CERTInext Security Model

CERTInext is designed with a defense-in-depth security model that addresses platform security, data protection, access control, and trust operations across both SaaS and integrated CA environments. The model aligns with what enterprise Infosec teams typically evaluate for cloud-based certificate lifecycle management (CLM) and PKI platforms.


1) SaaS Security Assurance and Certifications

In the SaaS deployment model, CERTInext operates under independently validated security frameworks:

  • SOC 2 Type II certified, covering security, availability, and operational controls over time

  • ISO/IEC 27001 certified at the organizational level, ensuring a formal Information Security Management System (ISMS) with continuous risk management, controls, and audits

These certifications provide assurance that CERTInext follows structured, repeatable, and audited security practices.


2) Data Protection and Encryption

CERTInext enforces strong data protection controls across storage and transit:

  • PII and sensitive data are encrypted at rest in the database

  • When Bring Your Own Key (BYOK) is enabled, customer data is encrypted using the customer-provided encryption key

  • All data in transit between users, APIs, bots, and services is encrypted using TLS 1.2 or higher

This ensures confidentiality of certificate metadata, audit records, and operational data.


3) Application and Infrastructure Security

At the application and infrastructure layers, CERTInext applies multiple security controls:

  • Web Application Firewall (WAF) to detect and block malicious traffic, abuse patterns, and common attack vectors

  • Regular Vulnerability Assessment and Penetration Testing (VAPT) covering:

    • Application layer

    • Infrastructure layer

    • Network exposure

  • Findings are tracked and remediated as part of secure development and operations processes

These controls reduce exposure to both automated and targeted attacks.


4) Access Control and Least Privilege

Access to CERTInext systems and infrastructure is governed by the principle of least privilege:

  • Administrative and operational access is tightly restricted

  • Privileged access is granted only where required and reviewed periodically

  • Strong authentication controls are enforced for system and platform access

This minimizes the risk of unauthorized access and lateral movement.


5) In-Application Role-Based Access Control (RBAC)

Within the CERTInext application, customers control access using fine-grained RBAC:

  • Roles define what actions a user can perform

  • Groups and tags define where those actions can be performed

  • Separation of duties can be enforced between requestors, approvers, operators, and auditors

This allows customers to align platform access with internal security and governance policies.


6) Public Trust Security – emSign

Public trust operations integrated with CERTInext are provided by emSign, which operates as a WebTrust-accredited Certificate Authority.

Key aspects include:

  • Trust operations aligned with WebTrust principles and controls

  • Annual independent WebTrust audits covering CA operations, key management, issuance, revocation, and incident handling

  • Secure, audited environments for all public trust services

This ensures that publicly trusted certificates managed through CERTInext are issued and operated within globally accepted trust frameworks.


7) Additional Security Controls Relevant to Infosec Teams

CERTInext also incorporates the following security measures commonly assessed by enterprise security teams:

  • Audit logging for all administrative and certificate lifecycle actions

  • Change tracking for policies, roles, and configurations

  • Secure SDLC practices, including code reviews and security testing

  • Segregation of environments (sandbox, staging, production) in SaaS deployments

  • Monitoring and alerting for abnormal activity and operational anomalies

  • Regular backups and resilience controls aligned with HA/DR objectives


Security as a Foundational Design Principle

Security in CERTInext is not treated as an add-on; it is embedded across platform architecture, operations, and trust services. By combining certified controls, strong encryption, layered defenses, strict access governance, and audited public trust operations, CERTInext meets the security expectations of enterprise Infosec teams while enabling scalable, automated certificate lifecycle management.
