Legal & Compliance
This section covers the following topics:
Electronic signatures
Electronic signatures are recognized in legislation as having a status comparable to that of traditional handwritten signatures. Electronic signatures are governed by uniform regulations and are mutually recognized within the European Union member states. The EU eIDAS Regulation (910/2014), which is directly applicable in each member state, governs the validity of electronic signatures.
In the SignSpace service you can make both basic electronic signatures and advanced electronic signatures (as defined in Article 26 of the eIDAS Regulation).
Signing technology
All signatures made in SignSpace are based on Public Key Infrastructure (PKI) technology.
System signatures use system signature certificates issued by the Finnish Population Register Centre. Private keys are stored in a Hardware Security Module (HSM).
The original signed document version is archived in the service and contains the information that proves non-repudiation of the signed document. The service creates a distribution version of the document that contains the signing page as the last page of the PDF document, or as a separate PDF file if the original signed document was not a PDF file.
The PDF content of the distribution version is signed electronically with the electronic stamp of the SignSpace service. In use since 2023-04-13.
The integrity of the signed document is secured by using system signature certificates (with FIPS 140-2 certified HSM equipment) and time stamp services (RFC 3161). Use of the HSM equipment ensures that the system signature certificate keys are available only to the SignSpace service. The secure time stamp provides third-party evidence that the signature was executed at a certain moment in time.
The person sending a signing request can select the required level of identification for the person signing the document.
- Strong - The person has identified herself/himself using a strong electronic identification device during this signing event.
- Light - The person has identified herself/himself by means of email address and/or mobile phone verification. Identity has been verified by using a one-time security code sent to the method(s) used.
- Ultra light - The person has identified herself/himself by means of email address and/or mobile phone verification.
The signatures page contains information on the identification methods used, as follows:
- SMS – The signatory's identity information is based on the name provided by the signatory in connection with the signing process and on the use of a mobile phone number that was controlled by the signatory at the time of signing.
- Email – The signatory's identity information is based on the name provided by the signatory in connection with the signing process and on the use of an email address that was controlled by the signatory at the time of signing.
- Bank ID – The identity of the signatory has been verified by using a strong authentication method. The signatory has verified his or her identity in connection with the signing process via the Signicat Connect identity verification service by using online banking credentials that have been issued by a Nordic bank.
- Smart ID – The identity of the signatory has been verified by using a strong authentication method. The signatory has verified his or her identity in connection with the signing process via the Signicat Connect identity verification service by using the Smart ID method, which is used in the Baltic countries.
- Mobile ID – The identity of the signatory has been verified by using a strong authentication method. The signatory has verified his or her identity in connection with the signing process via the Signicat Connect identity verification service by using Mobile ID.
Registered users log in to the service using their user ID and password. Users can protect signing requests and other provided content with a security function that requires two-factor authentication.
Strong electronic identification is carried out using the Signicat Connect service, an identity broker service belonging to the Finnish Trust Network and accepted by the Finnish Transport and Communications Agency (Traficom). Users can identify themselves by using BankID or Mobile ID.
Validation service
SignSpace provides an interface for validating electronic signatures made in the SignSpace service. The validation service is available both to registered users and to external parties. Using the service, the recipient of a signed document can verify that the signed document package is original and unmodified.
In the validation service the user loads the signed documents into the service, and they are compared with the archived original information.
The signature of a PDF file can be checked with, for example, the Adobe Acrobat Reader application. The immutability of other attachment files can be ensured with hash sums calculated from the files. These checks are also included in the offered verification service.
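As an added illustration of the hash-sum check described above (example code, not SignSpace's own implementation), the following compares each attachment in a received package against a reference list of SHA-256 sums and reports files that are intact, modified, missing, or not part of the signed package. The file names, contents and the `verify_package` function are constructed for this example; the reference list stands in for the archived original information.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large attachments are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(package_dir: Path, reference: dict[str, str]) -> dict[str, str]:
    """Compare every attachment in package_dir with the reference hash list.

    Returns a status per file name: 'ok', 'modified', 'missing' (listed in the
    reference but absent from the package) or 'unexpected' (present in the
    package but never part of the signed content).
    """
    result: dict[str, str] = {}
    for name, expected in reference.items():
        path = package_dir / name
        if not path.is_file():
            result[name] = "missing"
            continue
        actual = sha256_file(path)
        # Constant-time comparison avoids leaking how many hex digits matched.
        result[name] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    for path in package_dir.iterdir():
        if path.is_file() and path.name not in reference:
            result[path.name] = "unexpected"
    return result


def demo() -> dict[str, str]:
    """Constructed sample package: one attachment altered after signing, one never delivered."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp)
        (pkg / "contract.pdf").write_bytes(b"%PDF-1.7 constructed sample content")
        (pkg / "annex_a.xlsx").write_bytes(b"original spreadsheet bytes")
        reference = {  # hashes recorded at signing time (constructed)
            "contract.pdf": sha256_file(pkg / "contract.pdf"),
            "annex_a.xlsx": sha256_file(pkg / "annex_a.xlsx"),
            "annex_b.docx": hashlib.sha256(b"annex that was never delivered").hexdigest(),
        }
        (pkg / "annex_a.xlsx").write_bytes(b"original spreadsheet bytes, edited")
        (pkg / "extra.txt").write_bytes(b"not part of the signed package")
        return verify_package(pkg, reference)
```

Only a result in which every listed file is "ok" and nothing is "unexpected" corresponds to an unmodified package; any other status means the package no longer matches what was signed.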
Security practices
The SignSpace service commits to archiving signed content and the related signing evidence for at least 10 years from the time of signing.
Secure storage of the content is achieved by using, for example, the following means:
- The integrity of the content is secured by the use of system signature certificates (FIPS 140-2 certified HSM equipment) and time stamp services (RFC 3161). Use of the HSM equipment ensures that the system signature certificate keys are available only to the SignSpace service. The secure time stamp provides third-party evidence that the signature was executed at a certain moment in time.
- Secure storage is ensured by using a centralized log management system, appropriate cryptographic tools and role-based access management. Secure logging ensures that log files concerning signing events cannot be modified afterwards.
- The system has been developed using secure development life-cycle (SDLC) practices.
- The service's management system complies with ISO 27001 requirements. The service has been certified from 9/2019 onwards. Certification includes annual audits.
- The service is subject to continuous security testing. An independent service provider is used for security evaluation and testing.
- All files uploaded to or downloaded from the service are automatically scanned for viruses.
Terms and conditions
Processing of personal data
A Data Processing Agreement, as required under Article 28 of the General Data Protection Regulation, is included as an appendix to the SignSpace Terms of Service document.
All customer-specific content is stored in data centers located within the European Economic Area.
The supplier is the processor and the customer is the controller of any personal data contained in the customer's content stored in the SignSpace service.
The supplier is the controller for the log files of the service as well as for the SignSpace customer and marketing communication register, the SignSpace certificate register and the signing event register. In processing the customer and marketing communication register, the supplier may use cloud-based services where part of the processing may take place outside the European Economic Area. The supplier's processing of personal data is described in more detail in the SignSpace Privacy Policy.