In Addo Sign our first priority is security. People choose digital signatures for being the most secure type of electronic signature, thus digital signatures differ from a normal signature because digital signatures provide you with the highest level of assurance about the signers’ identity and the authenticity of the documents they sign.

1. User and Permission Management 
2. Automatically logged out if inactive
3. Storing of documents
4. Encrypted transmission of data and industry standards
5. Validity of the signature
6. Technical Security Surrounding the Signature in Addo Sign 
7. Signer authentification 
8. Content integrity 
9. Non-repuditation

User and Permission Management

With Addo Sign, it is possible to control permissions connected to the user profiles associated with your account. Each user will receive a username and password to be used when they log in. As an administrator, you can assign permissions to different user profiles according to the access the user needs.

Automatically logged out if inactive

If you are inactive for 15 minutes, you will automatically be logged out of Addo Sign. This is to ensure that no one but the users can access their Addo Sign account in case the user has forgotten to log out.

Storing of documents

Addo Sign is a transactional solution, therefore, Addo Sign only stores documents up to 10 days after the transaction is set to expire, after which the documents will be deleted.
It is very important that you make sure to save a copy of the signed documents or store them directly in your digital archive.

Encrypted transmission of data and industry standards

Addo Sign uses a security model where all communication and passwords are encrypted and transmitted through https. This security model ensures that the various parties can only access their own data and no other parties’, thus ensuring the safety of any sensitive personal information. Only the administrator of the Addo Sign account is granted access to the documents that the users send through Addo Sign. With Addo Sign, you get a safe solution. To establish secure communications, Addo Sign is using a wide range of industry standards. To read more information about the encryption in Addo Sign, you should read this article.

Validity of the signature

An electronic signature that is technically implemented in a document, based on the PAdES standard, is referred to as an AES (Advanced Electronic Signature). This means that the signature meets the requirements of the eIDAS regulation for an AES and can therefore not be denied its validity by any organization in a European country. An electronic signature that complies with the PAdES standard can therefore be used as proof of authenticity because of the identity of the secure signatory, using the eID that has been used to sign or identify with. It is also the signer and recipient of the document's security that no changes have been made after the signature has been set and that the signatory intended to sign the document.

There are therefore some requirements that apply for an electronic signature to be valid:

• The signature is directly linked to the signatory, as the signature is unique and can be traced back to the signatory.
• It is possible to identify the signatory, as the signer has sole control over the data that has been used to make the electronic signature.
• It is possible to identify the smallest change in the document after it has been signed and therefore appears invalid.
• The document is attached to a certificate for the electronic signature. This stamp is proof of the signatory's identity and links the validated data of the electronic signature to the signatory.
  
  

Addo Sign is therefore compliant with digital signatures and can vouch for its validity.

Technical Security Surrounding the Signature in Addo Sign

For a signature to be valid, either digital or physical, the signature must meet the following three basic requirements:

1. Signer Authentication
2. Content Integrity
3. Non-repudiation

These three basic requirements will be described below and also explain how Addo Sign meets these requirements with digital signature.

Signer Authentication

This requirement stipulates that we have security for signer’s identity. Addo Sign provides different authentication methods i.e. NemID, SMS code, BankID or SITHS to authenticate the signer's identity and demonstrate proof of signing.

To further increase security, when you use Nemid, the unique PID (Personal Identifier) is also printed on the document, assuring that the signer’s certificate is cryptographically bound to the document.

Furthermore, the signed document will always be locked for any changes no matter the signing method, the document has a timestamp with a certificate from a trusted third-party. All the cryptographically signing proofs are embedded in the PDF, in case it should be used to validate the signing in the future.  

In Norway and Sweden, BankID is the most widely used solution, and in Denmark, NemID is the most secure way of attaching a digital signature to a physical person. These signing methods are all supported by Addo Sign.

Content Integrity

Addo Sign is designed to keep your documents secure and prevent tampering of the documents. When a document is signed using Addo Sign, a unique Addo Sign identification number is printed on the document. Also a “checksum” is created based on the document content including the unique identification number. Addo Sign acts as a kind of notary on the signed document. Every step is captured in a secured audit trail and makes it extremely easy to verify if the signed document has been modified since it was signed. If the document changes after signing, the digital signature is invalidated.

Non-repudiation

Non-repudiation is important for Addo Sign. In this section, it is explained how non-repudiation is achieved using Addo Sign.

Non-repudiation can be achieved using one of the official public signatures (Nemid, BankID, etc) - either signing directly with a public signature or in combination with other forms of signature in Addo Sign.

These are signatures with an eID, which is approved by the eIDAS regulation, confirming its validity and that this does not make it possible to reject its authenticity in relation to a digital signature.