Trustcenter FAQ

All the questions you are looking for answers to!


Digital signature

What is an electronic signature?

The expression 'electronic signature' refers to data in electronic form which is attached to or logically associated with other data in electronic form. In its most basic form, an e-signature can be as simple as a name typed into an electronic document that the signatory uses to sign. The generic term e-signature is often used broadly to refer to any electronic process that indicates acceptance of an agreement or a record, embracing all the methods used to sign electronic documents, including digital signatures. However, e-signatures and digital signatures are two distinct concepts and cannot be used interchangeably. As long as the e-signature adheres to the requirements of the specific regulation it was created under, it provides the same legal standing as a handwritten signature.

What's the difference between e-signature and digital signature?

Digital signatures are cryptographic implementations of electronic signatures, based on asymmetric (public key) cryptography. This technique uses a certificate-based digital ID to authenticate the signer's identity and to demonstrate proof of signing by binding each signature to the document with encryption. The digital signature is the signing method that gives the greatest certainty about the authentication of the signers' identity as well as the integrity and non-repudiation of the e-signed document.

What is meant by advanced e-signature and qualified e-signature?

These two types of electronic signature are generically grouped under the expression 'digital signatures', and the distinction between them is found only in the EU eIDAS Regulation, where the 'advanced electronic signature' is defined as an e-signature which meets the following requirements:

  • it is uniquely linked to the signatory;
  • it is capable of identifying the signatory;
  • the signatory has sole control of the data used to create the electronic signature;
  • it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.

Such a signature attains a higher probative value when enhanced to the level of a qualified electronic signature by adding a certificate issued by a qualified trust service provider, attesting to the authenticity of the qualified signature. The Regulation defines the 'qualified electronic signature' as an advanced electronic signature that is created by a qualified electronic signature creation device and is based on a qualified certificate for electronic signatures. The upgraded advanced signature then carries the same legal value as a handwritten signature. However, this is regulated only in the European Union and, similarly through ZertES, in Switzerland; a qualified electronic signature is not defined in the U.S.

What is a certificate for electronic signatures?

'Certificate for electronic signature' means an electronic attestation which links electronic signature validation data to a natural person and confirms at least the name or the pseudonym of that person. A certificate for electronic signature is considered 'qualified' when it is issued by a qualified trust service provider and contains the following:

  • an indication that the certificate has been issued as a qualified certificate for electronic signature;
  • a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates including at least, the Member State in which that provider is established and the natural person's name or the name and registration number of the legal person;
  • at least the name of the signatory, or a pseudonym; if a pseudonym is used, it shall be clearly indicated;
  • electronic signature validation data that corresponds to the electronic signature creation data;
  • details of the beginning and end of the certificate's period of validity;
  • the certificate identity code, which must be unique for the qualified trust service provider;
  • the advanced electronic signature or advanced electronic seal of the issuing qualified trust service provider;
  • the location where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in the previous point is available free of charge;
  • the location of the services that can be used to inquire about the validity status of the qualified certificate;
  • where the electronic signature creation data related to the electronic signature validation data is located in a qualified electronic signature creation device, an appropriate indication of this, at least in a form suitable for automated processing.

What is a qualified signature creation device (QSCD)?

'Electronic signature creation device' means configured software or hardware used to create an electronic signature. An electronic signature creation device is considered qualified if it meets the following requirements:

  • it ensures that the electronic signature creation data used for electronic signature creation can practically occur only once and cannot be derived, while assuring the confidentiality of that data and its protection against forgery and against use by others;
  • it must not alter the data to be signed or prevent such data from being presented to the signatory prior to signing.
  • only a qualified trust service provider can generate or manage electronic signature creation data on behalf of the signatory, and it may duplicate the electronic signature creation data only for back-up purposes; when this happens, the security of the duplicated data sets must be at the same level as for the original data sets, and the number of duplicated data sets shall not exceed the minimum needed to ensure continuity of the service.

How do digital signatures work?

Digital signatures involve a two-phase process: the creation of the digitally signed document by the signer with their private key, and the verification of the authenticity and integrity of the message by the recipient with the signer's public key. The process can be summarized in two steps:

  • The content of the document to be signed is processed by a hashing algorithm to create a digest (a hash value: a unique sequence of numbers and letters) representing the document, and the signer's private key is applied to this digest to sign it on their behalf. The final output, the encrypted digest, is the digital signature of the document.
  • The digitally signed document is sent to the recipient, who needs the sender's public key to verify its legitimacy in terms of the integrity of the document and the authenticity of the signature. The recipient applies the sender's public key to decrypt the digital signature and obtain the digest, which is then compared with the hash value the recipient computes from the received document. If the two are identical, this verifies that the signer's private key was used to sign and that the document has not been altered.
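The two steps above, carried out end to end as an added example (not Penneo's code, and not the PAdES format the FAQ mentions): textbook RSA over a SHA-256 digest, with toy 512-bit keys and no padding scheme, so it is for illustration only. The `generate_keypair`, `sign` and `verify` names and the sample document are assumptions made for this example.

```python
"""Hash-then-sign and verify with textbook RSA over SHA-256 (added illustration).

Toy 512-bit keys and no padding scheme: production signatures use RSA-PSS,
PKCS#1 v1.5 or ECDSA with proper encoding rules, e.g. inside PAdES/CAdES.
"""
import hashlib
import math
import random
from typing import Optional, Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    """Draw odd candidates with the top bit set until one passes Miller-Rabin."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits: int = 512, seed: Optional[int] = None) -> Tuple[Key, Key]:
    """Return (public_key, private_key). A seed gives a reproducible, and therefore
    NOT secret, key for demonstrations; without a seed the OS CSPRNG is used."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def digest(document: bytes) -> int:
    """Step 1, first part: hash the document to a fixed-size SHA-256 digest."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key: Key) -> int:
    """Step 1, second part: apply the private key to the digest; the result is the signature."""
    n, d = private_key
    return pow(digest(document), d, n)


def verify(document: bytes, signature: int, public_key: Key) -> bool:
    """Step 2: apply the public key to the signature to recover the digest the
    signer committed to, and compare it with a digest recomputed from the
    document as received. Any change to the document, or a signature made
    with a different private key, makes the two values differ."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == digest(document)


def demo() -> dict:
    """Genuine signature verifies; a tampered document and a wrong key do not."""
    public_key, private_key = generate_keypair(bits=512, seed=2024)
    # Constructed sample document, not a real contract.
    document = b"I, Alice Example, accept the terms of agreement no. 42."
    signature = sign(document, private_key)
    tampered = document.replace(b"42", b"43")   # one character changed
    other_public, _ = generate_keypair(bits=512, seed=7)
    return {
        "genuine": verify(document, signature, public_key),
        "tampered_document": verify(tampered, signature, public_key),
        "wrong_public_key": verify(document, signature, other_public),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:18s} -> {'verified' if ok else 'REJECTED'}")
```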

The eIDAS Regulation establishes the principle that an electronic signature cannot be denied legal effect on the grounds that it is in electronic form or that it does not meet the requirements of the qualified electronic signature. It is for national law to define the legal effect of simple electronic signatures, except for the requirement provided for in the Regulation according to which a qualified electronic signature must have the equivalent legal effect of a handwritten signature. Equalizing the value of digital and handwritten signatures, the Regulation not only admits electronically signed documents as evidence in legal proceedings: it reiterates the ban on discrimination against documents in electronic form, in order to ensure that an electronic transaction will not be rejected solely on the grounds that it is in electronic form.

Is Penneo compliant with e-signature laws? What types of e-signature methods does Penneo offer?

Penneo meets the requirements of all major e-signature legislations around the world. In the EU, our digital signatures are compliant with all the most demanding eIDAS technical standards. Thus, our digital signatures are as legally binding and valid as traditional handwritten signatures and can be used as a proof of trustworthiness in terms of Authenticity, Data Integrity and Non-repudiation of the e-signed documents.

Why can a document signed with Penneo be considered legally binding? What evidence can users show later?

Penneo e-signatures meet the key legal requirements for digital signature and provide users with any evidence they may need.

In case of a dispute, there is proof that the user has accepted a statement of declaration and consent which includes an overview of the document itself, as well as the signer's role; this statement is stored as part of the signature itself. In addition, each newly generated digital signature is time-stamped by a time-stamping authority so that the trusted time of signature generation can be identified and used as non-repudiation evidence.

The signer cannot deny having signed, since Penneo's authentication method provides assurance of the signers' identity. By using Digital IDs issued by Trusted Service Providers (TSPs) or Certificate Authorities (CAs), you have electronic proof that undisputedly confirms the identity of the signatory and links the electronic signature validation data to that person.

Moreover, once the digital signature has been submitted to a document, the entire package is signed by Penneo, guaranteeing its immutability; our secured audit trail makes it extremely easy to verify if the signed document has been modified since it was signed.

How does Penneo manage digital identification and authentication?

Penneo uniquely identifies signers by using Digital IDs issued by Certificate Authorities (CAs) or Qualified Trusted Service Providers (TSPs), whose qualified status is granted by the supervisory body designated by a Member State to carry out eIDAS audits. These Conformity Assessment Bodies are accredited in the European Commission official list and ensure that the TSPs meet the security requirements laid down in the Regulation. Every time we roll out our digital signature solution to a new country, we make sure we are compliant with local laws, legal standards and regulatory requirements.

Is Penneo's KYC process compliant with Anti-Money Laundering Regulations?

At Penneo, we acknowledge that the security of electronic identification schemes is not only essential in the client-business relationship life cycle, it's also the key to trustworthy cross-border mutual recognition of electronic interactions. We understand the general need all companies have to verify the identity of their clients, either before or during the time that they start doing business with them, to be sure that customers are who they say they are and to identify suspicious elements earlier on. Penneo created a solid authentication solution based on the identity validation through eID. Our Know-Your-Customer process lets your customers handle everything using their national digital IDs directly from their computer or smartphone and still comply with Anti-Money Laundering regulations.


Privacy and GDPR

Does Penneo comply with data privacy laws?

Our software and procedures meet the most stringent legislative requirements for data protection, including the EU General Data Protection Regulation. Our signature solution complies with the GDPR's high standard for consent, lawful processing of personal data and DPAs. As a trustworthy data processor, Penneo gives its customers greater power, awareness and control over the collection, processing and storage of personal data.

What is the GDPR?

GDPR is the acronym for the EU General Data Protection Regulation, the most recent and important Regulation on data protection and privacy in the European Union. Leading to more standardized data management and protection, the Regulation enhanced customers' privacy while providing companies in the EU market with a clear and uniform legal environment in which to conduct business. Stronger conditions for consent, greater obligations for data processors and data controllers, and more dissuasive penalties are the main key points of the GDPR.

When did it come into effect?

The General Data Protection Regulation has been enforceable since May 2018. Being a Regulation and not a directive, the GDPR became directly legally binding on its entry into force, without requiring EU Member States to transpose it into national law.

What does the GDPR protect and regulate?

The Regulation protects fundamental rights and freedoms of individuals relating to the protection of their personal data. To this end, the GDPR lays down rules with regard to the processing of personal data.

What is meant by "processing" of personal data?

The expression 'data processing' refers to any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The GDPR requires that personal data be processed lawfully, fairly and in a transparent manner in relation to the data subject.

What is meant by "personal data"?

Personal data means any information relating to a living natural person ('data subject') who is identified or identifiable, directly or indirectly, by reference to means of identification such as a name, a photo, an identification number, location data or an online identifier (like an email address or a computer's IP address, activities on social networks, bank details, and so on). Personal data can also be derived from information relating to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person and may relate to public and professional life as well as to private and intimate matters.

Who are the subjects involved in the data processing?

The three main stakeholders are

  • data controller, that is the entity (natural or legal person, public authority, agency or other body) which determines the purposes and means of the processing of personal data; the data controller is also in charge of exercising control over the processing and bears data protection responsibility for it.
  • data processor, that is the entity (natural or legal person, public authority, agency or other body) which processes personal data on behalf of the controller and following its instructions.
  • data subject, i.e. the natural person (not a legal entity), the individual or private citizen, whose personal data is processed by a controller or processor.

What is Penneo's role under GDPR?

In the context of providing our software and solutions to our customers, we concurrently handle and store their personal data; this is an essential and ineradicable part of supplying our services. So we act as a data processor and are bound to follow our data controllers' instructions, meaning our customers' wishes about the purposes and the means of data processing. As a trustworthy data processor, Penneo gives its customers greater power, awareness and control over the collection, processing and storage of personal data.

Is Penneo compliant with GDPR requirements?

Our software and procedures meet the most stringent GDPR requirements. Data protection, security and compliance are the core areas that inform our business. Focusing on earning and retaining clients' trust, our purpose is to make our current and future customers feel safe about how their data is used and protected. By staying on top of these subjects, Penneo ensures transparency and preserves trust in its products and services.

How does Penneo demonstrate its compliance with GDPR?

Transparency is a key value of our business. Penneo shows its dedication to security and compliance by continuously striving to improve its security strategy and investing in internationally recognized certifications. Our system periodically undergoes third-party audits and assessments to ensure the most advanced protection to our customers and their data. What's more, Penneo's IT-systems and websites are hosted on locations within the EU by the market-leading cloud infrastructure services Amazon Web Services, a highly secure global data center that maintains the highest levels of compliance.

Does Penneo comply with art. 32 GDPR?

Article 32 GDPR requires the implementation of technical and organizational measures that ensure a level of data security appropriate to the risk presented by processing personal data. We adopt appropriate procedures and processes to protect the personal data Penneo holds by putting a trustworthy security framework in place. Our certifications, internal audits, security practices and privacy policies successfully meet all the requirements laid down in art. 32.

To be more specific, Penneo receives an ISAE 3000 report annually and we are committed to securely managing your data in compliance with the Trust Services Criteria described by SOC 2; our IT governance is framed on ISO/IEC 27001 (2013), and Penneo's digital signatures are built on PAdES and follow the AES-256 cryptographic standards defined by NIST to protect PII. The technical and organizational strategies we have implemented allow pseudonymization and encryption of personal data while maintaining the ongoing confidentiality, integrity, availability and resilience of processing systems and services; our IT security ensures the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, and we regularly test, assess and evaluate the effectiveness of our technical and organizational measures as part of our risk-based security management framework.

What is a Data Processing Agreement?

The DPA (Data Processing Agreement) is a legally binding document signed between two key data processing actors under GDPR, the data controller and the data processor, in order to ensure that they both understand their obligations, responsibilities and liabilities. Whenever a data controller engages a third party for the purpose of data processing on their behalf, the GDPR requires a data processing agreement with specific terms which also enables the data controller to demonstrate their compliance with the GDPR.

The GDPR also establishes requirements for what must be included in these contracts, which should set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller.

Can Penneo offer GDPR terms in its contracts with customers?

At the same time as signing the contract for the provision of Penneo services, Penneo's customers sign the data processing agreement. Our DPA complies with GDPR requirements and obliges both us and our contractual counterpart to recognize and accept GDPR rules and liabilities.

Who does GDPR apply to?

The Regulation applies if the data controller, the data processor or the data subject is based in the EU or in the EEA. Therefore, the GDPR applies to businesses that

  • are established in the EU, regardless of whether the processing takes place in the Union or not;
  • process personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law;
  • process personal data of data subjects who are in the Union.

The Regulation does not specify whether the subject must reside in or be a citizen of the EU; it merely requires that the individual be in the EU. Therefore, the GDPR also applies to enterprises based outside the EU if they collect or process personal data of individuals located inside the EU. That is why we can say that it applies extraterritorially: all companies processing and holding the personal data of subjects who are in the EU must comply with the GDPR, regardless of company location. Essentially, every business around the world is affected.

Are there exceptions for small or medium-sized enterprises?

Small businesses and larger firms should consider themselves equal in the eyes of GDPR. To take account of the specific situation of micro, small and medium-sized enterprises, the Regulation includes a derogation for organizations with fewer than 250 employees with regard to record-keeping. Art. 30 GDPR establishes that this obligation does not apply to companies employing fewer than 250 persons unless the processing carried out is not occasional and it is likely to result in a risk to the rights and freedoms of data subjects or it includes special categories of particularly sensitive data.

Therefore, small businesses that do not meet the exemption criteria must keep internal records. Moreover, companies with fewer than 250 employees will need to comply with those same legal requirements if they deal with larger corporations, given the nature of the joint liability established by the GDPR.

What is meant by technological neutrality of GDPR?

Under the GDPR, it doesn't matter whether a business processes and stores personal data using a complex IT system or paper-based files: as long as it is based in the EU or offers goods or services to individuals in the EU, it is governed by the GDPR. That is why the GDPR is described as technology neutral, meaning it protects personal data regardless of the technology used or how the personal data is stored.

Who is the Data Protection Officer (DPO) and does Penneo have one?

As required by the GDPR, Penneo has equipped itself with a DPO within the company.

The data protection officer is the person/employee appointed to ensure that the company processes personal data of its employees, customers, providers or any other data subjects in compliance with the applicable data protection rules. The DPO is also the person in charge of handling the possible queries or complaints related to data privacy rules and data protection rights.

What does the principle of transparency prescribe?

Transparency is a central principle of the GDPR and it promotes the objective of strengthening individuals' rights by ensuring the effectiveness of all the other principles. It requires that any information addressed to the public or to the data subject be communicated

  • in a concise, transparent, intelligible and easily accessible form;
  • using clear, plain and unambiguous language and, where appropriate, visualization and standardized icons;
  • in writing, or by other means, including, where appropriate, electronic means such as a website.

Which are the principles data processing should be based on?

Personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; it must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (data minimization principle). The processed data should be accurate and, where necessary, kept up to date, while ensuring the erasure and rectification without delay of inaccurate information (accuracy principle). It must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (principle of storage limitation). Last but not least, personal data must be processed in a manner that appropriately ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (principles of integrity and confidentiality).

What does "Lawfulness of processing" mean exactly?

Processing personal data is generally prohibited unless it is expressly allowed by law or by the data subject. There are six legal bases for processing personal data in compliance with the General Data Protection Regulation; data processing is lawful only if and to the extent that it is justified by at least one of the following:

  • Consent
  • Contract
  • Legal obligations
  • Vital interests
  • Public interest
  • Legitimate interest

Who is responsible for complying with the "lawfulness of processing"?

According to the accountability principle, the responsibility for data processing, as well as the burden of ensuring its lawfulness, lies with the controller.

According to the GDPR, "consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

What kind of rights can an individual exercise?

  • Right to be informed
  • Right of access
  • Right to data portability
  • Right to rectification
  • Right to erasure ('right to be forgotten')
  • Right not to be profiled
  • Right to object to automated individual decision-making

When a data subject exercises one of their rights, the data controller cannot refuse to act on the request and must provide information on actions taken on the request to the data subject without undue delay and in any event within one month of receipt of the request. If the controller does not take action on the request of the data subject, the controller must inform them without delay of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

How do I submit requests to exercise my rights? How does the process work?

At Penneo, we are committed to facilitating the exercise of data subjects' rights and ensuring their effectiveness. To start the process of exercising a right, a data subject should submit a request (using the form on the website) and specify which of their rights they wish to exercise. Following this request, our Support Team sends the applicant a form to fill in with more information about the request, allowing Penneo to act promptly and effectively.

How does Penneo fulfil a request and how long does it take to respond?

Once we receive the completed form, our DPO performs the actions necessary to satisfy the request. The GDPR establishes that information on actions taken on the request must be provided to the data subject without undue delay and in any event within one month of receipt of the request. At Penneo the request is usually fulfilled within a week, and the data subject is notified of the outcome of their request.

How does Penneo perform a data deletion?

Our deletion policy for all customer data states that when data is deleted through the customer-facing interfaces, it is only flagged for deletion in the production environment, i.e. not hard deleted. Hard deletion of a document (including all revisions) can only be performed by at least two employees working together. Data flagged for deletion is hard deleted within 60 days of being flagged.

What is meant by "data protection by design"?

Data protection by design requires that any action a company undertakes that involves processing personal data be carried out with data protection and privacy in mind at every step. During internal projects, product development, software development and IT systems implementation, the controller must integrate the necessary safeguards into the processing in order to meet the GDPR requirements and protect the rights of data subjects. To do so, it is necessary to put in place appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization. Applying this principle minimizes privacy risks and increases trust by placing data protection at the forefront of developing new goods or services, making it possible to avoid data protection issues at an early stage and helping to raise awareness of data protection across all departments and levels of a company.

What is meant by "data protection by default"?

Data protection by default aims to ensure that companies always make the most privacy-friendly setting the default setting. This principle is applied once a product or service has been released to the public and requires the strictest privacy settings to be applied by default, without any manual input from the end user: for example, if two privacy settings are possible and one of the settings prevents personal data from being accessed by others, this should be used as the default setting. Moreover, the controller must implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

Does Penneo comply with the "data protection by design and by default" principles?

At Penneo, we have heartily embedded these two new GDPR principles in our operational systems, embraced the GDPR, and today our starting point for everything we do is to acknowledge our responsibility to protect our customers' privacy. We have implemented appropriate technical and organizational measures to create the foundation for effective prevention and mitigation of vulnerabilities, breaches and leaks, while promoting stronger awareness of information security and data protection within our organization. Penneo's commitment to security takes shape from the early stages of product and software development. The principles and technologies we use to provide our customers with the best outcome allow us to minimize risks, prevent threats and ensure the security of our product. It is up to the individual customer to configure the access level security, but Penneo always advises customers to use the strictest settings applicable to their specific use case. In the strictest case, all access to customer data is restricted using multi-factor authentication, and data is always transmitted over end-to-end encrypted channels.

What are the GDPR penalties?

GDPR fines are flexible and proportionate to the infringement and apply to all types and sizes of businesses, from micro or small companies to multinational enterprises. Before a fine is imposed, there may be warnings, reprimands or suspension of data processing. After these preliminary measures have been taken, businesses that fail to comply with their GDPR obligations can incur administrative fines of up to 10.000.000 € or up to 2% of the company's total worldwide annual turnover, whichever is higher. For other, more severe violations, the fines can reach 20.000.000 € or up to 4% of the company's global annual turnover, whichever is greater. This more significant liability applies to infringements related to the very core of the right to privacy and the GDPR, such as the basic principles for processing, the conditions for consent and the data subjects' rights, and in the event of non-compliance with an order by the supervisory authority.

Who imposes penalties, and on the basis of what criteria?

Under the GDPR, fines are administered by the data protection regulator in each EU country, which will determine whether an infringement has occurred and the severity of the penalty. Ten criteria are used to determine whether a fine will be assessed and in what amount:

  1. the nature, gravity and duration of the infringement,
  2. whether it was intentional or the result of negligence,
  3. whether any actions have been taken to mitigate the damage,
  4. the amount of technical and organizational preparation the firm had previously implemented to be in compliance with the GDPR,
  5. any relevant previous infringements,
  6. the degree of cooperation with the supervisory authority to discover and remedy the infringement,
  7. what categories of personal data are affected by the infringement,
  8. whether the firm proactively reported the infringement to the supervisory authority,
  9. whether the firm followed approved codes of conduct or was previously certified,
  10. any other aggravating or mitigating factor applicable to the circumstances of the case, including financial benefits gained or losses avoided as a result of the infringement.

What role do digital signatures play in the process of compliance?

Adjusting privacy procedures so that data subjects' consent is managed lawfully is achievable by adopting digital processes. Digital signatures are an essential tool for conveniently capturing consent while conforming to the rules established for it, because they

  • provide information about who expressed the consent, how and when this happened, who obtained it and for what purposes;
  • comply with the active opt-in requirement;
  • provide a comprehensive court-admissible audit trail;
  • comply with the GDPR's requirement that consent be unbundled, since they allow for granular options within the digital documents (so it is possible to capture consent separately for different types of data processing) and allow the signing of the documents where consent has to be obtained to be separated from other documents;
  • allow the renewal of consent to be requested easily.
  • Furthermore, digital signatures can be used to securely sign data processing agreements between data controllers and data processors while complying with the Regulation.

How can Penneo help customers with the GDPR-compliance process?

Our customers can rely on Penneo to process their documents in compliance with the GDPR and other relevant regulations. The GDPR requirements set a high standard for consent and for the processing of personal data, but in turn being compliant definitely helps to build trust, enhance brand and reputation, and avoid unwelcome and costly consequences. Our signature solution complies with both the consent requirements and the rules for DPAs (data processing agreements). Penneo can help you manage and automate digital signing processes in a fast, easy and compliant way. With a single, effective solution, you can consistently reinforce your data security and privacy management, while equipping your business with an auditable and user-friendly means to comply with industry standards and legislative obligations.

What is a sub-processor? How does Penneo govern sub-processors?

A data processor can entrust all or part of the tasks assigned to it to another processor, which can be called a "sub-processor" or a "level 2 processor". Under the GDPR, the data controller must give its prior written authorization when its processor intends to engage a sub-processor. Even after having obtained the controller's formal authorization, the processor remains fully liable to the controller for the performance of the sub-processor's obligations. The GDPR also establishes clauses that must be included in the contract between a processor and a sub-processor. To be able to deliver a secure, high-quality service, Penneo has a formal policy in place to manage third-party service providers. Replaceable high-risk or high-impact service providers must be able to produce an annually updated ISAE 3402 assurance report or similar for risk management purposes. These assurance reports are reviewed and assessed annually in order to determine whether any changes or deviations in the third-party providers' controls can affect Penneo's risk profile.

Penneo entrusts the storage of the data it collects and processes to AWS as a sub-processor: in order to manage and operate its software as a service (SaaS) and offer its product to customers, Penneo uses the IT infrastructure (IaaS) provided by Amazon Web Services (AWS). By hosting its IT systems and websites in AWS, Penneo ensures compliance with global data privacy legislation; in fact, all AWS services are GDPR-compliant as shown by the SOC 1 and SOC 2 assurance reports. AWS is also certified under the EU-US Privacy Shield, the CISPE Code of Conduct, ISO 27001, 27017 and 27018.

Security



How does Penneo demonstrate its compliance with security standards?

From authentication to encryption, everything provided at Penneo follows the highest security standards. Our Security Management System continually undergoes third-party audits and assessments: Penneo receives an ISAE 3000 report on an annual basis, and we are committed to managing your data securely in compliance with the Trust Services Criteria described by SOC 2. Our IT governance is framed on ISO/IEC 27001 (2013), and Penneo's digital signatures are built on PAdES and follow the AES-256 cryptographic standards defined by NIST to protect PII.

How does Penneo's risk management work?

Penneo relies on a risk-based approach based on OWASP (Open Web Application Security Project) best practices, the worldwide best-recognized guidelines for improving the security of software. The OWASP Risk Rating Methodology involves several steps, such as:

  • identification of the security risk that needs to be rated
  • estimating likelihood and impact
  • determining the severity of the risk, to finally decide what to fix.

How does Penneo manage changes concerning infrastructure or software?

Penneo has implemented a formal change management procedure to ensure that changes are always handled in a consistent and responsible way. The purpose of this procedure is to minimize the risk of unauthorized access to data or resources and the chance of failing to process or validate documents. The procedure applies to changes to both infrastructure and software: for every modification, the security implications are assessed. Regardless of the level of criticality, changes are always tested, reviewed and approved by at least two reviewers before they are authorized for release into our production environments.

Does Penneo carry out risk assessments?

The risk assessment is reviewed and approved by management at least once a year. Moreover, since changes to a business process have the potential to change the risk profile, when significant changes are made the risk assessment is updated to reflect the new risk profile.

How does Penneo ensure business continuity? Does Penneo have a disaster recovery plan?

The trust our customers place in us is based on the security we provide in terms of the continuity and performance of the services we offer. To preserve the reliability of our products and the safety of the operations carried out through them, a formal disaster recovery plan has been established. It is derived from the vulnerabilities and worst-case scenarios identified through the risk assessment, and it explains in detail how business operations are re-established in case of emergency and how customers are kept updated about the incident and its consequences. According to our plan, systems will be re-established in a predefined order based on criticality, and customers will be kept up to date with the process and timeline estimates. A chain of command is set to minimize the time from when disaster hits until the recovery process begins. The disaster recovery plan is tested at least once a year and is kept up to date to reflect the current risk profile of the business.

Will Penneo employees have access to our data, and what data will they have access to?

Penneo's logical security is built on the principle of least privilege, which requires that every user, program or process be able to access only the information and resources necessary for its legitimate purpose. The principle also applies to our employees, meaning that they have only the minimal privileges, granted on a work-based need, that are essential to perform their intended function, while all other privileges are blocked.

How does Penneo manage access to the production and development environments?

The principle of least privilege also takes shape in the logical isolation of the various segments of the company (production, development, customer support and other corporate departments). Not only is access to the production environment granted on a work-based need, but a role-based access control model is also used, access is logged, and the assignment of privileges is reviewed every six months. Moreover, multi-factor authentication by at least two employees is always required to access the production environment and to perform operations such as firewall changes, assigning and revoking privileges, and accessing backups. Access to the virtual infrastructure is provided through an SSL-encrypted channel, while access at the OS level is provided through SSH and its primary purpose is to support the software deployment process.

How does Penneo protect the confidentiality of personal data?

At Penneo, personal data is protected in accordance with local, national and international statutes and regulations. All documents are stored in encrypted form, all communication to and from Penneo's servers is encrypted, and firewalls have been established to secure the software. To safeguard customers' data and documents and their business privacy, personal data is never used outside the production environment for internal purposes; it is accessible to Penneo employees only if access is explicitly granted by the data owner, and it is never shared with a third party through our systems unless the data owner initiates it. The access-level security is configurable by the individual customer, but Penneo always advises customers to use the strictest settings applicable to their use case. In the strictest case, all access to customer data is restricted using multi-factor authentication, and data is always transmitted over end-to-end encrypted channels.

Which IT infrastructure does Penneo rely on?

Penneo uses the IT infrastructure (IaaS) provided by Amazon Web Services (AWS), the most reliable and secure cloud computing environment with the highest-quality global network performance available today. Hosting in AWS data centers enables us to automate most of our operational tasks related to the IT infrastructure, thus minimizing human interaction. AWS gives us instant access to one of the world's biggest infrastructure resource pools. This allows us to handle any size of workload through automated infrastructure scaling and makes us able to recover from complete system failure in a matter of minutes instead of hours or days.

Where are documents and customers' data stored? How does Penneo manage backups?

All stored data is placed with Penneo's sub-supplier AWS (Amazon Web Services, Inc.) within the EU; the data stored in the Penneo production environment is mirrored between three data centers which reside in two physical locations and is stored on multiple devices in each data center. At Penneo, we define two classes of data that are treated differently when it comes to backup strategies: the first category includes customers' data and documents, the second class refers to system data. Customers' data and documents are stored in six different physical facilities, and the storage solution performs regular, systematic data integrity checks and is built to automatically self-heal if data is lost in four storage facilities; every document is versioned in order to be able to roll back changes. The second category, system data, is stored in at least two separate physical locations and backed up daily with support for point-in-time recovery; the retention period for these backups is 30 days.

A backup restore test is performed at least once a year, and the restore test is kept up to date to reflect the current risk profile of the business.

Does Penneo encrypt the data stored?

At Penneo, sensitive data and Personally Identifiable Information (PII) are encrypted following the cryptographic standards defined by the National Institute of Standards and Technology (NIST). Penneo only uses encryption algorithms that are FIPS-approved and NIST-recommended. In particular, our security system follows AES-256 (Advanced Encryption Standard), a specification for the encryption of electronic data established by NIST which provides the strongest level of encryption: the result is a tremendously sophisticated form of encryption that is virtually impenetrable using brute-force methods. This encryption method brings additional security because it uses a key hierarchy, meaning that a master key is used to encrypt other keys, which are in turn used to encrypt the actual data you want to protect. Key hierarchies allow data to be segmented, limit the risk of key exposure, and minimize the key material that needs to be stored in plaintext. Since the master key can decrypt all the other keys, and therefore (indirectly) all of the data, we need to be able to provide full protection to the master key while keeping it accessible and available when needed; to do so, Penneo uses the AWS CloudHSM service, which stores the encryption keys in an HSM (Hardware Security Module), purpose-built hardware designed to protect sensitive data. The HSM provides physical and logical protection for cryptographic key material and meets some of the most stringent security standards, offering a high level of security for the key and the data it encrypts.

What are the benefits of using a key hierarchy?

A key hierarchy provides three major benefits:

  1. It allows the segmentation of the data that needs to be protected by encrypting different data using separate encryption keys instead of encrypting all data with a single key. These separate data encryption keys and the data they protect can be managed independently. Consequently, if a data key is lost, the data encrypted with the other data keys remains protected, which limits the potential impact of losing a key to the data protected with that key.
  2. It minimizes the amount of plaintext key material that needs to be protected, since only the master key must be stored in plaintext; it is undoubtedly easier to provide strong protection and restrict access to one key than to many keys.
  3. It reduces the processing load on the HSM by avoiding bulk encryption operations there, since the HSM only has to decrypt data keys; bulk encryption can be distributed to one or more application instances, while the most sensitive keys stay protected in the HSM.
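The key hierarchy described in the two answers above, as an added example that is not Penneo's own code: a small Go program (standard library only) in which each document gets its own 256-bit data key, the document is encrypted under that data key with AES-GCM, and only the data key is wrapped under the master key. The master key is assumed here to be a random in-memory value standing in for the HSM-held key (in the real setup the wrap and unwrap calls would go to the HSM), and the function names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must turns this example's programmer errors (bad key length, no entropy) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// randomBytes yields 256-bit keys and GCM nonces; the master key it returns stands in for the HSM-held key (assumption).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal encrypts under key with AES-256-GCM and prepends the fresh nonce.
func seal(key, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; the GCM tag rejects tampered or wrong-key ciphertexts.
func open(key, sealed []byte) ([]byte, error) {
	if n := g(key).NonceSize(); len(sealed) >= n {
		return g(key).Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// g builds the AEAD once per call site; kept tiny so open stays readable.
func g(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Encrypt gives each document its own data key: bulk encryption runs under the
// data key, and only that small key is wrapped under the master key.
func Encrypt(master, doc []byte) (wrappedKey, ciphertext []byte) {
	dataKey := randomBytes(32)
	return seal(master, dataKey), seal(dataKey, doc)
}

// Decrypt unwraps the data key with the master key, then opens the document.
func Decrypt(master, wrappedKey, ciphertext []byte) ([]byte, error) {
	dataKey, err := open(master, wrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, ciphertext)
}
```

Corrupting or losing one document's wrapped data key makes only that document unrecoverable, and without the master key no data key can be unwrapped, which is the segmentation benefit listed above.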

How do I submit a potential security incident to Penneo?

Penneo values the contribution customers themselves can make by reporting potential issues or concerns. Consequently, we ask you to contact our Support Team by using our form (Submit a request) whenever you notice problems or suspicious activities.
