We answer all the frequently asked questions about digital signatures, GDPR-compliance, and security at Penneo

Find answers to all your questions. We've tried to answer all the questions that we're frequently asked. If you can't find what you are looking for, just contact us!



e-Signatures & Digital signatures

Penneo e-signatures meet the key legal requirements for digital signatures and provide users with any evidence they may need. The digital version of the documents signed via Penneo embeds technical evidence that certifies who signed the agreement, what was agreed on, and when this happened. Our files have very specific characteristics that are clear and visible in the digital version. Their presence provides assurance that the content and the signature have not been forged or compromised. Therefore, the final document is indisputable proof of authenticity of the signature and non-tempering of the content, and the parties involved cannot deny having signed it.

In case of a dispute, there is proof that the user has accepted a statement of declaration and consent, which includes an overview of the document itself, as well as the signer’s role; this statement is stored as part of the signature itself. Besides, each newly generated digital signature is time-stamped by a time-stamping authority so that the trusted time of signature generation can be identified and used as non-repudiation evidence. The signer cannot deny having signed since Penneo’s authentication method provides security on the signers’ identity. Using Digital IDs issued by Trusted Service Providers (TSPs) or Certificate Authorities (CAs), you have the electronic proof that undisputedly confirms the signatory identity and links the electronic signature validation data to that person. Moreover, once the digital signature has been submitted to a document, the entire package is signed by Penneo, guaranteeing its immutability; our secured audit trail makes it extremely easy to verify if the signed document has been modified since it was signed.

A certificate for electronic signatures means an electronic attestation that links electronic signature validation data to a natural person and confirms at least the name or the pseudonym of that person. A certificate for electronic signature is considered ‘qualified’ when it is issued by a qualified trust service provider and contains the following:

an indication that the certificate has been issued as a qualified certificate for electronic signature;

a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates, including at least, the Member State in which that provider is established and the natural person’s name or the name and registration number of the legal person;

at least the name of the signatory, or a pseudonym; if a pseudonym is used, it shall be clearly indicated;

electronic signature validation data that corresponds to the electronic signature creation data;
details of the beginning and end of the certificate’s period of validity;

the certificate identity code, which must be unique for the qualified trust service provider;

the advanced electronic signature or advanced electronic seal of the issuing qualified trust service provider;

the location where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point (g) is available free of charge;

the location of the services that can be used to enquire about the validity status of the qualified certificate;

where the electronic signature creation data related to the electronic signature validation data is located in a qualified electronic signature creation device, an appropriate indication of this, at least in a form suitable for automated processing

Electronic signature creation device means configured software or hardware used to create an electronic signature. An electronic signature creation device is considered qualified if it meets the following requirements:

it ensures that the electronic signature creation data used for electronic signature creation can practically occur only once and cannot be derived while assuring the confidentiality of this data and its protection against forgery and use by others.

it must not alter the data to be signed or prevent such data from being presented to the signatory before signing.

Only a qualified trust service provider can generate or manage electronic signature creation data on behalf of the signatory and duplicate the electronic signature creation data only for back-up purposes; however, when this happens, the security of the duplicated datasets must be at the same level as for the original datasets, and the number of duplicated data sets shall not exceed the minimum needed to ensure continuity of the service.


Privacy & GDPR

The data protection officer is the person/employee appointed to ensure that the company processes personal data of its employees, customers, providers, or any other data subjects in compliance with the applicable data protection rules. The DPO is also responsible for handling potential queries or complaints related to data privacy rules and data protection rights.

Data processing should be performed based on the following principles:

Lawfulness, Fairness

The GDPR requires personal data to be processed lawfully, fairly, and in a transparent manner in relation to the data subject.


The responsibility and the burden of complying with the lawfulness of processing lie with the controller.


The processed data should be accurate and, where necessary, kept up to date, while ensuring the erasure and rectification without delay of inaccurate information.

Storage Limitation

Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Data Minimization

Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; the personal data should be adequate, relevant, and limited to what is necessary for the purposes for which they are processed.

Integrity and Confidentiality

Personal data must be processed in a manner that appropriately ensures their security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organizational measures.


Transparency is a central principle in the GDPR, as it promotes the objective of strengthening individuals' rights by ensuring the effectiveness of all the other principles. The transparency obligations begin at the data collection stage and apply "throughout the life cycle of processing". The principle of transparency requires that any information addressed to the public or the data subject be communicated:

in a concise, transparent, intelligible, and easily accessible form;

using clear, plain, and unambiguous language and, where appropriate, visualization and standardized icons;

in writing, or by other means, including, where appropriate, electronic means such as a website.

Ensuring the effective access and comprehension of the information provided to data subjects is as important as the content of the information itself. In other words, it's not just what you say, but how you say it, that matters.

Processing personal data is generally prohibited unless expressly allowed by law or by the data subject. There are six legal bases for processing personal data in compliance with the General Data Protection Regulation; the data processing is lawful only if and to the extent that it is justified by at least one of the following:


The data subject has given consent to the processing of personal data for one or more well-defined purposes.

Vital interests

Processing is necessary to protect the vital interests of the data subject or another natural person.


Processing represents a contractual obligation because it is required for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract.

Public interest

Processing is essential for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller.

Legal obligations

Processing is needed to satisfy a legal obligation to which the controller is subject.

Legitimate interest

Processing is demanded for the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data.

According to the accountability principle, data processing liability and the burden of ensuring its lawfulness lie with the controller.

GDPR ensures and guarantees to data subjects a series of fundamental rights in relation to their personal data and its processing. The exercise of data subjects' rights must be facilitated, and their effectiveness must be ensured. When a data subject exercises one of their rights, the data controller cannot refuse to act on the request and must provide information on actions taken on the request to the data subject without undue delay and in any event within one month of receipt request. If the controller does not take action on the request of the data subject, the controller must inform them without delay of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. The data subjects’ rights are:

Right to be informed

Various types of information must be provided to data subjects: they range from how to contact the data controller, to information concerning the purposes of the processing and proof of its lawfulness, the period for which the personal data will be processed and stored, the possibility of withdrawing consent and complaining to a supervisory authority. The data subject should also be fully aware of their rights and be able to exercise those rights; to this end, they can ask for clarification and exercise their right to assistance. Appropriate measures should be taken to provide such in-depth information in a transparent way, free of charge, and in a timely manner. Derogations apply in the event that the data subject already has the information, or in case of impossibility, disproportionate effort or obtaining or disclosing personal data is expressly laid down in law. Additionally, data subjects must be informed if data has leaked and disclosed to unauthorized recipients or made temporarily unavailable or altered. This right consists of receiving proper notification in the case of a data breach that happened either accidentally or unlawfully and poses a risk to individual rights and freedoms.

Right of access

The data subject must be able to exercise their right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed.

Where that is the case, the data subject has the right to access the personal data, receive a copy of the personal data undergoing processing free of charge and in an accessible format, and be provided with the information to which he or she is entitled.

Right to data portability

It involves the data subject’s right to receive the personal data concerning them, in a structured, commonly used and machine-readable format (to obtain an intelligible overview of their information) and to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. In exercising their right to data portability, the data subject can also request to have the personal data transmitted directly from one controller to another, where technically feasible.

Right to rectification

If an individual believes that their personal data is incorrect, incomplete, or inaccurate, they can exercise the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning the data subject.

Right to restriction of processing

It is about the right to obtain from the controller restriction of processing where:

the data subject has objected to processing or if the data subject contests the accuracy of the personal data or the lawfulness of processing;

the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims.

Where processing has been restricted, such personal data would only be processed with the data subject's consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or reasons of important public interest of the Union or a Member State.

Right to erasure (right to be forgotten)

The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay.

they are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;

the data subject objects to the processing and there are no overriding legitimate grounds for the processing;

the personal data have been unlawfully processed.

Exceptions do exist: in fact, the erasure of individual’s personal data cannot be asked to the extent that processing is necessary:

for exercising the right of freedom of expression and information;

for compliance with a legal obligation which requires processing by Union or Member State law or for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller;

for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;

for the establishment, exercise, or defense of legal claims.

Right not to be profiled

Profiling occurs when personal aspects (characteristics such as age, sex, height) are evaluated to make predictions or classify a person in a category, even if no decision is taken (this often happens for actions like online recruiting or credit ratings).

Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing for such marketing, which includes profiling to the extent that it is related to such direct marketing. This right must be explicitly brought to the data subject's attention and presented clearly and separately from any other information.

Right to object to automated individual decision-making

Decision-making based solely on automated means happens when decisions are taken about a person by technological means and without any human involvement, even without involving profiling.

Data subjects have the right not to be subject to a decision based solely on automated means if the decision produces legal effects concerning them and impacting their rights or if the decision significantly similarly affects them because it influences their circumstances, behavior, or choices. This type of decision-making may exceptionally be allowed if the use of algorithms is allowed by law and suitable safeguards are provided, or there is no other way to achieve the same goal to enter or perform a contract, or explicit consent has been given.

When a data subject exercises one of their rights, the data controller cannot refuse to act on the request and must provide information on actions taken on the request to the data subject without undue delay and in any event within one month of receipt request. If the controller does not take action on the request of the data subject, the controller must inform them without delay of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.


Union or Member State law may restrict the scope of the obligations and rights provided for in GDPR when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard national or public security, defense and important economic or financial interest, or to prevent, detect or prosecute criminal offenses or to enforce civil law claims. Any legislative restrictive measure should contain specific provisions as to the purposes of the processing, the categories of personal data, the scope of the restrictions introduced, the risks to the rights and freedoms of data subjects, and their right to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

Data protection by design requires that any action a company undertakes that involves processing personal data must be done with data protection and privacy in mind at every step. During internal projects, product development, software development, IT systems implementation, the controller must integrate the necessary safeguards into the processing in order to meet the GDPR requirements and protect the rights of data subjects. To do so, it’s necessary to put in place appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization. The actual application of this principle minimizes privacy risks and increases trust by placing data protection at the forefront of developing new goods or services, thus avoiding any possible data protection issues at an early stage and helping to raise awareness about data protection across all departments and levels of a company.

Data protection by default aims to ensure that companies always make the most privacy-friendly setting the default setting. This principle is applied once a product or service has been released to the public and requires the strictest privacy settings to be applied by default, without any manual input from the end-user: for example, if two privacy settings are possible and one of the settings prevents personal data from being accessed by others, this should be used as the default setting. Moreover, the controller must implement appropriate technical and organizational measures for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, their storage period, and their accessibility.

A data processor can entrust all or part of the tasks assigned to it to another processor, called a sub-processor or a level 2 processor. Under the GDPR, the data controller must give its prior written authorization when its processor intends to engage a sub-processor. Even after having obtained the controller’s formal authorization, the processor remains fully liable to the controller for the performance of the subprocessor's obligations. The GDPR also establishes clauses that must be included in the contract between a processor and a sub-processor.

GDPR fines are flexible and proportionate to the infringement and apply to all types and sizes of businesses, from micro or small companies to multinational enterprises. Before deciding to impose a fine, there may be warnings, reprimands, suspension of data processing. After these preliminary measures have been taken, businesses that fail to comply with their GDPR obligations can incur administrative fines up to 10.000.000 € or up to 2% of the company’s total worldwide annual turnover, whichever is higher. When other more severe violations occur, the fines can reach 20.000.000 € or up to 4% of the company’s global annual turnover, whichever is greater. This more significant liability is faced in case of infringements related to the very core of the right to privacy and the GDPR, such as the basic principles for processing, the conditions for consent, the data subjects’ rights, and in the event of non-compliance with an order by the supervisory authority.

Under the GDPR, fines are administered by the data protection regulator in each EU country, which will determine whether an infringement has occurred and the severity of the penalty.

Ten criteria are used to determine whether a fine will be assessed and in what amount:

1. the nature, gravity, and duration of the infringement,

2. whether it was intentional or the result of negligence,

3. whether any actions have been taken to mitigate the damage,

4. the amount of technical and organizational preparation the firm had previously implemented to comply with the GDPR,

5. any relevant previous infringements,

6. the degree of cooperation with the supervisory authority to discover and remedy the infringement,

7. what categories of personal data are affected by the infringement,

8. whether the firm proactively reported the infringement to the supervisory authority,

9. whether the firm followed approved codes of conduct or was previously certified,

10. any other aggravating or mitigating factor applicable to the case's circumstances, including financial benefits, gains or losses avoided as a result of the infringement.


Penneo’s GDPR compliance


Article 32 GDPR requires the implementation of technical and organizational measures that ensure a level of data security appropriate for the level of risk presented by processing personal data.

We adopt appropriate procedures and processes to protect the personal data Penneo holds by putting a trustworthy security framework in place. Our Certifications, internal audits, security practices, and privacy policies successfully meet all the requirements laid down in art. 32.

To be more specific, Penneo receives an ISAE 3000 Report on an annual basis, and we are committed to securely manage your data in compliance with the Trust Service Criteria described by SOC 2; our IT-governance is framed on ISO/IEC 27001 (2013), and Penneo’s digital signatures are built on PAdES and follow the AES-256 cryptographic standards defined by NIST to protect PII.

We implemented the technical and organizational strategies that allow pseudonymization and encryption of personal data while maintaining ongoing confidentiality, integrity, availability, and resilience of processing systems and services. Our IT security ensures the ability to promptly restore the availability and access to personal data in the event of a physical or technical incident. We regularly test, assess, and evaluate the effectiveness of our technical and organizational measures as part of our risk-based security management framework.

At Penneo, we have heartily embedded these two new GDPR principles in our operational systems, embraced GDPR, and today our starting point for everything we do is to acknowledge our responsibility to protect our customers’ privacy. We have implemented appropriate technical and organizational measures to create the foundation for effective prevention and mitigation of vulnerabilities, breaches, and leaks while promoting a stronger awareness of information security and data protection within our organization. Penneo’s commitment to security takes shape starting from the early stages of product and software development. Our principles and technologies to provide our customers with the best outcome allow us to minimize risks, prevent threats, and ensure our product security. It’s up to the individual customer to configure the access level security, but Penneo always advises customers to use the strictest settings applicable to the specific use case. In the strictest case, all access to customer data is restricted using multi-factor authentication, and data is always transmitted relying on end-to-end encrypted channels.

