������

SOC 2 Type II

• Trust Service Requirements: Detail operational effectiveness of systems to manage customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality, and privacy.
• Audit Description: Annual audits to ensure data is securely managed to protect the interests of organizations and clients.
• Product/Platform: DNSTrust
• Supervisory Authority: American Institute of Certified Public Accountants (AICPA)
• Accreditation Body/Auditor: A-Lign (DNSME)
• Geographical Applicability: Global

��

SOC 2 Type II / Type III

• Trust Service Requirements: Detail operational effectiveness of systems to manage customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality, and privacy.
• Audit Description: Annual audits to ensure data is securely managed to protect the interests of organizations and clients. SOC 2 replaces legacy SAS 70 reporting standard.
• Product/Platform: CertCentral, ������ ONE, ������ PKI Platform 8
• Supervisory Authority: American Institute of Certified Public Accountants (AICPA)
• Accreditation Body/Auditor: BDO (������)
• Geographical Applicability: Global

��

WebTrust Program for Certification Authorities (CAs)

• Trust Service Requirements: Adequacy and effectiveness of controls deployed by a Certification Authority (CA).��
• Audit Description: Annual audit performed on ������'s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting ������ public and managed PKI CA services.
• Product/Platform:��CertCentral, ������ ONE, ������ PKI Platform 8, MPKI 7 (Japan)
• Supervisory Authority: Chartered Professional Accountants of Canada (CPA Canada).
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Global

��

WebTrust for Network Security

• Trust Service Requirements: CA/B Forum "Network and Certificate Systems Security Requirements"
  
• Audit Description: Annual audit performed on ������’s Network and Certificate Systems Security compliance against the CA/B Forum Baseline Network Security Requirements.
  
• Product/Platform:��CertCentral, ������ ONE, ������ PKI Platform 8, TrustLink (QuoVadis Legacy) supporting CA infrastructure.
• Supervisory Authority: CPA Canada
  
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Global

WebTrust for Baseline Requirements

• Trust Service Requirements: CA/B Forum “Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates.”
• Audit Description: Annual audit performed on ������’s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting ������ public and managed PKI CA services.
• Product/Platform: CertCentral, ������ PKI Platform 8 (for S/MIME in 2024)
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Global

��

WebTrust for Extended Validation

• Trust Service Requirements: CA/B Forum “Guidelines for the Issuance and Management of EV Certificates.”
• Audit Description: Annual audit performed on ������’s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting ������ public and managed PKI CA services.
• Product/Platform: CertCentral
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Global

��

WebTrust for Code Signing

• Trust Service Requirements: Code Signing Working Group’s Minimum Requirements for the Issuance and Management of Publicly Trusted Code Signing Certificates.
• Audit Description: Annual audit performed on ������’s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting ������ public and managed PKI CA services.
• Product/Platform: ������ ONE Software Trust Manager (STM)
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Global

��

WebTrust for S/MIME

• Trust Service Requirements: CA/B Forum “Guidelines for the Issuance and Management of S/MIME Certificates.”
• Audit Description:��Annual audit performed on ������’s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting ������ public and managed PKI CA services.
• Product/Platform: CertCentral (EU), TrustLink (QuoVadis legacy)
• Supervisory��Authority: CPA Canada
• Accreditation��Body/Auditor: EY
• Geographical��Applicability: Global

WebTrust for VMC

• Trust Service Requirements: Based on the Minimum Security Requirements for the Issuance of Verified Mark Certificates.
• Audit Description: Annual audit performed on ������’s issuance of Verified Mark Certificates.
• Product/Platform: CertCentral
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Global

��

WebTrust for AATL

• Trust Service Requirements: Adobe Approved Trust List program, which verifies digital signatures in PDF documents that can be traced back to high-assurance, trustworthy certificates trusted by Acrobat and Reader.
• Audit Description: Annual audit performed on ������’s issuance of Qualified Certificates.
• Product/Platform: CertCentral, ������ PKI Platform 8
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: BDO

��

WebTrust for Matter

• Trust Service Requirements: Adequacy and effectiveness of controls deployed by a Certification Authority (CA).
• Audit Description: Annual audit performed on ������’s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting ������ private and matter PKI CA services.
• Product/Platform: ������ ONE IoT Trust Manager (IoT)
• Supervisory Authority: Chartered Professional Accountants of Canada (CPA Canada)
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Global

��

Federal PKI Policy Authority

• Trust Service Requirements: NIST SP800-53, which specifies security controls for information systems supporting the executive agencies of the U.S. federal government. Adherence to Common Policy.
• Audit Description: Annual audit of services, procedures, and practices as part of the identity federation agreement with the U.S. Government to provide services.
• Product/Platform: ������ Direct
• Supervisory Authority: Federal Public Key Infrastructure Policy Authority (FPKIPA)
• Accreditation Body/Auditor: Federal Public Key Infrastructure Policy Authority (FPKIPA)
• Geographical Applicability: United States

��

DirectTrust™ Accreditation Program for Certificate Authorities (CAs)

• Trust Service Requirements: Direct Standard™ and requirements of the DirectTrust Security and Trust framework.
• Audit Description: Biennial audit of CA services against a series of technical, physical, and operational criteria.
• Product/Platform:�������� Direct
• Supervisory Authority: DirectTrust
• Accreditation Body/Auditor: DirectTrust
• Geographical Applicability: United States

��

DirectTrust™ Accreditation Program for Registration Authorities (RAs)

