Where is Certyneo data hosted?

All data is hosted exclusively in Germany (IONOS SE, Frankfurt), within the European Union. No replication or outsourcing to servers outside the EU is performed.

Is Certyneo subject to the US Cloud Act?

No. Certyneo is a French entity (French law SAS), not subject to US Cloud Act extraterritoriality. Unlike DocuSign, Adobe Sign or Dropbox Sign (US companies), US authorities cannot compel Certyneo to disclose your data.

Is Certyneo GDPR compliant?

Yes. Certyneo is GDPR compliant: EU hosting, TLS 1.3 encryption in transit and AES-256 at rest, DPA available (GDPR article 28), documented and limited retention period, access and deletion rights respected.

How are signed documents protected against tampering?

Each signed document is protected by a cryptographic seal (SHA-256 hash) recorded in a timestamped audit trail. Any document modification after signing invalidates the seal and is detected immediately. The audit trail is retained for 10 years.

Does Certyneo have a DPA (Data Processing Agreement)?

Yes. Certyneo offers a DPA compliant with GDPR article 28, available and electronically signable from your dashboard or on request. It details sub-processors, technical and organisational measures (TOMs), and data subject rights.

Security and compliance

Trust is at the heart of Certyneo. This page describes exactly what is in place today in our infrastructure and application.

Updated 17 April 2026.

Certyneo security — infrastructure and encryption

eIDAS compliant

Our simple signatures (SES) and advanced signatures (AES with email + SMS OTP) comply with the European Union's eIDAS regulation.

TLS 1.3 encryption

All client-server communications are protected by TLS 1.3 via our reverse proxy (auto-renewed Let's Encrypt certificates).

Hosting in Germany (EU)

The application, PostgreSQL database and object storage are hosted on our infrastructure in Germany (IONOS), within the European Union.

Signature audit trail

Every action (opening, OTP, signature, refusal, expiration) is timestamped and stored. An audit footer is embedded in the signed PDF.

Signer authentication

For the advanced level (AES): dual OTP email + SMS (our SMS OTP provider). For sender login: email + password, Google, Microsoft Entra.

GDPR

Compliance with the General Data Protection Regulation: right of access, rectification and erasure, processing register.

Regulatory compliances

Certyneo complies with applicable European regulations for electronic signatures and data protection.

eIDAS

SES and AES signatures

Simple electronic signature (SES) by default. Advanced electronic signature (AES) with OTP email + SMS for enhanced probative value under regulation (EU) No. 910/2014.

GDPR

Data protection

Compliance with Regulation (EU) 2016/679. Data hosted within the European Union, documented retention period, processing register and DPA available upon request.

Our security practices

Here are the concrete measures deployed in production.

TLS 1.3 encryption for all HTTP communications (Caddy 2, Let's Encrypt)
AES-256 encryption for data at rest (documents and database), hosted in Germany
Scrypt hashing (with salt and timing-safe comparison) for user passwords
Single-use email verification and password reset tokens, 1-hour expiration
OTP (SMS OTP) for advanced signature, short validity, single-use
Application rate limiting (Redis) by plan on sensitive endpoints
S3-compatible object storage with versioning enabled on documents
Timestamped audit log of each step in an envelope's lifecycle

Ready to sign securely?

5 free envelopes per month, no credit card required. eIDAS and GDPR compliance included.

Start for free Request a demo

Security roadmap

Our next steps to strengthen trust and compliance.

Q4 2026
ISO 27001 Audit
Planned
ISO 27001 certification audit scheduled with an accredited body.
2027
The following shall be reported:
Planned
SOC 2 Type II report covering security, availability and confidentiality.

Responsible disclosure

Discovered a vulnerability? Please contact us responsibly before any public disclosure. We acknowledge receipt within 48 business hours.

security@certyneo.com

Data Processing Agreement

Our DPA details Certyneo's obligations as a data processor under the GDPR, including technical and organisational measures.

Télécharger le DPA (PDF)

Certyneo Security Frequently Asked Questions

Where is Certyneo data hosted?: All data is hosted exclusively in Germany (IONOS SE, Frankfurt), within the European Union. No replication or outsourcing to servers outside the EU is performed.
Is Certyneo subject to the US Cloud Act?: No. Certyneo is a French entity (French law SAS), not subject to US Cloud Act extraterritoriality. Unlike DocuSign, Adobe Sign or Dropbox Sign (US companies), US authorities cannot compel Certyneo to disclose your data.
Is Certyneo GDPR compliant?: Yes. Certyneo is GDPR compliant: EU hosting, TLS 1.3 encryption in transit and AES-256 at rest, DPA available (GDPR article 28), documented and limited retention period, access and deletion rights respected.
How are signed documents protected against tampering?: Each signed document is protected by a cryptographic seal (SHA-256 hash) recorded in a timestamped audit trail. Any document modification after signing invalidates the seal and is detected immediately. The audit trail is retained for 10 years.
Does Certyneo have a DPA (Data Processing Agreement)?: Yes. Certyneo offers a DPA compliant with GDPR article 28, available and electronically signable from your dashboard or on request. It details sub-processors, technical and organisational measures (TOMs), and data subject rights.

Learn more

Deepen your understanding of regulation and signature levels.