Certyneo

Security and compliance

Trust is at the heart of Certyneo. This page describes exactly what is in place today in our infrastructure and application.


Certyneo security — infrastructure and encryption

eIDAS compliant

Our simple signatures (SES) and advanced signatures (AES with email + SMS OTP) comply with the EU eIDAS regulation.

TLS 1.3 encryption

All client-server communications are protected by TLS 1.3 via our reverse proxy (auto-renewed Let's Encrypt certificates).

Hosting in Germany (EU)

The application, PostgreSQL database and object storage are hosted on our infrastructure in Germany (IONOS), within the European Union.

Signature audit trail

Each action (opening, OTP, signature, refusal, expiration) is timestamped and stored. An audit footer is embedded in the signed PDF.

Signer authentication

For advanced level (AES): dual email + SMS OTP (via our SMS OTP provider). For sender login: email + password, Google, Microsoft Entra.

GDPR

Compliance with the General Data Protection Regulation: right of access, rectification and erasure, processing register.

Regulatory compliance

Certyneo complies with applicable EU regulations for electronic signature and data protection.

eIDAS

SES and AES signatures

Simple electronic signature (SES) by default. Advanced electronic signature (AES) with email + SMS OTP for increased probative value under Regulation (EU) No 910/2014.

GDPR

Data protection

Compliance with Regulation (EU) 2016/679. Data hosted within the European Union, documented retention period, processing register and DPA available upon request.

Our security practices

Here are the concrete measures deployed in production.

  • TLS 1.3 encryption for all HTTP communications (Caddy 2, Let's Encrypt)
  • AES-256 encryption for data at rest (documents and database), hosted in Germany
  • scrypt hashing (with per-user salt and timing-safe comparison) for user passwords
  • Single-use email verification and password reset tokens, 1-hour expiration
  • OTP (SMS OTP) for advanced signature, short validity, single use
  • Application-level rate limiting (Redis) by plan on sensitive endpoints
  • S3-compatible object storage with versioning enabled on documents
  • Timestamped audit log of each step in an envelope's lifecycle
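As an added illustration of the password-hashing and single-use token items in the list above (example code written for this page, not Certyneo's own; the scrypt cost parameters and the in-memory token store are assumptions, the 1-hour expiry is the value stated above):

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# scrypt cost parameters are assumed for this example; the page does not state Certyneo's settings.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32
SALT_LEN = 16
TOKEN_TTL_SECONDS = 3600  # single-use tokens expire after 1 hour, as listed above


def hash_password(password: str) -> bytes:
    """Derive a per-user salted scrypt hash; the salt is stored in front of the digest."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time to avoid timing leaks."""
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(candidate, expected)


class OneTimeTokenStore:
    """In-memory store for verification / reset tokens (assumed stand-in for a database table)."""

    def __init__(self) -> None:
        self._pending = {}  # sha256(token) -> (user, expiry timestamp)

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is kept, so a leaked table does not yield usable tokens.
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = (user, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user the token was issued for, or None if unknown, expired or already used."""
        now = time.time() if now is None else now
        # pop() makes the token single-use whatever the outcome of the expiry check.
        entry = self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None:
            return None
        user, expiry = entry
        return user if now <= expiry else None
```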

Ready to sign securely?

5 free envelopes per month, no credit card required. eIDAS and GDPR compliance included.

Security roadmap

Our next steps to strengthen trust and compliance.

  • Q4 2026: ISO 27001 audit (planned). ISO 27001 certification audit scheduled with an accredited body.
  • 2027: SOC 2 Type II (planned). SOC 2 Type II report covering security, availability and confidentiality.

Responsible Disclosure

Have you discovered a vulnerability? Please contact us responsibly before any public disclosure. We will acknowledge receipt within 48 business hours.

security@certyneo.com

Data Processing Agreement

Our DPA details Certyneo's obligations as a processor under the GDPR, including technical and organisational measures.

Download the DPA (PDF)

Frequently Asked Questions about Certyneo Security

Where is Certyneo data hosted?

All data is hosted exclusively in Germany (IONOS SE, Frankfurt), within the European Union. No replication or outsourcing to servers outside the EU is performed.

Is Certyneo subject to the US CLOUD Act?

No. Certyneo is a French entity (French SAS), not subject to the extraterritorial reach of the US CLOUD Act. Unlike DocuSign, Adobe Sign or Dropbox Sign (American companies), American authorities cannot compel Certyneo to disclose your data.

Is Certyneo GDPR compliant?

Yes. Certyneo is GDPR compliant: EU hosting, TLS 1.3 encryption in transit and AES-256 at rest, DPA available (Article 28 of the GDPR), limited and documented retention period, and access and deletion rights respected.

How are signed documents protected against tampering?

Each signed document is protected by a cryptographic seal (SHA-256 hash) recorded in a timestamped audit trail. Any modification to the document after signing invalidates the seal and is detected immediately. The audit trail is retained for 10 years.

Does Certyneo have a DPA (Data Processing Agreement)?

Yes. Certyneo provides a DPA compliant with Article 28 of the GDPR, available and electronically signable from your dashboard or upon request. It details sub-processors, technical and organisational measures (TOMs), and the rights of data subjects.