
Security and compliance

Trust is at the core of Certyneo. This page describes exactly what is in place today in our infrastructure and our application.

Last updated .

Certyneo security — infrastructure and encryption

eIDAS compliant

Our simple (SES) and advanced (AES, with email + SMS OTP) electronic signatures meet the requirements of the European Union's eIDAS Regulation.

TLS 1.3 encryption

All client-server traffic is protected by TLS 1.3 through our reverse proxy (auto-renewed Let's Encrypt certificates).

Hosted in Germany (EU)

The application, the PostgreSQL database and the object storage all run on our own infrastructure in Germany (IONOS).

Signature audit trail

Every action (open, OTP, signature, decline, expiry) is timestamped and stored. An audit footer is embedded in the signed PDF.

Signer authentication

For the advanced level (AES): a dual one-time password (OTP) sent by email and by SMS. For sender sign-in: email and password, Google, or Microsoft Entra.

GDPR

Compliance with the General Data Protection Regulation: right of access, rectification and erasure, record of processing activities.

Regulatory compliance

Certyneo complies with the European regulations that apply to electronic signature and personal data protection.

eIDAS

SES and AES signatures

Simple electronic signature (SES) by default. Advanced electronic signature (AES, the eIDAS signature level, not the AES cipher) with email + SMS OTP for enhanced probative value under Regulation (EU) No 910/2014.

GDPR

Personal data protection

Compliance with Regulation (EU) 2016/679. Data hosted in the European Union, documented retention periods, record of processing activities, and a DPA available on request.

Our security practices

Here are the concrete measures deployed in production.

  • TLS 1.3 encryption for all HTTP traffic (Caddy 2, Let's Encrypt)
  • AES-256 encryption for data at rest (documents and database), hosted in Germany
  • scrypt hashing (with salt and timing-safe comparison) for user passwords
  • Single-use email verification and password-reset tokens, 1-hour expiry
  • SMS OTP for the advanced signature, short validity, single use
  • Application-level rate limiting (Redis) per plan on sensitive endpoints
  • S3-compatible object storage with versioning enabled on documents
  • Timestamped audit log for every step of an envelope's lifecycle
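Two of the practices listed above (scrypt password hashing with a salt and a timing-safe comparison, and single-use verification/reset tokens with a 1-hour expiry) are shown below in working form. This is an added example written for this page, not Certyneo's code: the scrypt work factors, the `$`-separated record format, the `SingleUseTokenStore` class and the `issue`/`redeem` names are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Work-factor parameters are constructed for this example; the page does not state
# Certyneo's own scrypt settings. N=2**14, r=8, p=1 needs about 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
TOKEN_TTL_SECONDS = 3600  # single-use tokens expire after 1 hour, as the page states


def hash_password(password: str) -> str:
    """Hash a password with scrypt and a fresh 16-byte random salt.

    The parameters are stored next to the digest so they can be raised later
    without invalidating existing records.
    """
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute scrypt with the stored salt/parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False  # malformed record: never treat it as a match
    _, n, r, p, salt_hex, digest_hex = parts
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    # compare_digest does not stop at the first differing byte, so the comparison
    # time does not leak how much of the digest matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class SingleUseTokenStore:
    """In-memory stand-in for a server-side token table (constructed for this example).

    Only the SHA-256 of each token is kept, so a leaked copy of the table cannot be
    replayed; the plaintext token exists only in the link sent to the user.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be exercised in tests
        self._tokens: Dict[str, Tuple[str, int, float]] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, purpose: str, user_id: int) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = (purpose, user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, purpose: str, token: str) -> Optional[int]:
        """Return the user id on success, None otherwise.

        The entry is removed on every attempt, so a token is consumed whether it
        succeeded, had expired, or was presented for the wrong purpose.
        """
        entry = self._tokens.pop(self._key(token), None)
        if entry is None:
            return None
        stored_purpose, user_id, expires_at = entry
        if stored_purpose != purpose or self._now() > expires_at:
            return None
        return user_id
```

Binding each token to a purpose (email verification versus password reset) and consuming it on any redemption attempt are the two details that make "single use" hold even when a token is presented to the wrong endpoint or after it has expired.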

Ready to sign securely?

5 free envelopes per month, no credit card required. eIDAS and GDPR compliance included.

Security roadmap

Our upcoming milestones to strengthen trust and compliance.

  • Q4 2026: ISO 27001 audit (planned). ISO 27001 certification audit planned with an accredited body.
  • 2027: SOC 2 Type II (planned). SOC 2 Type II report covering security, availability and confidentiality.

Responsible disclosure

Found a vulnerability? Please contact us responsibly before any public disclosure. We acknowledge receipt within 48 business hours.

security@certyneo.com

Data Processing Agreement

Our DPA details Certyneo's obligations as a data processor under the GDPR, including technical and organisational measures.


Frequently asked questions about Certyneo security

Where is Certyneo data hosted?

All data is hosted exclusively in Germany (IONOS SE, Frankfurt), within the European Union. No data is transferred outside the EU, and the infrastructure is not subject to the US Cloud Act.

Is Certyneo subject to the US Cloud Act?

No. Certyneo is a French entity (simplified joint-stock company under French law), not subject to US extraterritorial legislation such as the Cloud Act or FISA. All servers are located in Germany, within the EU.

Is Certyneo GDPR-compliant?

Yes. Certyneo is GDPR-compliant: EU hosting, TLS 1.3 encryption in transit and AES-256 at rest, strict data isolation per organisation, and a standard Data Processing Agreement (DPA) available upon request.

How are signed documents protected against tampering?

Each signed document is protected by a cryptographic seal (SHA-256 hash) embedded in a time-stamped audit trail, which is incorporated into the signed PDF. Any modification to the document after signing renders the signature invalid.
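The answer above describes a SHA-256 seal over the document plus a time-stamped audit trail. The following added example (written for this page, not Certyneo's implementation) shows one way such a seal and trail can be built and re-verified: the seal is assumed to cover the document content as it stood when signing completed, before the audit footer is appended, each event record is chained to the previous one by hash, and the final chain head is recorded alongside the seal. The record layout, the `build_audit_trail`/`verify_audit_trail` names and the sample events are assumptions.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Event tuples are (timestamp, action, actor); the action names mirror the page's list.
Event = Tuple[str, str, str]


def document_sha256(content: bytes) -> str:
    """Hash of the signed document content (assumed to exclude the audit footer)."""
    return hashlib.sha256(content).hexdigest()


def _record_hash(body: Dict[str, str]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical fields always hash alike.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def build_audit_trail(content: bytes, events: List[Event]) -> Dict:
    """Seal the document hash and chain every event to the one before it."""
    seal = document_sha256(content)
    records = []
    prev = seal  # the chain is anchored to the document hash
    for ts, action, actor in events:
        body = {"ts": ts, "action": action, "actor": actor, "prev": prev}
        record = dict(body, hash=_record_hash(body))
        records.append(record)
        prev = record["hash"]
    return {"document_sha256": seal, "events": records, "head": prev}


def verify_audit_trail(content: bytes, trail: Dict) -> Tuple[bool, str]:
    """Return (True, "ok") when the content and every event still match the seal.

    Detects: changed document bytes, an edited event, a removed or reordered
    event in the middle of the trail, and a truncated trail (via the head).
    """
    if document_sha256(content) != trail.get("document_sha256"):
        return False, "document content does not match the sealed hash"
    prev = trail["document_sha256"]
    for i, record in enumerate(trail.get("events", [])):
        body = {k: v for k, v in record.items() if k != "hash"}
        if body.get("prev") != prev:
            return False, f"event {i}: chain link mismatch"
        if _record_hash(body) != record.get("hash"):
            return False, f"event {i}: record hash mismatch"
        prev = record["hash"]
    if prev != trail.get("head"):
        return False, "trail head does not match the last event"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample input; not a real Certyneo document or trail.
    sample = b"%PDF-1.7\n% constructed sample document\n"
    sample_events = [
        ("2026-03-01T09:00:00Z", "open", "signer@example.invalid"),
        ("2026-03-01T09:02:00Z", "otp", "signer@example.invalid"),
        ("2026-03-01T09:03:00Z", "signature", "signer@example.invalid"),
    ]
    trail = build_audit_trail(sample, sample_events)
    print(verify_audit_trail(sample, trail))
    print(verify_audit_trail(sample + b"altered", trail))
```

The hash chain on its own only proves internal consistency: anyone holding the trail could rebuild it from scratch. What makes it evidence is that the seal and the chain head are themselves covered by the signature and time stamp embedded in the PDF, which this example does not model; without that outer signature, a verifier should treat the trail as a tamper-evident log, not a tamper-proof one.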
Does Certyneo provide a DPA (Data Processing Agreement)?

Yes. Certyneo provides a DPA compliant with Article 28 of the GDPR, available and electronically signable directly from your account settings.