Legal & Compliance
Electronic signatures
Electronic signatures are recognised in legislation as having a status similar to that of traditional handwritten signatures. Electronic signatures are governed by uniform rules and are mutually recognised among the European Union member states. The EU eIDAS Regulation (910/2014), which is directly applicable in each member state, governs the validity of electronic signatures.
In the SignSpace service you can make both basic electronic signatures and advanced electronic signatures (as defined in Article 26 of the eIDAS Regulation).
Signing technology
All signatures made in SignSpace are based on Public Key Infrastructure (PKI) technology.
System signatures and electronic seals use certificates issued by a trust service provider; the corresponding private keys are protected by security hardware (a Hardware Security Module, HSM).
The original signed document version is archived in the service, and it contains the information that proves non-repudiation of the signed document. The service creates a distribution version of the document that contains the signing page as the last page of the .pdf document, or as a separate .pdf file if the original signed document was not a .pdf file.
The PDF content of the distribution version is signed electronically with the electronic seal of the SignSpace service. This has been in use since 2023-04-13.
The integrity of the signed document is secured by using electronic seals and time stamp services. Use of the security hardware ensures that the system signature certificate keys are available only to the SignSpace service. A secure time stamp provides third-party (trust service) evidence that the signature was executed at a certain moment in time.
Signatory identification is central to the evidentiary value of an electronic signature. The SignSpace service uses an external authentication service (trust service) for strong electronic identification.
The person sending a signing request can select the required identification level for the person signing the document:
- Strong - The person has identified herself/himself using a strong electronic identification device during this signing event.
- Light - The person has identified herself/himself by means of email address and/or mobile phone verification. Identity has been verified using a one-time security code sent to the method(s) used.
- Ultra light - The person has identified herself/himself by means of email address and/or mobile phone verification.
The signatures page contains information on the identification methods used, as follows:
- SMS – The signatory’s identity information is based on the name provided by the signatory in connection to the signing process and on the use of a mobile phone number that was controlled by the signatory at the time of signing.
- Email – The signatory's identity information is based on the name provided by the signatory in connection to the signing process and on the use of an email address that was controlled by the signatory at the time of signing.
- Bank ID – The identity of the signatory has been verified by using a strong authentication method. The signatory has verified his or her identity in connection to the signing process via an identity verification service by using online banking credentials that have been issued by a Nordic bank.
- Smart ID – The identity of the signatory has been verified by using a strong authentication method. The signatory has verified his or her identity in connection to the signing process via an identity verification service by using the Smart ID method, which is used in the Baltic countries.
- Mobile ID – The identity of the signatory has been verified by using a strong authentication method. The signatory has verified his or her identity in connection to the signing process via an identity verification service by using Mobile ID.
Registered users log in to the service using their user ID and password. Users can protect signing requests and other provided content with a security function that requires two-factor authentication.
An external authentication service (trust service) is used for strong electronic identification.
External trust services in use
The trust service (certificate authority) used for electronic seals is GlobalSign. Previously, the service also utilised certificates issued by Digital and Population Data Services Agency.
The trust service (timestamp provider) used for timestamps is GlobalSign. Previously, the service also used timestamps from CardPlus.
The trust service used for strong electronic authentication (identity brokerage service) is Signicat Connect, which is approved by the Finnish Transport and Communications Agency and is part of the Finnish Trust Network. Users authenticate strongly to the Signicat Connect service, for example, using mobile ID or bank ID.
Validation service
SignSpace provides an interface for validating electronic signatures made in the SignSpace service. The validation service is available both to registered users and to external parties. Using the service, the recipient of a signed document can verify that the signed document package is original and unmodified.
In the validation service, the user provides the signed documents to the service, which compares them with the archived original information.
The signature of a pdf-type file can be checked with, for example, the Adobe Acrobat Reader application. The immutability of other attachment files can be ensured with hash sums calculated from the files. These checks are also included in the offered verification service.
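The attachment check described above, as an added illustration that is not SignSpace's own code: a received package is compared file by file against the digests of the archived originals, and each file gets a verdict rather than a single yes/no, so a recipient can see which attachment was altered, dropped or added. The hash algorithm (SHA-256) and the manifest layout (file name to hex digest) are assumptions, since the page only says "hash sums".

```python
import hashlib
import hmac
from typing import Dict

# Assumption: the page does not name the hash algorithm; SHA-256 is used here.
HASH_ALG = "sha256"


def file_digest(data: bytes) -> str:
    """Hex digest of one attachment's bytes."""
    return hashlib.new(HASH_ALG, data).hexdigest()


def verify_package(received: Dict[str, bytes], archived: Dict[str, str]) -> Dict[str, str]:
    """Compare received attachments against the archived digest manifest.

    Verdict per file name:
      "ok"          digest matches the archived original
      "modified"    present, but the content differs from the archived original
      "missing"     archived file absent from the received package
      "unexpected"  received file that was never part of the archived package
    """
    report: Dict[str, str] = {}
    for name, expected in archived.items():
        if name not in received:
            report[name] = "missing"
        elif hmac.compare_digest(file_digest(received[name]), expected):
            report[name] = "ok"
        else:
            report[name] = "modified"
    for name in received:
        if name not in archived:
            report[name] = "unexpected"
    return report


def package_is_original(report: Dict[str, str]) -> bool:
    """True only when every archived file is present and unchanged and nothing was added."""
    return all(verdict == "ok" for verdict in report.values())


# Constructed sample data: the archived originals and a received copy where one annex was edited.
ORIGINAL = {"contract.pdf": b"%PDF-1.7 signed contract", "annex.xlsx": b"PK annex data"}
ARCHIVED_MANIFEST = {name: file_digest(data) for name, data in ORIGINAL.items()}
RECEIVED = {"contract.pdf": ORIGINAL["contract.pdf"], "annex.xlsx": b"PK annex data (edited)"}

if __name__ == "__main__":
    for name, verdict in verify_package(RECEIVED, ARCHIVED_MANIFEST).items():
        print(f"{name}: {verdict}")
```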
Security practices
The SignSpace service commits to archiving signed contents and the related signing evidence for at least 10 years from the time of signing.
Secure storage of the content is achieved by using, for example, the following means:
- Integrity of the content is secured by use of system signature certificates (FIPS 140-2 certified HSM equipment) and time stamp services (RFC 3161). Use of the HSM equipment ensures that the system signature certificate keys are available only to the SignSpace service. A secure time stamp provides third-party evidence that the signature was executed at a certain moment in time.
- Secure storage is ensured by using a centralised log management system, appropriate cryptographic tools and role-based access management. Secure logging ensures that log files concerning signing events cannot be modified afterwards.
- The system has been developed using secure development life-cycle (SDLC) practices.
- The service's management system complies with ISO 27001 requirements. The service is certified from 9/2019 onwards. Certification includes annual audits.
- The service is subject to continuous security testing. An independent service provider is used for security evaluation and testing.
- All files uploaded or downloaded in the service will have automatic virus scanning.
Terms and conditions
Processing of personal data
A Data Processing Agreement, as required under Article 28 of the General Data Protection Regulation, is included as an appendix to the SignSpace Terms of Service document.
All customer specific content will be stored in data centers that are located within the European Economic Area (Amazon Web Services Sarl).
The supplier is the processor and the customer is the controller of any personal data contained in the customer's content stored in the SignSpace service.
The supplier is the controller for the log files of the service as well as for the SignSpace customer and marketing communication register, the SignSpace certificate register and the signing event register. In its processing of the customer and marketing communication register, the supplier may use cloud-based services where part of the processing may be located outside the European Economic Area. The supplier's processing of personal data is described in more detail in the SignSpace Privacy Policy.