Trust Services Policy
for Autenti electronic signatures and document signing services
Trust Services Policy for Autenti electronic signatures and document signing services
Autenti spółka z o.o. ("Autenti")
This Trust Service Policy (hereinafter referred to as the "Policy"), defines the types, terms and conditions for the provision of non-qualified trust services (hereinafter referred to as "Trust Services") by Autenti sp. z o.o. (hereinafter referred to as "Service Provider") and presents the technical and organisational solutions used by the Service Provider..
- Legal regulations
- [Generally applicable law] The Service Provider provides Trust Services based on the provisions of European Union law; in particular, based on:
- Regulation (EU) No. 910/2014 of the European Parliament and of the Council of July 23, 2014 on Electronic Identification and Trust Services for electronic transactions in the internal market and repealing Directive 1999/93/EC (including implementing provisions), hereinafter referred to as "eIDAS".;
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, (together with implementing provisions), hereinafter referred to as "GDPR";
- To the extent that the Trust Services are provided within or under the laws of the Republic of Poland, the following shall also apply:
- the Act of May 10, 2018 on the Protection of Personal Data (including implementing provisions);
- the Act of September 5, 2016 on Trust Services and Electronic Identification (including implementing provisions);
- the Act of July 18, 2002 on the provision of electronic services (including implementing provisions),
and by legal provisions supplementing or replacing the aforementioned laws;
- [Contractual templates] The Service Provider provides Trust Services based on this Autenti Trust Services Policy and contractual templates (regulations and policies) provided by the Service Provider, including:
- Regulations of the Autenti Platform;
the current content of which is available at the address: autenti.com/en/terms-and-conditions.
This Policy uses the terms given the following meaning:
- Authorisation - granting a specific entity access to perform a specific operation or to a specific Document;
- Document - an electronic file entered into the Autenti Platform by the User;
- Service Provider - Autenti sp. z o.o., with its registered office in Poznań, Św. Marcin 29/8, entered in the register of entrepreneurs by the District Court Poznań Nowe Miasto and Wilda in Poznań, 8th Economic Department under the National Court Register number (KRS) 0000436998, Tax ID: 7831693251;
- Autenti e-signature - means an Electronic Signature made using the Autenti Platform, other than the Autenti Advanced e-signature;
- Identification - the process of using data in electronic form that identifies a person in order to enable the determination of their identity for the purposes of an Advanced Electronic Signature;
- Signatures&Seals Card- a confirmation issued by the Service Provider in electronic form and related to the Document, specifying the course of the Trust Service in terms of submitting the Electronic Signature or handling the electronic signing of documents via the Autenti Platform;
- Autenti Electronic Seal – an advanced electronic seal verified by a qualified certificate, submitted on behalf of the Service Provider;
- Autenti platform – a technological platform, available electronically in accordance with the Regulations of the Autenti Platform, representing a device for submitting an Electronic Signature and a system for handling Documents;
- Policy - this Trust Services Policy for Autenti electronic signatures and document signing services;
- Electronic signature - data in an electronic form that is attached to or logically related to other data in electronic form and which is used by the Signer as a signature;
- Regulations of the Autenti Platform – regulations for the provision of electronic services governing the use of the Autenti Platform, the content of which is available on the website at autenti.com/en/terms-and-conditions;
- Relying party - a natural or legal person or an organisational unit, without legal personality, who takes actions or any decision in trust to non-qualified trust services provided by the Service Provider.
- Trust Service - unqualified trust service provided by the Service Provider described in the Policy;
- User - a natural person, legal person or organisational unit without legal personality to the extent that it can acquire rights and incur liabilities, who is the recipient of the Trust Service;
- Sender - a User who transmits a Document within the Autenti Platform;
- Signer - a natural person placing an Electronic Signature on the Document;
- Authentication - the process of confirming, using the data held by the Service Provider, that a given entity is who it claims to be;
- Timestamp - a qualified electronic timestamp used by the Service Provider;
- Advanced Autenti e-signature - means Advanced Electronic Signature, submitted using the Autenti Platform;
- Advanced electronic signature - means an Electronic Signature that meets the following requirements:
- is uniquely assigned to the Signer;
- allows establishing the identity of the Signer;
- is made using data used to create an Electronic Signature, which the Signatory may – with a high degree of certainty – use under their sole control and;
- is linked to the signed data so that any subsequent change in the data is recognisable.
