Csign: Proposal for Enterprise Readiness
Current Project Status: vote pending
Amount Received: ₳0
Amount Requested: ₳600,000
Percentage Received: 0.00%
Solution

Csign, ready for users, will leap to enterprise-grade. Funds support legal and compliance requirements, accelerating Cardano’s adoption in regulated industries and expanding its user base.

Problem

Enterprise adoption of Cardano is hindered by a lack of privacy-focused solutions. There’s a need for secure, on-chain signing tools that meet enterprise standards and leverage Cardano’s strengths.

Please describe your proposed solution

How do you perceive the problem you are solving?

Our solution addresses the critical need for enterprise-grade security, legal compliance, and operational integrity for Csign, our private document signing service built on Cardano. We are focusing on three key areas:

  1. Code Security Audit: To identify and address potential vulnerabilities, ensuring the highest level of security for our users' sensitive documents.
  2. Legal Retainer: To establish a strong legal foundation and ongoing support, crucial for navigating the complex regulatory landscape of enterprise-level operations.
  3. SOC1 & SOC2 Certification: To demonstrate our commitment to security, availability, processing integrity, confidentiality, and privacy of customer data, which is essential for enterprise trust.

Csign will launch publicly in fall 2024, and while it will be functional for users and businesses, enterprise adoption requires a significant leap in security and compliance standards. We recognize that to attract large-scale, regulated industries to the Cardano ecosystem, we must meet stringent requirements for data protection, legal compliance, and operational transparency.

Our project will engage:

  • External security auditors and penetration testers
  • Legal professionals specializing in technology law
  • Compliance consultants and auditors
  • Our internal development and management teams
  • Potentially, enterprise-level users in regulated industries

We will demonstrate impact through:

  • Successful completion of security audits and implementation of recommendations
  • Establishment of robust legal frameworks and response mechanisms
  • Attainment of SOC1 and SOC2 certifications

Uniqueness and Importance to Cardano

Our solution is unique in its comprehensive approach to elevating a Cardano-based service to enterprise-grade standards. By achieving these benchmarks, Csign will become one of the first Cardano projects to be fully prepared for adoption by large, regulated industries. This is crucial for Cardano as it demonstrates the blockchain's capability to support enterprise-level applications, potentially opening doors for wider adoption in the business world. The primary beneficiaries will be enterprise users requiring high-security document signing services, but the broader Cardano ecosystem will also benefit from increased credibility and potential for institutional adoption. This project is important to Cardano as it bridges the gap between blockchain technology and traditional enterprise requirements, paving the way for more widespread, real-world use cases.

Please define the positive impact your project will have on the wider Cardano community

Csign will serve as a practical application of Cardano’s capabilities, showcasing its potential for secure document signing. By providing a reliable service, we aim to attract both individual users and businesses, thereby driving adoption and expanding the Cardano network.

By offering a blockchain-based solution for document signing, Csign will bolster Cardano's reputation in the enterprise sector. This enhanced credibility can lead to increased interest from institutional investors and foster partnerships with established companies, further legitimizing the platform.

The success of Csign can inspire other developers to create similar applications on Identus and Cardano, promoting ecosystem growth. This diversification can attract more developers and users, creating a positive feedback loop that benefits the entire community.

Leveraging Hyperledger Identus for identity solutions, Csign will contribute to the development of decentralized identity technologies on Cardano. This advancement will not only benefit our project but also enhance the overall capabilities of the blockchain ecosystem.

We will track user adoption by monitoring the number of individual and business users of Csign. User feedback through testimonials and satisfaction surveys will provide insights into our service's effectiveness.

We will actively seek partnerships with other projects in the Cardano ecosystem, promoting opportunities for integration with or enhancement of Csign’s technology to drive collective growth.

What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?

Csign is functional and will launch in the fall of 2024. We’ve validated our approach from a technical perspective, worked closely with the Hyperledger Identus (Atala PRISM) team, and have been featured in public presentations both online and in person (https://x.com/csign_io/status/1826340524623888810).

We have been active in the Identus (Atala PRISM) developer and contributor community, and thanks to a Fund 11 Catalyst grant, Jon Bauer and Roberto Carvajal are writing “Mastering Identus: A Developer’s Handbook”, which is a developer-centric technical reference for developing with Identus (Atala PRISM). Csign was built with early versions of Identus, before it was open sourced, and we have helped the project by reporting bugs and contributing fixes and workarounds.

Beyond Atala PRISM, our team is made up of highly experienced digital product designers and engineers. We have created applications for the world’s most famous brands, and are excited to be working together on cutting-edge digital identity product ideas.

What are the key milestones you need to achieve in order to complete your project successfully?

Milestone 1: Initial Security Assessment and Legal Setup (1 Month)

Basic vulnerability scanning: $5,000

Pre-audit activities: $500

Initial legal retainer fee: $10,000

Total: $15,500

Milestone 2: In-Depth Code Review and Legal Services (2 Months)

In-depth manual code review: $15,000

Legal services for 2 months: $5,000

Total: $20,000

Milestone 3: SOC Preparation and Legal Services (2 Months)

Readiness Assessment: $10,000

Risk Assessment: $2,000

Policy Documentation Assistance: $8,000

Legal services for 2 months: $5,000

Interviews for Penetration Testing

Total: $25,000

Milestone 4: Security Implementation and Legal Services (2 Months)

Remediation & security awareness training: $2,000

Security and Monitoring Tools: $8,000

Penetration Testing: $18,000

Legal services for 2 months: $5,000

Total: $33,000

Milestone 5: SOC Audit Execution (2 Months)

SOC 2 Type 1 Audit: $20,000

SOC 1 Type 1 Audit: $15,000

Compliance Management Software: $5,000

Legal Review of Agreements: $5,000

Total: $45,000

Final Milestone (Milestone 6): Project Completion and Ongoing Support (2 Months)

Project Lead/Dedicated Employee (4 months): $50,000

External Consultants: $15,000

Staff Training and Security Awareness: $2,000

Initial Annual Maintenance: $2,000

Additional expenses (including productivity loss): $2,500

Total: $71,500

Who is in the project team and what are their roles?

Matthew Merino - CEO

x: https://x.com/matthewbmerino

linkedin: https://www.linkedin.com/in/matthewbmerino/

Jon Bauer - Product Lead

x: https://x.com/coveloper

linkedin: https://www.linkedin.com/in/jonbauer/

Roberto Carvajal - Lead Engineer

x: https://x.com/netkrash

linkedin: https://www.linkedin.com/in/robertocarvajal/

Mal Som - Product Design

x: https://x.com/errthangisalive

linkedin:

We have worked together on Csign for well over a year and have been present at both Rare Bloom 2023 in Denver and Rare Evo 2024 in Las Vegas.

Matthew graduated from New York University’s Stern School of Business in 2020, where he earned a double major in Finance and Data Science. In addition to co-founding and investing in Csign, he actively manages his investment portfolio.

Jon is an iOS developer who has been building software products since 1995, from the early days of the web, through the e-commerce revolution, and to modern-day mobile and large-scale platform deployments. Jon has worked on number one app store titles like Pandora Music, and built applications for major brands such as Visa, Gatorade, and the Grammys.

Roberto is a full stack developer with a background in security and encryption. He has crafted advanced SSI applications and is currently co-authoring a definitive resource for identity software developers with Jon, titled, “Mastering Identus: A Developer’s Handbook”.

Mal has led the design efforts for major companies like Zalando, Edmunds, and BlockFi.

Please provide a cost breakdown of the proposed work and resources

Code Security Audit - $25,000

  • Basic vulnerability scanning: $5,000
  • In-depth manual code review: $15,000
  • Pre-audit activities: $500
  • Remediation & security awareness training: $2,000
  • Additional expenses: $2,500

Legal Retainer - $25,000

  • Initial retainer fee: $10,000
  • Estimated monthly legal services (6 months): $2,500 per month
  • Total for 6 months of legal services: $15,000

SOC1 & SOC2 Budget Breakdown - $160,000

Audit Costs

  • SOC 2 Type 1 Audit: $20,000
  • SOC 1 Type 1 Audit: $15,000

Preparation and Readiness

  • Readiness Assessment: $10,000
  • Risk Assessment: $2,000
  • Policy Documentation Assistance: $8,000

Staff and Consultants

  • Project Lead/Dedicated Employee: $50,000 (4 months)
  • External Consultants: $15,000 (limited engagement)

Security Tools and Infrastructure

  • Compliance Management Software: $5,000
  • Security and Monitoring Tools: $8,000

Legal and Administrative

  • Legal Review of Agreements: $5,000
  • Staff Training and Security Awareness: $2,000

Additional Costs

  • Penetration Testing: $18,000
  • Productivity Loss: Factor in 10% productivity loss for involved staff

Ongoing Maintenance

  • Initial Annual Maintenance: $2,000 (budgeted for first few months post-certification)

Csign is built on Hyperledger Identus, an open-source Self-Sovereign Identity (SSI) framework that is part of the Hyperledger suite of blockchain and identity projects. Hyperledger Identus, formerly known as Atala PRISM, provides components to develop decentralized identity solutions adhering to widely recognized SSI standards.

Csign has been working with Identus since its version 2 beta and has become an active participant in its developer and contributor community.

How does the cost of the project represent value for money for the Cardano ecosystem?

Hyperledger Identus infrastructure is too complex and expensive for companies to run in-house.

Unlike traditional “web2” applications, Self-Sovereign Identity applications require multiple servers and services interacting as Issuers, Holders and Verifiers, as well as dedicated servers for horizontally scaled Mediators, which negotiate secure messages between peers.

By abstracting the complexity away into Csign and Csign API, the Cardano community will be able to leverage the power and privacy of SSI at a much lower cost, on a per-agreement or subscription basis. We hope making this technology accessible to everyone will add tremendous value to a variety of Cardano-based applications. We believe in the future of the Cardano Ecosystem and we want to partner with you all! Thank you for your consideration!
