How secure is Penneo?

At Penneo, we treat the security of digital documents as our absolute first priority.

Robust security requirements

Digital signatures are the most advanced and secure type of electronic signature. You can use them to comply with the most demanding legal and regulatory requirements because they provide the highest level of assurance about each signer’s identity and the authenticity of the documents they sign.

The digital signature process at Penneo is designed around two main categories that support these robust security requirements: the technical security of the signature and the operational safety at Penneo. Technical security concerns the principles and technologies used to produce the digital signature solution, while operational safety concerns security in hosting, data processing and internal security procedures.

 

The Signature’s Technical Security

To be valid, a signature, digital or physical, must meet three basic requirements:

  1. Signer authentication
  2. Content integrity
  3. Non-repudiation

 

Signer authentication

This requirement means that the signer's identity must be securely established. A digital signature with Penneo requires a certificate-based digital ID and PIN, plus a unique digital certificate, to authenticate the signer's identity and demonstrate proof of signing. To further increase security, a unique PID (Personal Identifier) is also printed on the document, assuring that the signer’s certificate is cryptographically bound to the document.

Penneo uniquely identifies signers by using Digital IDs issued by Trusted Service Providers (TSPs) or Certificate Authorities (CAs). In Norway and Sweden, BankID is the most widely used solution, and in Denmark, NemID is the most secure way of attaching a digital signature to a physical person.

Content integrity

Penneo is designed to keep your documents secure and to prevent tampering with the document during and after the signing process. When a digital signature is applied using Penneo, a unique “watermark” ID is printed on the document, and a “checksum” is created based on the document content, including the watermark. Once the digital signature has been added to a document, the entire package is signed by Penneo. One could say that Penneo acts as a kind of notary on the signed document. Every step is captured in a secured audit trail, which makes it extremely easy to verify whether the signed document has been modified since it was signed. If the document changes after signing, the digital signature is invalidated.

Non-repudiation

Penneo helps you document intent and consent, to ensure that the signer intended to sign and consented to do business electronically. Penneo assures this in two ways. First, a digital signature can only be applied to a document through Penneo’s signature platform. This ensures that the user has been informed of the consequences of their actions and has had the opportunity to read the document. Second, signers have to accept a statement of declaration and consent while signing the document. In addition to the declaration and consent, the statement contains an overview of the documents that are signed, as well as the signer's role. This statement is stored as part of the signature itself and thus serves as further proof of the validity of the signature.

 

The operational safety at Penneo

Sensitive and business-critical data need to be managed with great care and security. From authentication to encryption, everything provided at Penneo follows the highest security standards. Assuring that security is impeccable is a daily effort. At Penneo, the digital signature solution is created, protected and surrounded by the highest level of security, from the creation of the digital signature to the time the signed documents are archived and beyond.

Certifications & Encryption

Penneo is ISAE 3000 certified by KPMG. Sensitive and business critical data are managed with high security and care, and encryption of sensitive data and Personally Identifiable Information (PII) follows the cryptographic standards defined by NIST. In addition, specific attention has been paid to the document's long-term sustainability (LTV) so that the document's cryptographic evidence can be verified even after the platform that created the document has become inaccessible.

PAdES standard

Penneo is built on PAdES, the best-defined standard for digitally signed documents. In the EU, the standards for digital signing of documents are governed primarily by ETSI (European Telecommunications Standards Institute, etsi.org), chiefly through the PAdES standard. PAdES defines a specific structure for the cryptographic evidence in PDF documents to assure LTV, in addition to having the signer’s certificate cryptographically bound to the document using an approved digital ID, as required by the eIDAS (electronic IDentification, Authentication and trust Services) Regulation.

Validity of the signature

In order to ensure that the document never loses its legal validity, the technical proof of the signature is stored as a form of attachment in the completed PDF. This means that your signed document already contains everything you need to verify the validity of the signature. This can be done through Penneo's validator, but also through any other PAdES-compliant validation platform.
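The integrity check described above can be illustrated with the first step a PDF signature validator performs. This is an added example, not Penneo's code or its validator: it reads the standard PDF `/ByteRange` entry, digests the bytes the signature covers, and reports bytes the signature does not cover. The sample document is constructed and is not a real PDF, and the function names are hypothetical.

```python
import hashlib
import re

# /ByteRange [off1 len1 off2 len2] names the two byte spans the signature digest covers.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signed_ranges(pdf: bytes):
    """Return one (off1, len1, off2, len2) tuple per signature dictionary found."""
    return [tuple(int(g) for g in m.groups()) for m in BYTE_RANGE.finditer(pdf)]

def check_coverage(pdf: bytes, rng):
    """Digest the signed bytes and report anything the signature does not cover."""
    off1, len1, off2, len2 = rng
    if off1 != 0 or off1 + len1 > off2 or off2 + len2 > len(pdf):
        raise ValueError("malformed /ByteRange")
    gap = pdf[off1 + len1:off2]  # must be only the <hex> value of /Contents
    covered = pdf[off1:off1 + len1] + pdf[off2:off2 + len2]
    return {
        "sha256": hashlib.sha256(covered).hexdigest(),
        "gap_is_contents": gap.startswith(b"<") and gap.endswith(b">"),
        "unsigned_trailing_bytes": len(pdf) - (off2 + len2),
    }

def build_sample(body: bytes) -> bytes:
    """Constructed PDF-like bytes with a consistent /ByteRange (not a real PDF)."""
    prefix = b"%PDF-1.7\n" + body + b"\n<< /Type /Sig /ByteRange ["
    after = b"] /Contents "
    contents = b"<" + b"00" * 16 + b">"  # placeholder where the CMS signature would sit
    tail = b" >>\n%%EOF\n"
    len1 = len(prefix) + 34 + len(after)  # 34 = width of the zero-padded range text
    off2 = len1 + len(contents)
    rng = b"0 %010d %010d %010d" % (len1, off2, len(tail))
    return prefix + rng + after + contents + tail

if __name__ == "__main__":
    original = build_sample(b"Agreement text, watermark ID: CONSTRUCTED-0001")
    edited = original.replace(b"Agreement", b"Agreemxnt")
    appended = original + b"\n% added after signing\n"
    for name, doc in (("original", original), ("edited", edited), ("appended", appended)):
        print(name, check_coverage(doc, signed_ranges(doc)[0]))
```

A full validator goes on to compare this digest with the one inside the CMS signature stored in `/Contents` and to validate the certificate chain, which this sketch does not do. Bytes after the signed range belong to later revisions of the file, which a validator has to account for separately.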

 

Why should you communicate on your website about security?

At Penneo, we encourage our customers to communicate about the efforts they are making in terms of security. Teaming up with companies that work to high security standards reinforces your standing as a trustworthy and responsible business.

Click here for more information and a communication example showing how using Penneo automatically adds high security standards to your business.