How secure is Penneo?
At Penneo, we place the security of digital documents as our absolute first priority
Robust security requirements
Digital signatures are the most advanced and secure type of electronic signature. You can use them to comply with the most demanding legal and regulatory requirements because they provide the highest level of assurance about each signer’s identity and the authenticity of the documents they sign.
The digital signature process at Penneo is designed around two main categories to support the robust security requirements: the technical safety of the signature and the operational safety at Penneo. The technical safety concerns the principles and technologies used to produce the digital signature solution, while the operational security concerns security in hosting, data processing and internal security procedures.
The Signature’s Technical Security
To be valid, a signature, digital or physical, must meet three basic requirements:
- Signer authentication
- Content integrity
This requirement stipulates that we have security for signer’s identity. Digital signature with Penneo requires a certificate-based digital ID, PIN plus a unique digital certificate to authenticate signer identity and demonstrate proof of signing. To further increase security, a unique PID (Personal Identifier) is also printed on the document, assuring that the signer’s certificate is cryptographically bound to the document.
Penneo uniquely identify signers by using Digital IDs issued by Trusted Service Providers (TSPs) or Certificate Authorities (CAs). In Norway and Sweden, BankID is the most widely used solution, and in Denmark, NemID is the most secure way of attaching a digital signature to a physical person.
Penneo is designed to keep your documents secure and prevent tampering of the document during and after the signing process. When a digital signature is inserted utilizing Penneo, a unique “watermark” ID is printed on the document, and, in addition, a “checksum” is created based on the document content including the watermark. Once the digital signature has been submitted to a document, the entire package is signed by Penneo. One could say that Penneo acts as a kind of notary on the signed document. Every step is captured in a secured audit trail and makes it extremely easy to verify if the signed document has been modified since it was signed. If the document changes after signing, the digital signature is invalidated.
Penneo helps you document intent and consent to secure that the signer intended to sign and consented to do business electronically. Penneo assures this in two ways: First, a digital signature can only be applied to a document through Penneo’s signature platform. This ensures that the user has been informed of the consequences of his actions and that the user has had the opportunity to read that document. For the other part, signers have to accept a statement of declaration and consent while signing the document. Additional to the declaration and consent, the statement contains an overview of the documents that are signed, as well as the signers’s role. This statement is stored as part of the signature itself and thus serves as further proof of the validity of the signature.
The operational safety at Penneo
Sensitive and business critical data need to be managed with high care and security. From authentication to encryption, everything provided at Penneo is following the highest security standards. Assuring that security is impeccable is a daily effort. At Penneo, the digital signature solution is created, protected and surrounded by the highest level of security - from the creation of the digital signature to the time the signed documents are archived and beyond.
Certifications & Encryption
Penneo is ISAE 3000 certified by KPMG. Sensitive and business critical data are managed with high security and care, and encrypted sensitive data and Personally Identifiable Information (PII) follows the cryptographic standards defined by NIST. In addition, specific attention has been paid to the document's long-term sustainability (LTV) so that the document's cryptographic evidence can be verified even after the platform that created the document has become inaccessible.
Penneo is built on PAdES, the best-defined standard for digitally signed documents. In the EU, the standards for digital signing of documents are governed primarily by the ETSI Institute (European Telecommunications Standards Institute, etsi.org), primarily through the PAdES standard. PAdES defines a specific structure of the cryptographic evidence in PDF documents, to assure LTV in addition to having the signer’s certificate cryptographically bound to the document using an approved digital ID as required by the eIDAS Regulation electronic IDentification (Authentication and Trust Services).
Validity of the signature
In order to ensure that the document never loses its legal validity, the technical proof of the signature is stored as a form of attachment in the completed PDF. This means that your signed document already contains everything you need to verify the validity of the signature. This can be done through Penneo's validator, but also through any other PAdES-compliant validation platform.