Publication & Communication

1. Purpose and Scope

1.1 Purpose

This document defines the communication channels, publication obligations, and update time-intervals that the ddsign Electronic Certification Service Provider (E-CSP), operated by Centric Limited, uses to reach its User Community. It demonstrates that:

1. The modes of communication selected by the E-CSP are reasonable and sufficient to reach a majority of the User Community, including Subscribers, Relying Parties, and the general public.
2. All updates to published information are performed within the time-intervals established and committed to by the E-CSP.

1.2 Scope

This policy covers all communications from the ddsign E-CSP to the User Community, including:

• Publication of governance documents (CPS, CP, PKI Disclosure Statement, Subscriber Agreement, Relying Party Agreement, and related policies).
• Publication of certificate status information (Certificate Revocation Lists and OCSP responses).
• Notification of material changes to policies, practices, or service terms.
• Security incident and compromise notifications.
• Service availability and maintenance notifications.
• Regulatory and compliance disclosures.

1.3 Definitions

2. Communication Channels

The ddsign E-CSP employs multiple, complementary communication channels to ensure that information reaches the broadest possible segment of the User Community. No single channel is relied upon exclusively; the combination provides redundancy and maximises reach.

2.1 Channel Inventory

2.2 Reasonableness Assessment

The combination of channels is designed to reach a majority of the User Community:

• Public website: Reaches all internet users without prerequisite. Governance documents are indexed by search engines, extending discoverability.
• PKI repository: Reaches relying party applications automatically. Every certificate validation triggers a CRL or OCSP lookup, reaching 100% of active relying party transactions.
• Email: Reaches 100% of registered Subscribers at their verified address. Delivery success rates are monitored; bounced addresses trigger alternative-channel follow-up.
• In-app notifications: Secondary path for users whose email may be delayed or filtered.
• SMS: Independent of internet connectivity for critical alerts.
• CRM (sand-social.com): Ensures every inbound Subscriber communication via support@ddsign.ae is documented, tracked, and responded to within committed timeframes.

Together, these channels cover pull-based access (website, repository) for the general public and relying parties, and push-based delivery (email, in-app, SMS) for registered Subscribers. This layered approach ensures that no single point of failure can prevent the User Community from receiving essential communications.

3. Publication Obligations and Time-Intervals

The following tables define the information the E-CSP is obligated to publish, the channels used, the committed time-intervals, and the governing reference.

3.1 Governance Document Publications

3.2 Certificate Status Publications

3.3 Notifications to Subscribers

4. Advance Notice for Material Changes

4.1 What Constitutes a Material Change

A change is considered material if it:

• Alters the obligations or rights of Subscribers or Relying Parties.
• Changes the identity proofing or verification requirements.
• Modifies the certificate profile, key usage, or validity period.
• Introduces, removes, or changes fees.
• Changes the data processing purposes, categories, or third-party disclosures.
• Alters the revocation grounds or procedures.
• Changes the governing law or dispute resolution mechanism.

4.2 Notice Period and Procedure

For material changes, the E-CSP shall:

1. Publish the proposed new version on the website, clearly marked as forthcoming with the effective date.
2. Send a notification to all registered Subscribers via email and in-app notification, summarising the change and linking to the full text.
3. Allow a minimum of thirty (30) days between notification and the effective date.
4. Provide a mechanism for Subscribers to raise objections or questions during the notice period.

4.3 Non-Material Changes

Non-material changes (typographical corrections, formatting, clarification without altering effect) may be published immediately without advance notice, but shall be reflected in the version history of the affected document.

5. Publication Infrastructure

5.1 Website and PKI Repository Availability

• Uptime target: 99.5% availability per calendar month, measured at the network edge.
• Redundancy: Hosted on infrastructure with automated failover. CRL and OCSP endpoints served from multiple points.
• TLS protection: All endpoints served over TLS 1.2 or higher.
• Monitoring: Automated uptime monitoring with alerting. Downtime exceeding 30 minutes triggers incident response and status page update.

5.2 CRM and Subscriber Correspondence Tracking

All inbound and outbound Subscriber communications are documented and tracked through the sand-social.com CRM platform:

• Inbound channel: All emails from Subscribers sent to support@ddsign.ae are automatically ingested into the CRM, creating a ticketed record with timestamp, sender, and full message content.
• Interaction history: Every interaction with a Subscriber -- including email exchanges, support requests, certificate lifecycle events, and status updates -- is logged against the Subscriber's CRM record, providing a complete communication history.
• Audit trail: The CRM maintains an immutable log of all communications, providing verifiable evidence that Subscriber queries were received and responded to within committed timeframes.
• Response-time monitoring: The CRM tracks time-to-first-response and time-to-resolution for each interaction, enabling compliance demonstration.

5.3 Email Notification Infrastructure

• Sender authentication: SPF, DKIM, and DMARC records configured for the ddsign.app sending domain.
• Bounce handling: Hard bounces flagged within 24 hours. Alternative channel (in-app or SMS) used if email delivery fails.
• Delivery logging: All outbound notifications logged with timestamp, recipient, subject, and delivery status.

5.4 Version Control of Published Documents

• Every published document includes a version number and effective date.
• A version history table within each document shows all prior versions and change summaries.
• Prior versions are archived and remain accessible for the retention period defined in the CPS.

6. Compliance Monitoring

6.1 Automated Monitoring

• CRL freshness: Automated checks verify the CRL is re-issued within the 24-hour cycle. Alert raised if nextUpdate is within 2 hours of expiry without renewal.
• OCSP responder: Synthetic queries issued at regular intervals to confirm operational status.
• Website availability: External uptime monitoring confirms endpoints are reachable and serving expected content.

6.2 Manual Reviews

• Quarterly review: The Policy Authority reviews publication logs to confirm governance documents were published within the 24-hour commitment.
• Notification audit: Quarterly sample of outbound notifications reviewed for delivery success and timeliness.
• Annual audit: The E-CSP compliance audit verifies publication timeliness and communication channel effectiveness.

6.3 Evidence Retention

The following evidence is retained for audit purposes:

• Publication log: date, time, document published, channel, responsible officer.
• Notification log: date, time, recipient (or count), channel, subject, delivery status.
• CRL issuance log: issuance timestamp, serial number, nextUpdate value.
• OCSP responder logs: query timestamp, certificate queried, response status.
• Website deployment log: deployment timestamp, content changed, deploying officer.
• CRM interaction logs: full correspondence trail per Subscriber, response times.

All logs are retained for a minimum of seven (7) years in accordance with the CPS and the Kenya Information and Communications Act.

7. Roles and Responsibilities

8. Cross-References

This document should be read in conjunction with: