Soft Certificate Service Overview

Cogito delivers a fully managed Soft Certificate Service designed for organisations requiring high-assurance digital identity, signing, and authentication. The service is operated entirely within Australia by security-cleared personnel, ensuring full sovereignty, trusted operations, and compliance with Australian Government standards.
Our soft certificates are issued under Cogito’s Gatekeeper-accredited PKI, enabling secure identity assurance for applications such as PEXA signing, government workflows, and enterprise authentication. The service includes complete lifecycle management supported by resilient infrastructure, strict governance, and robust security controls.
1. Comprehensive Certificate Lifecycle Management
Cogito manages the full lifecycle of each certificate, ensuring continuity, compliance, and security from issuance through retirement.
Issuance
Certificates are issued under Cogito’s Gatekeeper-accredited Certificate Authority following formal identity verification and organisation registration. Keys are generated securely within managed HSM-backed environments.
Renewal
Renewal is handled automatically or on request prior to expiry. Lifecycle policies ensure no interruption to signing or authentication services.
Revocation
Revocation requests are accepted through authenticated channels and processed promptly. Certificate Revocation Lists (CRLs) are updated in accordance with Gatekeeper and ISM requirements.
Key Management
Private keys are stored within FIPS 140-2 compliant, HSM-backed key stores. Cogito manages secure key generation, storage, and cryptographic material handling as part of its accredited PKI operations.
2. Operational Resilience
Cogito operates mature Business Continuity and Disaster Recovery capabilities that ensure service reliability and rapid recovery in the event of disruption.
Australian Hosting
All services are hosted in Australian Government–certified Tier 3 (or higher) data centres with redundant power, network, and environmental controls.
High Availability Architecture
Systems operate in a geo-diverse, redundant configuration to provide continuity in the event of site or infrastructure loss.
Data Protection & Replication
Continuous data replication across multiple data centres supports rapid failover and preserves certificate lifecycle integrity.
Backup Practices
Daily encrypted backups are maintained using Veeam and verified through monthly restore tests.
Service Availability
Cogito targets >99.95% uptime, with certificates typically issued or revoked within minutes to a few hours depending on validation requirements.
3. Security and Compliance
Cogito’s Soft Certificate Service is built on independently audited, government-aligned security frameworks.
Certifications and Assessments
- ISO/IEC 27001:2022 certified across PKI, managed services, and hosting operations
- IRAP assessed annually against the Australian Government Information Security Manual (ISM)
- Gatekeeper accredited, ensuring compliance with national standards for digital identity and signing
- DISP certified, supporting adherence to the Protective Security Policy Framework
Sovereign Operations
All hosting, data, and operational processes are conducted exclusively within Australia. No offshore storage, processing, or subcontracting occurs.
Assurance & Testing
Periodic third-party penetration tests and compliance audits are conducted, with executive summaries available under NDA for client assurance.
4. Subcontracting and Supply Chain Integrity
Cogito maintains full control over PKI operations to ensure trusted delivery and governance.
- No PKI operations, Certificate Authority functions, or lifecycle management processes are subcontracted.
- All critical services are performed by Cogito’s NV1/NV2 security-cleared personnel.
- Data centres used are Australian Government–certified and operated under Cogito’s direct control.
- Supplier governance includes formal vetting, DISP/IRAP compliance reviews, and continuous security monitoring via Cogito’s internal SIEM.
This tightly controlled supply chain ensures that cryptographic material, key lifecycle operations, and PKI functions remain secure, sovereign, and auditable.
5. Governance and Incident Management
Cogito maintains a structured, ISO-aligned governance model to manage risk, compliance, and incident response.
Governance Framework
The service is governed under Cogito’s ISO/IEC 27001 ISMS, overseen by the ISMS Governance Board and DISP security officers.
Incident Response
Incidents are classified, escalated, and investigated in line with Cogito’s Cyber Security Incident Response Plan.
Clients are notified promptly if any event affects service integrity, availability, or confidentiality.
Post-Incident Reviews
Root Cause Analyses (RCAs) are conducted for all significant incidents, and remediation actions are tracked to completion under formal governance controls.
Reporting and Assurance
Cogito provides assurance reporting and security documentation, and participates in customer audits or due diligence processes as required.