Swisscom Trust Services is a pure platform service that provides the legally required signature services as a remote signature to many European customers in a highly standardized and regulated manner using standard workflows for processing. The standard contract for this purpose has been submitted to the supervisory authorities and audited accordingly. Swisscom Trust Services, therefore, does not provide any project-specific services within the scope of the signature or registration or expenses for contract procedures that deviate from the standard contractual workflow, except separately commissioned consulting services in advance.
We can therefore offer all customers and partners the same favorable prices according to the service and price list. We appreciate your understanding.
This also applies in this respect and in particular (but not exclusively):
- Conclusion of all additional agreements and contracts, e.g., Code of Conducts, agreements for inclusion in the supplier directory, procurement policies, anti-corruption directives, project- or customer-specific GTCs, data protection declarations, data protection processing, etc., as these could also undermine the standardized, regulated contracts.
- Contract changes, particularly applicable law, are deviating from insurance wishes.
- Deviations from the contract processes, e.g., using additional platforms for supplier registration/contract signing.
- Special agreements on the inspection of architecture or disclosure of implementation details (e.g., backup procedures, programming, and security details such as access protection, accesses, cryptographic techniques, disaster recovery, etc.). Swisscom publishes all information on the practice of service provision in its CP/CPS (https://trustservices.swisscom.com/repository/) and the basic document for the CP/CPS. For security reasons, further details are not disclosed to any customer, so knowledge cannot be built up to design targeted attacks if necessary.
- Requests for connections to internal monitoring, Swisscom publishes faults in its service via Service Status, which can also be subscribed to within the framework of the RSS protocol. For security reasons, you won't be able to do any further intervention in the system for monitoring purposes.
The certification and trust services must describe their practices and procedures for performing a service in a so-called “CP/CPS” (Certificate Policy/Certificate Practice Statement) document. The services are audited at the beginning of the activity and regularly by state-recognized auditors. The state's recognition body (Switzerland) or supervisory body (EU) decides based on the audits on approval, continued operation, or expansion of the certification and trust services. It thus ensures a high-quality standard in the market for all signatories. In addition to the general legal requirements, numerous European standardization bodies' ETSI and CEN standards must be complied with.
The state publishes the compliance with the norms and audit standards and thus also the approval as a recognized certification or trust service on its websites: