Compliance with legal, privacy, and security requirements is our top priority
Penneo validates its services' trustworthiness with an ongoing commitment to making your digital experience safe and secure and helping you meet the specific requirements of your industry.
Why compliance matters
No company should ever risk failing to comply with security standards and regulations. Such a failure can lead to serious consequences, from costly civil fines to criminal proceedings, not to mention reputational and brand damage, which can often be even worse for a business. Compliance frameworks can provoke the fear of a long and exhausting process of adaptation and documentation. Across industries, frustration arises whenever there is a new requirement or update, mainly because of the burden, time, cost, and distraction such changes bring. What is too often overlooked is that investing in compliance programs not only decreases the risk of adverse legal action and financial penalties but can also be the start of an entirely new outlook on success.
Compliance as a business benefit
Although the legal driver is undeniably attention-getting, it should not be the only consideration when weighing the advantages of compliance. Abiding by laws and standards is imperative, but, from our perspective, it should also be seen as a competitive differentiator. Being compliant can be a strategic benefit for any company, as it adds value to the business by improving operations and instilling a deeper culture of security within the organization. From building trust and establishing brand loyalty to improving public relations, proper compliance programs make a business more attractive to clients, potential partners, and contract opportunities.
Penneo meets the requirements of all major global standards relating to e-signature, data privacy, and customer due diligence. We continuously monitor the legal landscape to ensure our services comply with the latest national, EU, and international regulations.
Penneo guarantees the most advanced protection to customers and their data. To show our formal commitment to security and compliance, our system continually undergoes third-party audits and assessments. Our solution is built on globally recognized industry standards.
How Penneo can help
Penneo caters to the needs of customers who are subject to the strictest regulatory compliance requirements. On the one hand, Penneo's third-party audits demonstrate how we meet performance obligations to our customers, relevant to a given regulation. On the other hand, Penneo's digital services are highly flexible and customizable for the specific regulations and standards of your industry. Our solutions can thus be personalized to meet specialized requirements in areas such as auditing and accounting, finance, property management, legal services, human resources, general administration and more.
Our compliance is your compliance
By relying on Penneo for processing your documents and online transactions, your firm will comply with AML, GDPR, eIDAS, and other relevant regulations. Moreover, you will equip your business with an effective tool to strengthen your security posture and to improve corporate culture and social responsibility. Penneo can help you make the entire compliance process much more effective and efficient for your company. We can assist you in combining security needs and business goals to create a healthy and safe environment for your organization and produce successful results.
Compliance is an integral part of how we do business - that's why meeting and exceeding legal standards worldwide is our most important objective. We acknowledge that our customers operate in highly regulated environments, and we want them to feel safe using Penneo for their daily business activities. To this end, Penneo ensures all compliance requirements are met and offers its customers a comprehensive solution to compliantly manage their business processes.
eIDAS Regulation: Digital signatures and Digital Identities
What is eIDAS?
eIDAS stands for electronic Identification, Authentication and trust Services, EU Regulation (No. 910/2014). It took effect in July 2016, establishing a consistent legal landscape to enable secure and seamless electronic interactions between businesses, citizens, and public authorities. eIDAS established the conditions under which e-signatures and electronic identification mechanisms have the same legal standing as their traditional paper-based counterparts. Visit our Legality section to learn more about eIDAS, Penneo's digital signatures, and current eSignature laws around the world.
Is Penneo compliant with eIDAS?
Penneo meets even the most demanding eIDAS standards:
Digital signatures created through Penneo meet the technical requirements defined by eIDAS for advanced/qualified e-signatures (Art. 26). Therefore, they are just as valid and legally binding as traditional signatures placed with ink on paper. Both the signatory and the recipient thus gain convenience, trust, and security.
Penneo uniquely identifies signers by using Digital IDs issued by Trust Service Providers (TSPs) or Certificate Authorities (CAs) included in the EU Trusted List - this is how we ensure signers' authentication and provide certainty about users' identities.
Can I use Penneo to sign with my eID?
Penneo currently supports several eIDs, and we are constantly working on new integrations for other countries. Every time we roll out our digital signature system to a new country, we make sure to meet all the relevant rules laid down in local laws and legal standards.
Please check our Signing methods page to see whether you can use your national eID to sign digitally via Penneo.
GDPR: Your privacy is our first concern
What is GDPR?
The GDPR is the most recent and important EU Regulation on data privacy. It increased transparency by harmonizing data protection laws within the European Union and empowering EU citizens with greater control over their data. In force since 2018, it applies to any business processing the personal data of EU citizens, regardless of the company's location.
Visit our Privacy section to learn more about the GDPR and how Penneo can help you in the compliance process.
Is Penneo GDPR-compliant?
At Penneo, the GDPR has been embedded in our operational systems, and it now represents just one of several ways of providing our customers with the safest digital experience. All the data Penneo holds is stored in data centers located in the EU (Germany and Ireland) and is never transferred outside the EU. Our daily mission is to ensure that the most stringent data protection requirements are addressed. As a trustworthy data processor, Penneo gives its customers greater power, awareness, and control over the collection, processing, and storage of personal data.
How can Penneo help you meet the GDPR requirements?
When collecting and processing personal data through Penneo, users can be confident that they are handling sensitive information in compliance with the requirements on consent, data subjects' rights, lawful processing, storage within the EU, and so on.
Document and data management via Penneo is entirely GDPR-compliant. What's more, digital signatures are an essential tool for conveniently capturing consent while conforming to the rules established for it (such as an active opt-in requirement, a comprehensive court-admissible audit trail, and granular options for separate consents within the digital documents).
5th AML Directive: KYC and client onboarding
What is new in the 5th AML Directive?
Entering into force in 2020, the 5th Anti-Money Laundering EU Directive (No. 2018/843) extended the former legislation's scope and confirmed its provisions (such as the institution of a central registry for beneficial owners and the enforcement of a risk-based approach with different rules and procedures for low- and high-risk customers, i.e. simplified and enhanced due diligence frameworks). Moreover, the Directive takes into account the new means of identification set out in the eIDAS regulation, particularly with regard to notified electronic identification schemes and ways of ensuring cross-border legal recognition.
What does this mean for the KYC process?
With the continuous tightening of the rules on client onboarding procedures, obliged entities must now perform increasingly thorough customer background screenings. This, in turn, means more personal data must be collected. As a result, companies must handle, process, and be responsible for a larger quantity of customers' sensitive information, which creates the need for compliant and automated processes to ensure the security and privacy of such data.
Can I comply with AML laws by using Penneo?
The Directive explicitly promotes the use of electronic signatures and electronic identification means, as standardized by the eIDAS Regulation (910/2014), to verify customers' identities. Businesses are therefore allowed (and encouraged) to employ electronic identity verification, or e-KYC, to verify customers remotely. The KYC process performed by Penneo increases the reliability and quality of the data collected, reinforces its security, and complies with all the rules set forth under the latest Anti-Money Laundering Directive.
Global Security Standards
Penneo applies the highest level of security at every stage - from the creation of digital signatures to the time the signed documents are archived and beyond. We acknowledge that sensitive information and business-critical data need to be managed with great care and confidentiality. From authentication to encryption, ensuring that security is impeccable is our daily effort.
Because we care about demonstrating our pledge to live up to customers' requirements and expectations, we invest significantly in maintaining attestations that corroborate and document our ongoing efforts. As a result, we can be certain not only that we are taking the right steps internally to maintain a compliant environment, but also that official third-party reports demonstrate that everything provided at Penneo abides by the highest industry security standards.
ISAE 3000
The International Standard on Assurance Engagements (ISAE) 3000 is a standard for assurance engagements over non-financial information, approved by the International Auditing and Assurance Standards Board (IAASB) of the IFAC.
Penneo's security framework lets us fulfil our performance obligations to the companies that entrust us with their documents and data. Beyond that, we want to provide our customers with certified documentation attesting how we deal with security, privacy, and fraud in compliance with international standards. Therefore, we engage an independent audit firm on an annual basis to perform a thorough assessment of the effective functioning of our security measures. Thanks to this periodic ISAE 3000 audit, we receive authoritative proof of the soundness of our internal processes, and we have certainty that the controls included are actually in place and operate effectively and continuously in accordance with the IAASB provisions.
Our ISAE 3000 audit covers all five Trust Service Criteria (TSC) - Security, Availability, Processing Integrity, Confidentiality, and Privacy - defined by the American Institute of Certified Public Accountants (AICPA) for SOC 2 reports. The TSC, widely recognized as best practices for managing customer data, are the principles on which Penneo's security management framework is based.
ISO/IEC 27001
ISO/IEC 27001:2013 is an information security standard, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), that formally specifies a suite of activities and requirements for regularly identifying, reducing, monitoring, and reviewing information risks. Penneo's IT governance is consistently aligned with these internationally recognized best practices and operates effectively, giving us a continuously effective risk management system built around the CIA triad defined in the standard:
confidentiality: we ensure that information is accessible only to those authorized to have access;
integrity: we safeguard the accuracy and completeness of information and processing methods;
availability: we guarantee that authorized users have access to information and associated assets when required.
Involving people, processes, and IT systems, ISO 27001's flexible risk-driven approach makes it possible to set up security arrangements that keep pace with evolving cyber threats, vulnerabilities, and business impacts. We systematically assess whether our security controls continue to meet the organization's information security needs so that sensitive data remains secure. At the same time, our adherence to these standards supports our compliance with Art. 32 of the GDPR (which requires both organizational and technical measures to mitigate security risks through a comprehensive program of awareness across the whole organization).
PAdES
PAdES (PDF Advanced Electronic Signatures) is the reference standard for implementing digitally signed PDF documents with cryptographically secured electronic signatures in compliance with the eIDAS regulation.
The standard was published by ETSI (the European Telecommunications Standards Institute) and includes a series of adaptations and extensions to PDF to satisfy the requirements established by EU legislation for the creation, validation, and legal admissibility of electronic signatures anywhere in the EU.
Being built on this eIDAS-compliant implementation of e-signatures, Penneo's digital signature meets the requirements set forth under Art. 26 of the eIDAS regulation, which require an advanced electronic signature to be:
uniquely linked to the signatory, as it carries unique identifying information that links it to its signatory;
capable of identifying the signatory, because the signatory has sole control of the data used to create the electronic signature;
capable of detecting any subsequent change in the data attached to the signature after signing - if the signed data is found to have been changed, the signature is marked invalid;
provided with a certificate for electronic signature, an electronic attestation that confirms the identity of the signatory and links the electronic signature validation data to that person.
Such a signature can be used as proof of trustworthiness in terms of authenticity, data integrity, and non-repudiation, because it establishes the identity of the signers, the non-alteration of the data, and the signers' intent to sign and be bound by the agreement.
Therefore, digital signatures created via Penneo carry legal effect, can be used as evidence in legal proceedings, are just as binding and enforceable as handwritten signatures, and must be recognized as qualified electronic signatures in all EU Member States.
NIST cryptographic standards
At Penneo, encryption of sensitive data and Personally Identifiable Information (PII) follows the cryptographic standards defined by the National Institute of Standards and Technology (NIST). NIST's Guide to Protecting the Confidentiality of Personally Identifiable Information uses a broad definition of PII in order to identify as many potential PII sources as possible and be able to protect this information. Accordingly, PII is any information about an individual that can be used to distinguish or trace that individual's identity (such as name, social security number, financial account or credit card number, and date and place of birth); any other information that is linked or linkable to an individual (such as medical, educational, financial, and employment information, or a physical address, IP address, or email address); and personal characteristics, including photographic images, fingerprints, handwriting, or other biometric data.
All data must be managed with great security and diligence. However, PII deserves even stronger protection because of the more severe harm that a potential breach would cause to both individuals and organizations. To appropriately protect the confidentiality of PII, we have implemented several NIST privacy-specific measures, such as:
anonymization and de-identification;
minimization of the use, collection, and retention of PII to what is strictly necessary to accomplish the business purpose and mission;
categorization of PII by its confidentiality impact level;
implementation of appropriate safeguards for PII based on its confidentiality impact level;
development of an incident response plan to handle breaches involving PII.