Compliance around the world

SOC 2 Type II

• Trust Service Requirements: Detail operational effectiveness of systems to manage customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality, and privacy.
• Audit Description: Annual audits to ensure data is securely managed to protect the interests of organizations and clients.
• Product/Platform: DNSTrust
• Supervisory Authority: American Institute of Certified Public Accountants (AICPA)
• Accreditation Body/Auditor: A-Lign (DNSME)
• Geographical Applicability: Global

SOC 2 Type II / Type III

• Trust Service Requirements: Detail operational effectiveness of systems to manage customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality, and privacy.
• Audit Description: Annual audits to ensure data is securely managed to protect the interests of organizations and clients. SOC 2 replaces legacy SAS 70 reporting standard.
• Product/Platform: CertCentral, DigiCert ONE, DigiCert PKI Platform 8
• Supervisory Authority: American Institute of Certified Public Accountants (AICPA)
• Accreditation Body/Auditor: BDO (DigiCert)
• Geographical Applicability: Global

WebTrust Program for Certification Authorities (CAs)

• Trust Service Requirements: Adequacy and effectiveness of controls deployed by a Certification Authority (CA). 
• Audit Description: Annual audit performed on DigiCert's key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting DigiCert public and managed PKI CA services.
• Product/Platform: CertCentral, DigiCert ONE, DigiCert PKI Platform 8, MPKI 7 (Japan)
• Supervisory Authority: Chartered Professional Accountants of Canada (CPA Canada).
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Global

WebTrust for Baseline Requirements

• Trust Service Requirements: CA/B Forum “Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates.”
• Audit Description: Annual audit performed on DigiCert’s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting DigiCert public and managed PKI CA services.
• Product/Platform: CertCentral, DigiCert PKI Platform 8 (for S/MIME in 2024)
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Global

WebTrust for Extended Validation

• Trust Service Requirements: CA/B Forum “Guidelines for the Issuance and Management of EV Certificates.”
• Audit Description: Annual audit performed on DigiCert’s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting DigiCert public and managed PKI CA services.
• Product/Platform: CertCentral
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Global

WebTrust for Code Signing

• Trust Service Requirements: Code Signing Working Group’s Minimum Requirements for the Issuance and Management of Publicly Trusted Code Signing Certificates.
• Audit Description: Annual audit performed on DigiCert’s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting DigiCert public and managed PKI CA services.
• Product/Platform: DigiCert ONE Software Trust Manager (STM)
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Global

WebTrust for VMC

• Trust Service Requirements: Based on the Minimum Security Requirements for the Issuance of Verified Mark Certificates.
• Audit Description: Annual audit performed on DigiCert’s issuance of Verified Mark Certificates.
• Product/Platform: CertCentral
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Global

WebTrust for AATL

• Trust Service Requirements: Adobe Approved Trust List program, which verifies digital signatures in PDF documents that can be traced back to high-assurance, trustworthy certificates trusted by Acrobat and Reader.
• Audit Description: Annual audit performed on DigiCert’s issuance of Qualified Certificates.
• Product/Platform: CertCentral, DigiCert PKI Platform 8
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: BDO

WebTrust for Matter

• Trust Service Requirements: Adequacy and effectiveness of controls deployed by a Certification Authority (CA).
• Audit Description: Annual audit performed on DigiCert’s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting DigiCert private and matter PKI CA services.
• Product/Platform: DigiCert ONE IoT Trust Manager (IoT)
• Supervisory Authority: Chartered Professional Accountants of Canada (CPA Canada)
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Global

Federal PKI Policy Authority

• Trust Service Requirements: NIST SP800-53, which specifies security controls for information systems supporting the executive agencies of the U.S. federal government. Adherence to Common Policy.
• Audit Description: Annual audit of services, procedures, and practices as part of the identity federation agreement with the U.S. Government to provide services.
• Product/Platform: DigiCert Direct
• Supervisory Authority: Federal Public Key Infrastructure Policy Authority (FPKIPA)
• Accreditation Body/Auditor: Federal Public Key Infrastructure Policy Authority (FPKIPA)
• Geographical Applicability: United States

