Legal FAQs

1. When signing electronically through Signaturit is it necessary to sign each page of the document?

Documents that are signed by hand are usually signed or initialed on every page in order to ensure that the content of the document remains unchanged.

However, when using Signaturit, it will not be necessary to keep this practice and it will be enough to sign the document once as Signaturit ensures the absolute integrity and inalterability of the signed document. This is because, once the document has been signed once by each of the signatories, Signaturit will proceed to close the document, encrypting the information and establishing a qualified time stamp that will ensure the absolute inalterability of the relevant document.

2. If I forward the signature request to another email, what happens?

In all cases, we recommend signing the document from the indicated email address and not forwarding the signature request to a different email address. If the signature request is forwarded to another email address, the audit trail will record that the request was opened from different devices and different IPs, which weakens an essential element for identifying the signer. It will also record that the document was forwarded to another email address (different from that of the originally intended signer), which likewise weakens essential identification elements of the signer.

It is important to keep in mind that the proper identification of the signatory is not only an element that provides security to the signing process, but is also a necessary requirement for an advanced electronic signature to be valid, in compliance with the provisions of article 26 of the eIDAS Regulation.

Although, beyond the email address, Signaturit collects additional identifying elements (such as date/time of signature, document data, and information about the signature graph: pressure, acceleration and speed), it is important to be able to gather as many elements as possible so that there are no doubts about who the signer was.

3. What GDPR coverage do you have implemented?

Signaturit complies with all its obligations under the GDPR. First of all, towards its clients, Signaturit acts as data processor, assuming the corresponding obligations, based on the provisions of article 28 of the GDPR. As data processor, Signaturit carries out processing on behalf of the data controller, who will determine the specific processing that Signaturit is allowed to carry out regarding the personal data.

In order to duly perform its role as data processor, Signaturit has implemented several security measures aimed at ensuring the proper processing of data. Some of the measures taken by Signaturit are the following:

  • It has a system for assigning users and passwords to its personnel, both for its own systems and for third-party systems, in which access is limited according to user profiles, with personalized users and passwords that expire at least once a year.
  • It has informed its personnel of the rights and duties that correspond to them regarding the processing of data of third parties.
  • It has an updated list of profiles and permissions of its users, both for its own systems and those of third parties.
  • It has a system for registering incidents, together with a protocol to follow in case of an internal incident and for communication to the Data Controller, Users or the supervisory authority.
  • It adopts appropriate measures for the transfer of media, its own or of third parties, if any.
  • It has identification systems for the media it works with.
  • It has a circuit of backup copies of its systems on a daily basis.
  • It has a data recovery circuit, as part of its Business Continuity and Disaster Recovery Policy.
  • It has appointed a Data Protection Officer, who can be contacted at the following address: dpo@signaturit.com
  • It has conducted or conducts audits every two years in the field of data protection.
  • It has a system for registering entries and exits of media that may contain special categories of data, which complies with the parameters of the law.
  • It has limited unauthorized access to its computer systems by establishing secure areas, with access limited to trusted personnel only, both physically and logically.
  • Its incident circuit and record also allow the data recovery process to be recorded, according to the parameters of the regulations.
  • It has an Information Security Management System certified under the ISO 27001 standard by AENOR INTERNACIONAL, S.A.U.

If you have further questions about how we comply with our obligations regarding the protection of personal data, please check our Privacy Policy.

4. What are the differences between a simple electronic signature and an advanced electronic signature?

The eIDAS Regulation defines a simple electronic signature as follows: “the data in electronic format attached to other electronic data or logically associated with them that the signatory uses to sign”. The simple electronic signature is usually the one where the signer is asked to accept a condition by completing a checkbox or an OTP code, and it does not have the ability to properly identify the signer.

For its part, the eIDAS Regulation defines the advanced electronic signature as the electronic signature that meets the requirements set forth in article 26. The requirements contemplated in article 26 of the eIDAS Regulation are the following: i) it is uniquely linked to the signatory; ii) it is capable of identifying the signatory; iii) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and iv) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable. Unlike the simple electronic signature, with the advanced electronic signature the signer has to draw his/her signature, properly speaking, with the finger or the mouse, and the signer is duly identified.

Although both electronic signatures have legal validity, the advanced electronic signature is more secure since it allows obtaining information aimed at properly identifying the signer and detecting any subsequent change. Therefore, it is recommended to use the simple electronic signature in those matters where it is not vital to properly identify the signer, while we recommend using the advanced electronic signature for all those documents or agreements that are sufficiently relevant and where it is necessary or useful enough to properly identify the signer.

