Security and Compliance
Trust is at the heart of Certyneo. This page describes exactly what is in place today in our infrastructure and application.
Last updated .

eIDAS Compliant
Our simple signatures (SES) and advanced signatures (AES with OTP email + SMS) comply with the European Union's eIDAS regulation.
TLS 1.3 Encryption
All client-server communications are protected by TLS 1.3 via our reverse proxy (auto-renewed Let's Encrypt certificates).
Hosting in Germany (EU)
The application, PostgreSQL database, and object storage are hosted on our infrastructure in Germany (IONOS), within the European Union.
Signature Audit Trail
Every action (opening, OTP, signing, refusal, expiration) is timestamped and stored. An audit footer is embedded in the signed PDF.
Signer Authentication
For advanced signatures (AES): dual OTP by email and SMS (the SMS is sent via our SMS OTP provider). For sender login: email and password, Google, or Microsoft Entra.
GDPR
Compliance with the General Data Protection Regulation: right of access, rectification and erasure, processing register.
Regulatory Compliance
Certyneo complies with applicable European regulations for electronic signatures and data protection.
eIDAS
SES and AES Signatures
Simple electronic signature (SES) by default. Advanced electronic signature (AES) with OTP email + SMS for enhanced probative value within the meaning of regulation (EU) No. 910/2014.
GDPR
Data Protection
Compliance with Regulation (EU) 2016/679. Data hosted within the European Union, documented retention period, processing register, and DPA available upon request.
Our Security Practices
Here are the concrete measures deployed in production.
- TLS 1.3 encryption for all HTTP communications (Caddy 2, Let's Encrypt)
- AES-256 encryption for data at rest (documents and database), hosted in Germany
- Scrypt hashing (with salt and timing-safe comparison) for user passwords
- Single-use email verification and password reset tokens, 1-hour expiration
- OTP (SMS OTP) for advanced signing, short validity period, single use
- Application-level rate limiting (Redis) by plan on sensitive endpoints
- S3-compatible object storage with versioning enabled on documents
- Timestamped audit log for every step in an envelope's lifecycle
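As an added illustration of three of the measures listed above (salted scrypt password hashing with a timing-safe comparison, and single-use tokens with a one-hour expiration), here is example code that is not Certyneo's own: the scrypt cost parameters, the token format and the clock injection are assumptions chosen for the example, not values taken from the product.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Scrypt cost parameters: constructed for this example (the page states none).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32
TOKEN_TTL_SECONDS = 3600  # the page states a 1-hour expiration for these tokens


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per password means two
    users with the same password get different digests, defeating precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time, so response
    timing does not leak how many leading bytes of the digest matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


class OneTimeTokenStore:
    """Single-use, expiring tokens (email verification / password reset).
    Only a SHA-256 of the token is stored, so a leaked store cannot be replayed.
    The clock is injectable (assumption for testability, not a product feature)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._tokens: Dict[bytes, Tuple[str, float]] = {}  # sha256(token) -> (user, expires_at)

    @staticmethod
    def _key(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._tokens[self._key(token)] = (user, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user the token belongs to, or None if unknown, already used
        or expired. pop() removes the entry, which is what makes it single-use."""
        entry = self._tokens.pop(self._key(token), None)
        if entry is None:
            return None
        user, expires_at = entry
        if self._now() > expires_at:
            return None  # expired tokens are discarded, never honoured late
        return user


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("password ok:", verify_password("correct horse battery staple", salt, digest))
    store = OneTimeTokenStore()
    t = store.issue("alice@example.com")  # constructed sample user
    print("first redeem:", store.redeem(t), "second redeem:", store.redeem(t))
```

The store's `redeem` discards the token before checking expiry, so even an expired token is consumed on first use and can never be retried.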
Ready to sign securely?
5 free envelopes per month, no credit card required. eIDAS and GDPR compliance included.
Security Roadmap
Our next steps to strengthen trust and compliance.
- Q4 2026
ISO 27001 Audit
Planned: ISO 27001 certification audit with an accredited body.
- 2027
SOC 2 Type II Report
Planned: SOC 2 Type II report covering security, availability, and confidentiality.
Responsible Disclosure
Discovered a vulnerability? Please contact us responsibly before any public disclosure. We acknowledge receipt within 48 business hours.
security@certyneo.com
Data Processing Agreement
Our DPA details Certyneo's obligations as a data processor under the GDPR, including technical and organizational measures.
Download the DPA (PDF)
Certyneo Security FAQs
- Where is Certyneo data hosted?
- All data is hosted exclusively in Germany (IONOS SE, Frankfurt), within the European Union. No replication or outsourcing to servers outside the EU is performed.
- Is Certyneo subject to the U.S. Cloud Act?
- No. Certyneo is a French entity (French law SAS), not subject to the extraterritorial scope of the U.S. Cloud Act. Unlike DocuSign, Adobe Sign, or Dropbox Sign (U.S. companies), U.S. authorities cannot compel Certyneo to disclose your data.
- Is Certyneo GDPR compliant?
- Yes. Certyneo is GDPR compliant: EU hosting, TLS 1.3 encryption in transit and AES-256 at rest, DPA available (GDPR Article 28), documented limited retention periods, and respect for access and deletion rights.
- How are signed documents protected against tampering?
- Each signed document is protected by a cryptographic seal (SHA-256 hash) recorded in a timestamped audit trail. Any modification to the document after signing invalidates the seal and is immediately detected. The audit trail is retained for 10 years.
- Does Certyneo have a DPA (Data Processing Agreement)?
- Yes. Certyneo provides a DPA compliant with GDPR Article 28, available and electronically signable from your dashboard or upon request. It details sub-processors, technical and organizational measures (TOMs), and rights of data subjects.
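To make the tamper-detection answer above concrete, here is an added example (not Certyneo's code) of a SHA-256 document seal recorded in a timestamped audit trail: any byte change to the document after the "signed" event makes recomputation of the hash disagree with the recorded seal. The event field names, the envelope id and the sample document bytes are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Callable, Dict, List, Optional


def seal_document(document: bytes) -> str:
    """Cryptographic seal of the signed document: hex SHA-256 of its bytes."""
    return hashlib.sha256(document).hexdigest()


class AuditTrail:
    """Timestamped record of an envelope's lifecycle (opened, otp, signed, ...).
    The seal is stored inside the 'signed' event, so document and trail can be
    checked against each other later. Clock injection is an assumption for testing."""

    def __init__(self, envelope_id: str, now: Callable[[], float] = time.time) -> None:
        self.envelope_id = envelope_id
        self._now = now
        self.events: List[Dict[str, object]] = []

    def record(self, action: str, **details: object) -> Dict[str, object]:
        event: Dict[str, object] = {"envelope": self.envelope_id,
                                    "action": action,
                                    "timestamp": self._now()}
        event.update(details)
        self.events.append(event)
        return event

    def record_signature(self, signer: str, document: bytes) -> str:
        seal = seal_document(document)
        self.record("signed", signer=signer, seal=seal)
        return seal

    def latest_seal(self) -> Optional[str]:
        seals = [e["seal"] for e in self.events if e["action"] == "signed"]
        return str(seals[-1]) if seals else None

    def verify(self, document: bytes) -> bool:
        """True only if the document hashes to the seal recorded at signing time.
        A missing seal is a verification failure, not a pass."""
        recorded = self.latest_seal()
        if recorded is None:
            return False
        return hmac.compare_digest(seal_document(document), recorded)


# Constructed sample document: stands in for the PDF bytes.
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj << /Title (Lease agreement) >> endobj\n%%EOF\n"


def demo() -> Dict[str, bool]:
    trail = AuditTrail("env-0001")  # constructed envelope id
    trail.record("opened", signer="alice@example.com")
    trail.record("otp_verified", signer="alice@example.com", channel="sms")
    trail.record_signature("alice@example.com", SAMPLE_PDF)
    tampered = SAMPLE_PDF.replace(b"Lease", b"Sale")  # one word changed after signing
    return {"original_valid": trail.verify(SAMPLE_PDF),
            "tampered_valid": trail.verify(tampered)}


if __name__ == "__main__":
    print(demo())
```

Because SHA-256 is collision resistant, the "tampered" check fails for any edit, not only the visible one; an empty trail (no "signed" event) also fails closed rather than being treated as valid.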
Learn More
Deepen your understanding of regulations and signature levels.
- Understanding the eIDAS Regulation — SES, AES, and QES Levels
- What Is Electronic Signature? Definition and How It Works
- Deploying E-Signature in Your Organization: Best Practices
- Glossary: Electronic Signature Terms
- Electronic Signature and GDPR — guide for DPOs