DirectTrust™ Accreditation Program for Certificate Authorities (CAs)

• Trust Service Requirements: Direct Standard™ and requirements of the DirectTrust Security and Trust framework.
• Audit Description: Biennial audit of CA services against a series of technical, physical, and operational criteria.
• Product/Platform: DigiCert Direct
• Supervisory Authority: DirectTrust
• Accreditation Body/Auditor: DirectTrust
• Geographical Applicability: United States

DirectTrust™ Accreditation Program for Registration Authorities (RAs)

• Trust Service Requirements: Direct Standard™ and requirements of the DirectTrust Security and Trust framework.
• Audit Description: Biennial audit of RA services against a series of technical, physical, and operational criteria.
• Product/Platform: DigiCert Direct
• Supervisory Authority: DirectTrust
• Accreditation Body/Auditor: DirectTrust
• Geographical Applicability: United States

WebTrust for Certipath

• Trust Service Requirements: Adequacy and effectiveness of controls deployed by a Certification Authority (CA).
• Audit Description: Annual audits performed on Certipath’s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting Certipath public and managed PKI CA services.
• Product/Platform: DigiCert PKI Platform 8
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Americas

WebTrust for DirectTrust

• Trust Service Requirements: Adequacy and effectiveness of physical controls deployed by a Certification Authority (CA).
• Audit Description: Annual audit performed on DigiCert’s physical management of DirectTrust CA services.
• Product/Platform: DigiCert Direct
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Americas

ISAE 3402

• Trust Service Requirements: ISAE 3402, an international assurance standard that describes Service Organization Control (SOC) engagements, which provides assurance to an organization's customer that the service organization has adequate internal controls.
• Audit Description: Annual audit on internal controls over financial reporting.
• Product/Platform: DigiCert ONE Trust Lifecycle Manager (TLM) (Japan), MPKI 7 (Japan)
• Supervisory Authority: International Auditing and Assurance Standards Board (IAASB), International Federation of Accountants (IFAC)
• Accreditation Body/Auditor: BDO Sanyu
• Geographical Applicability: Japan

ISO 27001

• Trust Service Requirements: Compliance with ISO 27001 Information Security Management Systems Requirements Specification (formerly known as BS7799-2)
• Audit Description: Annual audit to evaluate how securely an organization manages and stores its information and data in our Japan Data Center.
• Product/Platform: DigiCert ONE Trust Lifecycle Manager (TLM) (Japan), MPKI 7 (Japan)
• Supervisory Authority: International Organization for Standardization
• Accreditation Body/Auditor: BDO Sanyu
• Geographical Applicability: Japan

Gatekeeper Public Key Infrastructure Framework

• Trust Service Requirements: Digital ID Policy Branch, Gatekeeper PKI Framework v3.1 (research)
• Audit Description: Annual audit that cover protective security governance, personnel security, information security and physical security.
• Product/Platform: Gatekeeper (product), MPKI 7 system 
• Supervisory Authority: Australian Government Department of Finance 
• Accreditation Body/Auditor: Sekuro
• Geographical Applicability: Australia 

ZertES Qualified Certification Services Provider

• Trust Service Requirements: Swiss Law and ETSI standards for Qualified Certification Service Providers (CSP) and Time Stamping Authorities.
• Audit Description: Annual audit of QuoVadis Trustlink Schweiz AG to ensure conformity with the requirements for Qualified and Regulated Certificates and Qualified Time-Stamps.
• Product/Platform: TrustLink (QuoVadis legacy), CertCentral/DigiCert ONE
• Supervisory Authority: Swiss Accreditation Service (SAS), Bundesamt für Kommunikation (BAKOM)
• Accreditation Body/Auditor: KPMG
• Geographical Applicability: Switzerland

Netherlands Qualified Trust Services Provider 

• Trust Service Requirements: ETSI EN 319 411-1, ETSI EN 319 411-2, Regulation (EU) nº 910/2014
• Audit Description: Annual audit of QuoVadis Trustlink Netherlands BV for accreditation to be a Qualified Trust Services Provider (QTSP), to issue Qualified Certificates for Electronic Signature, Electronic Seal, Website Authentication and Qualified Time-Stamps.
• Product/Platform: TrustLink (QuoVadis legacy), CertCentral/DigiCert ONE
• Supervisory Authority: RDI
• Accreditation Body/Auditor: BSI (QuoVadis legacy), TayllorCox (DigiCert Europe)
• Geographical Applicability: Netherlands – but applies across the European Union.

