Signatur is a Simple Electronic Signature platform for the EU/EEA market. We're not a Qualified Trust Service Provider. We are obsessive about evidence, transparency, and getting the privacy work right — and we publish exactly what we do and don't do.
Per eIDAS Regulation (EU) 910/2014 Article 3(10). We are not a Qualified Trust Service Provider. We do not issue Qualified Electronic Signatures (QES) or Advanced Electronic Signatures (AES) on our own. We are not a BankID provider.
Per Article 25(1), an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form. Our job is to make the surrounding evidence — identity verification, hash-chained audit trail, document integrity — as strong as it can be at the SES tier.
Read the full eIDAS disclosureWe're not a Qualified Trust Service Provider and hold no security certifications yet. ISO 27001, SOC 2, qualified timestamps and BankID/QES are on our roadmap — we'll only badge them once earned.
Every event is hashed and chained to the previous. Tampering is detectable. Audit logs are exportable as a sealed PDF.
All production data stored in eu-north-1 (Stockholm) by default. No US-resident sub-processors for production data.
Field-level encryption for PII. RBAC + Row-Level Security in PostgreSQL. AI off by default and never trained on your documents.
Every completed envelope ships with a downloadable evidence package: signed PDF + JSON audit + verification instructions.
We tell you when SES is appropriate — and when it isn't. The classifier warns before send for high-risk document types.
Conservative default for completed envelopes. Customer-configurable. Anonymisation after retention preserves chain integrity.
We use the following vendors to deliver the service. Each has signed a GDPR Art. 28 DPA. We notify customers 30 days before adding or replacing any sub-processor.
| Vendor | Purpose | Region | Mechanism |
|---|---|---|---|
| AWS | Hosting, object storage | EU (eu-north-1) | Art. 28 DPA |
| Cloudflare | Edge, DDoS, WAF | Global edge; EU origin | Art. 28 DPA |
| Stripe | Payments | EU | Art. 28 DPA + SCCs |
| Resend | Transactional email | EU | Art. 28 DPA |
| Plausible | Analytics (consent-gated) | EU | Art. 28 DPA |
| Sentry | Error tracking | EU | Art. 28 DPA |