inSign: secure & provable electronic signature

Legal

eIDAS Regulation – Types of Signatures

The eIDAS Regulation provides the legal framework for electronic signatures.
Article 3.10 defines all the requirements for an electronic signature. Signatures that meet these requirements are often called simple electronic signatures. There are also two types of signatures with additional requirements, the advanced electronic signature (AES) and the qualified electronic signature (QES).

Use in the EU and globally

The requirements for electronic signatures differ depending on the legal area. In Europe, eIDAS (EU) and the largely identical ZertES (Switzerland) are the relevant legal bases. inSign supports eIDAS and ZertES.
Send us a message if you need information on other countries.
These signature types are supported by inSign.

The advanced electronic signature can be done in two different ways with inSign:
  • by handwritten signature on a touch device
  • by entering a name on the keyboard
In addition to the signature, the name, email, date, time, device ID, client platform, timestamp, location data, server operator, inSign version, transaction number and file name are stored in the signature field.

In addition, there is an automatically generated audit report as further proof.

With the handwritten signature, the signature is made on a touch-sensitive screen. The biometric signature data thus captured is embedded in the document in encrypted form. This allows the identity of the signatory to be verified by a handwriting expert.

The qualified electronic signature (QES) is a certificate-based signature. The signatory is already identified before signing via Video-Ident, eID-Ident or Giro-Ident and provides his signature via TAN.

eIDAS Regulation – Document protection

Subsequent modification of the document must be impossible or recognisable. With inSign, the signed document is protected with a seal certificate. After the signature of the first signatory, no more changes to the document are possible.
Advanced electronic signature (AES) by name input
Declaration of intent is made by:
Name input.

Proof of identity:
Confirmed email address / SMS number and process metadata (audit protocol).

Proof of content:
Sealed PDF hash.
Advanced electronic signature (AES) by handwriting
Declaration of intent is made by:
Handwriting.

Proof of identity:
Via biometric data (encrypted) and audit protocol.

Proof of content:
Sealed PDF hash.
Qualified electronic signature (QES) by certificate
Declaration of intent is made by:
Personal certificate (PIN/TAN).

Proof of identity:
Via personal identification and audit protocol.

Proof of content:
Sealed PDF hash.

Confidentiality declaration §203 StGB

Some professional groups are subject to special confidentiality obligations. These so-called secrecy bearers include, for example, doctors, pharmacists, psychologists, lawyers, patent attorneys, marriage, family or youth counsellors or employees in the public service. inSign can be used by these professional groups in compliance with the applicable secrecy obligations. Both the employees of inSign GmbH and those of the relevant subcontractors used by it are obliged to comply with the regulations of §203 StGB.

Civil Code (BGB)

Declarations of intent

In principle, the contracting parties are free to choose the form in which a declaration of intent is concluded. Verbal declarations of intent are more difficult to prove, which is why contracts are usually concluded in writing on paper or electronically with an e-signature solution.

Written form requirement

If a written form requirement is prescribed under the German Civil Code (BGB), the signature must be on paper or via a qualified electronic signature (QES). The QES is equivalent to signing on paper. With inSign, the documents to be signed are transferred to a cooperation partner for signing via QES. The QES process takes place seamlessly within inSign.

Evidence & provability

Linking signature to signatory

According to the eIDAS Regulation, an advanced electronic signature must be able to be linked to the signatory. With the qualified electronic signature, identification is also necessary. In contrast to the AES, this already takes place before signing.

Electronic signature may not be rejected as evidence

The eIDAS Regulation of 01 July 2016 further increases legal certainty in the use of the e-signature. inSign can be used in any country of the European Union. Thus, an electronic signature may not be rejected as evidence.

“An electronic transaction may not be rejected because a document is in electronic form.”

Biometric signature data

A handwritten signature (AES) on a touch-sensitive device records biometric signature data. This can be used as evidence in the event of a dispute.

What is biometric data?
These are, for example, writing speed, writing direction and writing pauses. These are stored together with the document checksum.

Audit report

inSign automatically creates an audit report for each process for all signature methods. This can help clarify any disputes.

What does an audit report contain?
  • Date and time of an event
  • Event type e.g. process created, file upload and download, signature etc.
  • Details of an action e.g. type of device used, system information, participant, name of the process etc.
  • Signature type
  • Contact information of persons involved (optionally masked)

Confirmed email address/SMS number

When signing by name entry via keyboard (AES), clicking on the signature link ensures that the signatory has access to the email address/SMS number used and links this to the signature.

Personal identification/qualified certificate

With the qualified electronic signature (QES), personal identification takes place before the signature (e.g. through Video-Ident). After successful identification, a qualified certificate is issued.

Security

Encryption/Notary Key

All captured biometric signature data is encrypted using an asymmetric encryption method (RSA-2048). A private and public key are used. The private key is typically generated and deposited by an independent authority (e.g. notary). We will be happy to assist you with this on request.

Document seal

All documents are protected from changes with a seal (hash). In the event of subsequent manipulation, the broken seal is displayed when the document is opened.

Two-factor authentication (2FA)

Two-factor authentication provides additional data protection. Here, the identity of a person is proven with the help of two different factors. When the document is released, the link to the document and the password for access are sent separately. It is possible to set in the software which method, e.g. SMS or email, is to be used for authentication.

Authentication

With the inSign verification tool, documents can be checked for authenticity. After uploading an inSign document, you receive further information about the individual signatures in the document, such as signature certificate, time stamp certificate, integrity, signature level,…


Data privacy

Made & Hosted in Germany

Our digital signature solution was developed in Germany and is operated on servers in Germany by German companies. We stand for maximum quality standards, the highest standards of data protection (especially with regard to the change in the law regarding the Privacy Shield) and thus for satisfied customers. Your data will stay in Germany and will of course not be transferred to the USA or other countries.

100 % GDPR-compliant

The electronic signature inSign takes into account all legal regulations of the GDPR without exception. Data protection has the highest priority for us.

Independent audits

inSign is assessed and certified by TÜV (Federal Inspection Association) at annual intervals. The experts of TÜV Saarland conduct tests relating to the security and reliability of our electronic signature.

The user friendliness and error robustness of the tools also play a major part. During the development of our user-friendly software and app, we make sure that inSign complies with the most exacting quality and security standards. That’s why the TÜV quality criteria are so important for us as software producers.
The TÜV test label confirms the quality and security of our inSign application. Owing to the TÜV certification, inSign is widely accepted in the market. The certificate is a key quality criterion for our customers and partners.
You can see all test criteria under the respective certificate number (software: TK45177 and app: TK45178). The certification includes criteria such as IT security based on the fundamental IT protection regulations set out by the BSI (Federal Office for Information Security), as well as the orientation help regarding the data protection requirements for app developers and app providers of 16 June 2014 issued by the Düsseldorfer Kreis (an association of data protection authorities from the German federal states).

BITMi certification

inSign was successfully certified by BITMi e. V. and also awarded the quality labels “Software Hosted in Germany” and “Software Made in Germany”.

ISO 27001 certification

  • ISO 27001 Information security in organisations
  • ISO 27017 Security of data transmission in the cloud
  • ISO 27018 Data protection in the cloud


ISAE 3402 certification

ISAE 3402 Type 2
The International Standard on Assurance Engagements 3402, or ISAE 3402 for short, is an internationally recognised standard for auditing the internal control system of an outsourcing service provider.