Trust Service Provider (TSP) for PKIoverheid

• Trust Service Requirements: ETSI EN 319 411-1, ETSI EN 319 411-2, PKIoverheid Program of Requirements standards to issue Qualified Certificates for Electronic Signature, Electronic Seal and Website Authentication under the Staat der Nederlanden Root.
• Audit Description: Annual audit to maintain accreditation as a TSP for the Dutch government.
• Product/Platform: TrustLink (QuoVadis legacy), CertCentral/DigiCert ONE
• Supervisory Authority: Logius Policy Management Authority for PKIoverheid
•  Accreditation Body/Auditor: BSI (QuoVadis legacy), TayllorCox (DigiCert Europe)
•  Geographical Applicability: Netherlands

Belgium Qualified Trust Services Provider

• Trust Service Requirements: ETSI EN 319 411-1, ETSI EN 319 411-2, Regulation (EU) nº 910/2014
• Audit Description: Annual audit of DigiCert Europe Belgium BV for accreditation to be a Qualified Trust Services Provider (QTSP), to issue Qualified Certificates for Electronic Signature and Electronic Seal.
• Product/Platform: TrustLink (QuoVadis legacy), CertCentral/DigiCert ONE
• Supervisory Authority: Belgian FPS Economy - Quality and Safety
• Accreditation Body/Auditor: BSI (QuoVadis legacy), TayllorCox (DigiCert Europe)
• Geographical Applicability: Belgium – but applies across the European Union.

WebTrust Program for Certification Authorities (CAs)

• Trust Service Requirements: Adequacy and effectiveness of controls deployed by a Certification Authority (CA).
• Audit Description: Annual audit performed on DigiCert’s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting DigiCert public and managed PKI CA services.
• Product/Platform: TrustLink (QuoVadis legacy)
• Supervisory Authority: Chartered Professional Accountants of Canada (CPA Canada)
• Accreditation Body/Auditor: Ernst & Young (EY)
• Geographical Applicability: Global

WebTrust for Baseline Requirements

• Trust Service Requirements: CA/B Forum "Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates."
• Audit Description: Annual audit performed on DigiCert’s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting DigiCert public and managed PKI CA services.
• Product/Platform: TrustLink (QuoVadis legacy)
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: EY
• Geographical Applicability: Global

WebTrust for Extended Validation

• Trust Service Requirements: CA/B Forum “Guidelines for the Issuance and Management of EV Certificates.”
• Audit Description: Annual audit performed on DigiCert’s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting DigiCert public and managed PKI CA services.
• Product/Platform: TrustLink (QuoVadis legacy)
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: EY
• Geographical Applicability: Global

WebTrust for Code Signing

• Trust Service Requirements: Code Signing Working Group’s Minimum Requirements for the Issuance and Management of Publicly Trusted Code Signing Certificates.
• Audit Description: Annual audit performed on DigiCert’s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting DigiCert public and managed PKI CA services.
• Product/Platform: TrustLink (QuoVadis legacy)
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: EY
• Geographical Applicability: Global

WebTrust for S/MIME

• Trust Service Requirements: CA/B Forum “Guidelines for the Issuance and Management of S/MIME Certificates.”
• Audit Description: Annual audit performed on DigiCert’s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting DigiCert public and managed PKI CA services.
• Product/Platform: CertCentral (EU), TrustLink (QuoVadis legacy)
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: EY
• Geographical Applicability: Global