Penneo meets the requirements of all major global standards relating to e-signature, data privacy, and customer due diligence. We continuously monitor the legal landscape to ensure our services comply with the latest national, EU, and international regulations.
Global Security Standards
Penneo guarantees the most advanced protection to customers and their data. To show our formal commitment to security and compliance, our system continually undergoes third-party audits and assessments. Our solution is built on globally recognized industry standards.
eIDAS Regulation: Digital Signatures & Digital Identities
What is eIDAS?
eIDAS stands for electronic identification, authentication, and trust services. The eIDAS Regulation - Regulation (EU) No 910/2014 of the European Parliament and of the Council - took effect in July 2016, establishing a consistent legal landscape to enable secure and seamless electronic interactions between businesses, citizens, and public authorities. eIDAS defines the standards under which e-signatures and electronic identification mechanisms have the same legal standing as their traditional paper-based equivalents.
Is Penneo compliant with eIDAS?
Penneo meets all the most demanding eIDAS standards:
Digital signatures created through Penneo meet the technical requirements defined by the eIDAS for advanced e-signatures (Art. 26). Therefore, they are just as valid and legally binding as the traditional ones placed with ink on paper. Both the signatory and the recipient can thus have more convenience, trust, and security.
Penneo uniquely identifies signers by using Digital IDs issued by Trusted Service Providers (TSPs) or Certificate Authorities (CAs) that are included in the EU Trusted List - this is how we ensure signers' authentication and provide certainty on users' identities.
Can I use Penneo to sign with my eID?
Penneo currently supports several eIDs, and we're constantly working on developing new integrations to other countries. Every time we roll out our digital signature system to a new country, we make sure to meet all the relevant rules laid down in local laws and legal standards.
Check out our signing methods page to see if you can use your national eID to sign digitally via Penneo.
GDPR: Your privacy is our first concern
What is GDPR?
The GDPR is the most recent and important EU Regulation on data privacy. It increased transparency by harmonizing data protection laws within the European Union and empowering EU citizens with greater control over their data. Enforced as of 2018, it applies to any business processing personal data of EU citizens, regardless of the company's location.
Is Penneo GDPR-compliant?
At Penneo, GDPR has been embedded in our operational systems, and it now represents just one of several ways of providing our customers with the safest digital experience. All the data Penneo holds is safely stored in data centers located in the EU (Germany and Ireland) and never transferred outside the EU. Our daily mission is to ensure that all the most stringent data protection requirements are addressed. As a trustworthy data processor, Penneo guarantees its customers greater power, awareness, and control over the collection, processing, and storage of personal data.
How can Penneo help you meet the GDPR requirements?
In collecting and processing personal data through Penneo, users can be confident that they are handling sensitive information in compliance with the requirements established for consent, data subjects' rights, lawful processing, storage within the EU, and so on.
Document and data management via Penneo is entirely GDPR-compliant. What's more, digital signatures are an essential tool to conveniently capture consent while conforming with the rules established for it (such as the active opt-in requirement, a comprehensive court-admissible audit trail, granular options for separate consents within the digital documents, etc.).
AML requirements: KYC and client onboarding
What is new in the 6th AML Directive?
The 6th AML Directive harmonized the list of predicate money laundering offenses across the EU; expanded the regulatory scope to punish those who have had an "enabling" role; extended criminal liability to businesses; imposed harsher penalties; and required cooperation between Member States and companies in identifying and prosecuting offenders. The deadline for EU companies to adjust their internal procedures accordingly is June 3rd, 2021.
The new EU AML Directive is the sixth since 1991 but came into force less than a year after the previous one and confirmed its provisions. The 5th AML Directive extended the scope of obliged entities; required more meticulous CDD and EDD checks; regulated domestic PEPs; improved the central registrars of beneficial ownership to facilitate the identification of UBOs; extended AML checks to majority-owned subsidiaries outside the EU.
What does this mean for the KYC process?
The tightening of client onboarding rules requires obliged entities to perform more thorough customer background screenings, leading to a more considerable amount of personal data being collected.
Companies are now forced to handle, process, and be responsible for a larger quantity of customers' sensitive information. Therefore, they have to implement compliant and efficient processes to ensure the security and privacy of such data.
The need for businesses operating in the EU to reinforce their KYC process is now even more important as, for the first time ever, firms can be held accountable for money laundering due to lack of supervision, control, and compliance.
Can I comply with AML laws by using Penneo?
AML laws explicitly promote the use of electronic signature and digital identification means as standardized by eIDAS EU Regulation (910/2014) to verify customers’ identity. Therefore, businesses are allowed (and encouraged) to employ electronic identity verification or eKYC to identify customers remotely. The KYC process performed via Penneo increases the reliability and quality of the data collected, reinforces its security, and complies with the rules set forth under the latest Anti-Money Laundering Directive.
Global Security Standards
Penneo is protected and surrounded by the highest level of security - from the creation of digital signatures to the time the signed documents are archived and beyond. We acknowledge that sensitive information and business-critical data need to be managed with high care and confidentiality. From authentication to encryption, assuring that security is impeccable is our daily effort.
As we care about demonstrating our pledge to live up to customers' requirements and expectations, we invest significantly in maintaining attestations that corroborate and document our ongoing efforts. As a result, we can be certain that we are not only taking the right actions internally to secure a compliant environment, but also that official third-party reports demonstrate that everything provided at Penneo abides by the highest industry security standards.
Penneo receives a yearly ISAE 3000 report
The International Standard on Assurance Engagements (ISAE) 3000 is a standard for assurance engagements on non-financial information, approved by the International Auditing and Assurance Standards Board (IAASB) of the IFAC.
Penneo's trustworthy security framework lets us fulfil our performance obligations to the companies that entrust us with their documents and data. Nonetheless, we want to provide our customers with certified documentation that attests how we deal with security, privacy, and fraud in compliance with international standards. Therefore, we engage an independent audit firm on an annual basis to perform an accurate assessment of the effective functioning of our security measures. Thanks to this periodic ISAE 3000 audit, we receive authoritative proof of the safety of our internal processes, and we have certainty that the controls included are actually in place and operate effectively and continuously in accordance with the IAASB provisions.
Our ISAE 3000 audit covers all the five Trust Service Criteria (TSC) - Security, Availability, Processing Integrity, Confidentiality, and Privacy - defined in the SOC 2 Report by the American Institute of Certified Public Accountants (AICPA). The TSC - widely recognized as best-practices for managing customer data - are the principles on which Penneo’s security management framework is based.
Penneo frames its information security processes in line with ISO 27001
ISO/IEC 27001 (2013) is an information security standard - published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) - that formally specifies a suite of activities and requirements for regularly identifying, reducing, monitoring, and reviewing information risks. Penneo's IT governance is consistently aligned with these internationally recognized best practices and operates effectively, thus creating a constantly effective risk management system, built around the CIA triad defined in the standard:
confidentiality: we ensure that information is accessible only to those authorized to have access;
integrity: we safeguard the accuracy and completeness of information and processing methods;
availability: we guarantee that authorized users have access to information and associated assets when required.
Involving people, processes and IT systems, ISO 27001's flexible risk-driven approach makes it possible to ensure the correct setup of the security arrangements to keep pace with evolving cyber-threats, vulnerabilities, and business impacts. We systematically assess whether our security controls continue to meet the organization's information security needs so that sensitive data remains secure. At the same time, our adherence to these standards enables our compliance with art. 32 GDPR (which requires both organizational and technical strategies to mitigate security risks through a comprehensive program of awareness across the whole organization).
Penneo's digital signatures are built on PAdES standard
PAdES (Advanced Electronic Signatures for PDF documents) is the best-defined standard for the implementation of digitally signed documents through cryptographically secured electronic signatures in compliance with the eIDAS regulation.
The standard was published by ETSI (the European Telecommunications Standards Institute) and includes a series of adaptations and extensions to PDF to satisfy the requirements established by EU legislation for the creation, validation, and legal admissibility of electronic signatures anywhere in the EU.
Being framed on this eIDAS-compliant implementation of e-signatures, Penneo's digital signature meets the requirements set forth under art. 26 of the eIDAS regulation for an advanced electronic signature, which should be:
uniquely linked to the signatory, as it provides unique identifying information that links it to its signatory;
capable of identifying the signatory because the signatory has sole control of the data used to create the electronic signature;
capable of identifying any subsequent change in the data attached to the signature after signing - if it’s detected that the signed data has been changed, the signature is marked invalid;
provided with a certificate for electronic signature, electronic proof that confirms the identity of the signatory and links the electronic signature validation data to that person.
Such a signature can be used as proof of trustworthiness in terms of Authenticity, Data Integrity, and Non-repudiation because it ensures the identity of the signers, the non-alteration of the data, and the intent to sign and to be bound by the agreement.
Therefore, digital signatures created via Penneo carry legal effect, can be used as evidence in legal proceedings, and are just as binding and enforceable as handwritten signatures in all EU Member States.
Penneo follows the cryptographic standards defined by NIST to protect PII
At Penneo, encryption of sensitive data and Personally Identifiable Information (PII) follows the cryptographic standards defined by NIST (National Institute of Standards and Technology).
NIST's Guide to Protecting the Confidentiality of Personally Identifiable Information uses a broad definition of PII in order to identify as many potential PII sources as possible and be able to protect this information. Accordingly, PII is any information about an individual that can be used to distinguish or trace an individual's identity, such as name, social security number, financial account or credit card number, date and place of birth; any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information; physical address, IP address, email address; and personal characteristics - including photographic image, fingerprints, handwriting or other biometric data.
All data must be managed with high security and diligence. However, PII deserves even stronger protection due to the more severe harm that a potential breach would cause to both individuals and organizations. To appropriately protect the confidentiality of PII, we implemented several NIST privacy-specific measures, such as:
anonymization and de-identification;
minimization of the use, collection, and retention of PII to what is strictly necessary to accomplish the business purpose and mission;
categorization of PII by its confidentiality impact level;
implementation of appropriate safeguards for PII based on its confidentiality impact level;
development of an incident response plan to handle breaches involving PII.
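The first three measures in the list (de-identification, minimization, and categorization by impact level) can be illustrated on a constructed onboarding record. This is an added example and not Penneo's implementation: it assumes a record with name, national ID, email and city, assigns each field an illustrative impact level (the ratings are an assumption for the example, not a table from NIST), keeps only the field the downstream purpose needs, and replaces the direct identifier with a keyed HMAC-SHA256 pseudonym. The key matters: an unkeyed hash of a short, structured identifier such as a national ID can be reversed by enumerating the possible values, so the pseudonym is only as confidential as the key that produced it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Impact is the PII confidentiality impact level used to choose safeguards.
type Impact int

const (
	Low Impact = iota
	Moderate
	High
)

// Record is a constructed customer record as collected during onboarding.
type Record struct {
	Name, NationalID, Email, City string
}

// Deidentified is what a downstream process receives after minimization:
// the direct identifier is replaced by a keyed pseudonym and fields that the
// purpose does not need (name, email) are dropped rather than stored.
type Deidentified struct {
	SubjectToken string
	City         string
}

// ImpactLevel rates a field by the harm its disclosure would cause. These
// ratings are an illustrative assumption for the example.
func ImpactLevel(field string) Impact {
	switch field {
	case "NationalID":
		return High
	case "Name", "Email":
		return Moderate
	default:
		return Low
	}
}

// HighestImpact returns the impact level of the most sensitive populated field,
// which is what the whole record must be protected at.
func HighestImpact(r Record) Impact {
	level := Low
	for field, value := range map[string]string{
		"Name": r.Name, "NationalID": r.NationalID, "Email": r.Email, "City": r.City,
	} {
		if value != "" && ImpactLevel(field) > level {
			level = ImpactLevel(field)
		}
	}
	return level
}

// Pseudonym derives a stable token from an identifier with HMAC-SHA256 under a
// secret key. The same identifier always yields the same token (records can
// still be linked), but without the key the token cannot be mapped back.
func Pseudonym(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// Deidentify applies minimization and pseudonymization to one record.
func Deidentify(key []byte, r Record) Deidentified {
	return Deidentified{SubjectToken: Pseudonym(key, r.NationalID), City: r.City}
}

func main() {
	key := []byte("constructed-secret-key-kept-in-a-kms") // constructed; never hard-code in production
	rec := Record{Name: "Jane Doe", NationalID: "010190-1234", Email: "jane@example.com", City: "Copenhagen"}
	fmt.Println("record impact level:", HighestImpact(rec))
	fmt.Printf("de-identified: %+v\n", Deidentify(key, rec))
}
```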