Security and confidentiality are becoming more and more an integral part of regulations.

Visit regulations that impact the use of electronic signatures! An essential milestone in the digital transformation of organizations, this technology is subject to numerous standards and legislations that publishers comply with at different levels:

  • General Data Protection Regulation (GDPR);
  • Regulation eIDAS ;
  • Law for a Digital Republic;
  • Draft European laws on the Digital Services Act (DSA) and the Digital Market Act (DMA).

To ensure data security and confidentiality, Lex Persona leaves nothing to chance! The aim is to enable users to sign without risk.


An electronic signature editor not subject to the Cloud Act

Across the Atlantic, the Cloud Act sets the standard for data management.

In particular, it stipulates that service providers established on American territory must provide the data of all their customers. At the request of the American justice authorities. This measure naturally raises a number of privacy issues. Many electronic signature publishers are subject to this requirement.

Based in France, Lex Persona is de facto exempt from the Cloud Act. The company goes even further, since it only works with suppliers not subject to this legislation, giving preference to French players. Similarly, Lex Persona owns and operates its own IT infrastructure in data centers located in France.


GDPR points of vigilance

A publisher is considered a subcontractor by the GDPR. It is therefore not responsible for processing the personal data of users of its solutions.

This obligation is therefore incumbent on the publisher's customers, who use its tools to sign documents.

However, the electronic signature provider is obliged to retain personal and registration data enabling verification of a signatory's identity (date of birth, copy of identity document, etc.) for a period of 7 years. After this period, this information is deleted or anonymized at the customer's request. In all cases, the retention period and the nature of the archived data are established at the start of the service with the customer. Similarly, the purpose for which the data will be used must always be specified in the publisher's General Terms and Conditions of Use.

Lex Persona is very vigilant about compliance with the GDPR. In particular, it specifies the respective rights and duties of the publisher, its customers and its users. Whether through its service contracts or its General Conditions of Use.


Certifications, the key to the conformity and durability of your signatures

In addition to complying with current regulatory requirements, the measures taken by Lex Persona can meet the criteria of various certifications and labels to guarantee the reliability and durability of the signatures, proof files and logs produced. These certifications demonstrate compliance with the security requirements of certain standards.

Possible certifications include ISO 27001 (Information Security Management). As well as HDS (Health Data Hosting) certification.

Lex Persona is regularly audited, notably for its eIDAS-qualified time-stamping service. In addition, it offers users the option of signing with certificates generated "on the fly" by a Public Key Infrastructure, certified in compliance with the ETSI EN 319 411 standard used for electronic signatures. It has also been awarded the 2D-Doc label by the FNTC. To date, Lex Persona's online electronic signature API is the only one to be CSPN certified byANSSI.


Integrating a "security by design" approach

These certifications can be supplemented by other initiatives to guarantee the security and total control of processes linked to electronic signatures.

Setting up a hybrid architecture combining a component installed on the customer's premises and a SaaS component at the software vendor's is, for example, a good way to meet the needs of organizations with very high confidentiality requirements (ministries, defense sector, etc.).

Thanks to this hybrid process, Lex Persona never comes into contact with signed documents; only the signatories have access to them.

The use of smart cards is also perfectly suited to the public sector. They have access to eIDAS-qualified signature certificates, which can be accessed directly on a physical medium. The use of these certificates guarantees the identity of the signatory.

When these qualified certificates are supplied on a QSCD, the solution, like other applications from the editor, enables eIDAS-qualified signatures.