Security at NotarialOS
Notarized documents are high-trust artifacts. We design the platform around that fact — every layer is built to protect identity, document integrity, and the audit record required by Philippine law.
Regulatory framework
NotarialOS is a leading SC-accredited Electronic Notarization Facility (ENF) operating under A.M. No. 24-10-14-SC (the Supreme Court's 2024 Rules on Electronic Notarization), the Electronic Commerce Act (R.A. 8792), the Rules on Electronic Evidence, and the Data Privacy Act of 2012 (R.A. 10173). Our security program is shaped by these requirements and by the issuances of the National Privacy Commission.
Identity verification
Every electronic notarial act on the platform requires layered identity verification before the notary can proceed:
- Government-issued photo ID — captured, verified, and stored as part of the audit trail
- Facial recognition with liveness detection — matching the live person to the ID photo and rejecting recordings, masks, and deepfakes
- One-time password (OTP) — sent to a contact channel registered to the principal
- Knowledge-based authentication — used in higher-risk flows where the value or sensitivity of the document warrants it
- Recorded session — for Remote Electronic Notarization, the entire session is recorded and retained as part of the notarial record
This is materially stronger than the visual ID inspection used in traditional in-person notarization, and it is the single most important fraud safeguard in the system.
Document integrity
- Documents are accepted in PDF or PDF/A only, the formats prescribed by A.M. No. 24-10-14-SC
- Cryptographic hashes are computed at upload and re-verified before sealing
- The completed document is sealed with the notary's electronic notarial seal and digital signature, anchored to a Public Key Infrastructure (PKI) trust chain
- Any post-seal modification breaks the cryptographic seal and is immediately detectable by any standards-compliant PDF reader
- An immutable audit trail records every step from upload to delivery
Encryption
- In transit — all traffic is protected with TLS 1.2 or higher; HTTP Strict Transport Security (HSTS) is enforced; modern cipher suites only
- At rest — documents, recordings, biometric artifacts, and database contents are encrypted with industry-standard algorithms
- Key management — encryption keys are managed in dedicated key-management services with separation of duties and rotation policies
Access controls
- Role-based access for all users and operators, with least-privilege defaults
- Multi-factor authentication required for all administrative and operator access
- Detailed audit logs of administrative actions, retained per regulatory requirements
- Production access is gated, time-limited, and reviewed
- Vendor and contractor access is bound by written confidentiality and data processing agreements
Application security
- Secure software development practices, code review, and dependency monitoring
- Regular vulnerability scanning and periodic third-party penetration testing
- Strict Content Security Policy, modern HTTP security headers, and CSRF protection on all state-changing endpoints
- Rate limiting and abuse detection on authentication, identity verification, and notarial endpoints
- Continuous patch management for dependencies and infrastructure
Infrastructure
- Hosted on hardened cloud infrastructure with isolated production environments
- Network segmentation, private subnets, and bastioned access for sensitive components
- Web application firewall and DDoS protection in front of public endpoints
- Backups are encrypted, periodically tested, and retained per regulatory requirements
Recordkeeping and the SC database
Every completed notarial act is recorded in the electronic notarial book and transmitted to the Supreme Court's central electronic notarial database, as required by A.M. No. 24-10-14-SC. Receiving parties — banks, registries, courts, and counterparties — can verify a NotarialOS-issued document against the central database and against the cryptographic seal on the certified PDF itself.
Privacy and data protection
NotarialOS is a Personal Information Controller under the Data Privacy Act. We have a designated Data Protection Officer, a registered data processing system, and operating procedures that align with NPC Circulars. Personal Information Processors who support the Service are bound by written data processing agreements. Full details, including data subject rights and the DPO's contact information, are in our Privacy Policy.
Enterprise customers can review our Data Processing Addendum, which sets out our obligations as a Personal Information Processor for customer-controlled data.
Incident response
We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. Security incidents involving personal data are evaluated against the breach notification thresholds set out in NPC Circular 16-03 and reported to the National Privacy Commission and to affected data subjects within the prescribed timelines where required.
Business continuity
The platform is designed for high availability with redundant infrastructure, automated failover, and tested backup procedures. Recovery time and recovery point objectives are reviewed regularly.
Responsible disclosure
If you believe you have found a security vulnerability in our Service, please report it to [email protected]. We commit to acknowledging valid reports promptly, investigating in good faith, and not pursuing legal action against researchers who act in accordance with this policy. Please do not access or modify data that does not belong to you, do not degrade the Service, and do not disclose the vulnerability publicly until we have had a reasonable opportunity to remediate.