461
Remote Identity Proofing
Digidentity complies with the requirements of the ETSI technical specification ETSI TS 119 461 - Policy and security requirements for trust service components providing identity proofing of trust service subjects.
This technical specification describes the security, validation and verification requirements for remote identity proofing to answer the three questions for identity proofing:
1] Is the identity document real and valid (ID validation)?
2] Is the person real and alive (liveness detection)?
3] Do the person and the identity document belong together (face comparison to bind the person to the ID)?
Digidentity has been leading the development of remote identity proofing and is the first Identity Provider that issues eIDAS High identities in The Netherlands using a fully remote identity proofing process (no physical presence required). The process takes on average eight minutes.
We also issue certificates for Qualified Electronic Signatures (QES) and Qualified Seal using our remote identity proofing process on level eIDAS High. Currently, Digidentity is the only one in Europe that is able to perform remote identity proofing for eIDAS Level High.
The use cases from ETSI TS 119 461 are included on our ETSI EN 319 411-1 and ETSI EN 319 411-2 certificates.
ETSI EN 319 401
General Policy Requirements for Trust Service Providers
Digidentity is compliant with ETSI EN 319 401 defining the general requirements for Trust Service Providers.
The ETSI EN 319 401 standard specifies baseline policy requirements on the operation and management practices of Trust Service Providers. The general requirements cover controls for access management, network security, incident management, business continuity management and compliance.
Digidentity obtained a separate certificate for ETSI EN 319 401 in 2021; before that, the certification had been included in the ETSI 319 411 certification since 2011.
Digidentity is audited annually for compliance with ETSI EN 319 401 by Attestic (certificate CT 003).
ETSI EN 319 411-1
Policy & Security requirements for TSP issuing public key certificates
Digidentity is certified against ETSI EN 319 411-1 defining the requirements for the issuance of public key certificates. Digidentity issues public key certificates for authentication, encryption, and non-repudiation as well as server certificates for authentication and encryption.
The ETSI EN 319 411-1 standard defines requirements for certificate life cycle (registration, issuance, revocation), security controls and compliance.
Digidentity obtained the certification in 2015 and is audited annually for compliance with ETSI EN 319 411-1 by Attestic (certificate CT 004).
ETSI EN 319 411-2
Policy & Security requirements for TSP issuing EU qualified certificates
Digidentity is certified against ETSI EN 319 411-2 defining the requirements for the issuance of qualified certificates for electronic signatures. Digidentity issues qualified certificates for electronic signatures for personal and business use (eSGN Qualified) and electronic Seals for organisations (eSGN Seal).
The ETSI EN 319 411-2 standard defines requirements for certificate life cycle (registration, issuance, revocation), security controls and compliance.
Digidentity obtained the certification in 2011 and is audited annually for compliance with ETSI EN 319 411-2 by Attestic (certificate CT 005).
EU Regulation 910/2014 (eIDAS) on electronic identification and trust services
Digidentity is certified against EU Regulation 910/2014 (eIDAS). eIDAS provides requirements for advanced and qualified electronic signatures, electronic Seals and electronic identification.
Digidentity issues qualified certificates for qualified electronic signatures for personal and business use (QES) and electronic Seals for organisations (Seal). Digidentity is a Qualified Trust Services Provider (QTSP) as defined in eIDAS. Digidentity is included on the EU Trust List for Trust Service Providers for issuance of EU qualified electronic certificates. Digidentity issues digital identities for eHerkenning (eID) which is eIDAS notified in Europe.
Digidentity obtained the certification in 2016 and is audited annually for compliance with eIDAS by Attestic as part of the ETSI audit (certificate CT 005).
Digidentity is also inspected annually by the Dutch Supervisory Body - Dutch Authority for Digital Infrastructure on compliance with eIDAS for both Trust Services and eID.
UK Digital Identity & Attributes Trust Framework
Digidentity is certified against the requirements from the UK Digital Identity & Attributes Trust Framework (known as Trust Framework) of the Department of Culture, Media & Sport (DCMS). The Trust Framework contains a set of rules and standards designed to establish trust in digital identity products in the UK.
Digidentity is certified as an IDSP (Identity Service Provider) to perform digital identity checks for the Right to Work (RtW), Right to Rent (RtR), and Disclosure and Barring Service (DBS) schemes, in line with the Trust Framework. Digidentity performs identity checks using the requirements in GPG44 and GPG45, which include identity document validation, biometric verification and fraud detection.
Digidentity is audited annually for compliance with the Trust Framework requirements by Kantara Initiative from the UK (Certificate of Conformance).
Digidentity is listed as a certified IDSP on the GOV.UK website.