At the same time as the contract's signature for Penneo services, Penneo’s customers sign the data processing agreement. Our DPA complies with GDPR requirements and obliges both us and our contractual counterpart to recognize and accept GDPR rules and liabilities.

At Penneo, we are committed to facilitate the exercise of data subjects’ rights and ensure their effectiveness. To activate the process of exercising a right, a data subject should submit a request and specify their willingness to exercise one of their rights. Following this request, our Support Team would send the applicant a form to fill in to indicate more information about the request made and allow Penneo to act promptly and effectively.

Once we receive the completed form, our DPO proceeds to perform the necessary actions to satisfy the request. The GDPR establishes that information on actions taken on the request to the data subject must be provided without undue delay and in any event within one month of receipt of the request. At Penneo, the request is usually fulfilled within a week, and the data subject is notified of the results of their request.

We have implemented a disposal and deletion policy for all customers' data. It involves both the deletion through the customer-facing interfaces in the production environment and the hard deletion (including all revisions of a document). The policy states that even though data is deleted through the customer-facing interfaces, it will only be flagged for deletion in the production environment, i.e., not hard deleted. Hard deletion of a document (including all revisions) can only be performed by at least two Penneo employees working together. Data flagged for deletion will be hard deleted within 60 days of being flagged. At Penneo, we are committed to facilitate the exercise of individuals’ rights and ensure their effectiveness. When a data subject submits a request (using the form on our website) and specifies their willingness to exercise one of their rights, our Support Team acquires more information to act promptly, and our DPO proceeds to perform the necessary actions to satisfy the request, that is usually fulfilled within a week.

To deliver a secure high-quality service, Penneo has a formal policy in place to manage third-party service providers. We acknowledge that it’s not just our security that we have to worry about. We also need to consider threats from third parties, partners, and the supply chain. Being aware of potential risks to our customers, we understand that choosing partners wisely can go a long way toward maintaining a secure supply chain. To deliver a secure and high-quality service, we make sure our sub-providers have robust IT security policies in place by looking for risk management benchmarks such as industry certifications and security audits.

Penneo only entrusts to subcontractors that guarantee high-level compliance. Replaceable high-risk or high-impact sub-providers must produce an annually updated ISAE 3402 assurance report or similar for risk management purposes. These assurance reports are reviewed and assessed biannually to determine whether any changes or deviations in the providers' controls can affect the risk profile of Penneo.


Penneo's security management framework

Penneo’s encryption system is built on AES 256, which provides the strongest encryption level. The result is a tremendously sophisticated form of encryption that is virtually impenetrable, even using brute-force methods.

What is most likely the best way to store encryption keys securely is by using a key hierarchy: it's basically a key expansion process in which the initial key is employed to come up with a series of new keys, called round keys. These round keys are generated over multiple rounds of modification, each of which makes it harder to break the encryption. As a result, the master key will be used to decrypt a number of encryption keys that, in turn, will be used to decrypt the actual data protected. A key hierarchy provides a powerful pattern for storing an application’s cryptographic keys as it uses different keys for different data while focusing your protection efforts on the master key.

An important aspect of a key hierarchy is that the master key can decrypt all the other keys, and therefore (indirectly) all of the data. To protect a master key while keeping it accessible and available when needed, Penneo uses the AWS CloudHSM service that stores the encryption keys in an HSM (Hardware Security Module), purpose-built hardware designed to protect sensitive data. The HSM provides physical and logical protection for cryptographic key material and meets the most stringent security standards, offering a high safety level for the key and the data it encrypts.

A key hierarchy provides three major benefits:

1. It allows the segmentation of the data that needs to be protected by encrypting different data using separate encryption keys instead of having all data encrypted using a single key. These separate data encryption keys and the data they protect can be managed independently. Consequently, if a user loses the data key, the data encrypted with other data keys remains protected, limiting the potential impact of losing a key to data protected with that key.

2. It allows us to minimize the amount of plaintext key material that needs to be protected since only the master key must be stored in plaintext; it’s undoubtedly easier to provide strong protection and restrict access to one key rather than many keys.

3. It reduces the processing load on the HSM by avoiding the performance of bulk encryption operations since the HSM only has to decrypt data keys; bulk encryption can be distributed to one or more application instances, while the most sensitive keys stay protected in the HSM.

Penneo values the contribution the customers themselves can make by reporting potential issues or worries. Consequently, we ask you to contact our Support Team by using our form whenever you recognize problems or suspicious activities (Submit a request).

Capterra logo
G2 logo

Find the package that fits your needs