Security 101 03-31-2021

How DigiCert Ensures the Integrity of Certificates: FAQs about DigiCert Compliance & Infrastructure

Brenda Bernal

The majority of Fortune 500 companies and many Global 2000 organizations rely on DigiCert’s 14-plus years of experience in delivering cloud-based authentication solutions to millions of their users and devices worldwide. We take this responsibility seriously and are committed to making the internet a safer space through ensuring the integrity of our certificates and continually improving our processes. To accomplish this, we institute several extensive security practices to maintain trust of these systems and we submit to regular audits by independent third parties.

Frequently asked questions

What does DigiCert do to secure its infrastructure?

DigiCert is focused on a preventative strategy to maintain trust and ensure the integrity of our infrastructure. Our best practices to secure our infrastructure include:

  • Implementing multi-factor authentication on our physical security infrastructure
  • Restricting infrastructure access to trusted employees
  • Secure key management, storing keys in encrypted formats
  • Implementing safeguards to protect against DDoS, web application, resources attacks, etc.
  • Separating duties with role-based administration and access
  • Providing dedicated monitoring through DigiCert and third-party global services
What is DigiCert certified for?

Besides our own extensive security policies and practices, our solutions are regularly audited and certified by independent third parties across the world. DigiCert holds several global certifications in addition to about half a dozen U.S.-based certifications, two in Japan, and several across Europe and the EU.

Some of our notable certifications include:

  • EiDAS certified
  • SSAE-18 SOC 2 Type II and III
  • WebTrust™ for Certification Authorities
  • WebTrust™ for Baseline Requirements
  • WebTrust™ for Extended Validation
  • WebTrust™ for Code Signing
  • EU Qualified Trust Service Provider (QTSP)

View all of our certifications here.

What audits do we participate in?

DigiCert participates in about 25 audits a year. View this datasheet for a list of all the audits and accreditations we participate in.

Where are your data centers located?

DigiCert has localized data centers in the United States, Japan, Australia and Europe, with more locations coming in 2021. This geographical distribution maintains load balancing of all our critical web infrastructure globally. All our equipment is dual-powered and covered by redundant cooling systems. Additionally, all critical network and system components are fault tolerant.

Is DigiCert FedRAMP authorized?

No, DigiCert has not achieved a FedRAMP ATO and it is not currently on our compliance roadmap to pursue.

If I have an EU Qualified Signing Certificate issued by QuoVadis can I use it in another EU country?

Yes. Signatures issued by one member state must be recognized in other member states.

What certification best describes DigiCert’s compute control environment?  How can I get a copy?

The SOC 2/3 (SSAE-18) provides the controls overview of our data center infrastructure and compute environment.  The SOC 3 is a short form that can be distributed to the public. The SOC 2 version is the more detailed form that requires a mutual NDA to be signed to receive a copy.

Proven operational excellence

DigiCert is a proven leader in delivering a world-class, reliable and secure cloud-based infrastructure. With over 5 billion validations happening every year, DigiCert has proven its operational excellence for the past 14 years by delivering the expertise, ease of use and security that customers love. For more information, contact our security experts at pki_info@digicert.com.

UP NEXT
PKI

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories

07-03-2024

What is a CA’s Role in delivering digital trust?

Why certificate automation is an absolute must

11-15-2024

4 steps to secure the IIoT device lifecycle