Legal & Compliance
This section covers the following topics:
Electronic signatures
Legislation recognizes electronic signatures as having a status similar to that of traditional signatures. Electronic signatures are governed by uniform regulations and are mutually recognized within the European Union member states. The EU eIDAS Regulation (910/2014), which is directly applicable in each member state, governs the validity of electronic signatures.
In the SignSpace service you can make both basic electronic signatures and advanced electronic signatures (as defined in Article 26 of the eIDAS Regulation).
Signing technology
All signatures made in SignSpace are based on Public Key Infrastructure (PKI) technology.
System signatures use system signature certificates that are issued by the Finnish Population Register Centre. Private keys are stored in a Hardware Security Module (HSM).
Electronic signatures made with the SignSpace Key application are advanced electronic signatures that are created using the user’s personal signing certificate. Personal signing certificates are issued by the SignSpace Certificate Authority.
The original signed document version is archived in the service, and it contains information that proves non-repudiation of the signed document. The service creates a distribution version of the document that contains a signing page as the last page of the .pdf document, or as a separate .pdf file if the original signed document was not a .pdf file.
The PDF content of the distribution version is signed electronically with the electronic stamp of the SignSpace service. In use from 2023-04-13.
Integrity of the signed document is secured by using system signature certificates (with FIPS 140-2 certified HSM equipment) and time stamp services (RFC 3161). Use of the HSM equipment ensures that system signature certificate keys are available only to the SignSpace service. A secure time stamp provides third-party evidence that the signature has been executed at a certain moment in time.
The person sending a signing request can select the level of identification required of the person signing the document. The signatures page contains information on the identification methods used, as follows:
- Strong - The person has identified herself/himself using a strong electronic identification device during this signing event, or the person has executed an advanced electronic signature (AES) and has identified herself/himself with a strong electronic identification device earlier when applying for the personal AES certificate.
- Light - The person has identified herself/himself by means of email address verification, either during SignSpace account registration or during this signing event, by using a one-time security code that has been delivered to her/his email address.
Registered users log in to the service using their user ID and password. Users can protect signing requests and other provided content with a security function that requires two-factor authentication.
Strong electronic identification is executed by using the Signicat Connect service, an identity broker service belonging to the Finnish Trust Network that is accepted by the Finnish Transport and Communications Agency (Traficom). Users can identify themselves by using BankID or mobile ID.
A user can sign documents as a representative of a legal entity. During the registration process the user’s authority to represent a legal entity will be verified.
Validation service
SignSpace provides an interface for validating electronic signatures made in the SignSpace service. The validation service is available to both registered users and external parties. Using the service, the recipient of a signed document can verify that the signed document package is original and unmodified.
In the validation service the user downloads signed documents in the service and the documents are compared to the archived original information.
The signature of a PDF file can be checked with, for example, the Adobe Acrobat Reader application. The immutability of other attachment files can be ensured with hash sums calculated from the files. These checks are also included in the offered verification service.
Security practices
The SignSpace service commits to archiving signed contents and related signing evidence for at least 10 years from the time of signing.
Secure storage of the content is achieved by using, for example, the following means:
- Integrity of the content is secured by use of system signature certificates (FIPS 140-2 certified HSM equipment) and time stamp services (RFC 3161). Use of the HSM equipment ensures that system signature certificate keys are available only to the SignSpace service. A secure time stamp provides third-party evidence that the signature has been executed at a certain moment in time.
- Secure storage is secured by using a centralized log management system, appropriate cryptographic tools and role-based access management. Secure logging ensures that log files concerning signing events cannot be modified afterwards.
- The system has been developed using secure development life-cycle (SDLC) practices.
- The service's management system complies with ISO 27001 requirements. The service is certified from 9/2019 onwards. Certification includes annual audits.
- The service is subject to continuous security testing. An independent service provider is used for security evaluation and testing.
- All files uploaded or downloaded in the service are automatically scanned for viruses.
Terms and conditions
Processing of personal data
A Data Processing Agreement, which is required under Article 28 of the General Data Protection Regulation, is included as an appendix in the SignSpace Terms of Service document.
All customer specific content will be stored in data centers that are located within the European Economic Area.
The supplier is the processor and the customer is the controller of any personal data that is contained in the customer’s content stored in the SignSpace service.
The supplier is the controller for the log files of the service as well as for the SignSpace customer and marketing communication register, the SignSpace certificate register and the signing event register. In its processing of the customer and marketing communication register, the supplier may use cloud-based services where part of the processing may be located outside the European Economic Area. The supplier’s processing of personal data is described in more detail in the SignSpace Privacy Policy.
SignSpace Certificate Policies and Certification Practise Statements
SignSpace service’s Certificate Policy and Certification Practise Statements are published on the website: