Security Policy
This Security Policy explains how Digital CoC approaches the protection of operationally sensitive manufacturer information across eCoC preparation, validation, signing and delivery-stage coordination.
This page provides a public security governance statement for Digital CoC. It does not replace signed security appendices, service level agreements, customer-specific security documentation or contractual commitments.
1. Introduction
Digital CoC is designed to support manufacturer eCoC programs that may involve vehicle information, approval references, XML files, VECTO files, signing preparation, process records and uploaded documents. The purpose of this Security Policy is to describe the security principles and responsibility boundaries that guide the platform.
2. Security Principles
Digital CoC applies security practices intended to support confidentiality, integrity, availability, accountability, least privilege and process visibility. Security is considered throughout preparation processes, validation processes, signing processes and delivery-stage coordination rather than as a separate afterthought.
3. Information Types Protected
The platform may protect information needed for manufacturer-controlled eCoC operations. The exact information handled depends on the customer configuration, process scope and agreed integrations.
- Vehicle information and approval references
- XML files, VECTO files and eCoC-related records
- Process information, account information and user activity records
- Uploaded documents and operational preparation records
- Integration-related information from ERP systems, API connections or customer-approved sources
4. Access Management
Access management is based on controlled permissions, account security, role-based access and operational oversight. Customer administrators and authorized users remain responsible for granting appropriate access, protecting credentials and removing access when it is no longer required.
5. Security Controls
Digital CoC uses high-level security controls appropriate to the platform context. These may include authentication controls, access controls, monitoring, operational safeguards and secure development practices. This policy does not disclose detailed infrastructure architecture or sensitive implementation details.
6. Platform Operations
Platform operations are supported by security review practices, monitoring philosophy, operational oversight and incident awareness. Operational records and process activity are intended to support accountability and review where appropriate.
7. Third-Party Dependencies
Digital CoC may rely on cloud providers, infrastructure providers, eIDAS providers, integration partners, ERP systems, API connections or other third-party services depending on customer configuration. Digital CoC is responsible for its own services and agreed controls, not for independent third-party systems, decisions or outages.
8. Incident Management
Potential security incidents are handled through detection, assessment, response and communication procedures appropriate to the event. The timing, scope and format of communication may depend on the nature of the incident, legal requirements, contractual commitments and technical feasibility. This policy does not create guaranteed response times unless separately agreed in writing.
9. Customer Responsibilities
Customers remain responsible for account security, credential protection, internal user permissions, data accuracy and lawful use of the platform. Customers also remain responsible for approval acceptance, XML acceptance, EUCARIS acceptance, NAP acceptance and regulatory compliance.
10. Limitations
Digital CoC does not guarantee uninterrupted availability, absolute security, prevention of all incidents or prevention of all third-party attacks. Security measures are based on commercially reasonable efforts and are subject to the responsibility boundaries, exclusions and limitations defined in applicable agreements.
11. Continuous Improvement
Security practices, platform safeguards and process controls may evolve over time as processes, technology, customer requirements and risk conditions change. Changes may be introduced to improve protection, reliability, maintainability or operational clarity.
12. Contact Information
Security questions may be sent to info@digitalcoc.eu. Contractual notices, security questionnaires, audit requests or customer-specific security communications may require additional formal channels defined in the applicable agreement.