Where is Certyneo data hosted?

All data is hosted exclusively in Germany (IONOS SE, Frankfurt), within the European Union. No replication or outsourcing to servers outside the EU is performed.

Is Certyneo subject to the US Cloud Act?

No. Certyneo is a French entity (French law SAS), not subject to the extraterritorial reach of the US Cloud Act. Unlike DocuSign, Adobe Sign, or Dropbox Sign (US companies), US authorities cannot compel Certyneo to disclose your data.

Is Certyneo GDPR compliant?

Yes. Certyneo is GDPR compliant: EU hosting, TLS 1.3 encryption in transit and AES-256 at rest, DPA available (GDPR Article 28), documented limited retention periods, and right of access and deletion respected.

How are signed documents protected against tampering?

Each signed document is protected by a cryptographic seal (SHA-256 hash) recorded in a timestamped audit trail. Any modification to the document after signing invalidates the seal and is detected immediately. The audit trail is retained for 10 years.

Does Certyneo have a DPA (Data Processing Agreement)?

Yes. Certyneo offers a DPA compliant with GDPR Article 28, available and electronically signable from your dashboard or upon request. It details sub-processors, technical and organisational measures (TOMs), and data subject rights.

Security and compliance

Trust is at the heart of Certyneo. This page describes exactly what is in place today in our infrastructure and application.

Updated on 17 April 2026.

Certyneo security — infrastructure and encryption

eIDAS compliant

Our simple signatures (SES) and advanced signatures (AES with OTP email + SMS) comply with the European Union's eIDAS regulation.

TLS 1.3 encryption

All client-server communications are protected by TLS 1.3 via our reverse proxy (auto-renewed Let's Encrypt certificates).

Hosting in Germany (EU)

The application, PostgreSQL database and object storage are hosted on our infrastructure in Germany (IONOS), within the European Union.

Signature audit trail

Every action (opening, OTP, signature, refusal, expiration) is timestamped and stored. An audit footer is embedded in the signed PDF.

Signer authentication

For advanced level (AES): dual OTP email + SMS (our SMS OTP provider). For sender login: email + password, Google, Microsoft Entra.

GDPR

Compliance with the General Data Protection Regulation: right of access, rectification and erasure, processing register.

Regulatory compliances

Certyneo complies with the European regulations applicable to electronic signatures and data protection.

eIDAS

SES and AES signatures

Simple electronic signature (SES) by default. Advanced electronic signature (AES) with OTP email + SMS for enhanced probative value under regulation (EU) No. 910/2014.

GDPR

Data protection

Compliance with Regulation (EU) 2016/679. Data hosted within the European Union, documented retention period, processing register and DPA available upon request.

Our security practices

Here are the concrete measures deployed in production.

TLS 1.3 encryption for all HTTP communications (Caddy 2, Let's Encrypt)
AES-256 encryption for data at rest (documents and database), hosted in Germany
Scrypt hashing (with salt and timing-safe comparison) for user passwords
Email verification and password reset tokens for single use, 1-hour expiration
OTP (SMS OTP) for advanced signature, short validity, single use
Application rate limiting (Redis) by plan on sensitive endpoints
S3-compatible object storage with versioning enabled on documents
Timestamped audit log of each step in the envelope lifecycle

Ready to sign securely?

5 free envelopes per month, no credit card required. eIDAS and GDPR compliance included.

Get started for free Request a demo

Security roadmap

Our next steps to strengthen trust and compliance.

Q4 2026
ISO 27001 Audit
Planned
ISO 27001 certification audit scheduled with an accredited body.
2027
The following shall be reported:
Planned
SOC 2 Type II report covering security, availability, and confidentiality.

Responsible Disclosure

Have you discovered a vulnerability? Please contact us responsibly before any public disclosure. We will acknowledge receipt within 48 business hours.

security@certyneo.com

Data Processing Agreement

Our DPA details Certyneo's obligations as a data processor under the GDPR, including technical and organisational measures.

Télécharger le DPA (PDF)

Frequently Asked Questions about Certyneo Security

Where is Certyneo data hosted?: All data is hosted exclusively in Germany (IONOS SE, Frankfurt), within the European Union. No replication or outsourcing to servers outside the EU is performed.
Is Certyneo subject to the US Cloud Act?: No. Certyneo is a French entity (French law SAS), not subject to the extraterritorial reach of the US Cloud Act. Unlike DocuSign, Adobe Sign, or Dropbox Sign (US companies), US authorities cannot compel Certyneo to disclose your data.
Is Certyneo GDPR compliant?: Yes. Certyneo is GDPR compliant: EU hosting, TLS 1.3 encryption in transit and AES-256 at rest, DPA available (GDPR Article 28), documented limited retention periods, and right of access and deletion respected.
How are signed documents protected against tampering?: Each signed document is protected by a cryptographic seal (SHA-256 hash) recorded in a timestamped audit trail. Any modification to the document after signing invalidates the seal and is detected immediately. The audit trail is retained for 10 years.
Does Certyneo have a DPA (Data Processing Agreement)?: Yes. Certyneo offers a DPA compliant with GDPR Article 28, available and electronically signable from your dashboard or upon request. It details sub-processors, technical and organisational measures (TOMs), and data subject rights.

Learn more

Deepen your understanding of regulations and signature levels.