Electronic signatures
Electronic signatures are recognized in the legislation to have similar status as traditional signatures have. Electronic signatures are governed by uniform regulations and are mutually recognized within the European Union member states. The EU eIDAS Regulation (910/2014) that is directly applicable in each member state governs validity of electronic signatures.
In SignSpace service you can make both basic electronic signatures and advanced electronic signatures (as defined in Article 26 of eIDAS Regulations). SignSpace provides eIDAS regulated trust services and is a Trust Service Provider.
Signing technology
All signatures made in SignSpace are based on Public Key Infrastucture (PKI) technology.
Electronic seals are created using certificates issued by GlobalSign. Private keys are are stored in Hardware Secure Module (HSM).
Data about the signed documents is being archived in the service that proves non-repudiation of the signed document. The service will create a distribution version of the document that contains signing page as the last page of the .pdf document or as a separate .pdf file in case the original signed document was other than a .pdf file.
The PDF content of the distribution version is signed electronically with the electronic seal of the SignSpace service. In use from 2023-04-13.
Integrity of the signed document is secured by using electronic sear certificates (with FIPS140-2 certified HSM equipment) and time stamp services (RFC 3161). Use of the HSM equipment ensures that system signature certificate keys are available only to the SignSpace service. Secure time stamp provides third party evidence that the signature has been executed at a certain moment of time.
The person sending a signing request can select what is the required level for identification of the person signing the document.
- Strong - The person has identified herself/himself using strong electronic identification method during this signing event.
- Light - The person has identified herself/himself by means of email address and/or mobile phone verification. Identity has been verified by using a one-time security code sent to the method(s) used.
- Ultra light - The person has identified herself/himself by means of email address and/or mobile phone verification.
The signatures page contains information of the used identification methods as follows:
- SMS – The signatory’s identity information is based on the name provided by the signatory in connection to the signing process and on the use of a mobile phone number that was controlled by the signatory at the time of signing.
- Email – The signatory's identity information is based on the name provided by the signatory in connection to the signing process and on the use of an email address that was controlled by the signatory at the time of signing.
- Bank ID – The identity of the signatory has been verified by using a strong authentication method. The signatory has verified his or her identity in connection to the signing process via the Signicat Connect identity verification service by using online banking credentials that have been issued by a Nordic bank.
- Smart ID – The identity of the signatory has been verified by using a strong authentication method. The signatory has verified his or her identity in connection to the signing process via the Signicat Connect identity verification service by using the Smart ID method, which is used in the Baltic countries.
- Mobile ID – The identity of the signatory has been verified by using a strong authentication method. The signatory has verified his or her identity in connection to the signing process via the Signicat Connect identity verification service by using Mobile ID.
Registered users will log in the service using their user ID and password. Users can protect signing requests and other provided content with a security function that requires multi-factor authentication.
Strong electronic identification is executed by using Signicat Connect service that is an identity broker service belonging to the Finnish Trust Network that is accepted by the Finnish Transport and Communications Agency (Traficom). Users can identify themselves by using BankID or mobile ID.
External trust services in use
The trust service (certificate authority) used for electronic seals is GlobalSign. Previously, the service also utilised certificates issued by Finnish Digital and Population Data Services Agency.
The trust service (timestamp provider) used for timestamps is GlobalSign. Previously, the service also used timestamps from CardPlus.
The trust service used for strong electronic authentication (identity brokerage service) is Signicat Connect, which is approved by the Finnish Transport and Communications Agency and is part of the Finnish Trust Network. Users authenticate strongly to the Signicat Connect service, for example, using mobile ID or bank ID.
Validation service
SignSpace provides an interface for validating electronic signatures made in the SignSpace service. Validation service is available to both to registered users and external parties. Using the service the recipient of a signed document can verify that the signed document package is original and unmodified.
In the validation service the user downloads signed documents in the service and documents will be compared to the archived original information.
The signature of a pdf-type file can be checked with, for example, the Adobe Acrobat Reader application. The immutability of other attachment files can be ensured with hash sums calculated from the files. These checks are also included in the offered verification service.
Security practises
SignSpace service commits to archive related signing evidence at least 10 years from the time of signing.
Secure storage of the content is achieved by using, for example, the following means:
- integrity of the content is secured by use of system signature certificates (FIPS140-2 certified HSM equipment) and time stamp services (RFC 3161 Use of the HSM equipment ensures that system signature certificate keys are available only to the SignSpace service.
- Secure time stamp provides third party evidence that the signature has been executed at a certain moment of time.
- Secure storage is secured by using centralized log management system, appropriate cryptographic tools and role based access management, Secure logging ensures that log files concerning signing events cannot be modified afterwards.
- System has been developed using secure development life-cycle (SDLC) practises.
- The service's management system complies with ISO 27001 requirements. The service is certified from 9/2019 onwards. Certification includes annual audits.
- The service is subject to continuous security testing. An independent service provider is used for security evaluation and testing.
- All files uploaded or downloaded in the service will have automatic virus scanning.
- SignSpace fulfills the requirements of the European Union NIS2 directive.
Terms and conditions
SignSpace Terms of Service
Processing of personal data
A Data Processing Agreement that is required under Article 28 of General Data Protection Regulation is included as an appendix in the SignSpace Terms of Service document.
All customer specific content will be stored in data centers that are located within the European Economic Area.
The supplier is the processor and the customer is the controller of any personal data that is contained in customer’s content stored in SignSpace service.
The supplier is controller for the log files of the service as well as for the SignSpace customer and marketing communication register, SignSpace certificate register and signing event register. The supplier may use in its processing of customer and marketing communication register cloud based services where part of the processing may be located outside the European Economic Area. Supplier’s processing of personal data is described in more detail in the SignSpace Privacy Policy.
