Chapter 18 NCAC 07J

18 ncac 07j .0404 certification of standing A technology provider applicant shall certify in its application that it: (1) is currently registered to do business in North Carolina or has a certificate of authority to do business in North Carolina; and (2) is in current-active stat…

18 ncac 07j .0405 notary services in other jurisdictions A technology provider applicant's application shall provide the following information for each state, federally recognized tribe, or nation in which it has offered the same or similar services within the previous 10 years: …

18 ncac 07j .0406 compliance contact A technology provider applicant shall name a compliance contact on its application who shall: (1) be an employee; (2) be a key individual; (3) successfully complete the Department's electronic notary public course; and (4) successfully complet…

18 ncac 07j .0407 compliance contact duties A technology provider's compliance contact shall, for the duration of the provider's authorization: (1) have the duty to monitor the provider's compliance with: (a) Chapter 10B of the General Statutes; and (b) the rules in this Chapter;…

18 ncac 07j .0408 third-party vendors included in electronic notary solution A technology provider applicant shall list on its application any third-party vendors providing services to the technology provider in connection with the electronic notary solution for which it seeks au…

18 ncac 07j .0409 third-party vendor information A technology provider applicant shall provide the following information for each third-party vendor listed on its application: (1) the type of service that the vendor provides to the applicant; and (2) which, if any, of the third-p…

18 ncac 07j .0410 supporting vendors A technology provider applicant shall list on its application any supporting vendors providing the following services to the technology provider in connection with the electronic notary solution for which it seeks authorization: (1) cloud serv…

18 ncac 07j .0411 supporting vendor information A technology provider applicant shall specify the type of service provided by each supporting vendor listed on its application. History Note: Authority G.S. 10B-4; 10B-106; 10B-125(b); 10B-126; 10B-134.15; 10B-134.17; 10B-134.19; 10…

18 ncac 07j .0412 vendors with access to notarial transaction data A technology provider applicant shall disclose on its application the names of all vendors, business entities, and any of their affiliates that will have access to notarial transaction data when at rest. History N…

18 ncac 07j .0413 disclosure of certifications and compliance reports A technology provider applicant shall disclose on its application each independent third-party certification, SOC 2 Type 2 compliance report, or equivalent pertaining to the electronic notary solution for which…

18 ncac 07j .0414 disclosure of debarments A technology provider applicant shall disclose on its application if it or any of its key individuals is now or has ever been the subject of a debarment by a state, federally recognized tribe, or nation, and for each: (1) whether the deb…

18 ncac 07j .0415 disclosure of voluntary exclusions in lieu of debarment A technology provider applicant shall disclose on its application: (1) whether, within 10 years of its application, the applicant or any of its key individuals have agreed to voluntary exclusion in lieu of …

18 ncac 07J .0416 disclosure of civil legal actions A technology provider applicant shall disclose on its application all findings in civil legal actions, including arbitration: (1) made within 10 years of its application date; (2) that are against the applicant or any of its key…

18 ncac 07j .0417 content of civil legal action disclosures A technology provider's application disclosure pursuant to Rule .0416 of this Section shall include: (1) a description of each finding or admission; (2) a copy of the document containing the finding or admission; (3) a b…

18 ncac 07j .0418 disclosure of disciplinary actions A technology provider shall disclose on its application any disciplinary actions: (1) taken against it or any of its key individuals by any state, federally recognized tribe, or nation's government; and (2) concluded within 10 …

18 ncac 07j .0419 content of disciplinary action disclosures For each disciplinary action listed pursuant to Rule .0418 of this Section, a technology provider shall disclose: (1) the date of each disciplinary action; (2) the disciplinary action taken; (3) a copy of each disciplin…

18 ncac 07j .0420 disclosure of bankruptcy A technology provider applicant shall disclose on its application whether the applicant is in, or has previously exited within the past 10 years, bankruptcy proceedings pursuant to the laws of the United States or other nation. History N…

18 ncac 07j .0421 contents of bankruptcy disclosure A technology provider applicant that discloses a bankruptcy pursuant to Rule .0420 of this Section shall state: (1) the status of the matter; (2) the style of the case, including the case number; and (3) the court in which the b…

18 NCAC 07J .0422 WEBSITE INFORMATION The application of a technology provider applicant shall include: (1) the single URL link required by Rule .0607 of this Subchapter; and (2) the form required by 18 NCAC 07B .0422(6). History Note: Authority G.S. 10B-4; 10B-106; 10B-125(b); 1…

18 NCAC 07J .0423 IT SECURITY AUDIT SUMMARY The application of a technology provider applicant shall include: (1) how often the applicant conducts IT security audits; and (2) the IT security audit summary required by Rule .0621 of this Subchapter. History Note: Authority G.S. 10B…

SECTION .0500 – TECHNOLOGY DEMONSTRATION 18 ncac 07j .0501 solution availability required After submitting its application, a technology provider applicant shall make its electronic notary solution available to the Department for evaluation as specified in the rules in this Subch…

18 ncac 07j .0502 demonstration content A technology provider's demonstration of its electronic notary solution shall establish that the features, functionality, and instructional materials for users comply with the rules in this Subchapter. History Note: Authority G.S. 10B-4; 10…

18 ncac 07j .0503 demonstration to include use of solution in notarial transaction A technology provider's demonstration of its electronic notary solution shall include a step-by-step exhibition of how the electronic notary solution will be used for notarial transactions. History…

18 ncac 07j .0504 additional demonstrations Upon request by the Department, a technology provider applicant shall provide additional demonstrations of its electronic notary solution to establish: (1) resolution of issues identified in a prior demonstration; and (2) compliance wit…

18 ncac 07j .0505 waiver of demonstration requirement The Department may waive the requirement that a technology provider applicant provide the demonstration required by Rule .0501 of this Section based upon the factors in 18 NCAC 07B .0108. History Note: Authority G.S. 10B-4; 10…

SECTION .0600 – TECHNOLOGY PROVIDER STANDARDS 18 NCAC 07J .0601 SCOPE The rules in this Section apply to electronic notary solutions. History Note: Authority G.S. 10B-4; 10B-106; 10B-125(b); 10-126; 10B-134.15; 10B-134.17; 10B-134.19; 10B-134.21; 10B-134.23; Eff. January 1, 2007;…

18 ncac 07j .0602 notary account access A technology provider shall ensure that only the notary public, the technology provider, or a person authorized by law can access the notary's: (1) account information; (2) journals; (3) communication technology recordings; (4) session reco…

18 ncac 07j .0603 require notary multi-factor authentication A technology provider shall require multi-factor authentication before a notary public may access the notary's account. History Note: Authority G.S. 10B-4; 10B-106; 10B-125(b); 10B-126; 10B-134.15; 10B-134.17; 10B-134.1…

18 ncac 07j .0604 inactivity warning timing A technology provider's electronic notary solution shall issue a warning on screen to a notary public: (1) who is logged into the notary's account; and (2) has been inactive longer than 15 minutes. History Note: Authority G.S. 10B-4; 10…

18 ncac 07j .0605 provider action after warning No more than five minutes after the on screen warning in Rule .0604 of this Section, a technology provider's electronic notary solution shall: (1) determine whether there has been activity by the notary public in that five minutes; …

18 ncac 07j .0606 technology provider web page A technology provider shall create a publicly accessible web page or pages containing the information required by Rule .0607 of this Section. History Note: Authority G.S. 10B-4; 10B-106; 10B-125(b); 10B-126; 10B-134.15; 10B-134.17; 1…

18 ncac 07j .0607 single link and submission to department A technology provider shall ensure that the website page or pages required by Rule .0606 of this Section and website content required by Rule .0608 of this Section are accessible through a single link provided to the Depa…

18 ncac 07j .0608 website content A technology provider's website shall include the following content in the order set out in this Rule: (1) the provider's name; (2) the provider's contact information, including: (a) a general telephone number; (b) a sales number, if different; a…

18 ncac 07j .0609 updating single link url A technology provider shall notify the Department within five business days of a change in the URL of the information required by Rule .0606 of this Section. History Note: Authority G.S. 10B-4; 10B-106; 10B-125(b); 10B-126; 10B-134.15; 1…

18 ncac 07j .0610 encryption of data A technology provider shall securely encrypt data while it is at rest and in transit. History Note: Authority G.S. 10B-4; 10B-106; 10B-125(b); 10B-126; 10B-134.15; 10B-134.17; 10B-134.19; 10B-134.21; 10B-134.23; Eff. July 1, 2025.

18 ncac 07j .0611 data stored domestically A technology provider shall: (1) store all data associated with the notarial transaction process in the United States while the data is at rest; and (2) certify compliance with Item (1) of this Rule: (a) on its initial and subsequent app…

18 ncac 07j .0612 data storage facility requirements A technology provider shall store all data associated with a notarial session in facilities that are: (1) climate-controlled; and (2) secure from unauthorized physical access. History Note: Authority G.S. 10B-4; 10B-106; 10B-12…

18 ncac 07j .0613 data center security A technology provider shall ensure that each data center it uses has physical security measures in place that include: (1) restricting physical system access to personnel authorized by the provider to access the data center's system; (2) mon…

18 NCAC 07J .0614 certification re data center security A technology provider shall certify its compliance with Rules .0612 and .0613 of this Section on its: (1) initial and subsequent applications; and (2) verification of compliance pursuant to Rule .0211 of this Subchapter, if …

18 ncac 07j .0615 maintenance of software and hardware A technology provider's hardware, software, and firmware for systems supporting the electronic notary solution shall: (1) not be classified as end-of-life by their manufacturers; (2) still be eligible for vendor security patc…

18 ncac 07j .0616 configuration management plan A technology provider shall maintain a configuration management plan for systems supporting the electronic notary solution that addresses: (1) maintenance of an accurate inventory of items including: (a) software; (b) hardware; and …

18 NCAC 07J .0617 identification and access control A technology provider shall implement personnel identification and access control measures for systems supporting the electronic notary solution that: (1) designate and authorize users; (2) assign access to its data and systems …

18 NCAC 07J .0618 identification and access control by third party vendors and supporting vendors A technology provider shall confirm that each of its third-party and supporting vendors maintain and implement identification and access control measures equivalent to or more string…

18 ncac 07j .0619 vulnerability detection and remediation A technology provider shall: (1) at least weekly execute or cause to be executed a third party security program which shall evaluate each system endpoint for indications of malware, known security risks, and other vulnerab…

18 ncac 07j .0620 it security audit A technology provider shall have a third-party audit of its IT security conducted at least once every three years: (1) sufficient to comply with Rule .0622 of this Section; and (2) by Certified Information Systems Auditors or the equivalent. Hi…

18 ncac 07j .0621 summary of it security audit A technology provider shall provide a summary to the Department of its most recent IT security audit, which shall not be more than three years old: (1) on its initial and subsequent applications; and (2) on its verification of compli…

18 NCAC 07J .0622 contents of it security audit summary (a) The IT audit summary provided to the Department pursuant to Rule .0620 of this Section shall include: (1) the date of the audit; (2) the third-party audit standards by which the audit was conducted; (3) the name, contact…

18 ncac 07j .0623 cybersecurity incident prevention A technology provider shall take steps to prevent cybersecurity incidents by: (1) logging and monitoring access to the system; and (2) detecting, tracking, and addressing security flaws. History Note: Authority G.S. 10B-4; 10B-1…

18 ncac 07j .0624 security plan A technology provider shall maintain a security plan specifying how it will comply with laws, rules, and the Department's protocols related to: (1) physical security; and (2) IT security. History Note: Authority G.S. 10B-4; 10B-106; 10B-125(b); 10B…

18 ncac 07j .0626 security incident response plan A technology provider shall maintain a security incident response plan that: (1) addresses the capabilities required by the rules in this Section; (2) includes annual testing; and (3) is revised annually, as needed. History Note: …