Certyneo

Electronic Signature Glossary

112 key terms to master electronic signatures, cryptography, and eIDAS compliance.


Electronic signature glossary: references and definitions

A

Electronic authentic instrument (acte authentique électronique, AAE)
The electronic authentic instrument (AAE) is a notarial deed drawn up, received and preserved in digital form in accordance with Decree No. 2005-973 of 10 August 2005. The notary affixes their qualified electronic signature (QES level, eIDAS) using an authorised QSCD, and the deed is then transmitted to the Real.not platform (Réseau électronique des actes de notaires). The AAE has the same evidentiary and enforceable force as a paper deed: it constitutes conclusive proof of its content and can serve as the basis for enforcement without a prior judgment. Real estate contracts, gifts, company mergers and future-protection mandates are among the deeds that can be drawn up in electronic form. Certyneo supports notarial practices in implementing the preliminary co-signature flows (preliminary agreements, sales mandates) that precede the signing of the authentic deed before the notary.
AES (Advanced Electronic Signature)
The Advanced Electronic Signature (AES) is the second level defined by the eIDAS regulation. It must be uniquely linked to the signatory, enable their identification, be created using data under their sole control, and allow the detection of any subsequent modification to the document. In practice, Certyneo implements it via strong authentication (email + OTP SMS) and a timestamped audit trail. Understand signature levels →
Electronic signature REST API
An electronic signature REST API (Representational State Transfer) exposes the operations of the signature engine as HTTP resources accessible from any programming language. Typical flows include: creating an envelope (POST /envelopes), uploading a document (PUT /envelopes/{id}/documents), adding signatories and fields (POST /recipients), sending for signature (PUT /envelopes/{id}/send), then retrieving the signed document (GET /envelopes/{id}/signed-pdf). Authentication relies on Bearer tokens (OAuth 2.0 / API keys). Webhooks complement the API by pushing events (document signed, refusal, expiry) to your backend without polling. A good signature REST API guarantees document integrity via a SHA-256 hash returned at each step and supports a timestamped audit trail. Certyneo exposes a complete REST API documented in OpenAPI 3.1, with SDKs available for Node.js, Python and PHP.
Electronic archiving
Electronic archiving refers to the long-term storage of digital documents under conditions that guarantee their integrity, readability and evidentiary value. A probative archiving system allows signed documents and their audit trails to be kept for several years or even decades. On Certyneo, signed envelopes are retained for 10 years in compliance with legal requirements.
France Travail certificate (formerly Pôle emploi)
The certificate intended for France Travail (formerly Pôle emploi) is a document the employer must give the employee at the end of their contract (art. R1234-9 of the Labour Code). It allows the employee to claim unemployment insurance rights; the employer also transmits it to France Travail. It can be generated and signed electronically as part of the end-of-contract process. Mandatory end-of-contract documents →
Authentication
Authentication is the process of verifying the identity of a user or system before granting them access to a service or authorising the placement of an electronic signature. It can be simple (password alone), strong (multi-factor) or biometric. The robustness of authentication directly determines the achievable signature level: an AES requires at least two distinct factors.
Strong authentication
Strong authentication (or multi-factor authentication, MFA) requires the presentation of at least two distinct pieces of identity evidence to verify a user's identity. In the context of an advanced electronic signature (AES), it typically involves a combination of email + OTP SMS, strengthening the link between the signed document and its author. This is one of the requirements set by the eIDAS regulation for advanced-level signatures.
Certification authority (CA)
A certification authority (CA) is a trusted body that issues X.509 electronic certificates linking a public key to the identity of its holder. Qualified CAs are supervised by national authorities (ANSSI in France) and listed on the EU trust list. They form the backbone of the PKI and the chain of trust for qualified signatures.

B

Bearer token
A bearer token is an API access token that grants whoever holds ("bears") it the right to access protected resources, without any further proof of identity — possession alone is sufficient, like cash. It is transmitted in the HTTP header Authorization: Bearer <token>. In OAuth 2.0, bearer tokens are the standard access-token format; they are typically short-lived and carry scopes that bound what the holder may do.

Certyneo's REST API uses bearer tokens to authenticate programmatic calls: creation of envelopes, status queries, webhook configuration and downloading of signed documents.

Security implications: because the token is the credential, it must travel only over TLS, never be exposed client-side or logged, and be rotated regularly; a leaked bearer token is as dangerous as a leaked password until it expires or is revoked.

Good practice: scope each token to the minimum required permissions, set a short expiry, and prefer per-integration tokens so one can be revoked without affecting the others.
Biometrics
Biometrics encompasses identification techniques based on a person's physical or behavioural characteristics (fingerprint, facial recognition, handwritten trace, voice). In electronic signatures, a biometric signature can capture the handwritten trace on a touchscreen (speed, pressure, angle) to create a direct link between the signatory and their consent. Under eIDAS, biometrics alone is not sufficient to reach the advanced level (AES): it must be combined with strong authentication. Biometric data is considered sensitive under the GDPR and its processing requires explicit consent.
Blockchain and electronic notarisation
Blockchain notarisation consists of anchoring the cryptographic fingerprint (SHA-256 hash) of a document in an immutable distributed ledger (Bitcoin, Ethereum, etc.) in order to prove its existence at a given moment. Unlike RFC 3161 qualified time-stamping, blockchain notarisation is not recognised as legal proof within the meaning of eIDAS: it constitutes admissible evidence before some jurisdictions but does not replace an accredited QTSP. Its advantage is decentralisation: the proof survives the disappearance of the provider. In a corporate context, blockchain is mainly relevant for archiving supplementary evidence (hash published on-chain) as a redundancy layer on top of conventional probative electronic archiving.

C

Electronic seal
An electronic seal is the equivalent of an electronic signature for legal entities (companies, public bodies). It guarantees the origin and integrity of a document issued on behalf of an organisation without involving an identified human signatory. The eIDAS regulation recognises simple, advanced and qualified electronic seals, on the same basis as signatures.
SSL / TLS padlock
The SSL/TLS padlock is the visual indicator displayed by the browser (padlock icon in the address bar) confirming that an encrypted TLS connection is established between the browser and the server. It attests that the data exchanged (documents, OTP codes, credentials) cannot be intercepted in plain text. Certyneo enforces TLS 1.3 across all its endpoints, making the padlock visible on all signature pages.
Employment certificate (certificat de travail)
The employment certificate is a document the employer must give the employee at the end of any employment contract (art. L1234-19 and D1234-6 of the Labour Code), whatever the reason for termination. It states the start and end dates, the nature of the positions held and the corresponding periods. It is a "collectable" document (quérable): it is held at the employee's disposal, and the employee comes to collect it. It can be signed and delivered electronically with full legal effect. See all end-of-contract documents →
Electronic certificate
An electronic certificate is a digital file issued by a certification authority (CA) that associates a public key with the identity of its holder. It forms the foundation of the PKI and enables the verification of the authenticity and integrity of a digital signature. The validity of a certificate is time-limited and can be revoked in case of compromise.
Qualified certificate
A qualified certificate is an electronic certificate issued by a qualified trust service provider listed on the trust list of an EU Member State. It is mandatory for issuing qualified signatures (QES) within the meaning of the eIDAS regulation. Its assurance level is the highest recognised in the EU.
Root certificate and chain of trust
A root certificate is the top of the PKI: self-signed by the root certification authority, it anchors the trust of the entire chain. When verifying an electronic signature, the verifier walks up the certificate chain (end entity → intermediate(s) → root) and checks that each link is valid, not revoked (OCSP / CRL) and compliant with its usage policy. Browsers and operating systems ship trusted root stores (Mozilla NSS, Microsoft Root Store, Apple Root Certificate Program). For eIDAS qualified signatures, the chain must lead up to a QTSP listed on the EU trust list. A certificate whose root is not in the verifier's store will be rejected even if the cryptographic signature is technically correct.
Encryption
Encryption is the process of transforming a readable message into an unreadable format (ciphertext) using an algorithm and a secret key. It protects the confidentiality of data in transit and at rest, and complements the hashing used to guarantee integrity in signatures. Certyneo uses TLS 1.3 to encrypt all communications between the browser and the servers.
Encryption at rest
Encryption at rest refers to the protection of stored data through encryption, so that it is unreadable without the decryption key, even in the event of unauthorised physical or logical access to the storage medium. Certyneo encrypts documents and their audit trails at rest (AES-256) on its infrastructure hosted in Germany, in compliance with GDPR requirements.
CLM (Contract Lifecycle Management)
CLM (Contract Lifecycle Management) refers to the set of processes and tools that cover the complete lifecycle of a contract: drafting, negotiation, internal approval, electronic signing, storage and renewal.

Single repository: a CLM solution centralises every contract in one searchable repository with deadline alerts, clause libraries, approval workflows and contractual-exposure reporting, replacing scattered email threads and shared drives.

Where signing fits: electronic signature is one stage of the CLM chain — once a contract is approved it moves to signature, then to archival with probative value.

Integration with Certyneo: Certyneo covers the signing phase and plugs into a third-party CLM via REST API — it receives the finalised document, runs the signing circuit (sequential or parallel, at the advanced (AES) or qualified (QES) level), and returns the signed PDF with a timestamped audit trail that the CLM archives as the definitive version.

Why it matters: a contract that is signed but not tracked in a CLM still exposes the business to missed renewals and auto-renewal penalties, which is why signing and lifecycle management are increasingly bought together.
Co-signature and multiple signatures
Co-signature refers to collecting at least two signatures on the same document. Two modes are distinguished: sequential signing (signatory B receives the invitation only after A has signed, useful for hierarchical contracts or notarial deeds) and parallel signing (all signatories receive the invitation simultaneously, faster for symmetric documents). Co-signature raises the question of inter-round integrity: each PAdES signature added to the PDF must reference the previous revision through an incremental update, guaranteeing that no party has modified the document between two signings. Certyneo manages signatory order, targeted reminders and per-signatory expiry deadlines, and automatically detects attempts at inter-round modification through SHA-256 hash verification at each step of the audit trail.
Compliance
Compliance refers to adherence to the laws, regulations and standards applicable to an organisation. In the context of electronic signatures, it refers in particular to the eIDAS regulation, the GDPR, the Labour Code (for employment contracts), the ALUR law (real estate) and the professional ethics rules specific to certain professions. Non-compliance exposes the company to nullity of its acts and administrative sanctions.
Electronic consent
Electronic consent is the expression of a person's will, expressed digitally, to accept terms or sign a document. To have evidentiary value, this consent must be free, specific, informed and unambiguous, in accordance with the GDPR. In a signature workflow, clicking "Sign" constitutes the signatory's electronic consent.
Electronic contract
An electronic contract is any agreement formed digitally, governed in France by Articles 1366 to 1368 of the Civil Code and the LCEN. Unlike a simple online order, an electronic contract involves a multi-step procedure: offer, pre-contractual information, explicit acceptance ("click to accept" or electronic signature), then probative retention for the legal period. Evidentiary value is strengthened by adding an advanced (AES) or qualified (QES) signature, a qualified time-stamp, and capture of the signatory's consent and IP address. The eIDAS 2 regulation extends these requirements to cross-border contracts within the EU through the European Digital Identity Wallet.
CRL (Certificate Revocation List)
A CRL (Certificate Revocation List) is a list published periodically by a certification authority listing certificates revoked before their expiry date, generally due to key compromise or identity change. When verifying a digital signature, the software consults the CRL (or uses OCSP) to ensure the signatory's certificate has not been revoked at the time of signing.
Asymmetric cryptography (public key / private key)
Asymmetric cryptography relies on a pair of mathematically linked keys: the private key (secret, kept in an HSM or a QSCD) and the public key (freely distributed in a certificate). To sign a document, the signatory computes the document's digest and encrypts it with their private key; anyone can verify the signature by decrypting this digest with the public key and comparing it to the hash of the original document. The dominant algorithms are RSA (2048–4096-bit keys) and ECC (P-256, P-384 curves). RSA 2048 is recommended until 2030 by NIST; ECC P-256 offers an equivalent security level with keys 10× shorter (better HSM performance). Resistance to quantum computers is provided by the post-quantum algorithms CRYSTALS-Dilithium and CRYSTALS-Kyber, which are being standardised by NIST.
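Added example (not Certyneo's code and not a real QTSP chain): this Go program builds a constructed three-level chain (root CA → issuing CA → signer) with the standard library, signs a document digest with the signer's private key as the asymmetric-cryptography entry describes, and verifies it the way a reader walks the chain in the root-certificate entry. The last check shows the rejection described there: the identical signature fails as soon as the root is absent from the verifier's trust store. All names, serial numbers and the document text are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certTemplate: CAs get CertSign (needed to sign child certificates), the signer only DigitalSignature.
func certTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Constructed QTSP"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              usage,
	}
}

// issue generates a P-256 key pair for tmpl and has the certificate signed by
// parentKey; parent == nil means self-signed (a root). Panics: this is a demo PKI.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Chain is the constructed PKI: Root -> Intermediate -> Leaf (the signer).
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
	LeafKey                  *ecdsa.PrivateKey // in practice never leaves the HSM/QSCD
}

func BuildChain() *Chain {
	root, rootKey := issue(certTemplate("Constructed Root CA", 1, true), nil, nil)
	inter, interKey := issue(certTemplate("Constructed Issuing CA", 2, true), root, rootKey)
	leaf, leafKey := issue(certTemplate("Jane Doe (constructed signer)", 3, false), inter, interKey)
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf, LeafKey: leafKey}
}

// SignDocument hashes the document with SHA-256 and signs the digest with the
// private key (the "encrypt the fingerprint with the private key" step).
func SignDocument(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifySignedDocument does what a verifier (judge, auditor, PDF reader) does:
// walk leaf -> intermediate -> a root in its own trust store, then recompute the
// document hash (CheckSignature applies SHA-256 itself) and check the signature.
func VerifySignedDocument(c *Chain, trustedRoots []*x509.Certificate, doc, sig []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	inters.AddCert(c.Intermediate)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := c.Leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := c.Leaf.CheckSignature(x509.ECDSAWithSHA256, doc, sig); err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	return nil
}

func main() {
	c := BuildChain()
	doc := []byte("Constructed sales mandate, revision 1") // sample input
	sig, _ := SignDocument(c.LeafKey, doc)
	fmt.Println("root in store:", VerifySignedDocument(c, []*x509.Certificate{c.Root}, doc, sig))
	fmt.Println("root not in store:", VerifySignedDocument(c, nil, doc, sig))
}
```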

D

Signature delegation
Signature delegation is the mechanism by which an authorised signatory (delegator) formally transfers their signing authority to a third party (delegate) for a defined period and scope. Under French law, a signature delegation must be explicit, formalised in writing and precisely mention the acts covered. On Certyneo, delegation is managed on the administration side: the delegator configures a signing role for the delegate; the audit trail records the effective signatory's identity and the legal basis of their delegation.
Dematerialisation
Dematerialisation refers to the replacement of paper documents and processes with their digital equivalents. It encompasses digitisation, native creation of electronic documents, and their signing via tools such as Certyneo. It enables the reduction of delays, costs and the environmental footprint of document processes. See the benefits of contract dematerialisation →
Distinguished Name (DN)
The Distinguished Name (DN) is the unique identifier of a subject in an X.509 certificate. It is composed of hierarchical attributes: CN (Common Name, holder's name), O (Organisation), OU (Organisational Unit), C (Country, ISO code), etc. — for example CN=John Smith, O=Certyneo, C=GB. The signatory's DN is readable in the signature properties of a PDF validated in Adobe Acrobat Reader.
DPA (Data Processing Agreement)
A DPA (Data Processing Agreement) is the contract required by Article 28 of the GDPR between a data controller (the client) and a processor (such as Certyneo). It specifies the purposes of processing, data categories, security measures, sub-processing conditions and obligations in case of breach. Concluding a DPA is mandatory before any processing of personal data of signatories. Certyneo provides a standard DPA annexed to the Terms of Service.

E

ECC (Elliptic Curve Cryptography)
Elliptic Curve Cryptography (ECC) is an asymmetric cryptography approach based on the algebraic properties of elliptic curves. It offers security equivalent to RSA with significantly shorter keys (256-bit ECC ≈ 3072-bit RSA), reducing computational load. ECC is the preferred algorithm of TLS 1.3 (X25519 curve, P-256) and is increasingly used in certificates for digital signatures.
eIDAS
eIDAS (Electronic IDentification, Authentication and trust Services) is European Regulation No 910/2014 which establishes a common legal framework for electronic signatures, seals, time-stamping and other trust services in the EU. It defines three signature levels (simple, advanced, qualified) and creates the concept of qualified trust service providers. Learn more about eIDAS →
eIDAS 2.0
eIDAS 2.0 (EU Regulation 2024/1183, in force since 2024) is the major revision of eIDAS which notably introduces the European Digital Identity Wallet (EUDIW). It aims to extend the recognition of digital identities to all public and private services in the EU, and strengthens requirements for qualified providers. The digital identity of each European citizen will be carried by a certified mobile wallet by 2026.
Signature envelope
A signature envelope is the logical container grouping one or more documents to be signed, the list of signatories, the positioned signature fields, and the workflow configuration. On Certyneo, each envelope has its own lifecycle (draft, sent, pending, signed, refused, expired) and a timestamped audit trail.
Bulk sending (bulk signing)
Bulk sending (or bulk signing) refers to the ability to send a document to many signatories simultaneously, or to send several distinct documents in a single operation. This functionality is essential for HR (employment contracts), insurance (endorsements) or real estate (mandates). On Certyneo, the API allows bulk sends to be orchestrated via a single programmatic call, each signatory receiving an individual link and their own audit trail.
ESIGN Act
The ESIGN Act (Electronic Signatures in Global and National Commerce Act, 2000) is the US federal law that recognises the legal validity of electronic signatures and online contracts in the United States. Complementary to UETA (the model law of the States), it establishes the principle that a signature cannot be refused solely because it is electronic. For transatlantic contracts, an eIDAS AES is generally recognised as ESIGN/UETA compliant, facilitating EU–US contractual exchanges.
EUDI Wallet (European Digital Identity Wallet)
The European Digital Identity Wallet (EUDI Wallet) is the mobile application mandated by eIDAS 2.0. It allows EU citizens to store and share certified identity attributes (civil status, diplomas, driving licences) and perform qualified signatures (QES) from their smartphone. The EUDI Wallet will gradually replace FranceConnect+ in France by 2026–2027.

F

Approval flow (approval workflow)
An approval workflow is a structured sequence of validation steps a document must pass through before being signed. Typically: drafting → legal review → financial validation → signature. Under French business law, some acts require a formalised approval before signature (board of directors' resolution, CFO sign-off). Technically, an approval workflow differs from co-signature: approvers validate the content without necessarily affixing their electronic signature (they click "Approved"), whereas the final signatories commit their liability. Certyneo supports both modes in the same envelope flow, with distinct roles (Approver vs Signer) and webhooks triggered on each state transition.
Hash function
A hash function is a one-way mathematical function that transforms an input of any size into a fixed-length output called a digest (or hash). Any modification, even of a single bit, produces a radically different digest. Modern functions (SHA-256, SHA-3) are collision-resistant. In digital signatures, the document is first hashed, then the digest is encrypted with the private key — which guarantees the integrity of the signed content.
FranceConnect
FranceConnect is the French government's digital identity service that allows citizens to authenticate with public or private online services using an existing identifier (Impots.gouv, Ameli, La Poste, MSA, Identité Numérique). A step above, FranceConnect+ is qualified as 'substantial' within the meaning of the eIDAS regulation and can be used to trigger an advanced (AES) or even qualified (QES) signature. By end 2026, FranceConnect+ will be progressively replaced by the digital identity carried by the European Wallet (EUDIW) provided for by eIDAS 2.0.

G

Document template
A template is a pre-configured standard document with its dynamic fields (signatories, dates, amounts, signature positions) that serves as the starting point for recurring envelopes. On Certyneo, templates industrialise high-volume workflows (employment contracts, NDAs, purchase orders): duplicate the template, fill in the case-specific variables, send. The free contract templates available at /modeles-contrats are designed to be downloaded and then instantiated as templates in your account.
GDPR (General Data Protection Regulation)
The GDPR (General Data Protection Regulation, EU Regulation 2016/679) is the European regulation governing the collection, processing and storage of personal data in the EU. It applies to any organisation processing data of EU residents, regardless of its location. It requires in particular the conclusion of a DPA with processors, data minimisation and respect for individuals' rights (access, rectification, erasure).
Document generator and digital mail merge
A document generator (document generation) combines a contract template with variable data (name, SIREN, amount, date, etc.) to automatically produce a PDF ready for signature. Common technologies are: Word/DOCX template engines (Carbone.io, Docxtemplater), LaTeX, HTML-to-PDF (Puppeteer/headless Chrome) and the Adobe PDF Services API. The advantage of digital mail merge over paper mail merge is direct handover to the signature workflow without printing: the generated document is injected into the signature envelope via the REST API, signature fields are positioned by coordinates or by HTML tags, and the cycle closes within seconds. The main risk is layout divergence between local DOCX rendering and server-side rendering; a visual regression test suite (PNG capture + diff) is recommended.

H

Hashing (hash)
Hashing is a cryptographic operation that transforms a document of any size into a fixed-size digital fingerprint called a 'hash'. Any modification, even minor, of the document produces a completely different hash, thus guaranteeing the integrity of the file. Digital signatures rely on encrypting this hash with the signatory's private key.
TLS handshake
The TLS handshake is the negotiation phase that takes place at the beginning of a TLS connection. The client and server agree on the cipher suite, exchange their certificates (optional mutual authentication), and establish session keys via an ephemeral key protocol (ECDHE). TLS 1.3 has reduced the handshake to 1 network round-trip (vs 2 in TLS 1.2), improving the performance of signing sessions on mobile.
Electronic time-stamping
Electronic time-stamping is a mechanism for linking digital data to a precise moment in time, in a verifiable and tamper-proof manner. A qualified time-stamp, issued by a qualified provider within the meaning of eIDAS, provides legal proof of the existence of a document at a given date. It is essential for maintaining the evidentiary value of documents over the long term.
Qualified time-stamp (TSA)
A qualified time-stamp is an electronic time-stamp issued by a qualified Time-Stamping Authority (TSA) within the meaning of eIDAS. It produces legally recognised proof of the existence of a document at a precise date and time, linked to the document's fingerprint. It is essential for the PAdES B-T, B-LT and B-LTA profiles to guarantee long-term evidentiary value.
HSM (Hardware Security Module)
An HSM (Hardware Security Module) is a tamper-resistant physical device dedicated to the secure generation, storage and use of cryptographic keys. The HSM performs cryptographic operations (signing, decryption, key generation) without ever exposing the private key — it remains inside the hardware perimeter, protected by physical countermeasures (anti-intrusion sensors, automatic key zeroisation on any tampering attempt).

HSM certifications: to be qualified under the eIDAS regulation, an HSM must meet strict standards — FIPS 140-2 level 3 or FIPS 140-3 level 3+ (US NIST standard), and/or Common Criteria EAL4+ (European standard). Common Criteria-certified HSMs are eligible to host qualified electronic signature (QES) keys and qualified timestamp keys. The European Trusted List references the authorised HSMs for each qualified provider.

Cloud HSM vs physical HSM: historically HSMs were dedicated appliances installed in private datacentres. Cloud providers now offer shared or dedicated HSMs as a service — AWS CloudHSM, Azure Dedicated HSM, Google Cloud HSM, alongside national HSMs operated by European QTSPs. The eIDAS 2.0 regulation explicitly recognises cloud HSMs for remote qualified signing.

HSM and encryption: beyond signing, HSMs protect database encryption keys, disk-encryption keys (BitLocker, FileVault, LUKS), root keys of internal PKIs, and application secrets. Key rotation, backup and revocation are managed via the PKCS#11 standard or proprietary interfaces.

Certyneo implementation: remote-signature cryptographic keys are hosted in Common Criteria EAL4+ HSMs operated by our qualified trust service provider (QTSP). No private key is ever accessible to Certyneo or its hosting partner — every signing operation goes through strong authentication of the signer and an API call to the HSM, which returns the signature without exposing the key. See also QSCD and cloud signature.
HTTP/3
HTTP/3 is the third major version of the HTTP protocol, based on QUIC (UDP transport) rather than TCP. It reduces latency (elimination of head-of-line blocking), improves recovery after network disruption and natively integrates TLS 1.3. Certyneo leverages HTTP/3 to accelerate the loading of documents to sign and the submission of consent forms, particularly on mobile in degraded network environments.

I

Digital identity
Digital identity is the set of data enabling the identification of a natural or legal person in the digital space. It can be provided by a State (electronic identity card, FranceConnect) or by private operators (qualified providers). With eIDAS 2.0, every European citizen will have an official digital identity wallet (EUDIW).
IdP (Identity Provider)
An Identity Provider (IdP) is a service that manages digital identities and issues authentication assertions to third-party applications (Service Providers). The dominant protocols are SAML 2.0 (enterprise, SSO with Okta/Azure AD) and OIDC/OAuth 2.0 (web, FranceConnect). In the context of electronic signatures, the IdP plays two roles: (1) authenticating the signatory when they access the signature portal (MFA via enterprise SSO); (2) providing verified identity attributes (name, email, employee number) that feed the signing certificate and the audit trail. FranceConnect is the French public IdP that makes it possible to reach the 'substantial' assurance level for advanced signatures intended for State services. Certyneo integrates with SAML and OIDC IdPs via the administration console.
Ink signature (digitised handwritten signature)
An ink signature (or digitised handwritten signature) is the digitisation of the traditional handwritten signature in image form (JPG/PNG) affixed to a document. It constitutes the most basic level of simple electronic signature (SES) under eIDAS: without strong authentication or an audit trail, its evidentiary value is limited. It is however used for documents with low legal stakes (internal signatures, annotations).
Integrity (of data)
Integrity refers to the property ensuring that data has not been altered or falsified after its creation, transmission or storage. In digital signatures, integrity is guaranteed by the hash function: any modification to the document means the recalculated hash no longer matches the one encrypted in the signature, immediately invalidating the verification. This is why a PDF signed with Certyneo is 'sealed' — it can no longer be modified without the signature breaking.
eIDAS interoperability
eIDAS interoperability refers to the mutual recognition of digital identities and electronic signatures between EU Member States, as mandated by the eIDAS regulation (Articles 6 and 25). A qualified certificate issued by a trust service provider (TSP) listed on the trust list of a Member State is automatically recognised as valid in all other Member States — without any additional steps. This interoperability covers the AES and QES levels. eIDAS 2.0 (EU 2024/1183) extends this mechanism to the EUDI Wallet, planned for 2026.

J

Signature token
A signature token is the cryptographic object produced at the time of signing that groups together: the document's hash, the time-stamp, the signatory's identifier and the cryptographic signature itself (encrypted with the private key via the PKI). This token is embedded in the final PDF according to the PAdES format and allows any verifier — judge, expert, auditor — to reconstruct the proof of signature without depending on the platform. The token is self-sufficient: even if Certyneo were to disappear, the signature would remain verifiable with a standard PDF reader (Acrobat Reader, pdfsig).
Logging and retention of signature logs
Logging, in the context of electronic signatures, refers to the immutable recording of every event in a document's lifecycle: creation, sending, opening, OTP verified, signature affixed, download of the signed document, archiving. These logs constitute the technical layer of the audit trail and may be required in the event of a dispute. Legal requirements vary: the GDPR imposes a limit on the retention period of personal data, while contractual limitation periods (5 years in commercial law, 10 years for acts of civil life) define the minimum retention period for the logs. Best practice: logs should be cryptographically signed (integrity token) to prove they have not been altered. Certyneo retains the logs of each envelope for the applicable legal period and includes them in the downloadable digital safe.
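Added example, not Certyneo's implementation: a hash-chained audit trail in Go for one envelope that applies the two checks from the co-signature entry and this logging entry. RecordSignature refuses a second signature whose revision does not start with the bytes the previous signatory signed (the incremental-update rule), and Verify recomputes the chain and a keyed seal (an HMAC standing in for an HSM-backed signature of the logs). The events, signatories, key and revision bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Event is one audit-trail line. PrevHash links it to the previous line, so
// editing or deleting any earlier line breaks every hash that follows.
type Event struct {
	Seq      int
	Kind     string // created | otp_verified | signed | downloaded ...
	Actor    string
	DocHash  string // SHA-256 of the document revision as it stood at this step
	PrevHash string
	Hash     string
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// digest binds every field of the line, including the previous hash.
func (e Event) digest() string {
	return sha256Hex([]byte(fmt.Sprintf("%d\x1f%s\x1f%s\x1f%s\x1f%s", e.Seq, e.Kind, e.Actor, e.DocHash, e.PrevHash)))
}

// Trail is one envelope's append-only log; lastSigned holds the bytes of the last signed revision.
type Trail struct {
	Events     []Event
	lastSigned []byte
}

// head returns the hash of the last line, or "" for an empty trail.
func (t *Trail) head() string {
	if n := len(t.Events); n > 0 {
		return t.Events[n-1].Hash
	}
	return ""
}

// Record appends an event and hashes the document revision as it stood.
func (t *Trail) Record(kind, actor string, revision []byte) {
	e := Event{Seq: len(t.Events) + 1, Kind: kind, Actor: actor,
		DocHash: sha256Hex(revision), PrevHash: t.head()}
	e.Hash = e.digest()
	t.Events = append(t.Events, e)
}

// RecordSignature enforces inter-round integrity for sequential co-signing: a
// PAdES incremental update only appends bytes, so the revision signatory B
// presents must start with exactly the bytes signatory A signed.
func (t *Trail) RecordSignature(actor string, revision []byte) error {
	if t.lastSigned != nil && !bytes.HasPrefix(revision, t.lastSigned) {
		return fmt.Errorf("%s: revision does not extend the last signed revision (modified between rounds)", actor)
	}
	t.Record("signed", actor, revision)
	t.lastSigned = append([]byte(nil), revision...)
	return nil
}

// Seal is the "integrity token": an HMAC over the head hash under a key the platform
// holds (an HSM-backed signature in production). Every line feeds the head, so sealing it seals the trail.
func (t *Trail) Seal(key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(t.head()))
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify recomputes the whole chain, then checks the seal in constant time.
func (t *Trail) Verify(key []byte, seal string) error {
	prev := ""
	for _, e := range t.Events {
		if e.PrevHash != prev || e.digest() != e.Hash {
			return fmt.Errorf("event %d: audit trail altered", e.Seq)
		}
		prev = e.Hash
	}
	if !hmac.Equal([]byte(seal), []byte(t.Seal(key))) {
		return fmt.Errorf("seal does not match this trail")
	}
	return nil
}

func main() {
	t, key := &Trail{}, []byte("constructed-platform-key")
	draft := []byte("Sales mandate v1 (constructed)")
	t.Record("created", "agency", draft)
	revA := append(append([]byte{}, draft...), "\n%%sig:A"...)
	fmt.Println("A signs:", t.RecordSignature("alice", revA))
	// Edited after Alice signed: her bytes are no longer a prefix of this copy.
	fmt.Println("B signs edited copy:", t.RecordSignature("bob", []byte("Sales mandate v1 (constructed), fee 5%\n%%sig:A\n%%sig:B")))
	revB := append(append([]byte{}, revA...), "\n%%sig:B"...)
	fmt.Println("B signs clean copy:", t.RecordSignature("bob", revB))
	fmt.Println("trail verifies:", t.Verify(key, t.Seal(key)))
}
```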
JWT (JSON Web Token)
A JWT (JSON Web Token, RFC 7519) is a compact and secure format for representing claims between two parties. It consists of three Base64URL-encoded parts separated by dots: the header (algorithm), the payload (claims) and the signature. The Certyneo API uses signed JWTs (HS256 or RS256) for session management and API call authentication, ensuring that tokens have not been tampered with. Access JWTs have a short lifespan, complemented by long-lived refresh tokens.
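The three-segment structure and the checks a verifier must perform are clearer in code. This added example (not from the page or Certyneo's code base) mints and verifies an HS256 access token using only the Python standard library; the key, the claims and the `check_jwt` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class InvalidToken(Exception):
    """Raised when a JWT fails any verification step."""


def b64url_encode(data: bytes) -> str:
    # JWT segments use unpadded Base64URL (RFC 7515, section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise InvalidToken("bad base64url segment") from exc


def json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8"))


def mint_jwt(claims: dict, key: bytes, ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Create a short-lived HS256 access token: header.payload.signature."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "iat": now, "exp": now + ttl_seconds}
    signing_input = f"{json_segment(header)}.{json_segment(payload)}"
    tag = hmac.new(key, signing_input.encode("utf-8"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(tag)}"


def verify_jwt(token: str, key: bytes, now: Optional[int] = None, leeway: int = 0) -> dict:
    """Verify an HS256 token and return its claims; raise InvalidToken otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError as exc:
        raise InvalidToken("header is not valid JSON") from exc
    # The header is attacker-controlled until the signature is checked, so the
    # verifier pins the algorithm it expects instead of trusting "alg": a token
    # carrying "none" or a swapped algorithm is rejected before any crypto runs.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unsupported or missing alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("utf-8")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise InvalidToken("signature mismatch")
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise InvalidToken("payload is not valid JSON") from exc
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int):
        raise InvalidToken("exp claim missing")
    if now > exp + leeway:
        raise InvalidToken("token expired")
    return payload


def check_jwt(token: str, key: bytes, now: Optional[int] = None) -> str:
    """Return "ok" or the rejection reason (useful for access logs)."""
    try:
        verify_jwt(token, key, now=now)
        return "ok"
    except InvalidToken as exc:
        return str(exc)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # assumption: a real key is a long random secret
    token = mint_jwt({"sub": "signer-42", "envelope": "ENV-0001"}, demo_key)
    print(token)
    print(check_jwt(token, demo_key))  # ok
```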

K

KYC (Know Your Customer)
KYC (Know Your Customer) refers to the set of identity-verification procedures a company applies to its customers before entering into a business relationship. Historically imposed on banks by anti-money-laundering directives, KYC has extended to high-stakes electronic signature operations: account opening, credit, insurance and notarial deeds. Three pillars: identity-document verification (OCR plus fraud detection on the security features of an ID card or passport), liveness check (proof that the person is real and physically present, not a photo or deepfake), and information cross-checking against authoritative databases. Link with the signature level: the more sensitive the act, the stronger the KYC — a simple signature may need none, whereas the eIDAS regulation requires a face-to-face or equivalent remote identity proofing (video KYC) before issuing the certificate behind a qualified signature (QES). KYC vs AML: KYC is the onboarding step; ongoing transaction monitoring (AML) continues throughout the relationship. Why it matters: a robust KYC is what lets a remote signature carry the same legal weight as a signature witnessed in person, by tying the signing key to a verified human.

L

LCCJTI (Act Respecting the Legal Framework for Information Technology)
The LCCJTI is the Quebec law (R.S.Q., chapter C-1.1) establishing the legal framework for signatures and electronic documents in Quebec. It explicitly recognises electronic signatures as equivalent to handwritten signatures provided that the signatory's identity is established reliably and the link between the signature and the document is ensured (section 39). The LCCJTI is complementary to the eIDAS regulation (applicable in Europe) and PIPEDA (applicable to personal data outside Quebec). It is the legal foundation for Certyneo signatures for Quebec contracts. Law 25 (2022) modernises the accompanying personal information protection regime.
LCEN (French Digital Economy Trust Act)
The LCEN (Loi pour la Confiance dans l'Économie Numérique of 21 June 2004, No. 2004-575) is the founding text of French digital law. It governs e-commerce, hosting provider liability, digital advertising, and requires professional website publishers to publish legal notices. Complementary to the European eIDAS regulation, it also transposed the first electronic signatures directive into French law. The LCEN continues to apply alongside eIDAS, notably on pre-contractual information obligations and the storage of electronic contracts.
LegalTech
The term LegalTech (Legal Technology) refers to start-ups and software solutions that apply technology to the legal domain to automate, accelerate or make accessible services previously reserved for legal professionals. Electronic signatures, contract dematerialisation, AI-driven due diligence and document management are part of it. Certyneo is part of the European LegalTech ecosystem by offering an eIDAS-compliant signature that is easy to integrate.
LTV (Long-Term Validation)
Long-Term Validation (LTV) is a feature of PDF signatures (PAdES B-LT/B-LTA) that embeds within the signed document all the data necessary for future verification of the signature: certificate chain, time-stamps, OCSP responses or CRLs. Thanks to LTV, a signed document remains verifiable years after signing, even if the certificates have expired. Certyneo integrates LTV to guarantee evidentiary value for 10 years.

M

Electronic SEPA mandate (direct debit mandate)
The electronic SEPA mandate (e-mandate) lets a creditor collect a debtor's authorisation for direct debit entirely online, in accordance with EU Regulation No 260/2012 and the EPC (European Payments Council) guidelines. The debtor enters their IBAN and BIC, then signs the mandate with a simple electronic signature (SES); the debtor's bank can authenticate it via Open Banking (DSP2/PSD2). The signed mandate must be kept for 14 months after the last debit. A valid e-mandate contains: the SEPA creditor identifier (ICS), the unique mandate reference (RUM), and the signature date. SaaS platforms, software publishers and training organisations frequently use Certyneo to collect SEPA mandates during online subscription, integrating signature into the checkout flow via the REST API.
Handwritten signature
A handwritten signature is the graphic trace affixed by hand by a person at the bottom of a paper document, recognisable by their personal style. It remains the historical reference in French civil law. The eIDAS regulation establishes the principle of non-discrimination: an electronic signature, whatever its level, cannot be refused as evidence solely because it is electronic. A qualified signature (QES) has the same evidentiary value as a handwritten signature across the entire EU. Advanced signatures (AES) often provide superior traceability (timestamped audit trail) compared to their paper equivalent.
MFA (Multi-Factor Authentication)
Multi-Factor Authentication (MFA) is a security mechanism requiring the presentation of at least two pieces of identity evidence belonging to different categories: something you know (password), something you have (OTP SMS, YubiKey), or something you are (biometrics). MFA is synonymous with strong authentication and is required to achieve the AES eIDAS level. On Certyneo, administrator access is protected by mandatory MFA.

N

Signature level (simple, advanced, qualified)
The eIDAS regulation distinguishes three levels of electronic signature: the simple signature (SES), which requires a minimum of identification; the advanced signature (AES), which requires a unique link with the signatory and strong authentication; and the qualified signature (QES), which relies on a qualified certificate and a secure creation device. The QES has the same legal value as a handwritten signature throughout the EU. Understand signature levels →
Non-repudiation
Non-repudiation is the property of an electronic signature that makes it impossible for the signatory to deny having performed the action (signing, sending, accepting). It is ensured by the combination of the cryptographic signature (irrefutable technical link), the timestamped audit trail and strong authentication. A qualified signature (QES) offers the strongest non-repudiation recognised by European law.
ISO/IEC 27001 standard and ISMS certification
ISO/IEC 27001 is the international reference standard for Information Security Management Systems (ISMS). It defines the requirements for establishing, implementing, maintaining and continually improving an ISMS, through 93 controls spread across 4 domains (organisational, people, physical, technological). For an electronic signature provider, ISO 27001 certification demonstrates a level of security maturity aligned with eIDAS and GDPR obligations. It is often required in public tenders and in the supplier security questionnaires of large companies. ISO 27017 (cloud security) and ISO 27018 (protection of personal data in the cloud) complement ISO 27001 for SaaS services. Certyneo is hosted in ISO 27001-certified datacentres and maintains a documented ISMS covering the entire signature processing chain.

O

OCSP (Online Certificate Status Protocol)
OCSP (Online Certificate Status Protocol, RFC 6960) is a protocol for real-time verification of the revocation status of a digital certificate, by querying an OCSP responder operated by the certification authority. Why revocation matters: a certificate can be valid by date yet revoked early (key compromise, employee departure), so a signature or TLS connection must check status, not just expiry. OCSP vs CRL: OCSP is a lighter, more responsive alternative to a CRL — instead of downloading a full revocation list, the client asks about one certificate and gets a small signed answer (good / revoked / unknown). OCSP Stapling: to avoid a privacy leak and an extra round-trip, the server fetches its own OCSP response and "staples" it into the TLS handshake, so the browser never contacts the CA directly. In signed documents: OCSP responses are embedded inside the PDF at signing time for long-term validation (LTV), so the signature can still be verified years later even if the responder is offline.
Electronic onboarding (digital subscription)
Electronic onboarding is the fully dematerialised subscription or account-opening process, combining KYC, identity verification and electronic signature of the contractual documents (terms of use, SEPA mandate, account agreement) in a single web or mobile session. The banking, insurance and fintech sectors are the most advanced: the PSD2 directive requires strong customer authentication (SCA) when opening an account. Onboarding compliant with the eIDAS regulation requires remote identity verification at the "substantial" or "high" assurance level for binding acts. Solutions combine: OCR of the identity document, liveness check (video or selfie), AES or QES signature, and automatic archiving of the complete KYC file in the digital vault.
OTP (One-Time Password)
An OTP (one-time password) is a randomly generated temporary code valid for a single session or transaction. In the context of an advanced electronic signature, sending an OTP by email and/or SMS creates a verifiable link between the document and the signatory's identity via their email address or phone number. Certyneo uses Twilio Verify for SMS OTP management on its advanced-level envelopes. Learn more about OTP →

P

PAdES (PDF Advanced Electronic Signature)
PAdES (PDF Advanced Electronic Signature, ETSI EN 319 142 standard) is the European standard for digital signatures embedded in PDF files. It comes in four profiles of increasing maturity: B-B (basic signature), B-T (with time-stamping), B-LT (long-term validation) and B-LTA (archiving with recertified time-stamping). Certyneo produces PAdES B-LT PDFs, guaranteeing offline verifiability in Adobe Acrobat Reader and lasting evidentiary value. See also XAdES / PAdES / CAdES →
Electronic signature book (parapheur électronique)
The electronic signature book (parapheur électronique) is the digital equivalent of the physical signature folder used in public administrations and large companies: it centralises documents awaiting approval or signature by a decision-maker. Historically confined to the public sector (ADULLACT, Pastell by Libriciel), the electronic parapheur has spread to businesses through solutions integrated with document management systems (Documentum, SharePoint, Alfresco). An electronic parapheur manages: the incoming mail list, signature delegations (see delegation), multi-level validation circuits (approval workflow), and the affixing of the authorised signatory's qualified electronic signature. The main difference from a simple signing tool is the management of trays (documents pending, signed, rejected, archived) and the passage audit for each document. Certyneo offers an integrated parapheur accessible via the dashboard or the API.
PDF/A (long-term archiving)
PDF/A is a normalised ISO version of the PDF format (ISO 19005) specially designed for long-term archiving. It integrates all fonts, images and resources within the file, prohibits encryption and content dependent on an external environment. This guarantees that the document will remain readable in 30 years without software dependency. For electronic archiving with evidentiary value, combining PDF/A with PAdES B-LTA is the recommended practice.
PIPEDA (Personal Information Protection and Electronic Documents Act)
PIPEDA (Personal Information Protection and Electronic Documents Act) is the Canadian federal law governing the protection of personal information in the private sector (S.C. 2000, c. 5). It frames the collection, use and disclosure of personal information in interprovincial and international commercial activities. It is the Canadian equivalent of the European GDPR, though less strict on some points (implied consent is sometimes admitted, financial sanctions are lower).

The 10 PIPEDA principles (derived from the Canadian Standards Association CAN/CSA-Q830):
1. Accountability — designate a privacy officer.
2. Identifying purposes — clearly announce the purpose of collection.
3. Consent — obtain informed consent.
4. Limiting collection — collect only what is strictly necessary.
5. Limiting use, disclosure and retention — use data only for the announced purposes.
6. Accuracy — keep data up to date.
7. Safeguards — implement appropriate technical and organisational protection.
8. Openness — make the privacy policy public.
9. Individual access — right of access and rectification.
10. Challenging compliance — right to lodge a complaint with the Office of the Privacy Commissioner of Canada.

PIPEDA and electronic signatures: electronic signatures involve processing personal data (name, email, phone number, IP, session metadata, audit trail). PIPEDA requires:
• informed consent from the signer prior to collection;
• secure retention (at-rest encryption, restricted access);
• retention duration proportionate to the purpose (10 years for commercial contracts is generally accepted);
• right of access, rectification and erasure on the signer's request;
• mandatory notification of any breach presenting a real risk of significant harm (since 2018).

Quebec Law 25: the province of Quebec has its own law (Law 25 / Act to modernise legislative provisions on the protection of personal information, in force 2022–2024) which prevails over PIPEDA for intra-Quebec activities. Law 25 is stricter than PIPEDA — aligned with the European GDPR on most points: explicit consent required, designation of a privacy officer, privacy impact assessments (PIA), and sanctions up to 4% of worldwide turnover.

PIPEDA vs GDPR: the European Commission recognises PIPEDA as providing an "adequate" level of protection under Article 45 GDPR (Decision 2002/2/EC, confirmed in 2024). Personal data transfers from the EU to Canada are therefore authorised without additional formalities. For Canadian organisations operating in the EU, the GDPR remains applicable to EU residents' data (extraterritoriality, Article 3).

Certyneo implementation: PIPEDA + Law 25 + GDPR compliance is ensured through our data-protection architecture — sovereign EU hosting (IONOS Germany), TLS 1.3 in transit + AES-256 at rest, access logging, full right-to-erasure within 30 days, compliant subprocessors. Transfers to Canada (rare — only accounts hosted in Canada on request) are framed by GDPR-PIPEDA standard contractual clauses.
Audit trail
The audit trail is the timestamped log of all actions performed on a document: sending, opening, viewing, OTP entry, signing, refusal, expiry. It constitutes the main evidentiary proof in case of dispute, demonstrating that the signing process was carried out in accordance with the rules. On Certyneo, the audit trail is embedded in the final PDF and stored in our database for 10 years. Understand the audit trail in detail →
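As an added example (not Certyneo's implementation) tying together the integrity token from the "Logging" entry and the audit trail described here, the following Python models an envelope's event log as a hash chain sealed with an HMAC, so that any edit, deletion or truncation is detected at verification time. The envelope id, event names, addresses and the seal key are constructed values.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple

GENESIS = "0" * 64  # "previous digest" recorded by the first entry


def canonical(entry: dict) -> bytes:
    """Deterministic JSON of an entry, excluding its own digest field."""
    body = {k: v for k, v in entry.items() if k != "digest"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_digest(entry: dict) -> str:
    return hashlib.sha256(canonical(entry)).hexdigest()


def seal_message(envelope_id: str, count: int, head: str) -> bytes:
    return f"{envelope_id}:{count}:{head}".encode("utf-8")


class AuditTrail:
    """Append-only, hash-chained event log for one envelope.

    Each entry commits to the previous entry's digest, so editing, deleting or
    reordering any event invalidates every later digest. seal() returns the
    integrity token: an HMAC over the chain head under a key only the platform
    holds, so an attacker who rewrites the stored log cannot simply recompute
    the chain to cover their tracks.
    """

    def __init__(self, envelope_id: str, seal_key: bytes,
                 clock: Optional[Callable[[], datetime]] = None):
        self.envelope_id = envelope_id
        self._seal_key = seal_key
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.entries: List[dict] = []

    def record(self, event: str, actor: str, **details) -> dict:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        entry = {
            "envelope": self.envelope_id,
            "seq": len(self.entries) + 1,
            "ts": self._clock().strftime("%Y-%m-%dT%H:%M:%SZ"),
            "event": event,
            "actor": actor,
            "details": details,
            "prev": prev,
        }
        entry["digest"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def seal(self) -> str:
        head = self.entries[-1]["digest"] if self.entries else GENESIS
        msg = seal_message(self.envelope_id, len(self.entries), head)
        return hmac.new(self._seal_key, msg, hashlib.sha256).hexdigest()


def verify_trail(envelope_id: str, entries: List[dict], seal: str,
                 seal_key: bytes) -> Tuple[bool, str]:
    """Re-walk the chain and check the seal. Returns (ok, reason)."""
    prev = GENESIS
    for position, entry in enumerate(entries, start=1):
        if entry.get("seq") != position or entry.get("envelope") != envelope_id:
            return False, f"sequence or envelope mismatch at position {position}"
        if entry.get("prev") != prev:
            return False, f"chain break at seq {position}"
        if entry_digest(entry) != entry.get("digest"):
            return False, f"entry {position} modified"
        prev = entry["digest"]
    expected = hmac.new(seal_key, seal_message(envelope_id, len(entries), prev),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, seal):
        return False, "seal mismatch"
    return True, "ok"


def sample_trail(seal_key: bytes) -> AuditTrail:
    """Constructed lifecycle of one envelope (fixed clock for reproducibility)."""
    fixed = lambda: datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    trail = AuditTrail("ENV-0001", seal_key, clock=fixed)
    trail.record("created", "ops@example.test")
    trail.record("sent", "system", to="signer@example.test")
    trail.record("opened", "signer@example.test", ip="203.0.113.7")
    trail.record("otp_verified", "signer@example.test", channel="sms")
    trail.record("signed", "signer@example.test", pdf_sha256="ab" * 32)
    trail.record("downloaded", "ops@example.test")
    return trail


if __name__ == "__main__":
    key = b"constructed-seal-key"
    trail = sample_trail(key)
    token = trail.seal()
    print(verify_trail("ENV-0001", trail.entries, token, key))  # (True, 'ok')
```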
PKI (Public Key Infrastructure)
A PKI (Public Key Infrastructure) is the set of hardware components, software, procedures and policies enabling the issuance, management and revocation of electronic certificates. It relies on asymmetric cryptography: a private key (secret) is used to sign, a public key (distributed in the certificate) allows anyone to verify the signature. Qualified providers operate PKIs compliant with ETSI standards.
Data portability (GDPR Art. 20)
Article 20 of the GDPR gives data subjects the right to obtain their personal data in a structured, commonly used and machine-readable format, and to transmit it to another controller. For users of an electronic signature platform, this right covers: signed documents and their audit trails, account metadata, and activity logs. Portability requires the provider to supply a standardised export (JSON, CSV, ZIP) within one month. Conversely, the right to erasure (Art. 17) may be limited by legal retention obligations (evidentiary archiving for 5 to 10 years): signed documents cannot be erased until the legal period has elapsed. Certyneo implements full account export via the customer area and supports migrating archives to a third-party vault.
Trust Service Provider (TSP)
A Trust Service Provider (TSP) is an entity that provides time-stamping, certificate issuance, signature or archiving services within the meaning of the eIDAS regulation. A qualified TSP is subject to regular audits and is listed on the national trust list (in France: ANSSI list). Qualification guarantees the highest level of assurance recognised in the EU. See provider obligations →

Q

QES (Qualified Electronic Signature)
The Qualified Electronic Signature (QES) is the highest level defined by the eIDAS regulation. It is legally equivalent to a handwritten signature throughout the European Union. Its issuance requires: prior identity verification, a qualified certificate issued by a QTSP, and the use of a qualified signature creation device (QSCD). It is required for electronic notarial deeds, certain public contracts and sensitive administrative procedures.
QSCD (Qualified Signature Creation Device)
A QSCD (Qualified Signature Creation Device) is a hardware or software device meeting the strict requirements of Annex II of eIDAS for creating qualified signatures (QES). It guarantees that the signing private key is generated within the device, never leaves it in plain text, and can only be used by its legitimate holder. Certified HSMs and smart cards are common forms of QSCD. Cloud signatures use virtual QSCDs hosted in certified HSMs.
QTSP (Qualified Trust Service Provider)
A QTSP (Qualified Trust Service Provider) is a TSP that has been audited and listed on the trust list of an EU Member State under the eIDAS regulation. Qualification is the highest level of European recognition: it is mandatory for issuing qualified certificates, qualified time-stamps, or qualified signatures (QES). In France, ANSSI maintains the official list (Docaposte, Universign/Oodrive, CertEurope…). Certyneo interfaces with several QTSPs to trigger QES when the qualified level is required (public procurement, notarial deeds, certain social procedures).

R

Automatic reminder
An automatic reminder is the feature of an electronic signature platform that automatically sends reminder emails or SMS to signatories who have not yet signed, according to a configurable frequency. It reduces signature abandonment and accelerates the completion of workflows. On Certyneo, reminders are configurable per envelope (frequency, message content) and all actions are tracked in the audit trail.
GDPR (General Data Protection Regulation)
The GDPR (General Data Protection Regulation, EU Regulation 2016/679) governs the collection, processing and storage of personal data in the EU. In the context of electronic signatures, it requires in particular minimising the data collected on signatories, defining a retention period and ensuring the right to erasure. Certyneo is GDPR compliant with EU hosting (Germany) and an available processing register. See our security page →
ROI of electronic signature
The ROI (return on investment) of electronic signatures is measured across four areas: (1) reduction of the signing cycle — from 5-10 days (post / scan) to under 1 hour on average, (2) direct savings — printing, postage, physical archiving (estimated at €15 to €30 per envelope), (3) reduction in abandonment rate — contracts awaiting paper signature have a 3× higher abandonment rate, (4) compliance — GDPR fines for poor retention of paper contracts can exceed the annual cost of a SaaS tool. The move to paperless generally pays back within 3 to 6 months for SMEs processing more than 50 contracts per month.

S

SES (Simple Electronic Signature)
The Simple Electronic Signature (SES) is the basic level defined by the eIDAS regulation. It imposes no specific technical requirement: an 'I accept' click, a signature image or an email signature satisfies it. Its evidentiary value is presumed but can be challenged if the signatory denies their act. It is suitable for documents with low legal risk (quotes, internal minutes, agreements in principle). For important stakes, prefer the AES or QES level.
Signatory
The signatory is the natural person (or legal entity via an electronic seal) who affixes their electronic signature to a document. On Certyneo, the signatory receives a unique link by email, views the document, authenticates via OTP and signs without needing to create an account. Their identity is recorded in the audit trail.
Advanced signature (AES / eIDAS level 2)
The Advanced Electronic Signature (AES) is the second level of electronic signature defined by the eIDAS regulation. It must be uniquely linked to the signatory, enable their identification, be created with data under their sole control, and make any subsequent modification to the document detectable. Certyneo implements it via strong authentication (email + OTP email/SMS) and a timestamped audit trail. It is suitable for the vast majority of contractual use cases: employment contracts, leases, NDAs, quotes, invoices. See also: AES, SES, QES. Understand eIDAS levels →
Biometric signature
A biometric signature is a form of electronic signature that captures, in addition to the handwritten trace image, dynamic behavioural data: stylus pressure, speed, angle of inclination, acceleration. These parameters create a unique fingerprint that is difficult to imitate. It offers more robust authentication than a simple signature image. Biometric data is considered sensitive under the GDPR and requires explicit consent. Biometrics alone is not sufficient to reach the AES eIDAS level; it must be combined with strong authentication.
Cloud signature
A cloud signature is an electronic signature in which the signatory's private key is generated, stored and managed by a trusted provider in the cloud, rather than on a local device (USB key, smart card). This approach simplifies the user experience and enables qualified signatures (QES) from a simple browser. The keys are protected in a certified HSM operated by a QTSP.
Electronic signature
An electronic signature is a mechanism for affixing to a digital document proof of identity and consent equivalent to a handwritten signature. Within the meaning of the eIDAS regulation, it encompasses three trust levels: simple (SES), advanced (AES) and qualified (QES). Unlike a digital signature, the electronic signature is a legal concept that can rely on different technologies. Discover our complete guide →
Mobile signature
Mobile signature refers to the ability to sign a document electronically from a smartphone or tablet, without a native application — via the web browser. The signatory receives a link by email or SMS, views the document in their mobile browser, initials and signs by a touch gesture or by typing their full name (depending on the required level), then validates via OTP SMS. On Certyneo, the signing interface is 100% responsive: identity verified, audit trail generated and co-signed PDF sent to the recipient in under 60 seconds on mobile 4G. No installation required for the signatory.
Digital signature
A digital signature is a technical implementation of the electronic signature based on asymmetric cryptography. It consists of encrypting the hash of a document with the signatory's private key, producing a verifiable fingerprint by anyone with the corresponding public key (contained in the certificate). It guarantees both the signatory's identity and the document's integrity.
Smart contracts and contract automation
A smart contract is a self-executing program deployed on a blockchain, whose terms are written directly in code and execute automatically once predefined conditions are met. Although popular in the Ethereum ecosystem (Solidity), smart contracts are not electronic contracts within the meaning of French civil law: their execution is automatic, but their legal enforceability remains conditional on proof of a valid meeting of minds. In B2B practice, the most robust combination is: a qualified electronic signature of the framework contract (certain legal proof) plus a smart contract for automatic execution of the financial clauses (payments, penalties). Blockchain notarisation of the signed contract's hash provides a complementary third layer of proof.
Final settlement statement (solde de tout compte)
The solde de tout compte (final settlement statement) inventories the sums paid to an employee upon termination of their employment contract (salary, indemnities, paid leave, etc.). Governed by Article L1234-20 of the French Labour Code, it is drawn up in duplicate and its receipt may be signed by the employee. Once signed, the employee has six months to contest it. Electronic signature secures its delivery and timestamps its date. End-of-contract documents →
Cipher suite
A cipher suite is a named combination of cryptographic algorithms (key exchange, authentication, symmetric encryption, MAC/HMAC) negotiated between the client and server during the TLS handshake. TLS 1.3 mandates modern suites such as TLS_AES_256_GCM_SHA384, eliminating weak algorithms (RC4, 3DES, MD5). Certyneo only accepts TLS 1.3 suites to maximise the security of signing sessions.

T

Trusted third party
A trusted third party is a neutral and independent actor whose mission is to secure an exchange between two parties: in electronic signatures, it attests to the identity of signatories, seals the document, time-stamps actions and preserves evidence. Historically, notaries played this role for paper deeds. In digital, the trusted third party is formalised by the eIDAS regulation in the form of trust service providers (TSP) and their qualified version (QTSP). Certyneo acts as a trusted third party by issuing advanced signatures (AES) and can delegate to a partner QTSP to issue qualified signatures (QES).
TLS (Transport Layer Security)
TLS (Transport Layer Security) is the cryptographic protocol that secures communications over the Internet, succeeding SSL. It ensures confidentiality (encryption), integrity and server authentication (via its certificate). TLS 1.3, the current version, mandates modern cipher suites and a handshake in a single round-trip. The padlock in the browser signals that a TLS connection is active. Certyneo enforces TLS 1.3 minimum on all its endpoints.
Trusted List (EU trust list)
The Trusted List is the official list published by each EU Member State and supervised by the European Commission, listing qualified trust service providers (QTSPs) and their services (qualified certificates, time-stamps, etc.). In France, the list is maintained by ANSSI. It is the proof of legitimacy of a QTSP under the eIDAS regulation. Only listed services benefit from the legal presumption of eIDAS compliance.
TSA (Timestamp Authority)
A TSA (Timestamp Authority) is an accredited trusted third party that issues time-stamp tokens compliant with RFC 3161 (Internet X.509 PKI Time-Stamp Protocol). The process: the client computes the document's hash (fingerprint) and sends it to the TSA over HTTPS; the TSA cryptographically signs a token containing this hash plus the certified UTC time of receipt. This token proves that the document existed in exactly this state at this precise time, without the TSA ever having had access to the document itself. A qualified TSA (QTSA) listed on the EU trust list produces an eIDAS qualified time-stamp, the most probative form. In PAdES-LT and PAdES-LTA, the TSA tokens are embedded in the PDF, ensuring offline verifiability 20 years later even if the original TSA has disappeared.
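To make the trust relationship concrete, here is an added example (not Certyneo's code) that models the RFC 3161 exchange described above and the hash-then-sign mechanism from the "Digital signature" entry: the client hashes locally and sends only the imprint, the TSA signs imprint plus time with its private key, and any holder of the TSA public key verifies offline. It substitutes textbook RSA (unpadded, toy key generation) for the CMS/RSA-PSS signature a real TSA produces and JSON for the DER-encoded token; all names and the sample document are assumptions.

```python
import hashlib
import json
import math
import secrets
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Callable, Optional, Tuple

# Textbook RSA (no padding, toy key generation) stands in for the RSA-PSS/CMS
# signature of a real TSA: it shows who signs and who verifies, nothing to deploy.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test with a quick trial-division filter."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:  # force the top bit (exact size) and the low bit (odd)
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = 512) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((n, e), (n, d)); a 512-bit n keeps every SHA-256 digest below n."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key: Tuple[int, int], data: bytes) -> int:
    """Digital signature: hash the data, then apply the private exponent."""
    n, d = private_key
    return pow(digest_int(data), d, n)

def verify(public_key: Tuple[int, int], data: bytes, signature: int) -> bool:
    """Anyone holding the public key recomputes the hash and compares."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)

@dataclass(frozen=True)
class TimeStampToken:  # RFC 3161 token, simplified to JSON instead of ASN.1/DER
    hash_alg: str
    message_imprint: str  # hex digest supplied by the client
    gen_time: str         # certified UTC time of receipt
    serial: int
    signature: int = 0    # TSA signature over tbs()

    def tbs(self) -> bytes:
        fields = {k: v for k, v in asdict(self).items() if k != "signature"}
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")

class TimeStampAuthority:
    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self.public_key, self._private_key = generate_keypair()
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._serial = 0

    def issue(self, hash_alg: str, message_imprint: str) -> TimeStampToken:
        """The TSA only ever receives the digest, never the document itself."""
        if hash_alg != "sha256" or len(message_imprint) != 64:
            raise ValueError("unsupported hash algorithm or malformed imprint")
        self._serial += 1
        gen_time = self._clock().strftime("%Y-%m-%dT%H:%M:%SZ")
        unsigned = TimeStampToken(hash_alg, message_imprint, gen_time, self._serial)
        return replace(unsigned, signature=sign(self._private_key, unsigned.tbs()))

def request_timestamp(tsa: TimeStampAuthority, document: bytes) -> TimeStampToken:
    """Client side: hash locally and transmit only the message imprint."""
    return tsa.issue("sha256", hashlib.sha256(document).hexdigest())

def verify_timestamp(tsa_public_key: Tuple[int, int], document: bytes,
                     token: TimeStampToken) -> bool:
    """Offline check: the imprint matches the document and the TSA signature holds."""
    if hashlib.sha256(document).hexdigest() != token.message_imprint:
        return False
    return verify(tsa_public_key, token.tbs(), token.signature)
```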

U

UETA (Uniform Electronic Transactions Act)
UETA (Uniform Electronic Transactions Act, 1999) is the US model law that recognises the evidentiary value of electronic signatures in 47 of the 50 States. Complemented by the ESIGN Act (2000) at the federal level, it establishes that contracts and signatures 'cannot be declared invalid solely because they are in electronic form'. It is the US functional equivalent of the European eIDAS regulation, with a more liberal approach: UETA does not define levels (SES/AES/QES) and provides no qualified equivalent. For transatlantic contracts, an eIDAS advanced signature (AES) is generally recognised as UETA/ESIGN compliant, whereas the reverse is not automatic.

V

Evidentiary value
Evidentiary value is the ability of an electronic document to be accepted as evidence before a court. It relies on the reliability of the signing process, the traceability provided by the audit trail, the integrity guaranteed by hashing, and the preservation ensured by electronic archiving. The eIDAS regulation establishes a legal presumption of evidentiary value for advanced and qualified signatures.
Antivirus scanning of uploaded documents
Before a document enters a signature workflow, any responsible platform must submit it to an antivirus (AV) scan. Threats targeting PDFs include: embedded macros, malicious JavaScript (AcroForms), PDF parser exploits (CVE-2019-12657, etc.). Cloud scanning solutions (open-source ClamAV, OPSWAT MetaDefender, VirusTotal API) analyse the file in a few milliseconds. ISO 27001 and SOC 2 Type II compliance requirements mandate AV scanning of every incoming document. An infected document in a signature workflow is particularly dangerous because it is sent to every signatory, amplifying the attack vector. AV scanning must happen before the file is stored in the database, not after. Certyneo scans every uploaded document with ClamAV (in-process daemon) and blocks suspicious files with an explicit error message, never propagating them into the workflow.
Identity verification (identity proofing)
Identity verification (identity proofing) is the process of checking a person's real identity before issuing them credentials or authorising them to sign. It ranges from the simple collection of an email address (simple level) to biometric video ID verification (video KYC, qualified level). It is mandatory for issuing a qualified certificate and triggering a qualified signature (QES).
Electronic visa (initials)
An electronic visa (or electronic initials) is an intermediate validation action affixed to a document by an approver before the final signature. It indicates that a reader has taken note of the document and approves it without signing it in a legally binding manner. On Certyneo, multi-actor workflows allow visa steps (internal validation) and signature steps (external legal commitment) to be combined, guaranteeing complete traceability of the approval circuit.

W

Webhook
A webhook is an API mechanism that allows Certyneo to automatically send an HTTP notification to the client's application when an event occurs (document signed, refused, expired, audit trail generated). Unlike polling, the webhook is push-based: the client does not need to query the API regularly. It allows Certyneo to be integrated into third-party systems (CRM, ERP, HRIS) to trigger business actions in real time upon completion of a signature workflow.
Signature workflow
A signature workflow is the organised process defining the order, conditions and actors involved in signing a document. It can be sequential (each signatory signs after the previous one), parallel (all sign at the same time) or mixed. On Certyneo, the workflow includes the management of automatic reminders, expiry deadlines and multi-document envelopes.

X

XAdES (XML Advanced Electronic Signature)
XAdES (XML Advanced Electronic Signatures, ETSI standard EN 319 132) is the European standard for digital signatures applied to XML documents. Referenced under eIDAS (Implementing Decision (EU) 2015/1506 lists its baseline profiles among the signature formats public bodies must accept), XAdES is the reference format for signing structured XML files: electronic invoices (the UBL/CII XML exchanged over PEPPOL, the CII payload of a Factur-X), EDI slips, administrative declarations, market data, SEPA payment messages (ISO 20022 XML).

Four XAdES baseline profiles of increasing maturity, aligned with the PAdES and CAdES profiles:
XAdES B-B: basic XML signature with the minimal ETSI signed attributes (signing time, reference to the signing certificate). Use case: one-off signing of an XML payload where proving the time of signature is not required.
XAdES B-T: adds a signature time-stamp (RFC 3161, from a qualified TSA where required). The standard choice for electronic invoices and EDI flows where the date of issue must be provable.
XAdES B-LT: long-term validation, with the certificate chain and revocation data (CRL/OCSP) embedded. Remains verifiable after the original certificate expires, without an online lookup.
XAdES B-LTA: periodic archive time-stamps that renew the proof before the algorithms or certificates involved weaken, maintaining evidential value over 10+ years. Indispensable for tax archives and regulated registers.

XAdES vs PAdES: choose XAdES to sign a native XML document (PEPPOL UBL/CII invoice, EDI exchange); choose PAdES to sign a PDF (contracts, quotes, HR documents, the PDF/A-3 container of a Factur-X invoice). Legal value comes from the signature level (simple, advanced, qualified), not from the container: at the same level the two formats are legally equivalent, and the difference is technical, the format matched to the document type.

XAdES variants: enveloping XAdES (the signed XML document is carried inside a ds:Object of the signature), enveloped XAdES (the ds:Signature element is inserted into the signed document, with an enveloped-signature transform so that the digest excludes the signature itself), detached XAdES (the signature is stored in a separate file and references the data by URI). Certyneo supports all three variants through the REST API. See the PAdES / XAdES / CAdES comparison.
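A check a practitioner wants when a counterparty hands over "a XAdES signature" is which baseline profile and which packaging variant it actually is. The classifier below is an added example and not Certyneo's code: it inspects structure only (it does not verify digests, the signature value or the certificate chain) and reports the highest profile whose material is consistently stacked, the variant from where each data Reference points, and structural mistakes such as an enveloped signature without the enveloped-signature transform. The element names come from ETSI EN 319 132-1 and XMLDSig; the two sample signatures are constructed skeletons with placeholder digests.

```python
"""Classify a XAdES signature by baseline profile and packaging variant.
Added example, not Certyneo code: structure only, no cryptographic verification."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XADES = "http://uri.etsi.org/01903/v1.3.2#"
XADES141 = "http://uri.etsi.org/01903/v1.4.1#"
SIGNED_PROPERTIES_TYPE = "http://uri.etsi.org/01903#SignedProperties"
ENVELOPED_TRANSFORM = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"


def _has(sig, ns, tag):
    return sig.find(f".//{{{ns}}}{tag}") is not None


def baseline_profile(sig):
    """Highest consistently stacked baseline level (B-B < B-T < B-LT < B-LTA), plus issues."""
    issues = []
    if not (_has(sig, XADES, "SigningCertificateV2") or _has(sig, XADES, "SigningCertificate")):
        issues.append("no SigningCertificate(V2): signing certificate not bound into the signed properties")
    has_t = _has(sig, XADES, "SignatureTimeStamp")
    has_lt = (_has(sig, XADES, "CertificateValues") and _has(sig, XADES, "RevocationValues")) \
        or _has(sig, XADES141, "TimeStampValidationData")
    has_lta = _has(sig, XADES141, "ArchiveTimeStamp")
    if has_lt and not has_t:
        issues.append("validation data without SignatureTimeStamp: not a valid B-LT")
    if has_lta and not (has_t and has_lt):
        issues.append("ArchiveTimeStamp without T/LT material: not a valid B-LTA")
    level = "B-B"
    if has_t:
        level = "B-T"
        if has_lt:
            level = "B-LT"
            if has_lta:
                level = "B-LTA"
    return level, issues


def packaging_variant(sig):
    """Enveloped / enveloping / detached, decided by where each data Reference points."""
    issues, kinds = [], set()
    ids_in_objects = {el.get("Id") for obj in sig.iter(f"{{{DS}}}Object")
                      for el in obj.iter() if el.get("Id")}
    for ref in sig.iter(f"{{{DS}}}Reference"):
        if ref.get("Type") == SIGNED_PROPERTIES_TYPE:
            continue  # the reference to SignedProperties says nothing about packaging
        uri = ref.get("URI")
        transforms = {t.get("Algorithm") for t in ref.iter(f"{{{DS}}}Transform")}
        if uri == "":
            kinds.add("enveloped")
            if ENVELOPED_TRANSFORM not in transforms:
                issues.append('URI="" without enveloped-signature transform: digest would cover the signature itself')
        elif uri and uri.startswith("#"):
            kinds.add("enveloping" if uri[1:] in ids_in_objects else "enveloped")
        else:
            kinds.add("detached")
    variant = kinds.pop() if len(kinds) == 1 else ("mixed" if kinds else "none")
    return variant, issues


def classify(xml_bytes: bytes) -> dict:
    root = ET.fromstring(xml_bytes)
    sig = root if root.tag == f"{{{DS}}}Signature" else root.find(f".//{{{DS}}}Signature")
    if sig is None:
        return {"profile": None, "variant": None, "issues": ["no ds:Signature element"]}
    profile, p_issues = baseline_profile(sig)
    variant, v_issues = packaging_variant(sig)
    return {"profile": profile, "variant": variant, "issues": p_issues + v_issues}


# Constructed skeletons (placeholder digests, no real certificates).
_NS = ('xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" '
       'xmlns:xades141="http://uri.etsi.org/01903/v1.4.1#"')
ENVELOPED_TRANSFORM_XML = ('<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#'
                           'enveloped-signature"/></ds:Transforms>')
SP_REF = ('<ds:Reference URI="#sp1" Type="http://uri.etsi.org/01903#SignedProperties">'
          '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
          '<ds:DigestValue>AAA=</ds:DigestValue></ds:Reference>')


def _qualifying(unsigned: str) -> str:
    """QualifyingProperties with a B-B signed part and the given unsigned properties."""
    return ('<ds:Object><xades:QualifyingProperties Target="#sig1"><xades:SignedProperties Id="sp1">'
            '<xades:SignedSignatureProperties><xades:SigningTime>2024-05-01T09:00:00Z</xades:SigningTime>'
            '<xades:SigningCertificateV2/></xades:SignedSignatureProperties></xades:SignedProperties>'
            f'<xades:UnsignedProperties><xades:UnsignedSignatureProperties>{unsigned}'
            '</xades:UnsignedSignatureProperties></xades:UnsignedProperties>'
            '</xades:QualifyingProperties></ds:Object>')


# Sample 1: enveloped B-T signature inside an invoice document.
ENVELOPED_BT = f'''<Invoice xmlns="urn:example:invoice" {_NS}><ID>INV-2024-001</ID>
<ds:Signature Id="sig1"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="">{ENVELOPED_TRANSFORM_XML}<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>AAA=</ds:DigestValue></ds:Reference>
{SP_REF}</ds:SignedInfo><ds:SignatureValue>AAA=</ds:SignatureValue>
{_qualifying("<xades:SignatureTimeStamp/>")}</ds:Signature></Invoice>'''.encode()

# Sample 2: detached B-LTA signature referencing an external file.
DETACHED_BLTA = f'''<ds:Signature {_NS} Id="sig1"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="invoice.xml"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>AAA=</ds:DigestValue></ds:Reference>
{SP_REF}</ds:SignedInfo><ds:SignatureValue>AAA=</ds:SignatureValue>
{_qualifying("<xades:SignatureTimeStamp/><xades:CertificateValues/><xades:RevocationValues/><xades141:ArchiveTimeStamp/>")}</ds:Signature>'''.encode()

if __name__ == "__main__":
    print(classify(ENVELOPED_BT))
    print(classify(DETACHED_BLTA))
```

Run this on a signature before accepting a claimed "B-LTA": an ArchiveTimeStamp on top of a signature that never received a signature time-stamp and validation data is not a valid B-LTA, and the classifier says so rather than reporting the highest element it happens to find.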
XAdES / PAdES / CAdES
XAdES, PAdES and CAdES are the three digital signature formats defined by ETSI and referenced by the eIDAS framework. XAdES (XML Advanced Electronic Signatures, EN 319 132) signs XML documents; PAdES (PDF, EN 319 142) embeds the CMS signature directly in the PDF, the format used by Certyneo so that files can be verified offline in Acrobat Reader; CAdES (CMS, EN 319 122) applies to arbitrary binary streams. Each format comes in baseline profiles (B-B, B-T, B-LT, B-LTA) that add, in turn, a signature time-stamp, the validation data (certificate chain and revocation status) needed once the certificate has expired, and periodic archive time-stamps for long-term preservation.

Y

YubiKey (hardware security key)
A YubiKey is a hardware security key (USB/NFC) made by Yubico that stores non-extractable cryptographic secrets and supports the FIDO2/WebAuthn, OpenPGP and PIV protocols. For a qualified signature (QES), the private key must be held in a Qualified Signature Creation Device (QSCD) certified against Annex II of eIDAS; a security key can play that role only if the specific model is certified and appears in the list of certified QSCDs published by the European Commission under Article 31 of eIDAS, which should be checked before relying on it. A key that is not on that list still provides a hardware-protected, non-exportable private key, suitable for an advanced signature and for authenticating the signatory, but not a QES. On a Certyneo administration account, a YubiKey can also protect admin access through hardware MFA (FIDO2/WebAuthn), which resists phishing because the credential is bound to the site's origin.

Z

Paperless
The 'paperless' approach consists of fully replacing paper document workflows with signed digital equivalents. Beyond the operational gain (signing cycle reduced by 5 to 20 times on average), going paperless reduces the carbon footprint linked to printing, postage and physical archiving. Electronic signatures, combined with electronic archiving with evidentiary value (10 years minimum for commercial contracts), are the technical prerequisite for the switch. Dematerialisation describes the movement, paperless is its final goal.
Zero Trust (sécurité à confiance zéro)
The Zero Trust model is a security architecture built on the principle "never trust, always verify", as opposed to the classic perimeter model that trusts anything inside the corporate network. Its pillars are: continuous identity verification (MFA at every access), least privilege (access strictly limited to the operational need), micro-segmentation (isolation of services), traffic inspection (internal traffic included), and real-time monitoring. In an electronic signature context, Zero Trust applies at several levels: access to the HSM (no private key usable without strong authentication of the operator), access to envelopes (decisions based on the signatory's verified identity, not only on possession of the signing link), and admin access (ephemeral sessions with automatic revocation). NIST SP 800-207 and, in France, the ANSSI guide « Recommandations sur le Zero Trust » (2021) formalise the requirements.
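The envelope-access and ephemeral-session pillars above, as an added example that is not Certyneo's code: a signing link is treated as a capability that only proves the e-mail was read, and access to the envelope is granted only when a separately authenticated identity (OTP, MFA) matches the link's recipient, the session is fresh and not revoked, and the resulting scope is limited to that one envelope. The token format, the 15-minute session lifetime, the server key and the session fields are assumptions made for the example.

```python
"""Identity-bound envelope access with short-lived, revocable sessions
(added example of the Zero Trust controls described above, not Certyneo code)."""
import hashlib
import hmac
from dataclasses import dataclass

SERVER_KEY = b"server-side-key-example"  # assumed; in production held in a KMS/HSM and rotated
SESSION_TTL = 15 * 60                     # assumed: re-verify identity after 15 minutes


def make_signing_link(envelope_id: str, recipient_id: str, expires_at: int, key: bytes = SERVER_KEY) -> str:
    """Signing-link token: envelope, recipient, expiry, plus a MAC so it cannot be forged or re-targeted."""
    payload = f"{envelope_id}.{recipient_id}.{expires_at}"
    return payload + "." + hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def parse_signing_link(token: str, now: int, key: bytes = SERVER_KEY):
    """Return (envelope_id, recipient_id) for an authentic, unexpired link, else None."""
    try:
        envelope_id, recipient_id, exp, mac = token.split(".")
    except ValueError:
        return None
    payload = f"{envelope_id}.{recipient_id}.{exp}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac) or now >= int(exp):
        return None
    return envelope_id, recipient_id


@dataclass
class Session:
    session_id: str
    recipient_id: str   # identity established by OTP / identity proofing, not by the link
    verified_at: int    # when strong authentication last succeeded
    mfa: bool


class SessionStore:
    """Revocation list for sessions; a revoked session is refused at the next request."""
    def __init__(self):
        self._revoked = set()

    def revoke(self, session_id: str):
        self._revoked.add(session_id)

    def is_revoked(self, session_id: str) -> bool:
        return session_id in self._revoked


def authorize_envelope_access(token: str, session, store: SessionStore, now: int) -> dict:
    """Zero Trust decision: authentic link AND verified identity AND fresh, unrevoked session,
    with the granted scope limited to this envelope and this recipient (least privilege)."""
    link = parse_signing_link(token, now)
    if link is None:
        return {"allow": False, "reason": "invalid or expired signing link"}
    envelope_id, recipient_id = link
    if session is None:
        return {"allow": False, "reason": "link alone is not identity: strong authentication required"}
    if store.is_revoked(session.session_id):
        return {"allow": False, "reason": "session revoked"}
    if not session.mfa or now - session.verified_at > SESSION_TTL:
        return {"allow": False, "reason": "session stale or without MFA: re-authenticate"}
    if session.recipient_id != recipient_id:
        return {"allow": False, "reason": "authenticated identity does not match the link's recipient"}
    return {"allow": True, "reason": "ok", "scope": f"envelope:{envelope_id}:recipient:{recipient_id}:sign"}


if __name__ == "__main__":
    now = 1_700_000_000
    link = make_signing_link("env_42", "rcpt_7", now + 3600)
    store = SessionStore()
    print(authorize_envelope_access(link, None, store, now))
    print(authorize_envelope_access(link, Session("s1", "rcpt_7", now - 60, True), store, now))
```

The ordering matters: the link is checked first so that an attacker who forwarded it learns nothing about sessions, and the identity match is checked before any scope is issued, so a valid session for one recipient can never be replayed against another recipient's envelope.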

Ready to Put These Concepts Into Practice?

Certyneo allows you to create eIDAS-compliant signature envelopes in just a few clicks, without installation.