5. If one of the signatures is a scanned one (a handwritten signature that was scanned in order to have a digital document), is the document legally valid?

No. A digitized signature (that is to say, a scanned signature that is implanted on a document) has no legal validity since it does not meet the validity requirements set by both the eIDAS Regulation and the Electronic Signature Law 59/2003.

Therefore, for the signatures of a document to be valid, they must have been done through an electronic signature method that meets the validity requirements indicated by the eIDAS Regulation. Otherwise, the document would be validly signed only by the party that had used a recognized electronic signature method, such as Signaturit. In all cases, we recommend that all parties to an agreement sign it validly to avoid future questions regarding the validity of the relevant act. 

6. Which kinds of signatures does Signaturit offer?

At Signaturit we offer the simple electronic signature, the advanced electronic signature and the qualified electronic signature. Therefore, we offer the three types of electronic signature defined by the eIDAS Regulation.

The simple electronic signature and the advanced electronic signature are the signatures most used by our clients due to their practicality, convenience and full legal validity.

All electronic signatures offered by Signaturit fully comply with the requirements of the eIDAS Regulation, providing the security that our clients need when signing documents and agreements.

The simple electronic signature is usually the one where the signer is asked to express consent by completing a checkbox or an OTP code.

On the other hand, with an advanced electronic signature, the signer draws his/her signature, properly speaking, with the finger or the mouse and is duly identified. One of the most interesting features of Signaturit’s advanced electronic signature is that, in addition to collecting the email, data related to the IP address of the device, and the date and time of the signature, we obtain biometric data from the graph (pressure, acceleration and speed).

The qualified electronic signature is an advanced electronic signature that is created using a qualified electronic signature creation device and that is based on a qualified electronic signature certificate.

7. How does Signaturit's advanced signature comply with article 26 of the eIDAS Regulation?

Signaturit’s advanced electronic signature meets the requirements of Article 26 of the eIDAS Regulation as follows:

1) In order to guarantee that the signature is associated with a sole signer, the document is sent to the email address of the relevant signer;

2) In order to identify the signer, we obtain the IP addresses of origin and destination of the request, the date/time of the signature; and the biometric data of the signer’s graph (pressure, speed and acceleration). In addition, we can request a second authentication, such as an OTP code that is sent to the signer’s mobile phone, or request a selfie and/or photo of the signer’s ID so that the validity can be determined by applying OCR technology. These additional elements serve to reinforce the evidence to identify the signer;

3) Full control of the signature is guaranteed by the possibility that we grant the signer to sign the document through any device with an internet connection (computer, tablet, mobile); and

4) We prevent any subsequent change in the signature, guaranteeing the absolute integrity and inalterability of the document. To guarantee the absolute integrity, we encrypt the document and include a time stamp that ensures that the document has not been modified from the moment it was signed.

8. What is the term of custody of the documentation that is managed through Signaturit?

Signaturit, as a trusted third party, must comply with article 25.2 of the LSSICE, which states that we need to keep a copy of the documentation for a minimum period of five years.

Therefore, Signaturit must guard the documentation for a minimum period of five years (regardless of whether or not the client holding the documentation remains a client during the aforementioned period). It is important to clarify that, if the customer holding the documentation continues to be a customer, the information will continue to be kept by Signaturit for the duration of their business relationship (that is, even if the 5-year term has expired, Signaturit will continue with custody). On the other hand, if after the 5-year period the customer holding the documentation has ceased to be a customer, Signaturit will only continue keeping the custody at the request of the owner (please note that this service has an additional cost).

9. Which procedure does Signaturit follow to collect biometric data from the signature graph legally?

In relation to the provisions of the previous question, section a) of article 9.2 of the GDPR establishes that the prohibition on the processing of biometric data does not apply where the data subject has given explicit consent to that processing for one or more specified purposes, unless there is a legal prohibition on it at European or state level.

For this reason, before collecting any information related to the biometric data of the signature of the signatory, Signaturit requests the signer’s express consent. The express consent of the signer is granted by means of a simple signature, which is generated by filling in a checkbox at the beginning of the signing process.

10. What is the correlation between the document and the audit trail for presentation of evidence in court?

In the trust services provided by Signaturit, the audit trail and the signed document are linked by an electronic hash that links them in a unique way. Also, once a signature request process has been completed, the user will receive the signed document and the audit trail as attachments in an email to facilitate the linkage between the two documents.
