Is Penneo compliant with legal, privacy and security requirements for e-signature?
Penneo validates its services' trustworthiness with an ongoing commitment to making your digital experience safe and secure. That is why being compliant with legal, privacy and security requirements is our top priority.
Is Penneo compliant with the most stringent e-signature and data privacy laws?
Penneo meets the requirements of all major global e-signature and data privacy standards and regulations. We continuously monitor the legal landscape to be sure our services comply with the latest national, EU and international legal developments.
GDPR: Penneo's daily mission is to ensure that all the requirements set forth in the GDPR are met and to help you conform with your compliance obligations.
eIDAS: Penneo's digital services comply with all the most demanding eIDAS technical standards for electronic signatures. Therefore, our digital signatures are as legally binding and valid as traditional signatures placed with ink on paper.
US e-Sign Act & UETA Act: Meeting and exceeding standards worldwide is our most important objective. To this end, Penneo ensures all compliance requirements are met well.
Security Policies & Practices
What is Penneo's approach to national and international security standards?
Penneo cares about showing its formal commitment to security and compliance. To do so, our system continually undergoes third-party audits and assessments. Through this significant investment Penneo ensures the most advanced protection for its customers and their data; this is what constitutes our operational security. To reach high-level results, Penneo combines this approach with the principles and technologies used to provide our customers with the best outcome. By ensuring the technical safety of the signature, the Penneo e-signature serves as proof of trustworthiness in terms of Authenticity, Data Integrity and Non-repudiation.
Why security matters: Compliance as a business benefit
Being compliant is mandatory, but for us it is also a competitive differentiator. Penneo can help you make the entire compliance process much more effective and efficient for your company.
How does Penneo comply with global security standards?
Our globally recognized Certifications demonstrate Penneo's compliance with the following regulatory and industry standards:
ISAE 3000: We use KPMG as our Independent System Auditor which provides us with a yearly assurance report attesting that our security measures and control environment are actually in place and operate continuously.
SOC 2 – Trust Service Criteria: Penneo securely manages your data while complying with principles of Security, Availability, Processing integrity, Confidentiality and Privacy.
ISO/IEC 27001 (2013): Penneo frames its information security processes in line with internationally recognized best practices and standards.
PAdES standard: Penneo is built on the best-defined standard for the implementation of digitally signed documents through cryptographically secured e-signatures.
Data Center Security: Penneo ensures compliance with global data privacy legislation by hosting its IT-systems and websites in AWS (Amazon Web Services).
Industry standards: The Penneo platform responds to your needs by delivering customer-focused operational programs.
Learn more under Certifications.
Compliance made user friendly
It's imperative that we comply with the industry standards that matter most. The Penneo platform responds to the needs of your industry through the delivery of customer-focused operational programs that can help you comply with your specific regulatory requirements.
Our eSignature service capabilities support customer compliance from two main perspectives. On one hand, Penneo's certificates demonstrate how we meet performance obligations to our customers, relevant to a given regulation. On the other, Penneo's digital services are highly flexible and customizable. This configurability allows us to personalize our solutions to meet specialized requirements in areas such as finance and accounting, property management, legal services, human resources, general administration and more.
How Penneo can help
Please visit Penneo's Customers section to learn more about how we help customers meet their compliance needs for industries and departments.
Customers should be clearly aware of their specific compliance requirements. Our specialized resources in legal, product, and customer operations can review Penneo's service capabilities and adapt them to your needs. Please contact Sales for more information.
See our Legality and Privacy Sections to learn more about best practices relevant to compliance.
Read our recommendations to secure your IT environment in the Security section.
Visit Penneo's Product Features pages to see more detail on the authentication capabilities of the Penneo eSignature service.
Click here to see our business case studies and customer reviews.
The GDPR is the most recent and important EU Regulation on data protection and privacy. Increasing control and transparency, the General Data Protection Regulation aims primarily
- to protect and empower all EU citizens' data privacy, giving them control over what companies are allowed to do with the personal data that has been collected
- to simplify and modernize the regulatory environment for international business by unifying and harmonizing data privacy laws within the EU.
Enforced as of May 25, 2018, the GDPR applies to any company processing and holding personal data of subjects residing in the EU, regardless of location.
One of Penneo's most important tasks is to ensure that all the GDPR requirements that apply to our services are met and to help you conform with your compliance obligations.
To find out if the GDPR applies to you and learn more about how it works, please visit our Privacy section.
eIDAS & STORK
The electronic Identification, Authentication and trust Services EU Regulation (n. 910/2014) took effect in July 2016, establishing a consistent legal landscape to enable and recognize secure and seamless electronic interactions between businesses, citizens and public authorities. Overseeing electronic identification and trust services in the European Union's internal market, the eIDAS regulates electronic signatures, electronic transactions, involved bodies and their embedding processes to provide a safe way for users to conduct business online.
eIDAS has created standards for which electronic signatures and identity authentication mechanisms enable electronic transactions with the same legal standing as transactions that are performed on paper. Penneo digital services are compliant with all the most demanding eIDAS technical standards for electronic signatures. Both the signatory and the recipient can thus have more convenience, trust and security. Instead of relying on traditional methods or appearing in person to submit documents with handwritten signatures, Penneo allows you to now perform transactions across borders, and they will be as legally binding and valid as traditional paper-based processes.
The eIDAS regulation aims to ensure that people and businesses can use their own national electronic identification schemes to access public services in other EU countries where eIDs are available. The STORK project proposes a solution to make it easy for citizens to access the concerned public service online wherever they are located, whether using a smart card or a virtual ID number.
The purpose of the STORK project (Secure idenTity acrOss boRders linKed) is to create a European eID Interoperability Platform that allows each citizen to establish new e-relations with foreign governmental institutions, just by presenting their national eID, since their own government guarantees that the data in the eID token is correct and traceable to that citizen. Many European countries already have some eID infrastructure, but cross-border acceptance of these credentials is nearly absent. The project has studied legal requirements and established the organisational and IT bases for cross-border acceptance of these existing eIDs in existing foreign eGovernment services.
Thanks to the STORK pan-European electronic-identity authentication system, citizens can use their national electronic identities in any Member State participating in STORK, where public institutions can connect their services to the European eID interoperability platform.
US e-Sign Act & UETA Act
In the United States, the validity and enforceability of electronic signatures is granted by the e-Sign Act (Electronic Signatures in Global and National Commerce Act, a federal law passed in 2000) and the UETA Act (Uniform Electronic Transactions Act, adopted in 1999).
These two main Regulations provide electronic signatures with the same legal status as traditional handwritten signatures in the U.S.
Both the e-Sign Act and the UETA Act
- establish that any signature required by law can be made digitally
- allow electronically executed agreements to be presented as evidence in court
- prevent denial of validity or enforceability of an electronically signed document solely because it is in electronic form (non-discrimination).
Meeting and exceeding standards worldwide is our most important objective. To this end, Penneo ensures all compliance requirements are met well.
Trust Service Providers and Digital IDs
The eIDAS EU Regulation laid down the requirements that must be met by TSPs. A Trust Service Provider is a natural or legal person who provides one or more trust services, such as electronic signatures, seals or time stamps, delivery services and website authentication.
Penneo uniquely identifies signers by using Digital IDs issued by Certificate Authorities (CAs) or Qualified Trust Service Providers (TSPs), whose qualified status is granted by the supervisory body designated by a Member State to carry out eIDAS audits. These Conformity Assessment Bodies are accredited in the European Commission's official list and ensure that the TSPs meet the security requirements laid down in the Regulation.
Click here to learn more about the EU Trusted List of Trust Service Providers.
Penneo supports national digital certificate-based signatures with Danish NemID, Swedish BankID and Norwegian BankID, and complies with the Regulation's requirements on Advanced Electronic Signatures in Denmark and Sweden, and on Qualified Electronic Signatures in Norway. Denmark and Sweden, as member states of the EU, follow the eIDAS regulation regarding the legal effect of electronic signatures. Norway follows the Act on implementation of the EU Regulation on electronic identification and trust services for electronic transactions in the internal market (the Act on Electronic Trust Services), which implements eIDAS in Norway. Read more about the Norwegian Act on Electronic Trust Services here.
Danish NemID: NemID is a security solution for Danish companies, private citizens and authorities, commonly used by 5 million Danish individuals for login, online banking, public and private websites and digital signing. A digital signature made with NemID binds the signer towards the recipient just as if the document had been signed by hand. At the moment, there is only one Qualified Trust Service Provider in Denmark, Nets DanID A/S, which developed NemID.
Swedish BankID: BankID is the leading electronic identification in Sweden. It has been developed by several large banks for use by individuals, authorities and companies. The customer's identification is guaranteed by the bank issuing the BankID. Citizens can use their BankID for digital identification as well as for signing transactions and documents. According to Swedish law and within the European Union, BankID is an identification method that ensures authentication of the signer; therefore, a digital signature made with a BankID is legally binding. At the moment, there is only one Qualified Trust Service Provider in Sweden, TrustWeaver AB.
Norwegian BankID: Norway and the EU share a common regulatory framework for secure electronic transactions: both eIDAS and the Norwegian eSignature Act state that a qualified electronic signature has the same legal effect as a handwritten signature. Aiming to create a European digital market, eIDAS required the European countries to approve each other's solutions for electronic identification (eID), electronic signatures, etc. Electronic identification using BankID meets the official requirements that apply to authentication and to the legally binding value of electronic signatures. BankID is certified at the highest public authentication and non-repudiation level for electronic IDs in Norway (level 4). It is actively used in Norway by all the banks and is an essential means for companies looking for a secure and simple online identification method. Several trust service providers are currently active in Norway according to the EU Trusted List.
Finnish Trust Network: The Finnish Trust Network is an identity solution that covers the entire Finnish population. It replaced the TUPAS eID as of 30 September 2019, at the end of the transition period under the EU eIDAS Regulation. The Finnish government has established the Finnish Trust Network (FTN) as a framework that allows a strong online authentication service to carry out secure transactions and sign legally binding agreements.
Other European countries
Two fundamental provisions of the Regulation must be pointed out here: the eIDAS states that
- each Member State must establish, maintain and publish trusted lists of qualified trust service providers together with information related to the qualified trust services provided by them (Art. 22).
- all organizations delivering public digital services in an EU member state must recognize electronic identification from all EU member states from September
Loosely speaking, by the end of 2018 all public services in the European Union are obliged to accept the eIDs of other member states, which, in turn, must equip themselves with lists of qualified trust service providers. This is how the European Union can proceed along the planned path towards the creation of an interoperable European platform for electronic European ID.
Penneo's mission to become the strongest digital signature platform in the Nordic Region was only the starting point of our vision. Our solution is ready to be successfully implemented in other countries and used by international companies that are looking for a secure and simple digital signature method. Every time we roll out our digital signature solution to a new country, we make sure to meet all the relevant rules laid down in local laws and legal standards.
Through eIDAS the EU has created a single digitized European market, of whose benefits all businesses should take advantage. On our side, we are eager to help your company achieve its digital transformation in compliance with regional and industry regulatory requirements. Are you ready? Contact us.
Visit our Legality section to learn more about current eSignature laws around the world.
Security Policies & Practices
Why security matters: Compliance as a business benefit
Compliance frameworks can lead to the fear of having to face a long and exhausting process of conformation and documentation. Instead, from our perspective, the right way to approach compliance is to consider it as a competitive differentiator. Being compliant can be a strategic advantage since it adds value to the business by improving our operations and instilling a deeper culture of security within the company.
No company should ever risk failing to comply with security standards. The failure to meet legal requirements could lead to several serious consequences from civil costly fines to criminal proceedings, not to mention image and brand issues which often could be worse or quite severe for a business. Comprehending the severe implications of compliance, Penneo has meticulously developed processes to make its services conform to the standards that govern your business and help you make the entire compliance process much more effective and efficient for your company.
Penneo's two-tier system to support the robust security requirements
Our digital signature process is designed around two main categories: the operational security at Penneo and the technical safety of the signature. The first approach concerns security in hosting, data processing and internal security procedures and it is assured by rigorous internal and third-party audit reports, while the technical safety of the signature concerns the principles and technologies used to produce our digital signature solution and to protect our product life cycle.
The operational security at Penneo
Penneo acknowledges that sensitive and business critical data need to be managed with high care, security and confidentiality.
At Penneo, the digital signature solution is created, protected and surrounded by the highest level of security — from the creation of the digital signature to the time the signed documents are archived and beyond. From authentication to encryption, assuring that security is impeccable is a daily effort.
Our third-party attestations confirm that our company is not only taking the right actions internally to secure this environment; our official Certifications also demonstrate that everything Penneo provides complies with the highest industry security standards. Penneo is:
- receiving an assurance report in compliance with the International Standard on Assurance Engagements (ISAE) 3000
- based on the Trust Service Criteria — Security, Availability, Processing integrity, Confidentiality and Privacy
- framed on the international information security standard ISO/IEC 27001
- built on PAdES standard in compliance with the eIDAS Regulation
- hosting its IT-systems and websites in AWS (Amazon Web Services)
The technical safety of the signature
The formal rigorous approach allows us to show that our services comply with industry standards. However, Penneo always strives to deliver the best result and make our customers and their data as safe as possible.
Operational security is therefore combined with our dual strategy, which consists of preventive planning and a reactive response. From the forward-looking perspective, Penneo aims to be proactive, making breaches hard to achieve through defense in depth. From the responsive position, our teams make sure that we are able to identify possible problems, staying watchful and attentive to potential ways the system could be exploited, so that we can react immediately and efficiently.
The technical safety of Penneo's digital solutions is expressed in the principles and technologies used to provide our customers with the best outcome. This is the way Penneo integrates security into how we build code. Our electronic signatures are technically implemented according to the PAdES standards. Therefore, they have the status of advanced electronic signatures and are as legally binding and valid as traditional handwritten signatures placed with ink on paper, but more secure from an authentication perspective, since the person behind the signature is most probably the 'right' person and will in either case be covered by the 'Non-repudiation' trust principle.
To be valid, a signature, digital or physical, must meet three basic requirements which consist in the three core security services:
Signer authentication, Content integrity, Non-repudiation.
The Penneo e-signature can be used as proof of trustworthiness in terms of Authenticity, Data Integrity and Non-repudiation of communications conducted over the Internet, because it gives reason to believe that the message was created by a known sender (identity of the signer) and that the message was not altered in transit (both integrity of the data and the intent to sign are ensured as well).
The first requirement, signer authentication, stipulates that the signer's identity is secured and that we can verify who is actually the author of the signature. The e-signature must be uniquely linked to the signatory and provide unique identifying information that links it to its signatory.
Penneo uniquely identifies signers by using Digital IDs issued by Trusted Service Providers (TSPs) or Certificate Authorities (CAs).
Digital signature with Penneo requires a certificate-based digital ID, PIN plus a unique digital certificate to authenticate signer identity and demonstrate proof of signing. This electronic proof irrefutably confirms the identity of the signatory and links the electronic signature validation data to that person. To further increase security, a unique PID (Personal Identifier) is also printed on the document, assuring that the signer's certificate is cryptographically bound to the document.
Penneo is designed to keep your documents secure and prevent tampering of the document during and after the signing process.
When a digital signature is inserted utilizing Penneo, a unique "watermark" ID is printed on the document and, in addition, a "checksum" is created based on the document content including the watermark. Once the digital signature has been submitted to a document, the entire package is signed by Penneo.
One could say that Penneo acts as a kind of notary on the signed document, guaranteeing its immutability. Every step is captured in a secured audit trail, which makes it extremely easy to verify whether the signed document has been modified since it was signed. This capability of identifying any subsequent change in the data attached to the signature allows one to react in the event that changes in the signed data are detected. If the document changes after signing, the digital signature is invalidated.
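The two paragraphs above describe a hash-then-sign construction: a checksum is computed over the document content together with the watermark ID, the platform signs that checksum, and a later verifier recomputes the checksum and checks the signature, so any change to the content or the watermark after sealing is detected. The following Go program is an added illustration of that mechanism only; it is not Penneo's code and does not describe Penneo's actual file format, key management or PAdES embedding. Ed25519, SHA-256, the length-prefixed encoding, and the names `SignedPackage`, `Seal`, `Verify`, `NewPlatformKey` and the sample document are all assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedPackage is a constructed stand-in for a sealed document: the content,
// the watermark ID printed onto it, the checksum over both, and the platform's
// signature over that checksum. (Illustrative layout, not a real format.)
type SignedPackage struct {
	Document    []byte
	WatermarkID string
	Checksum    [32]byte
	Signature   []byte
}

// NewPlatformKey generates the hypothetical platform signing key pair.
func NewPlatformKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// checksum binds the document content and the watermark ID together. Each part
// is length-prefixed so that shifting bytes between the two fields cannot yield
// the same digest (a canonicalization pitfall a verifier must avoid).
func checksum(doc []byte, watermarkID string) [32]byte {
	h := sha256.New()
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(doc)))
	h.Write(n[:])
	h.Write(doc)
	binary.BigEndian.PutUint64(n[:], uint64(len(watermarkID)))
	h.Write(n[:])
	h.Write([]byte(watermarkID))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Seal plays the "notary" role: it computes the checksum over content plus
// watermark and signs that checksum with the platform key.
func Seal(doc []byte, watermarkID string, priv ed25519.PrivateKey) SignedPackage {
	sum := checksum(doc, watermarkID)
	return SignedPackage{
		Document:    append([]byte(nil), doc...),
		WatermarkID: watermarkID,
		Checksum:    sum,
		Signature:   ed25519.Sign(priv, sum[:]),
	}
}

// Verify is what a relying party runs later: recompute the checksum from the
// package as received, then check the seal signature against it. A change to
// the content or watermark after sealing fails the first check; a checksum
// recomputed by someone without the key fails the second.
func Verify(pkg SignedPackage, pub ed25519.PublicKey) error {
	recomputed := checksum(pkg.Document, pkg.WatermarkID)
	if !bytes.Equal(recomputed[:], pkg.Checksum[:]) {
		return errors.New("checksum mismatch: content or watermark altered after sealing")
	}
	if !ed25519.Verify(pub, pkg.Checksum[:], pkg.Signature) {
		return errors.New("seal signature invalid: checksum was not signed by the platform key")
	}
	return nil
}

func main() {
	pub, priv := NewPlatformKey()
	// Constructed sample document and watermark ID.
	doc := []byte("Service agreement: Party A engages Party B for 12 months.")
	pkg := Seal(doc, "WM-EXAMPLE-0001", priv)
	fmt.Println("untouched:", Verify(pkg, pub))

	edited := pkg
	edited.Document = []byte("Service agreement: Party A engages Party B for 24 months.")
	fmt.Println("edited content:", Verify(edited, pub))

	forged := edited
	forged.Checksum = checksum(forged.Document, forged.WatermarkID)
	fmt.Println("edited content with recomputed checksum:", Verify(forged, pub))
}
```

The forged case is the one worth noting for a verifier: a checksum alone only detects accidental change, because anyone can recompute it; the guarantee that the document is the one sealed by the platform comes from the signature over that checksum and from checking it against the platform's public key. In a real PAdES deployment the signature is embedded in the PDF and covers the document bytes directly rather than living in a separate structure as in this example.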
Penneo helps you document intent and consent, to secure that the signer intended to sign and consented to do business electronically. Penneo assures this in two ways. First, a digital signature can only be applied to a document through Penneo's signature platform. This ensures that the user has been informed of the consequences of their actions and has had the opportunity to read the document. Second, signers have to accept a statement of declaration and consent while signing the document. In addition to the declaration and consent, the statement contains an overview of the documents being signed, as well as the signer's role. This statement is stored as part of the signature itself and thus serves as further proof of the validity of the signature. Document flow and retention of filed documents are just some of the most relevant features with which Penneo ensures the technical safety and non-repudiation of digitally signed documents.
Our main goal is to protect our customers and their data
Our two-pronged approach leads to high level results in terms of security and data protection. As part of the demonstration of our commitment, Penneo also wants to make sure you have access to all the information you might need to protect your environments. Therefore, in our guidelines customers can find advice on
- how to reduce risk and ensure protection from online security threats
- what are the recommended system and application access best practices
- how to recognize and report suspicious activities
Why should you communicate on your website about security?
Penneo encourages its customers to communicate about the efforts they are making in terms of security. Teaming up with companies working on high security standards reinforces a trustworthy responsibility as a business. Learn more
Why security matters: Compliance as a business benefit
From authentication to encryption, everything provided at Penneo is following the highest security standards. In order to demonstrate our commitment to protecting customer data, Penneo significantly invested in maintaining Certifications to meet the most stringent security and compliance needs.
Article 32 of the EU GDPR, "Security of processing", requires organizations to implement technical and organizational measures that ensure a level of data security appropriate for the level of risk presented by processing personal data. To this end, data security measures should, at a minimum:
- allow pseudonymisation and encryption of personal data;
- maintain ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- ensure the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- involve a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In order to establish which additional technical measures best ensure data security, a proper evaluation must take into account four criteria:
- the state of the art, i.e. the latest and most advanced data security and privacy enhancement tools available;
- the nature, scope, context, and purposes of the data processing;
- the likelihood and severity of risks to the rights and freedoms of natural persons when processing personal data, considering in particular the risks presented by accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed;
- the cost of implementation relative to the risk profile.
Additionally, Article 32 requires organizations to take steps to ensure that any natural person acting under their authority who has access to personal data does not process it except on instructions from the controller, unless he or she is required to do so by European Union or Member State law.
Complying with Article 32 GDPR requires both organizational and technical strategies and can be demonstrated by adherence to an approved code of conduct or an approved certification. We adopt appropriate procedures and processes to protect the personal data Penneo holds by putting a trustworthy security framework in place. Our Certifications, internal audits, security practices and privacy policies, successfully meet all the above requirements.
Our third-party attestations show how Penneo is fulfilling its performance obligations to its customers, being compliant with the following regulatory and industry standards:
Penneo receives a yearly security report ISAE 3000
For our customers it is relevant how Penneo deals with security, privacy and fraud. Understanding the increasing demand for assurance and transparency, Penneo wants to assure its customers that the data stored in our data centers is backed up properly and that unauthorized access to critical data is not possible.
The International Standard on Assurance Engagements (ISAE) 3000 is the assurance standard over non-financial information. The standard consists of guidelines for the ethical behavior, quality management and performance of an ISAE 3000 engagement. The ISAE is applied for audits of internal control, outsourcing audits, sustainability and compliance with laws and regulations.
The ISAE 3000 was developed and approved by the International Auditing and Assurance Standards Board (IAASB), whose objective is to serve the public interest by setting high-quality auditing, assurance, and other related standards and by facilitating the convergence of international and national auditing and assurance standards, thereby enhancing the quality and consistency of practice throughout the world.
As a consequence of the rising IT outsourcing, the demand for security and control over security risks is increasing. The advantage of ISAE 3000 is that the internal processes are better aligned to our IT and security risks and better formalized. The audit covers all the five Trust Service Criteria (formerly Principles) - security, availability, processing integrity, confidentiality and privacy. These principles form the basis of Penneo's risk management framework.
The ISAE 3000 report, which we receive on an annual basis, contains information on the internal processes and controls and provides assurance that the controls included are actually in place and operate effectively. The effective operation of the security measures has been audited by a professional audit firm (KPMG), which verified and states that the security measures exist and operate effectively in accordance with the ISAE 3000 standard.
Penneo is based on ISO 27001
Penneo's fundamental IT-security and IT-governance are based on ISO/IEC 27001 (2013), an internationally-recognized information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled "Information technology — Security techniques — Information security management systems — Requirements".
This means that Penneo manages its information security processes in line with international best practice on assets such as financial information, intellectual property, employee details or information entrusted by third parties.
ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities and requirements for regularly identifying, reducing, monitoring and reviewing information risks.
Complying with Article 32 GDPR requires both organizational and technical strategies to mitigate those risks; in other words, it implies a comprehensive information security programme that also considers people and processes, by promoting a culture and awareness of information security entrenched across the business. Providing adequate protection requires a commitment to information security across the whole organization. Involving people, processes and IT systems, ISO 27001's flexible risk-driven approach makes it possible to ensure that the security arrangements are set up correctly and keep pace with evolving data security threats, vulnerabilities and business impacts. It requires the adoption of an overarching management framework to systematically ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis, so that sensitive data remain secure.
Our information security controls have been consistently implemented and operate effectively, being aligned with ISO/IEC 27001's best-practice recommendations for a continually effective management system, defined within the standard as the CIA triad:
- the preservation of Confidentiality, ensuring that information is accessible only to those authorized to have access;
- Integrity, safeguarding the accuracy and completeness of information and processing methods;
- Availability, ensuring that authorized users have access to information and associated assets when required.
SOC 2 – Trust Service Criteria
Penneo securely manages your data to protect your interests and privacy. A Service Organization Controls (SOC 2) report is a review procedure, with no bearing on financial information, that is audited in accordance with the ISAE 3000 standard and ensures transparency on security procedures. Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 defines criteria for managing customer data based on five "Trust Service Principles (TSP)", recently redefined as "Trust Service Criteria (TSC)": Security, Availability, Processing integrity, Confidentiality and Privacy.
Also known as the common criteria, the security principle is the only TSC that is required in a SOC 2, while the other four criteria can be added at the discretion of management. The security principle refers to the protection of system resources against unauthorized access and other risks that could impact the service organization's ability to provide the services promised to clients. This criterion is included to demonstrate security with respect to the protection of clients' information during the collection or creation of the data, and during the use, processing, transmission and storage of the data.
The security TSC is also broken down into common criteria sections: Control Environment, Communication and Information, Risk Assessment, Monitoring Activities, Control Activities, Logical and Physical Access Controls, System Operations, Change Management, Risk Mitigation.
The importance of this criterion also lies in the fact that the widely recognized COSO principles are integrated with it. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative dedicated to the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. Since both the COSO Framework and the trust services criteria are used to evaluate internal control, the 17 COSO principles have been integrated within the first five categories of the Security TSC.
- The Control Environment section covers the service organization's commitment to integrity and ethical values, independence by the board, management and board oversight, and the hiring, maintaining and ongoing monitoring of quality employees at the service organization.
- The Communication and Information section includes the communication of relevant information (lines of authority, boundaries of the system, relevant changes, etc.) to internal personnel as well as clients of the service organization.
- The Risk Assessment section is included to demonstrate that the service organization is assessing risks possibly impacting their operations and putting plans in place to mitigate these risks.
- The Monitoring Activities section covers the ongoing evaluation of the system at the service organization and the notification to relevant personnel in the event that there is a breakdown in the system.
- The Control Activities section tests that the service organization has controls in place for the mitigation of risk and also that the controls in place are monitored on an ongoing basis.
The availability principle refers to the accessibility of the system, products or services as stipulated by contract. This principle does not address system functionality and usability, but it does involve security-related criteria that may affect availability. Monitoring network performance and availability, site failover and security incident handling are critical in this context.
The processing integrity principle demonstrates that system processing achieves its purpose by occurring accurately and in a timely manner. To this end, data processing must be complete, valid, accurate, timely and authorized.
The confidentiality principle is included to demonstrate that data classified as confidential is protected. Encryption is the main control for ensuring confidentiality during transmission and for safeguarding information processed or stored on computer systems.
The privacy principle refers to the system's collection, use, retention, disclosure and disposal of personal information (PII). This TSC is included to show that this personal information is protected and handled appropriately.
Penneo is built on the PAdES standard
To ensure that electronic signatures can be created and validated anywhere in Europe, the eIDAS Regulation (through Implementing Decision 2015/1506/EU) has defined baseline profiles.
Penneo is built on PAdES, the best-defined standard for implementing digitally signed documents through cryptographically secured electronic signatures in compliance with the eIDAS Regulation.
PAdES (PDF Advanced Electronic Signatures) is a legally binding standard published in July 2009 by ETSI (the European Telecommunications Standards Institute) to facilitate secure paperless transactions throughout Europe. The PAdES standard, ETSI Technical Specification (TS) 102 778, introduces a series of adaptations and extensions to PDF to satisfy the requirements of European legislation.
Validity of the Signature
An electronic signature implemented on the basis of PAdES has the status of an advanced electronic signature, that is, an electronic signature meeting the requirements set out in Article 26 of the EU eIDAS Regulation. An advanced electronic signature:
- is uniquely linked to the signatory, since it provides unique identifying information that links it to its signatory;
- is capable of identifying the signatory because the signatory has sole control of the data used to create the electronic signature;
- is capable of identifying any subsequent change in the data attached to the signature after signing; if it's detected that the signed data has been changed, the signature is marked invalid;
- is backed by a certificate for electronic signature, an electronic attestation that confirms the identity of the signatory and links the electronic signature validation data to that person.
Such a signature can be used as proof of trustworthiness in terms of Authenticity, Data Integrity and Non-repudiation, because it establishes the identity of the signers, the non-alteration of the data, and the signers' intent to sign and to be bound by the agreement.
Long Term Validation
The main benefit of PAdES is arguably a feature called LTV (Long Term Validation): the ability of a signed document to remain valid long after signing, for many years or even decades. PAdES recognizes that digitally signed documents may be used or archived for a long time, and acknowledges the risk that a signed document could otherwise become unverifiable, for instance once the signing certificate expires.
To ensure that the document never loses its legal validity, the evidence needed to validate the signature is embedded as a form of attachment in the completed PDF. This means that your electronically signed documents already contain everything needed to verify the validity of the signature, and can remain valid for long periods, even if the underlying cryptographic algorithms are broken. Validation can be performed with Penneo's validator, a PAdES-compliant validation platform.
At Penneo, specific attention has been paid to the document's long-term validation (LTV), so that the document's cryptographic evidence can be verified even after the platform that created the document has become inaccessible. For PDF documents, the signature data is incorporated directly within the signed PDF, much as an ink signature becomes an integral part of a paper document, allowing the complete, self-contained PDF file to be copied, stored and distributed as a simple electronic file. At any time in the future, in spite of technological and other advances, it will be possible to validate the document and confirm that the signature was valid at the time it was signed. This is made possible by the specific structure of the cryptographic evidence in PDF documents that assures LTV, together with the signer's certificate being cryptographically bound to the document using an approved digital ID.
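The signature properties listed under Validity of the Signature and the long-term validation idea described above, as an added example that is not Penneo's code and is not part of the PAdES specification: it uses Go's standard crypto packages to issue a signer certificate from a constructed root CA, sign a document digest with ECDSA P-256, embed the signer certificate in the document as validation evidence, and check the certificate as of the recorded signing time rather than the wall clock. The SignedDocument container, its self-asserted SigningTime field and the names BuildDemo, VerifyAt and VerifyLTV are assumptions made for illustration; a real PAdES-LTV file carries the certificate chain, revocation data and a timestamp from a trusted timestamp authority inside the PDF itself, so the signing time is attested rather than self-declared.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedDocument stands in for a PAdES-LTV container: content, signature and validation evidence travel together.
type SignedDocument struct {
	Content     []byte
	Signature   []byte    // ASN.1 ECDSA signature over SHA-256(Content)
	SignerCert  []byte    // DER, embedded so the verifier needs no online lookup
	SigningTime time.Time // hypothetical self-asserted field; real PAdES-LTV uses a signed timestamp token
}

// newCert generates a P-256 key and a certificate for it; with issuer == nil it is a self-signed root CA.
func newCert(cn string, serial int64, notBefore, notAfter time.Time, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	if issuer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildDemo creates a throwaway root CA, issues the signatory a one-year certificate and signs content
// at signingTime. It returns the document and the root certificate a relying party would trust out of band.
func BuildDemo(content []byte, signingTime time.Time) (*SignedDocument, *x509.Certificate, error) {
	notBefore := signingTime.Add(-time.Hour)
	caCert, caKey, err := newCert("Example Root CA (constructed)", 1, notBefore, signingTime.AddDate(10, 0, 0), nil, nil)
	if err != nil {
		return nil, nil, err
	}
	// The signatory alone controls signerKey; the certificate binds its public key to the signatory's identity.
	signerCert, signerKey, err := newCert("Alice Example (constructed)", 2, notBefore, signingTime.AddDate(1, 0, 0), caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(content) // any later change to Content changes this digest
	sig, err := ecdsa.SignASN1(rand.Reader, signerKey, digest[:])
	if err != nil {
		return nil, nil, err
	}
	return &SignedDocument{Content: content, Signature: sig, SignerCert: signerCert.Raw, SigningTime: signingTime}, caCert, nil
}

// VerifyAt checks that the embedded certificate chains to the trusted root as of time "at", then the signature.
func VerifyAt(doc *SignedDocument, trustedRoot *x509.Certificate, at time.Time) error {
	signerCert, err := x509.ParseCertificate(doc.SignerCert)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signerCert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not valid at %s: %w", at.Format(time.RFC3339), err)
	}
	// CheckSignature hashes Content with SHA-256 and verifies the ECDSA signature with the certificate's key.
	if err := signerCert.CheckSignature(x509.ECDSAWithSHA256, doc.Content, doc.Signature); err != nil {
		return fmt.Errorf("document altered after signing: %w", err)
	}
	return nil
}

// VerifyLTV evaluates the certificate as of the recorded signing time, so later expiry does not invalidate it.
func VerifyLTV(doc *SignedDocument, trustedRoot *x509.Certificate) error {
	return VerifyAt(doc, trustedRoot, doc.SigningTime)
}

func main() {
	signedAt := time.Date(2020, 1, 15, 10, 0, 0, 0, time.UTC)
	doc, root, err := BuildDemo([]byte("Service agreement v1 (constructed sample)"), signedAt)
	if err != nil {
		panic(err)
	}
	fmt.Println("LTV check:", VerifyLTV(doc, root), "| wall clock 5y later:", VerifyAt(doc, root, signedAt.AddDate(5, 0, 0)))
	doc.Content = []byte("Service agreement v1 (constructed sample) plus an added clause")
	fmt.Println("after tampering:", VerifyLTV(doc, root))
}
```

Running it shows the three outcomes the text describes: the LTV check passes, the same document evaluated five years later against the wall clock fails because the one-year signer certificate has expired, and any change to the content fails the signature check. The design point is in VerifyAt versus VerifyLTV: the same evidence is used in both, only the reference time differs, which is why embedding the evidence (and, in real PAdES-LTV, a trusted timestamp) makes a signature checkable long after the issuing infrastructure is gone.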
Penneo follows the cryptographic standards defined by NIST to protect PII
Business-critical data and sensitive information must be managed with a high level of security and care. At Penneo, encryption of sensitive data and Personally Identifiable Information (PII) follows the cryptographic standards defined by the National Institute of Standards and Technology (NIST). Breaches involving PII are hazardous to both individuals and organizations. To appropriately protect the confidentiality of this personal data, Penneo uses a risk-based approach. NIST's Guide to Protecting the Confidentiality of Personally Identifiable Information (NIST SP 800-122) uses a broad definition of PII in order to identify as many potential PII sources as possible and so be able to protect this information.
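A field-level encryption routine in the spirit of the paragraph above, as an added example that is not Penneo's code and says nothing about how Penneo actually stores data: it uses AES-256-GCM, the FIPS 197 block cipher in the NIST SP 800-38D authenticated mode, with a fresh random 96-bit nonce per value and the record and field identity bound as associated data, so a ciphertext cannot be silently altered or moved to another record. The PIIVault type, the FieldContext naming scheme and the sample record are constructed for illustration; the key is assumed to come from a KMS or HSM in practice, with GenerateKey standing in for that here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// PIIVault encrypts individual PII fields with AES-256-GCM: the FIPS 197 block
// cipher in the NIST SP 800-38D authenticated mode (constructed example type).
type PIIVault struct {
	aead cipher.AEAD
}

// GenerateKey returns a fresh 256-bit key. In production the key would come from
// a KMS or HSM and be rotated: SP 800-38D limits one GCM key to 2^32 encryptions
// under random nonces, so rotation is part of the design, not an afterthought.
func GenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// NewPIIVault wraps a 32-byte key in an AES-256-GCM AEAD (96-bit nonce, 128-bit tag).
func NewPIIVault(key []byte) (*PIIVault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &PIIVault{aead: aead}, nil
}

// FieldContext names the record and field a ciphertext belongs to. Bound as
// associated data it is authenticated but not encrypted, so a ciphertext copied
// into another record or field fails to decrypt instead of leaking silently.
func FieldContext(recordID, field string) string {
	return "record:" + recordID + "/field:" + field
}

// Seal returns nonce || ciphertext || tag for one field value.
func (v *PIIVault) Seal(plaintext []byte, context string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the nonce becomes the prefix of the output.
	return v.aead.Seal(nonce, nonce, plaintext, []byte(context)), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or context makes GCM
// reject the input before returning a single byte of plaintext.
func (v *PIIVault) Open(sealed []byte, context string) ([]byte, error) {
	n := v.aead.NonceSize()
	if len(sealed) < n+v.aead.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	return v.aead.Open(nil, sealed[:n], sealed[n:], []byte(context))
}

func main() {
	key, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	vault, err := NewPIIVault(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the identifier is not real data.
	ctx := FieldContext("cust-0001", "national_id")
	sealed, err := vault.Seal([]byte("sample-id-0000"), ctx)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %x\n", sealed)
	plain, err := vault.Open(sealed, ctx)
	fmt.Printf("opened: %s (err=%v)\n", plain, err)
	_, err = vault.Open(sealed, FieldContext("cust-0002", "national_id"))
	fmt.Println("moved to another record:", err)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = vault.Open(sealed, ctx)
	fmt.Println("tampered:", err)
}
```

The associated-data binding is the part most often left out of "we encrypt PII" implementations: without it, a database row's encrypted fields are interchangeable, and an attacker with write access can swap one customer's ciphertext into another's record and let the application decrypt it for them. Rotation, nonce management and key custody are the remaining NIST-relevant controls and sit outside this snippet.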
Data Center Security
Penneo's IT systems and websites are hosted at locations within the EU (the Frankfurt region, Germany, and the Dublin region, Ireland) by AWS (Amazon Web Services). At Penneo, we review the AWS assurance reports SOC 1 and SOC 2 to make sure that they comply with our IT security requirements. Hosting on Amazon Web Services lets us ensure compliance with global data privacy legislation.
All AWS services are GDPR-compliant. Amazon Web Services is also certified under the EU-US Privacy Shield and has announced compliance with the CISPE Code of Conduct. AWS maintains the highest levels of compliance for its infrastructure through several compliance reports from third-party auditors (ISO 27001, 27017 and 27018), and is committed to offering services and resources by regularly launching new features focused on security and compliance.
For more information about AWS compliance, please visit: https://aws.amazon.com/compliance/