User Authentication

All Circit accounts are protected with a strong password enforced and two-factor authentication (2FA).

2FA can be implemented and configured to remain within the existing environment of your organisation, protected by current sign-on credentials.


To ensure the confidentiality and integrity of your files, all content is encrypted in transit and at rest with world-class encryption and key management techniques.

Multiple layers of encryption are used to support customers’ needs for reliability, security and control over their sensitive content.

Circit has partnered with Microsoft Azure to provide on-demand management of keys through the Azure Key Vault service which uses Hardware Security Modules (HSM’s) to safeguard cryptographic keys. The HSM’s are FIPS 140-2 Level 2 validated, a NIST security certification.

Content is encrypted with a one-time AES-256 symmetric key. This key is then encrypted using an asymmetric 2048 bit RSA. Circit itself never has access to the key, it simply invokes a mechanism that is provided by the Key Vault. Options are available where a customer would prefer to manage their own encryption keys.

Unchangeable audit log. All key usage is recorded in an audit log and Circit can never change that record of truth. All connections to Circit are secure and encrypted using SSL (Secure Sockets Layer). This is the same level of encryption used by leading banks and government agencies.

Audit Trail

Circit creates a comprehensive and immutable audit trail between all parties that includes a timestamp, IP address and end-user information.

Key elements of the audit trail are appended to all executed signature requests and include an identifier that can be used as a proof to lookup the corresponding transaction log if required.

These records include a cryptographic hash of any PDF document which can determine whether or not it has been modified or tampered with.

Physical Data Infrastructure

Services provided by Circit are hosted in a state-of-the-art SAS70 Type II, SSAE 16 facility that has achieved ISO 27001 certification.

Physical access is strictly controlled by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means.

Authorized staff must pass two-factor authentication no fewer than three times to access data centre floors. Circit uses multiple data centres with reliable power sources and backup systems with 99.9% SLAs and redundancy. Physical servers are located in Dublin, Ireland and failover servers are located in the Netherlands.
Communication in context. Circit’s secure messaging channel allows communication with both your client and their bank, providing direct contextual relevance to a particular request.
Raise and resolve exceptions. Queries raised by either party can be resolved as they arise, comments remain within the audit trail and turnaround time compared to a paper process is improved by close to 99%.