Trust Services provided by the Service Provider
- The Service Provider provides the following Trust Services electronically:
- Electronic Document Signing Service via the Autenti Platform - enables the User to read the contents of a Document and make statements of intent in the form of a Document using the Autenti Platform, including for the purpose of entering into a contract or making a statement of any other kind in a Document that is based on the Autenti e-signature Service or the Autenti Advanced e-signature provided by the Service Provider in accordance with this Policy or another unqualified or qualified trust service, provided by a provider other than the Service Provider; based on and in accordance with the trust service policy of that Provider;
- Autenti e-signature service - involves the creation of an Autenti e-signature under the terms described in the Policy. Once an Autenti e-signature is created, the Signer's data is logically linked to the Document in such a way, that any subsequent change is recognisable;
- Autenti Advanced e-signature service - involves the creation of an Autenti Advanced e-signature under the terms described in the Policy. Once an Autenti Advanced e-signature is created, the data indicating the Signer becomes logically linked to the Document in such a way, that any subsequent change is recognisable.
Rules for providing Trust Services
- Electronic Document Signing Service via the Autenti Platform:
- The service is delivered as part of a service provided electronically based on the Autenti Platform Regulations and enables communication between the Sender and the Recipients of the Document participating in the process of submitting statements in electronic form related to the content of the Document.
- The service allows you to send a Document for signature using the Autenti Platform.
- The Sender Authorises the Recipient of a given Document by indicating the Recipient's e-mail address (or other selected method available within the Autenti Platform) and selects the type of Electronic Signature offered within the Autenti Platform.
- The service allows the recipient of the Document to read the content of the Document and use the Electronic Signature to make a specific statement related to the content of the Document.
- The Document to which the Electronic Signatures are attached or to which they are logically related is secured with the use of Autenti Electronic Seals based on qualified certificates that confirm the performance of the Trust Service and ensure the integrity of the Document to enable recognition whether the content of the Document has changed after placing the Autenti Electronic Seal.
- The Document to which the Electronic Signatures are attached or with which they are logically related is dated with a Timestamp.
- The confirmation of the performance of the Trust Service will be, in particular:
- The opening Autenti Electronic Seal, placed by the Service Provider to confirm the commencement of the Trust Service and to secure the integrity of the Document as presented for submitting the Electronic Signature;
- The Autenti Electronic Seal confirming the submitted Electronic Signature within the Electronic Signature Service through the Autenti Platform;
- The closing Autenti Electronic Seal, placed by the Service Provider to confirm the performance of the Trust Service against all Users;
- other seals and Electronic signatures based on unqualified or qualified services in accordance with the policies or regulations specified by their providers.
- The description of the performance of the Trust Service is documented in the form of a Signatures&Seals Card.
- In case of doubts whether the Signatures&Seals Card has been issued by the Service Provider or whether it describes the Trust Service actually performed with the participation of a specific Signer, the Relying Party may report such doubts to the Service Provider. The notification can be made in writing by sending an e-mail to: firstname.lastname@example.org or through the contact form provided in the autenti.com domain.
- Autenti e-signature service:
- The service enables signing the Document with Autenti e-signature using the Autenti Platform.
- The Sender transmits to Service Provider data indicating the Signer, including data used for Authentication. The received data is assigned to the Signer, which is then used by the Signer to submit an Autenti e-signature.
- An Autenti e-signature is placed after the Signer's Authentication using the data indicated in point b above, in particular, via e-mail or telephone number, or other tools (e.g., token or mobile application) supported by the Autenti Platform as selected by the Document Sender.
- Placement of an Autenti e-signature occurs as a result of the Signer's action by confirming the 'SIGN' button (or with equivalent content, including translation into another languages). As a result of submitting Autenti e-signature, the data referred to in point b. above is logically associated with the Document so that any subsequent change is recognisable
- At the time of submitting the Autenti e-signature, the Service Provider confirms its submission using the Autenti Electronic Seal associated with the Document to ensure its integrity and authenticity. The Autenti Electronic Seal contains the Signer's identification data. Additionally, placing an Autenti e-signature may be visualized in the Signatures&Seals Card attached or logically linked to the Document.
- The User or the Relying Party obtains confirmation that the Autenti e-signature Service has been performed, including the assurance that:
- The Document was signed by the User with an Autenti e-signature,
- The Autenti e-signature was submitted in the Document at the time indicated by the Autenti Electronic Seal.
