SIGNWARD

Security & Trust

Your identity provider is your most critical dependency, so this page tells you plainly what we do, how we test it, and what we don't claim yet. If anything here is unclear, ask us

EU data residency & GDPR

  • All identity data is hosted and processed on Microsoft Azure EU regions (West Europe) — it never leaves the EU
  • Operated by an EU company (BitRoll Kft., Hungary) — your data controller relationship stays under EU jurisdiction
  • GDPR-native stack: signed DPA, consent management, data export, full tenant deletion

Authentication security

  • Passwords hashed with Argon2; tokens hashed with SHA-256; TLS on all communication
  • Passkeys (WebAuthn / FIDO2) and TOTP MFA in every plan. Passkeys give you phishing-resistant sign-in; TOTP is a fallback second factor and, like any shared-secret code, can still be phished, so prefer passkeys where you can
  • Standard OIDC / OAuth 2.0 with PKCE — no proprietary protocol in your critical path
  • Per-login risk scoring: impossible travel, new device and network patterns, brute-force velocity — high-risk attempts are challenged or blocked, and your admins are alerted
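To make the risk-scoring bullet concrete, here is a small scorer that implements the signals named above (impossible travel, new device, new network, brute-force velocity) and maps a score to allow / challenge / block. It is an added illustration written for this page, not Signward's engine; the weights, thresholds, sample users and RFC 5737 addresses are all constructed.

```python
"""Toy per-login risk scorer for the signals named above: impossible travel,
new device, new network, brute-force velocity. Added illustration, not
Signward's engine; every weight and threshold here is an assumption."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # faster than an airliner => impossible travel
MIN_TRAVEL_KM = 50.0             # ignore geolocation jitter within one city
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
BRUTE_FORCE_FAILURES = 5         # prior failures in the window before we flag velocity
WEIGHTS = {"impossible_travel": 60, "brute_force": 40, "new_device": 30, "new_network": 10}
CHALLENGE_AT, BLOCK_AT = 30, 60  # assumed policy: step-up MFA at 30, refuse at 60

@dataclass(frozen=True)
class LoginEvent:
    user: str
    at: datetime          # timezone-aware
    ip: str
    lat: float
    lon: float
    device_id: str        # e.g. a device-bound cookie or passkey credential id
    credentials_ok: bool  # did the password / passkey check itself pass?

@dataclass
class Verdict:
    user: str
    score: int
    decision: str         # "allow" | "challenge" | "block"
    reasons: list = field(default_factory=list)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def network_of(ip):
    """Coarse network key: the /24 the address sits in (an ASN lookup would be better)."""
    return str(ip_network(f"{ip}/24", strict=False))

def score_login(event, history):
    """Score one attempt against the user's earlier, non-blocked events."""
    score, reasons = 0, []
    prior = [e for e in history if e.user == event.user and e.at < event.at]
    trusted = [e for e in prior if e.credentials_ok]
    if trusted:
        last = trusted[-1]
        km = haversine_km(last.lat, last.lon, event.lat, event.lon)
        hours = (event.at - last.at).total_seconds() / 3600
        # hours may be 0 for same-second events: any real distance in no time is impossible
        if km > MIN_TRAVEL_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
            score += WEIGHTS["impossible_travel"]
            reasons.append(f"impossible travel: {km:.0f} km in {hours * 60:.0f} min")
        if event.device_id not in {e.device_id for e in trusted}:
            score += WEIGHTS["new_device"]
            reasons.append(f"new device {event.device_id}")
        if network_of(event.ip) not in {network_of(e.ip) for e in trusted}:
            score += WEIGHTS["new_network"]
            reasons.append(f"new network {network_of(event.ip)}")
    recent_failures = [e for e in prior
                       if not e.credentials_ok and event.at - e.at <= BRUTE_FORCE_WINDOW]
    if len(recent_failures) >= BRUTE_FORCE_FAILURES:
        score += WEIGHTS["brute_force"]
        reasons.append(f"{len(recent_failures)} failed attempts in the last 10 min")
    decision = "block" if score >= BLOCK_AT else "challenge" if score >= CHALLENGE_AT else "allow"
    return Verdict(event.user, score, decision, reasons)

def evaluate(events):
    """Replay events chronologically; blocked attempts never become trusted history."""
    history, verdicts = [], []
    for ev in sorted(events, key=lambda e: e.at):
        verdict = score_login(ev, history)
        verdicts.append(verdict)
        if verdict.decision != "block":
            history.append(ev)
    return verdicts

# Constructed sample traffic (RFC 5737 documentation addresses, invented users).
T0 = datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc)
BUDAPEST, SYDNEY, BERLIN = (47.4979, 19.0402), (-33.8688, 151.2093), (52.5200, 13.4050)
SAMPLE_EVENTS = [
    LoginEvent("alice", T0, "203.0.113.10", *BUDAPEST, "dev-a1", True),
    LoginEvent("alice", T0 + timedelta(days=1), "203.0.113.10", *BUDAPEST, "dev-a1", True),
    # same device, valid password, but Sydney 30 minutes after Budapest
    LoginEvent("alice", T0 + timedelta(days=1, minutes=30), "192.0.2.44", *SYDNEY, "dev-a1", True),
    # six wrong passwords for bob in six minutes, then the right one
    *[LoginEvent("bob", T0 + timedelta(days=2, minutes=m), "198.51.100.7", *BERLIN, "dev-b9", False)
      for m in range(1, 7)],
    LoginEvent("bob", T0 + timedelta(days=2, minutes=7), "198.51.100.7", *BERLIN, "dev-b9", True),
    # alice from her usual place and network, on a device we have never seen
    LoginEvent("alice", T0 + timedelta(days=3), "203.0.113.10", *BUDAPEST, "dev-a2", True),
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE_EVENTS):
        print(f"{v.user:6} {v.decision:9} score={v.score:3}  {'; '.join(v.reasons)}")
```

Two design points worth noticing: a blocked attempt is never added to the trusted history (otherwise the attacker's location becomes the new baseline), and a correct password after a burst of failures still gets challenged rather than waved through, because the velocity signal is about the account being attacked, not about whether this particular guess was right.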

Operational security

  • Strict per-tenant data isolation — every customer runs in a fully separated tenant
  • The admin plane is not reachable from the public internet — administration happens over a private VPN tunnel only
  • Daily encrypted backups to separate, private EU storage
  • Full audit log of administrative and authentication events

No lock-in, by design

  • Everything is standard OIDC / OAuth 2.0, so migrating out means registering your clients (client IDs, redirect URIs) with the new provider and swapping the authority URL
  • SDKs (.NET, Python, JavaScript, PHP) are MIT-licensed and open source
  • Built-in data export (GDPR Art. 20) — your user data is yours
  • You can run Signward in parallel with another IdP during any migration, in or out
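The "swap the authority URL" claim above (repeated in the continuity commitment below) rests on the client depending on nothing but the OIDC discovery document published under that authority. The following added example, not taken from Signward's SDKs, shows what such a client does: fetch-time validation of the discovery document (issuer match, https endpoints, PKCE support) and construction of an authorization request with PKCE S256, state and nonce. The discovery documents, authority URLs and client id are constructed for the demo; the same code runs unchanged against either provider.

```python
"""Client-side OIDC authorization request built purely from the provider's
discovery document, with PKCE (RFC 7636, S256). Added illustration, not code
from Signward's SDKs; the discovery documents below are constructed and the
authority URLs and client ids are invented."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit

def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def new_pkce_pair():
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128 range
    return verifier, pkce_challenge(verifier)

def discovery_url(authority: str) -> str:
    return authority.rstrip("/") + "/.well-known/openid-configuration"

def validate_discovery(authority: str, doc: dict) -> dict:
    """Checks a client should make before trusting a discovery document."""
    # OIDC Discovery: the issuer MUST equal the URL the document was fetched for.
    # Skipping this check is what enables issuer mix-up attacks.
    if doc.get("issuer", "").rstrip("/") != authority.rstrip("/"):
        raise ValueError(f"issuer {doc.get('issuer')!r} does not match authority {authority!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc.get(key, "")).scheme != "https":
            raise ValueError(f"{key} missing or not https")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise PKCE S256")
    return doc

def build_authorization_request(authority, doc, client_id, redirect_uri,
                                scopes=("openid", "profile", "email")):
    """Return the redirect URL plus the secrets the client must keep for the callback."""
    doc = validate_discovery(authority, doc)
    verifier, challenge = new_pkce_pair()
    state, nonce = b64url(secrets.token_bytes(16)), b64url(secrets.token_bytes(16))
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                     # bound to the browser session; checked on return
        "nonce": nonce,                     # must reappear inside the id_token
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return {
        "url": doc["authorization_endpoint"] + "?" + urlencode(params),
        "code_verifier": verifier,          # sent to token_endpoint together with the code
        "state": state,
        "nonce": nonce,
        "token_endpoint": doc["token_endpoint"],
    }

def fake_discovery(issuer: str) -> dict:
    """Constructed document with the fields any compliant provider publishes; not a real endpoint."""
    return {
        "issuer": issuer,
        "authorization_endpoint": issuer + "/connect/authorize",
        "token_endpoint": issuer + "/connect/token",
        "jwks_uri": issuer + "/.well-known/jwks.json",
        "code_challenge_methods_supported": ["S256"],
    }

if __name__ == "__main__":
    # Swapping providers changes nothing below except the authority string.
    for authority in ("https://idp-a.example", "https://idp-b.example"):
        req = build_authorization_request(authority, fake_discovery(authority),
                                          "my-app", "https://app.example/callback")
        print(discovery_url(authority), "->", req["url"])
```

The issuer check is the part people drop when they hard-code endpoints: if a client accepts a discovery document whose issuer differs from the authority it asked for, an attacker who controls one configured provider can redirect the code or token requests of another. Keeping the client this generic is also what makes the parallel-run migration described above possible: point a second client registration at the new authority and both flows work side by side.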

How we test

  • Recurring internal security reviews against the OWASP ASVS / Top 10 — every release, not once a year
  • External black-box penetration test — most recent: June 2026
  • Payments handled end-to-end by Stripe, a PCI-DSS Level 1 certified provider — card details never touch our servers

What we don't claim — yet

We don't hold a SOC 2 or ISO 27001 certification today. They're on the roadmap; at our size we'd rather tell you that plainly than imply otherwise. What you get instead is everything above, a public DPA, and direct answers from the people who built the system — usually within hours, not via a ticket queue

Our continuity commitment

We're a small EU company, and your identity provider is a critical dependency — so we want to be explicit about what happens in the worst case. If we ever had to wind Signward down, here's what we commit to

  • At least 90 days' written notice before anything stops working — never a silent cutoff
  • Your data export stays available for the entire notice period: user records and tenant configuration in standard formats you can import elsewhere
  • Because everything is standard OIDC / OAuth 2.0, moving to another provider means registering your clients there and repointing one authority URL; you can run both in parallel while you switch
  • We help you migrate hands-on during the wind-down — not a download link and silence

One honest limit: credentials don't move between providers. Password hashes aren't portable, and passkeys are bound to the relying-party ID (domain) they were registered under, so your end users would re-enroll their credentials (password, passkey or MFA) on the new system. We'd rather tell you that now than at the worst moment

Found a vulnerability? Report it to support@signward.com — we acknowledge reports quickly and won't take legal action against good-faith research

See also: Privacy Policy · Data Processing Agreement · Terms of Service