1. Does Signzy Extraction API work without network connectivity?

    The Signzy SaaS offering requires internet connectivity at the client's end to make the API a hit on Signzy Servers. For No Internet Scenarios, clients can also choose to leverage Signzy’s offline SDK for extraction of OVD.



2. Image formats supported as input:

    Signzy APIs support input fields such as Text strings and Images. Signzy AI APIs (i.e Extraction, ID classification, text match, etc.) support below mentioned formats as input:

  1. JPG

  2. PNG

  3. PDF

  4. TIFF




3. Is the AI API result dependent on the image input image orientation?

        Signzy’s AI APIs work effectively for both horizontal and vertical orientation of the images.

 

4. What APIs can be deployed in offline SDK mode? 

        Any APIs that do not require online verification of connecting to 3rd party Databases can be deployed over an offline SDK model e.g. Extraction APIs, Classification APIs, Image Quality APIs. As of now Signzy Extraction APIs such as PAN, DL, Passport extraction available in SDK mode.


5. What is the difference between offline and Online SDK? Why should a client prefer an online SDK over API?

        SDKs provide greater control for developers to choose what they want to pull and when. SDK includes the API but also provides code fragments to the client developers to build the flow easily. SDK provides greater control for the developer over UI. 

    Offline SDK solutions do not need to make a real time API call and hence can also work with no connectivity. However since the processing power of phones is very limited its recommended that client hits APIs only deployed on SIgnzy cloud which uses high performance CPUs and GPUs 



6. Does Signzy Extraction Service support the extraction of data in multiple languages?

    Signzy can train models to extract customer details in the language as desired by the customer. As of now we extract customer information written in English.


7. Which APIs are deployed on-premise?    

        APIs that do not require any 3rd party verification sources or government databases can be deployed over the client’s premises. Below mentioned APIs can be deployed over Client’s Premise

  1. Matcher APIs (Name, Date, Text, Address)

  2. Extraction / OCR APIs (Individual OVDs, Entity OVDs, Cancelled Cheques)

  3. ID Classification

  4. Image Quality

 

8. Are the applications based on secure coding guidelines (examples- OWASP guide, SANS CWE Top 25, CERP Secure Coding, etc). Prevent common coding vulnerabilities in software development processes.

        Signzy follows OWASP guidelines during the development process. Team follows the ISO 27001 process and controls which are reviewed at least annually.


9. For resources exposed by Web services, it's important to make sure any PUT, POST, and DELETE request is protected from Cross Site Request Forgery. Typically, one would use a token-based approach.

            Signzy uses the token based authorization within HTTP headers to prevent attacks like CSRF.


10. Is data for any API is encrypted or not, if yes what are the encryption algorithms/encryption techniques are used

            Signzy APIs do not encrypt data by default. But all communications happen via a secured SSL channel.


 11. Does Signzy support multi-factor authentication mechanisms?    

                No Signzy does not support multi factor authentication mechanism


12. How does Signzy ensure that the Session identifiers are validated at the time of every request by the server to verify that the requesting user is an authenticated user.

            Signzy uses RESTful APIs where each request contains all the state information to process, and such session tokens aren't stored persistently on the client side.



13. Does Signzy maintain Security logs are available for login/logout success and failures for audit purposes?

            Yes, Signzy maintains Security logs are available for login/logout success and failures for audit purposes.

 

14. Is Customer sensitive data stored in Audit Logs?

            No customer-sensitive data will not be stored in audit logs.


15. Can OCR over indian OVDs extract customer data in vernacular languages

            As of now Signzy Extraction APIs (PAN, Aadhaar, Voter ID, PassPort) are only reading customer data in the English language. If required Signzy can train models to read and extract customer information from OVDs in different languages but that would be a custom request.


16. Does we disclose 3rd party vendors through which we have partnered for various APIs

            Sales does not reveal the name of the partners or 3rd party vendors through which any of the APIs that we are talking to any of the customers. If a situation where any customer is adamant regarding the name of the 3rd party vendors then client communication would be a Sales call.


17. Which APIs are available in SDK mode?

Currently we have SDKs available for Pan, Aadhaar Card and Passport extraction APIs only.


18. How frequently the data in internal Signzy Db updated such as NDD data or MCA data

            Internal database updation happens at varied frequency, depending upon the frequency at which data is updated at the sources. For NDD, internal DBs are synced/updated every 6 months and for MCA internal DBs are synced/updated every month.


19. The number of records available in each database?

            The overall number of records in the databases is not static and keeps on changing as databases are updated by the respective Govt agencies in their lists. Overall , the number of records in these databases would be close to 4.5-5 lakh records.


20. What is the frequency of updates for each database? 

            The frequency of data update varies from database to database, we ensure every quarter these databases are updated, however the database can be updated if required as per the needs of the clients.


21. Scenario: Client has an existing database of xx Lakhs customers since xx years. They have stored their address proof in PDF format. 

        Requirement :-


    1. They want to identify the type of the ID. 

Available Solution : ID Classification API  

2. Extract ID No. and other information

Available Solution : Extraction API

3. Masked Aadhar 

Available Solution : Mask UID API etc


Concern :

  1.  Can this be done for past data i.e data from 2016 to 2020?

Yes, it can be done

  1.  How will they do it for a database of xx Lakhs?

Can automate this whole process. The API technically will still work in the same way doing cases one by one.

  1.  Is it possible to upload individual files/pdf/images through batch mode?

Possible, but we would expect Public URLs or Signzy URLs in the batch mode file to accomplish this. Another way round is to run a simple script to upload all these images from any folder and create public URLs for these.

  1.  Can Signzy do it using SFTP for the client? - 

Yes, it can be done. But it will be a custom request. It would be better if they can create public URLs or Signzy URLs so that this can be accomplished using less effort from our side.

 


22. Access to fetch at 'https://preproduction.signzy.tech/api/v2/patrons/login' from origin 'http://localhost:3000' has   been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. 

If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled. 

The behavior client-facing here is the result of a protection mechanism set by default by most of the   browsers to comply with its same-origin policy against a class of vulnerability cross-origin resource sharing.

Though this is something that could be a problem in web-hosted pieces of stuff only and could not be exploited in a local host environment We will go ahead and whitelist the http://localhost:3000 in the CORS configuration of the servers which should resolve the issue client-facing.

 

https://docs.google.com/document/d/1sSUwB6kPDp8Ip39EbhzHym29ipd56BVJ98zJaNEZ1Pc/edit?usp=sharing -- technical explanation provided to client

Jira:  https://signzy.atlassian.net/browse/INFRATEAM-2103

 

There is a bigger security risk here actually. If they are making login requests from the front-end then they are saving the credentials on a front-end file. If an attacker reads it and makes requests then they'll be liable to pay. This is a big security risk.




23. What happens if the user uploads an OVD-front side picture in both front and back?
        In this scenario the API response will have half of the information and generally this won’t give any output.



24. What happens if the user uploads an OVD-back side picture in front & vice-versa?


        We do not support such scenarios in our API and this is not the correct method to extract the data. Also this will give blank output.


25. What happens if I upload the front side of my OVD & back side of someone else's OVD?

            

            We do not support such scenarios in our API and this is not the correct method to extract the data. Also this will give a blank output. This is not the correct method here. Other competitors support this, we don't, which is our flaw. This is currently not supported and you're required to insert the images in correct order 



Notes :


  • Default API call limits for the Pre Production environment is 50 calls per API unless changed explicitly while account creation.

  • In the Pre Production environment from the Admin console we can extend the rate limit of API calls.

  • In the Production environment there are no limits for API calls.