- Autenti Advanced e-signature service:
- The service allows signing the Document with an Advanced electronic signature using the Autenti Platform.
- In order to perform the service, the Service Provider, as a result of performing Identification, uniquely assigns data to the Signer – which is used to submit an Advanced Autenti e-signature.
- The submission of an Advanced Autenti e-signature is carried out after the Authentication of the Signer using at least two independent factors whose relationship to the Signer is confirmed or has been declared by the Signer.
- The submission of an Autenti Advanced e-signature occurs after the conditions described above have been met, the Signer has been provided with information about the type of signature to be submitted, and as a result of the Signer's action by confirming the 'SIGN' button (or of equivalent content, including translated into another language).
- The Service Provider may refuse to create an Autenti Advanced e-signature – in particular, if, as a result of Identification, there are doubts as to the identity of the Signer.
- As a result of the placing of an Autenti Advanced e-signature, the data referred to in point b. above is logically linked to the Document so that any subsequent change is recognisable.
- At the time of submitting the Autenti Advanced e-signature, the Service Provider confirms its submission using the Autenti Electronic Seal associated with the Document to ensure its integrity and authenticity. The Autenti Electronic Seal contains the Signer's identification data. Additionally, placing an Autenti Advanced e-signature may be visualised in the Signatures&Seals Card attached or logically linked to the Document.
- The User or Relying Party obtains confirmation of the execution of the Autenti Advanced e-signature service, including the assurance that:
- The Document was signed by the Signer with the Autenti Advanced e-Signature, by directly indicating the type of signature in the data attached to the Autenti Electronic Seal or on the Signatures&Seals Card,
- The Autenti advanced e-signature was placed in the Document at the time indicated by the Autenti Electronic Seal.
Principles of Identification execution
- In order to use certain Trust Services, you may be required to have an account within the Autenti Platform or to perform Identification.
- Identification for the purposes of submitting the Autenti Advanced e-signature is performed remotely, based on one of the procedures indicated in point 3 below.
- Identification is carried out using one of the procedures adopted by the Service Provider:
- by using an electronic identification means, or;
- by providing identification data through applications administered by state administration bodies or public trust institutions, or;
- by remotely obtaining data from the presented physical identity document and the registered face image of its holder (selfie or liveness), or;
- through the transfer of data by entities subject to obligations arising from the relevant provisions of law regarding counteracting money laundering and financing of terrorism (AML), or;
- by obtaining data from the placed qualified electronic signature issued to the Signatory, or;
- by obtaining data from a trusted signature whose authenticity and integrity are ensured using an electronic seal, or;
- by obtaining data from the validation process of the electronic identity document.
Service Provider liability and obligations
- The Service Provider guarantees that the Trust Services are provided in accordance with this Policy and the provisions of European Union law.
- The Service Provider ensures that the Trust Services are implemented in accordance with the declared security and quality standards.
- The Service Provider ensures the protection of processed personal data in accordance with applicable law.
- The Service Provider shall not be liable for damages resulting from the use of Trust Services to the extent that Users have been previously informed about the limitations in the provision of these Trust Services.
- The Service Provider shall not be liable for the behaviour of Users, Signers or third parties or for improper performance or non-performance by them of factual or legal action in connection with the Documents processed as part of the Trust Services provided. The Service Provider shall also not be liable for the consequences of actions taken by Users, Signers and third parties, which represent a violation of the provisions of the Policy and the Regulations of the Autenti Platform or the law. In particular, the Service Provider shall not be liable for non-conclusion or invalidity of contracts resulting from actions or omissions of Users, Signers or third parties
- The Service Provider is not responsible for the truthfulness and reliability of the information provided by the Sender, particularly the correctness of the Signer's personal data or their ability to be the subject of legal action.
- The Service Provider shall not be liable for the consequences of the Authorisation performed in accordance with the User's (in particular the Sender's) indications, even if – as a result – the Authorisations were granted to the wrong persons or incorrect Signer's credentials were determined.
- The Service Provider shall not be liable for damages resulting from the User's or Signers' failure to comply with the rules set out in the Policy, the Autenti Regulations or the law – in particular, for damages resulting from the use of Trust Services contrary to their intended purpose and the storage or use by Users of data for submitting the Electronic Signature in a way that does not ensure their protection against unauthorised use.
- The Provider shall not be responsible for confirmation or use of outdated or false data [by the Signer].
- Unless the generally applicable provisions of law stipulate otherwise, the Service Provider's liability towards Users in the scope of obligations related to this Policy is limited only to actual damage caused intentionally or due to gross negligence.
