Legal FAQs

1. Is it necessary to sign each page of the document?

When documents are signed manually, they are usually signed or initialed on every page, to ensure that the content of the document remains unchanged.

However, when using Signaturit, it’s enough to sign the document once, as our software ensures the absolute integrity and inalterability of the signed document. Once the document has been signed once by each of the signatories, Signaturit will close the document, encrypt the information, and establish a qualified time stamp to ensure it cannot be changed in any way.

2. Can I forward the signature request to another email?

We always recommend signing the document from the indicated email address, and not forwarding the signature request to a different email address. If the signature request is forwarded, the audit trail collects this information, and will register that the request was opened from different devices and IP addresses, weakening essential identification elements of the signatory.

It is important to keep in mind that the proper identification of the signatory is not only an element that provides security to the signing process, but is also a necessary requirement for an advanced electronic signature to be valid, in compliance with the provisions of article 26 of the eIDAS Regulation.

While Signaturit collects additional identifying elements (such as the date / time of signature and document data), the correct email address is vital to ensure the validity of the signatory.

3. Is Signaturit GDPR compliant?

Signaturit is compliant with all relevant GDPR policies. Signaturit acts as data processor for its clients, assuming the corresponding obligations, based on the provisions of article 28 of the GDPR. As data processor, Signaturit carries out treatment on behalf of the data controller, who will advise accordingly.

In order to duly perform its role as data processor, Signaturit has implemented several security measures aimed at ensuring the proper treatment of data. These include:

  • A system for the designation of users and passwords of its personnel, for both their own and third-party systems. Access is limited by attending to user profiles, assigning personalised users, and ensuring passwords expire at least once a year.
  • Informing employees of the rights and duties that correspond to them regarding the processing of data of third parties.
  • An updated list of profiles and permissions of its users, both to its own systems and those of third parties.
  • A system for registering incidents, and the protocol to follow, including communication to the Data Controller, users, and supervisors.
  • Appropriate measures for the transfer of owned or third-party media.
  • Identification systems for the supports Signaturit works with.
  • A circuit of backup copies of systems on a daily basis.
  • A data recovery circuit, as part of the Business Continuity and Disaster Recovery Policy.
  • An appointed Data Protection Officer, who can be contacted at: [email protected]
  • Conducting audits every two years in the field of data protection.
  • A system for registering entries and exits of media that may contain categories of data that comply with the parameters of the law.
  • Limiting the unauthorised access to computer systems, establishing secure areas, and limiting access to trusted personnel.
  • Recording the data recovery process, according to the parameters of regulations.
  • An Information Security Management System, certified under the ISO 27001 standard by AENOR INTERNACIONAL, S.A.U.

If you have further questions about how we comply with our obligations regarding the protection of personal data, please check our Privacy Policy.

4. What's the difference between a simple electronic signature and an advanced electronic signature?

The eIDAS Regulation defines a simple electronic signature as: “the data in electronic format attached to other electronic data or logically associated with them that the signatory uses to sign”. The simple electronic signature is usually the one where you request to accept a condition by completing a checkbox or an OTP code, and it does not have the ability to properly identify the signatory.

The eIDAS Regulation defines an advanced electronic signature as: “the electronic signature that meets the requirements set forth in article 26”. The requirements in article 26 of the eIDAS Regulation are:

i) It is uniquely linked to the signatory.
ii) It is capable of identifying the signatory.
iii) It is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control.
iv) It is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.

With the advanced electronic signature, the signatory has to draw their signature with their finger or mouse.

Although both electronic signatures have legal validity, the advanced electronic signature is more secure, as it obtains information to properly identify the signatory, and detect any subsequent change. Therefore, it’s recommended to use the simple electronic signature when it’s not vital to properly identify the signatory, and use the advanced electronic signature for documents or agreements that are sufficiently relevant, or where it is necessary to properly identify the signatory.

5. If a signature is scanned, is the document legally valid?

No, a scanned signature (a handwritten signature that was scanned to produce a digital document) has no legal validity, since it doesn’t meet the validity requirements set by the eIDAS Regulation.

Therefore, for the signatures of a document to be valid, they must have been done through a recognised electronic signature method that meets these validity requirements, such as Signaturit.

6. What types of signature does Signaturit offer?

At Signaturit we offer the simple electronic signature, the advanced electronic signature, and the qualified electronic signature. These are the three types of electronic signature defined by the eIDAS Regulation.

The simple and advanced electronic signatures are the ones most used by our clients, due to their practicality, convenience and full legal validity.

All electronic signatures offered by Signaturit fully comply with the requirements of the eIDAS Regulation, providing the security that our clients need when signing documents and agreements.

With the simple electronic signature, the signatory is usually asked to express consent by completing a checkbox or an OTP code, whereas with an advanced electronic signature, the signatory draws their signature with their finger or mouse. With Signaturit’s advanced electronic signature, in addition to collecting the email, the device’s IP address, and the date and time of the signature, we also obtain biometric data from the signature graph (pressure, acceleration and speed).

The qualified electronic signature is an advanced electronic signature which is created using a qualified electronic signature creation device, and is based on a qualified electronic signature certificate.

7. How does Signaturit's advanced signature comply with article 26 of the eIDAS?

Signaturit’s advanced electronic signature meets the requirements of Article 26 of the eIDAS Regulation as follows:

  • In order to guarantee that the signature is associated with a sole signatory, the document is sent to the email address of the relevant signatory.
  • In order to identify the signatory, we obtain the IP addresses of origin and destination of the request, the date/time of the signature, and the biometric data of the signatory’s graph (pressure, speed and acceleration). In addition, we can request a second authentication, such as an OTP code that is sent to the signatory’s mobile phone, or request a photo of their face or ID, so that the validity can be determined by applying OCR technology.
  • Full control is guaranteed, as documents can be signed through any device with an internet connection (computer, tablet, mobile).
  • We prevent any subsequent change in the signature, guaranteeing the absolute integrity and inalterability of the document. We encrypt the document and include a time stamp, which ensures that the document hasn’t been modified after it was signed.

8. What is the term of custody of the documentation that is managed through Signaturit?

Signaturit, as a trusted third party, must comply with article 25.2 of the LSSICE, which states that we need to keep a copy of the documentation for a minimum period of five years.

Therefore, Signaturit must guard the documentation for a minimum period of five years (regardless of whether or not the client holding the documentation remains a client during that period). If the customer holding the documentation continues to be a customer, the information will continue to be kept by Signaturit for the duration of their business relationship (that is, even if the 5-year term has expired, Signaturit will continue with custody). On the other hand, if after the 5-year period, the customer holding the documentation has ceased to be a customer, Signaturit will only continue keeping the custody at the request of the owner (please note that this service has an additional cost).

9. Which procedure does Signaturit follow to legally collect biometric data from the signature graph?

In relation to the provisions of the previous question, section a) of article 9.2 of the GDPR establishes that the prohibition of the treatment of biometric data will not be applicable, as long as the interested party has given their explicit consent for that treatment, for one or more of the specified purposes (except if there is a legal ban at a European or state level on it).

For this reason, before collecting any information related to biometric data, Signaturit requests the signatory’s express consent. The express consent of the signatory is granted by means of a simple signature, which is generated by filling in a checkbox at the beginning of the signing process.

10. What is the relationship between the document and the audit trail for presentation of evidence in court?

In the trust services provided by Signaturit, the audit trail and the signed document are uniquely linked by an electronic hash. Once a signature request process has been completed, the user will receive the signed document and the audit trail as attachments in an email, to facilitate the relationship between the two documents.