On this page
- Why People Contact Us
- How to Reach Us
- Response Times
- What Is a QWAC and Why Does It Matter
- eIDAS and PSD2: What Canadian Organizations Need to Know
- Certificate Lifecycle: What Happens After You Contact Us
- Who We Work With
- Technical Prerequisites to Prepare Before Contacting Us
Have a question about qualified website authentication certificates, TLS compliance, or PSD2 requirements? This page explains how to reach the right team, what to prepare before contacting us, and what to expect from the process.

Why People Contact Us
Most inquiries fall into a few clear categories. Knowing which one fits your situation helps us respond faster and with more relevant information.
Common reasons to get in touch:
- You need a Qualified Website Authentication Certificate (QWAC) for PSD2 or open banking compliance
- Your organization is evaluating eIDAS-compliant certificates for cross-border EU/Canada operations
- You have a TLS certificate that is expiring or was revoked and need a replacement path
- You are a fintech or financial institution assessing digital identity obligations under Canadian or European regulation
- You need technical documentation, certificate policy details, or audit reports
- You are a developer integrating certificate-based authentication into an API or payment gateway
If your question does not fit these categories, reach out anyway. Certificate and compliance questions are rarely simple, and a short conversation often saves hours of independent research.
How to Reach Us
Use the contact form on this page for all general, technical, and compliance-related questions. Provide as much context as possible in the message field — the more specific your question, the more useful the first response will be.
What to include in your message:
| Field | What to Write |
|---|---|
| Organization type | Bank, fintech, SaaS provider, government, other |
| Certificate type needed | QWAC, TLS/SSL, eIDAS, other |
| Regulatory context | PSD2, open banking, Canadian OSFI guidelines, none |
| Timeline | How urgently you need the certificate or answer |
| Technical environment | Apache, Nginx, Azure, AWS, on-premise HSM, other |
Incomplete inquiries are answered, but may require a follow-up exchange before any actionable guidance can be provided.
Response Times
We do not promise 24-hour turnaround on every inquiry because some questions require input from compliance officers or technical architects. Here is what you can realistically expect:
| Inquiry Type | Typical Response Time |
|---|---|
| General product questions | 1 business day |
| Technical integration questions | 1–2 business days |
| Compliance or legal questions | 2–3 business days |
| Custom enterprise certificate requests | 3–5 business days |
| Urgent revocation or security incidents | Same day (mark as urgent) |
If you have a time-sensitive situation — for example, a QWAC that was revoked 24 hours before a regulatory audit — mark the subject line clearly as urgent. These are triaged separately.
What Is a QWAC and Why Does It Matter
Before contacting us, it helps to know what category of certificate you actually need. Many organizations come in asking for "an SSL certificate" when what they need is a Qualified Website Authentication Certificate with specific regulatory attributes.
A QWAC is a type of TLS certificate defined under the EU's eIDAS regulation (Regulation 910/2014). It carries legally validated organizational identity information inside the certificate itself, which standard DV or OV TLS certificates do not provide.
Key differences between certificate types:
| Certificate Type | Identity Validation | eIDAS Compliant | PSD2 Compatible | Use Case |
|---|---|---|---|---|
| DV (Domain Validated) | Domain only | No | No | Basic HTTPS |
| OV (Organization Validated) | Organization name | No | No | General business sites |
| EV (Extended Validation) | Legal entity | No | No | E-commerce, trust signals |
| QWAC | Legal entity + regulatory attributes | Yes | Yes | Open banking, PSD2, fintech APIs |
For Canadian fintechs operating in or connecting to EU markets, the regulatory obligation to use QWACs under PSD2 Article 34 applies to any third-party provider (TPP) accessing account data via open banking APIs. This is not optional — a standard OV or EV certificate will not satisfy a compliant ASPSP (bank) API gateway.
eIDAS and PSD2: What Canadian Organizations Need to Know
Canada does not currently have a direct equivalent to eIDAS, but Canadian financial institutions and payment service providers connecting to European banking infrastructure must comply with EU requirements on the EU side of the connection.
Practical implications:
- A Canadian fintech registered as a TPP under PSD2 must present a valid QWAC to access EU bank APIs
- The QWAC must be issued by a Qualified Trust Service Provider (QTSP) listed on an EU Member State's Trusted List
- Certificate attributes must include the PSP authorization number and the National Competent Authority identifier
- Certificates have a maximum validity period — currently capped and subject to CA/Browser Forum and eIDAS 2.0 updates rolling out through 2026
Under eIDAS 2.0, which began broader implementation across EU member states in 2025 and continues into 2026, requirements for QWAC issuance and audit have become more stringent. If your organization holds a QWAC issued before 2024, it is worth verifying that the certificate attributes still comply with updated technical standards (ETSI EN 319 411-2, ETSI EN 319 412-5).
Certificate Lifecycle: What Happens After You Contact Us
Understanding the process ahead of time prevents delays. Certificate issuance is not instant — it involves identity verification steps that cannot be shortcut.
Typical QWAC issuance process:
- Initial inquiry and scoping call
- Organization identity verification (legal entity documents, register extracts)
- Regulatory authorization verification (PSD2 license number, NCA confirmation)
- Technical requirements review (key size, SAN configuration, HSM requirements)
- Certificate Signing Request (CSR) submission
- Issuance and delivery
- Installation support (optional)
- Ongoing renewal planning
Steps 2 and 3 are where most delays occur. Having your authorization documentation ready — particularly your PSD2 license number from your national regulator — cuts the timeline significantly.
Estimated timelines by scenario:
| Scenario | Estimated Time to Issuance |
|---|---|
| Standard QWAC, full documentation ready | 5–10 business days |
| QWAC with missing regulatory docs | 15–25 business days |
| TLS/OV certificate | 1–3 business days |
| Emergency replacement (revoked cert) | 1–2 business days (expedited process) |
Who We Work With
Our clients range from established Canadian Schedule I banks exploring open banking infrastructure to early-stage fintechs preparing for their first PSD2 authorization. We also work with:
- Payment processors integrating with EU acquirers
- Identity verification providers building eIDAS-compliant flows
- Legal and compliance teams advising financial institutions on digital identity obligations
- Software vendors embedding certificate management into financial platforms
- Government-adjacent organizations handling sensitive digital transactions
If you are unsure whether your use case fits, the answer is almost always: yes, reach out. A short exchange clarifies things faster than trying to self-diagnose from regulatory documents.
Technical Prerequisites to Prepare Before Contacting Us
If your question is technical rather than commercial, prepare the following before sending your message. It will make the response more precise.
For TLS/QWAC installation questions:
- Server software and version (Apache 2.4, Nginx 1.25, IIS 10, etc.)
- Operating system
- Whether you use an HSM (hardware security module) and which model
- Current certificate's expiry date and CA name
- Error messages or browser warnings you are seeing (exact text)
For compliance questions:
- Your organization's jurisdiction of registration
- Whether you hold a PSD2 license, and from which NCA
- Which EU member states' bank APIs you are connecting to
- The specific regulatory requirement you are trying to meet (cite the article if possible)
Providing this upfront reduces back-and-forth and gets you to a usable answer faster.
Start a conversation
Tell us what needs to work.
Share the certificate type, the regulated service and the technical environment. A short brief is enough to start.
Frequently asked questions
Practical answers
What is the difference between a QWAC and a standard SSL certificate?
A standard SSL/TLS certificate (including DV, OV, and EV types) authenticates a domain and sometimes an organization, but it does not carry the legally recognized identity attributes required by eIDAS or PSD2. A QWAC is issued by a Qualified Trust Service Provider under strict EU audit requirements and contains specific regulatory fields — including PSP authorization numbers — that make it legally valid for open banking API access in the EU.
Do Canadian companies need a QWAC if they are not operating in Europe?
If your systems exclusively operate within Canada and do not connect to EU-regulated banking APIs, you do not need a QWAC for EU compliance purposes. However, as Canada's open banking framework matures through 2026 and beyond, similar certificate standards may be adopted domestically.
How long does a QWAC remain valid, and what happens when it expires?
Under current CA/Browser Forum rules and eIDAS technical standards, QWAC validity periods have been progressively shortened. As of 2026, maximum validity is governed by both eIDAS 2.0 implementing acts and CA/B Forum Baseline Requirements, which trend toward shorter cycles (currently 397 days for publicly trusted TLS, with QWAC-specific rules layered on top).
Can you help with certificate revocation if there has been a security incident?
Yes. If a private key has been compromised, a certificate was issued incorrectly, or you are responding to a security incident requiring immediate revocation, contact us and mark the inquiry as urgent.