Handling of personal data
- The Service Provider has implemented and applies appropriate technical and organisational measures to secure the processed data as part of the Trust Services provided, including encryption and secure communication channels, in accordance with the best standards and norms in the field of information security.
- The Service Provider maintains a register of events confirming technical activities performed on the Autenti Platform as part of the provision of Trust Services.
- Data processed for the purpose of providing Trust Services shall be retained by the Service Provider for at least 6 years in an environment that provides an adequate level of security and in a manner that ensures the integrity of event records.
- The Service Provider has developed and implemented a business continuity plan aimed at ensuring the correct and continuous provision of Trust Services, including creating and properly managing backup copies in such a way as to ensure security and integrity Documents and registers of events related to the provided Trust Services. The Service Provider's business continuity plan is periodically reviewed and tested.
- In order to identify and prevent threats, the Service Provider periodically assesses the level of risk in terms of security, including – in particular – the security of Users' personal data as part of the provision of Trust Services.
Terms of Dispute Resolution, Complaints
- The User may file a complaint if the Trust Services described in this Policy are not provided by the Service Provider or are provided inconsistently with the Policy. Complaints can be submitted electronically using the contact form, by e-mail to: email@example.com or in writing to: Autenti sp. z o.o, ul. Święty Marcin 29/8, 61-806 Poznań. The complaint should include at least an e-mail address, a description of the concerns raised and the expected resolution of the matter.
- If the data or information provided in the complaint needs to be supplemented in order to properly consider the complaint and satisfy the User's request, before considering the complaint, the Service Provider will ask the complainant to supplement the complaint within the indicated scope and time limit. Failure to meet the deadline means that the complaint cannot be processed and is subject to dismissal. The action of calling the User to complete the complaint interrupts the time limit for its consideration. This provision does not violate mandatory laws to the extent that they grant broader protection to consumers.
- The Service Provider shall consider the complaint within 14 days from the date of its receipt in its correct form, with the provision that the Service Provider shall refuse to consider complaints filed more than 90 days after the reasons for the complaint became apparent.
- The response to the complaint is sent only to the e-mail address assigned to the User's Account or used to submit the Electronic Signature. In particularly justified cases, the Service Provider may send a response to another e-mail address indicated by the complainant which is not assigned to the Account of the User who submits the complaint.
- The law applicable to contracts concluded between the User and the Provider, the subject matter of which are the services indicated herein, shall be Polish law unless the law in the European Union with respect to the consumer provides for a different jurisdiction. In the event of a complaint procedure that is unsatisfactory to the User, disputes related to the Trust Services provided by the Service Provider may be settled by the competent common courts.
Termination of operations or discontinuation of the provision of Trust Services
- Evidence of the performance of the Trust Service is secured with Autenti Electronic Seals and a Timestamp, which constitutes proof of the performance of the Trust Service and also allows for the verification of their authenticity after the completion of the Trust Service.
- If the Service Provider or any of the offered Trust Services specified in the Policy ceases to operate, the Service Provider will make every effort to minimise the resulting negative effects for the User to the extent possible. For this purpose, the Service Provider will publish relevant information on its website and provide the possibility to download the Documents stored using the Autenti Platform within one month of the completion of the Trust Service. Users will also receive a relevant message via e-mail to the address provided during account registration.
- The Service Provider secures the data contained in the event register and agrees with the competent supervisory authority on how to ensure access to it by entities authorised to it after the completion of the provision of Trust Services
Applicability and mode of amendment
- This Policy is valid for an indefinite period.
- The Provider reserves the right to amend the Policy at any time. In particular, the need to introduce changes may result from:
- changes to generally applicable law, including applicable law;
- changes in the manner and principles of providing Trust Services described in the Policy.
- Any change in the content of the Policy shall be effective upon its approval and publication on the Provider's website or at the later date indicated in the updated content of the Policy.
A HISTORY OF CHANGE
introduction of Autenti Trust Service Policy
Change of the name of the Autenti Trust Services Policy to the Trust Service Policy for Autenti electronic signatures and document signing services. Updating the Policy regarding the trust services provided so far. Introduction of the advanced electronic signature service. Changes in the description of the services provided and in the nomenclature, which do not affect the existing rights and obligations of Users and the standards of service provision, and are only of an organizational nature.
(*) Action: N-New, Z-Change, W-Verify