• Trust Service Requirements: Direct��Standard™ and requirements of the DirectTrust Security and Trust framework.
• Audit Description: Biennial audit of RA services against a series of technical, physical, and operational criteria.
• Product/Platform:�������� Direct
• Supervisory Authority: DirectTrust
• Accreditation Body/Auditor: DirectTrust
• Geographical Applicability: United States

��

WebTrust for Certipath

• Trust Service Requirements: Adequacy and effectiveness of controls deployed by a Certification Authority (CA).
• Audit Description:��Annual audits performed on Certipath’s key management cycle management authority (CA) business practices disclosures and CA environmental controls supporting Certipath public and managed PKI CA services.
• Product/Platform: ������ PKI Platform 8
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Americas

��

WebTrust for DirectTrust

• Trust Service Requirements: Adequacy and effectiveness of physical controls deployed by a Certification Authority (CA).
• Audit Description: Annual audit performed on ������’s physical management of DirectTrust CA services.
• Product/Platform: ������ Direct
• Supervisory Authority: CPA Canada
• Accreditation Body/Auditor: BDO
• Geographical Applicability: Americas

��

ISAE 3402

• Trust Service Requirements: ISAE 3402, an international assurance standard that describes Service Organization Control (SOC) engagements, which provides assurance to an organization's customer that the service organization has adequate internal controls.
• Audit Description: Annual audit on internal controls over financial reporting.
• Product/Platform: ������ ONE Trust Lifecycle Manager (TLM) (Japan), MPKI 7 (Japan)
• Supervisory Authority: International Auditing and Assurance Standards Board (IAASB), International Federation of Accountants (IFAC)
• Accreditation Body/Auditor: BDO Sanyu
• Geographical Applicability: Japan

��

ISO 27001

• Trust Service Requirements: Compliance with ISO 27001 Information Security Management Systems Requirements Specification (formerly known as BS7799-2)
• Audit Description: Annual audit to evaluate how securely an organization manages and stores its information and data in our Japan Data Center.
• Product/Platform: ������ ONE Trust Lifecycle Manager (TLM) (Japan), MPKI 7 (Japan)
• Supervisory Authority: International Organization for Standardization
• Accreditation Body/Auditor: BDO Sanyu
• Geographical Applicability: Japan

��

Gatekeeper Public Key Infrastructure Framework

• Trust Service Requirements:��Digital ID Policy Branch, Gatekeeper PKI Framework v3.1 (research)
• Audit Description: Annual audit that cover protective security governance, personnel security, information security and physical security.
• Product/Platform:��Gatekeeper (product), MPKI 7 system��
• Supervisory��Authority: Australian Government Department of Finance��
• Accreditation��Body/Auditor: Sekuro
• Geographical��Applicability: Australia��

��

ZertES Qualified Certification Services Provider

• Trust Service Requirements: Swiss Law and ETSI standards for Qualified Certification Service Providers (CSP) and Time Stamping Authorities.
• Audit Description: Annual audit of QuoVadis Trustlink Schweiz AG to ensure conformity with the requirements for Qualified and Regulated Certificates and Qualified Time-Stamps.
• Product/Platform: TrustLink (QuoVadis legacy), CertCentral/������ ONE
• Supervisory Authority: Swiss Accreditation Service (SAS), Bundesamt für Kommunikation (BAKOM)
• Accreditation Body/Auditor: KPMG
• Geographical Applicability: Switzerland

��

Netherlands Qualified Trust Services Provider��

• Trust Service Requirements: ETSI EN 319 411-1, ETSI EN 319 411-2, Regulation (EU) nº 910/2014
• Audit Description: Annual audit of QuoVadis Trustlink Netherlands BV for accreditation to be a Qualified Trust Services Provider (QTSP), to issue Qualified Certificates for Electronic Signature, Electronic Seal, Website Authentication and Qualified Time-Stamps.
• Product/Platform: TrustLink (QuoVadis legacy), CertCentral/������ ONE
• Supervisory Authority: RDI
• Accreditation Body/Auditor: BSI (QuoVadis legacy), TayllorCox (������ Europe)
• Geographical Applicability: Netherlands – but applies across the European Union.

��

Trust Service Provider (TSP) for PKIoverheid

• Trust Service Requirements: ETSI EN 319 411-1, ETSI EN 319 411-2, PKIoverheid Program of Requirements standards to issue Qualified Certificates for Electronic Signature, Electronic Seal and Website Authentication under the Staat der Nederlanden Root.
• Audit Description: Annual audit to maintain accreditation as a TSP for the Dutch government.
• Product/Platform: TrustLink (QuoVadis legacy), CertCentral/������ ONE
• Supervisory Authority: Logius Policy Management Authority for PKIoverheid
• ��Accreditation Body/Auditor: BSI (QuoVadis legacy), TayllorCox (������ Europe)
• ��Geographical Applicability: Netherlands

��

Belgium Qualified Trust Services Provider

• Trust Service Requirements: ETSI EN 319 411-1, ETSI EN 319 411-2, Regulation (EU) nº 910/2014
• Audit Description: Annual audit of ������ Europe Belgium BV for accreditation to be a Qualified Trust Services Provider (QTSP), to issue Qualified Certificates for Electronic Signature and Electronic Seal.
• Product/Platform: TrustLink (QuoVadis legacy), CertCentral/������ ONE
• Supervisory Authority: Belgian FPS Economy - Quality and Safety
• Accreditation Body/Auditor: BSI (QuoVadis legacy), TayllorCox (������ Europe)
• Geographical Applicability: Belgium – but applies across the European Union.