Trust Center

Trust is the only product we sell. Here's the work.

Signatur is a Simple Electronic Signature platform for the EU/EEA market. We're not a Qualified Trust Service Provider. We are obsessive about evidence, transparency, and getting the privacy work right — and we publish exactly what we do and don't do.

System status
Operational
Last security review
2026-04-22
Data region
EU (eu-north-1)
Disclosure version
v2026.05
eIDAS classification

Signatur produces Simple Electronic Signatures (SES).

Per eIDAS Regulation (EU) 910/2014 Article 3(10). We are not a Qualified Trust Service Provider. We do not issue Qualified Electronic Signatures (QES) or Advanced Electronic Signatures (AES) on our own. We are not a BankID provider.

Per Article 25(1), an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form. Our job is to make the surrounding evidence — identity verification, hash-chained audit trail, document integrity — as strong as it can be at the SES tier.

Read the full eIDAS disclosure

What's true today

  • Simple Electronic Signatures under eIDAS Art. 3(10), admissible under Art. 25(1)
  • Hash-chained, tamper-evident audit trail (SHA-256)
  • Evidence package + public verification with every completed envelope
  • Email-verified signer identity with IP, device & timestamp evidence
  • GDPR-compliant data handling; EU data residency by default
  • Built and operated from Norway

What we don't claim

  • Not a Qualified Electronic Signature (QES) or Advanced (AES)
  • Not a Qualified Trust Service Provider; not on the EU Trusted List
  • Not BankID, Buypass or any national eID — yet
  • No qualified (RFC-3161) timestamps by default
  • Not ISO 27001 / SOC 2 certified yet — no badge until audited
  • Not "tamper-proof" or "court-proof" — tamper-evident, designed for admissibility

We're not a Qualified Trust Service Provider and hold no security certifications yet. ISO 27001, SOC 2, qualified timestamps and BankID/QES are on our roadmap — we'll only badge them once earned.

What we commit to

Hash-chained audit

Every event is hashed and chained to the previous. Tampering is detectable. Audit logs are exportable as a sealed PDF.

EU data residency

All production data stored in eu-north-1 (Stockholm) by default. No US-resident sub-processors for production data.

Privacy by default

Field-level encryption for PII. RBAC + Row-Level Security in PostgreSQL. AI off by default and never trained on your documents.

Evidence, not promises

Every completed envelope ships with a downloadable evidence package: signed PDF + JSON audit + verification instructions.

Honest about SES

We tell you when SES is appropriate — and when it isn't. The classifier warns before send for high-risk document types.

10-year retention default

Conservative default for completed envelopes. Customer-configurable. Anonymisation after retention preserves chain integrity.

Sub-processors

We use the following vendors to deliver the service. Each has signed a GDPR Art. 28 DPA. We notify customers 30 days before adding or replacing any sub-processor.

VendorPurposeRegionMechanism
AWSHosting, object storageEU (eu-north-1)Art. 28 DPA
CloudflareEdge, DDoS, WAFGlobal edge; EU originArt. 28 DPA
StripePaymentsEUArt. 28 DPA + SCCs
ResendTransactional emailEUArt. 28 DPA
PlausibleAnalytics (consent-gated)EUArt. 28 DPA
SentryError trackingEUArt. 28 DPA

Resources

Contacts

Security disclosures
security@signatur.app
Vulnerability reports. PGP key on /trust/security.
Privacy & DSR
privacy@signatur.app
Access, rectification, erasure requests.
Legal
legal@signatur.app
DPA, sub-processor objections, jurisdiction.