Legal & Compliance
Legislation recognizes electronic signatures as having a status similar to that of traditional signatures. Electronic signatures are governed by uniform regulations and are mutually recognized among the European Union member states. The EU eIDAS Regulation (910/2014), which is directly applicable in each member state, governs the validity of electronic signatures.
In the SignSpace service you can make both basic electronic signatures and advanced electronic signatures (as defined in Article 26 of the eIDAS Regulation).
All signatures made in SignSpace are based on Public Key Infrastructure (PKI) technology.
System signatures use system signature certificates that are issued by the Finnish Population Register Centre. Private keys are stored in a Hardware Security Module (HSM).
Electronic signatures made with the SignSpace Key application are advanced electronic signatures that are created using the user’s personal signing certificate. Personal signing certificates are issued by the SignSpace Certificate Authority.
The original signed version of the document is archived in the service and contains information that proves non-repudiation of the signed document. The service creates a distribution version of the document that contains the signing page as the last page of the .pdf document, or as a separate .pdf file if the original signed document was not a .pdf file.
The integrity of the signed document is secured by using system signature certificates (with FIPS 140-2 certified HSM equipment) and time stamp services (RFC 3161). Use of the HSM equipment ensures that the system signature certificate keys are available only to the SignSpace service. A secure time stamp provides third-party evidence that the signature was executed at a certain moment in time.
The person sending a signing request can select the level of identification required of the person signing the document. The signatures page states the identification methods used, as follows:
- Strong – The person has identified herself/himself using a strong electronic identification device during this signing event, or the person has executed an advanced electronic signature (AES) and identified herself/himself with a strong electronic identification device earlier, when applying for the personal AES certificate.
- Light – The person has identified herself/himself by means of email address verification, either during SignSpace account registration or during this signing event by using a one-time security code that was delivered to her/his email address.
Registered users log in to the service using their user ID and password. Users can protect signing requests and other provided content with a security function that requires two-factor authentication.
Strong electronic identification is performed using the Signicat Connect service, an identity broker service belonging to the Finnish Trust Network that is accepted by the Finnish Transport and Communications Agency (Traficom). Users can identify themselves by using BankID or mobile ID.
A user can sign documents as a representative of a legal entity. During the registration process the user's authority to represent a legal entity will be verified.
SignSpace provides an interface for validating electronic signatures made in the SignSpace service. The validation service is available both to registered users and to external parties. Using the service, the recipient of a signed document can verify that the signed document package is original and unmodified.
In the validation service, the user downloads signed documents in the service and the documents are compared to the archived original information.
The SignSpace service commits to archiving signed content and related signing evidence for at least 10 years from the time of signing.
Secure storage of the content is achieved by using, for example, the following means:
- Integrity of the content is secured by use of system signature certificates (FIPS 140-2 certified HSM equipment) and time stamp services (RFC 3161). Use of the HSM equipment ensures that the system signature certificate keys are available only to the SignSpace service. A secure time stamp provides third-party evidence that the signature was executed at a certain moment in time.
- Secure storage is ensured by using a centralized log management system, appropriate cryptographic tools and role-based access management. Secure logging ensures that log files concerning signing events cannot be modified afterwards.
- The system has been developed using secure development life-cycle (SDLC) practices.
- The information security management system is compliant with ISO 27001 requirements. Certification audited 9/2019.
- In the near future, the service will be placed under real-time, centralized cyber security monitoring and a security incident handling process.
- All files uploaded or downloaded in the service are automatically scanned for viruses.
Terms and conditions
SignSpace Terms of Service
Processing of personal data
The Data Processing Agreement that is required under Article 28 of the General Data Protection Regulation is included as an appendix to the SignSpace Terms of Service document.
All customer-specific content is stored in data centers located within the European Economic Area.
The supplier is the processor and the customer is the controller of any personal data contained in the customer’s content stored in the SignSpace service.
SignSpace Certificate Policies and Certification Practice Statements
The SignSpace service’s Certificate Policy and Certification Practice Statements are published on the website: