Legal and technical security
- Binding agreement
- Evidence requirements - how do electronic agreements stand in a dispute?
- Event log
- Sealing of agreements
- Reference documentation
- Data protection - GDPR
- Assistant agreement
- Privacy by design
- Storage times
- Security / technical data protection
- Egreement as a personal data assistant
- Storage and processing of personal data within the EU
- Secure communication
- Secure storage
- Authorization management and logging of events
- Routines and management of information security
The EU regulation on electronic identification and trusted services for electronic transactions in the Internal Market (eIDAS Regulation) came into effect on 1 July 2016 and applies in Sweden.
Documents signed electronically with Egreement's service comply with the eIDAS Regulation rules on electronic signatures, and cannot therefore be denied legal effect in a court solely on the basis of being in electronic form. However, there are exceptions in the eIDAS ordinance regarding special formal requirements in Swedish legislation. For example, an electronic signature with a high level of trust such as an advanced electronic signature or a signature with pen on paper may be required. With Egreement's service, users can sign documents with advanced electronic signatures with the help of BankID or other e-identification.
As a provider of trusted services, Egreement complies with the eIDAS Regulation and is obliged to take appropriate technical and organizational measures to manage security risks for those services. In the event of a security incident or loss of integrity that significantly affects the trusted service provided or associated personal data, Egreement is obliged to notify the The Swedish Post and Telecom Authority and any other relevant bodies within 24 hours of discovery.
Agreements entered into via Egreement's service are legally binding. There are some exceptions when there are special formal requirements according to law, which concerns certain agreements in Sweden. These exceptions include buying real estate and the signing of a will.
In some cases, there may be special formal requirements in agreements. For example, Egreement's service can still be used if an agreement states that any changes or additions must be made in writing. You can use Egreement’s service if all parties agree to using it.
As digital signatures become more common, they are increasingly treated as equal to a handwritten signature. As described above, a signature with BankID is considered an advanced electronic signature under trusted services eIDAS regulation, and therefore has legal effect throughout the EU.
Evidence requirements - how do electronic agreements stand in a dispute?
In Swedish procedural law, the principle of free presentation and free examination of evidence applies. This means each party can choose how they want to prove that an agreement has been entered into, or signed by a certain person. Electronic signatures make it easy to prove who signed the agreement and create traceability.
A traditional pen-on-paper signature can be easier to counterfeit, and sometimes needs extensive scrutiny to determine whether or not it is authentic. Agreements with electronic signatures can be considered to have higher evidential value than a pen-on-paper signed agreement. Egreement offers several different methods for electronic signature. E-identification, for example BankID, can provide an electronic signature with the strongest evidence that the right person has signed the agreement.
Evidence is collected in the agreement's event log. The event log contains information on all important events, and is saved as times, IP addresses, email addresses and personal data. For example, there is information on which parties have and which individual signed the agreement.
- Checks for all included contract files
- Social security number
- Email addresses
- IP addresses
- Organization number
- Organization name
*When a user e-signs using e-identification, the BankID, the BankID signature and OCSP responses are also saved in the event log.
*When signing with a two-factor SMS signature, the telephone number and one-time code are also saved.
*When signing with a drawing signature, an image of the signature is saved as a Base64-encoded vector-based SVG file.
Sealing of agreements
Agreements may be sealed with an electronic stamp to protect their integrity. Sealing an agreement will also ensure and prove its authenticity, as well as prove the fact that it has not changed since it was signed. Sealing an agreement also provides validation that the agreement is unchanged. Using a standard PDF reader such as Adobe Acrobat Reader can also show if the document has been changed or not, independently of Egreement.
Agreements are sealed using Egreement's AATL certificate issued by GlobalSign. The certificate uses a 2048-bit key and SHA256 RSA for signing. LTV, Long-Term Validation, enables long-term preservation and validity, so that the signature and agreement can be validated at any time.
As well as the agreements being sealed, all agreements created with Egreement (excluding the event log) contain a reference document to further strengthen their independence from Egreement. The reference documentation describes the contract format and available methods for electronic signature in detail. Therefore all agreements created in the service are self-supporting, ie. they can be stored anywhere, and validated independently of Egreement.
Data protection - GDPR
Egreement complies with the Data Protection Ordinance, GDPR, regarding all handling of personal data and therefore works continuously to implement and ensure that appropriate technical and organizational measures are in place to ensure that all processing is carried out in accordance with GDPR.
Egreement provides a standard assistance agreement that meets all GDPR requirements. Egreement also takes additional measures to ensure that all personal data is processed correctly. Please see below for further details.
Privacy by design
Egreement's solution is based on the principles of “Privacy by design” and “Privacy by default” (built-in data protection and data protection by default) according to GDPR. This means that using Egreement:
- ensures the customer can follow the basic principles according to the Data Protection Ordinance according to the specific requirements that the customer has, based on the type of personal data being handled. Within the system, customers can fulfill requirements for data minimization, storage minimization and purpose limitation
- ensures access control, so the customer can control which people have access
- to which tasks
- ensures opportunities for correction, deletion, limitation and thinning of data
- in accordance with the requirements set by the regulation. This can be controlled by customers themselves within framework of the system
- ensures that the customer can enable the data subject to access information registered about them in the system.
As a customer, you completely control how long each agreement, information about the agreement, and the people who signed the agreement must be saved.
Security / technical data protection
See description below under information security.
Egreement as a personal data assistant
Egreement acts in accordance with the GDPR rules on personal data assistants, as the Egreement service handles personal data on behalf of the customer responsible for that data. As a personal data assistant, Egreement provides an agreement that meets all requirements set in accordance with GDPR.
Egreement only processes the personal data the customer is responsible for, in accordance with all documented instructions from the customer. Egreement keeps a record of all categories of processing performed for the data controller and the customer. When Egreement hires sub-assistants to process personal data, it signs an assistant contract that covers at least the same obligations as the agreement it holds with the customer, according to the personal data assistant agreement.
When hiring subcontractors, Egreement ensures that the subcontractors follow customer instructions regarding the processing of personal data.
Egreement cooperates on request with the Authority for Privacy Protection, which is the supervisory authority working with GDPR in Sweden. Egreement has taken appropriate technical and organizational measures to ensure it maintains a high and appropriate level of safety.
Egreement does not disclose personal data or other information about the processing of personal data, unless such an obligation exists in accordance with the Data Protection Rules. If such an obligation exists, Egreement will always notify the customer first, unless it contravenes mandatory law.
All staff and consultants have signed confidentiality agreements and received information on how login information should be stored securely to ensure that no unauthorized person can access personal data.
While acting as a personal data assistant, Egreement will assist the customer also in other respects to ensure that they meet the relevant requirements in accordance with GDPR.
Storage and processing of personal data within the EU
Egreement only processes personal data within the EU. Personal data is stored in Amazon Web Services at three physically different locations, known as AWS Availability zones, in Ireland. A continuously updated list of sub-assistants is published for logged-in users in the service.
Egreement currently uses the following assistants to provide the service:
- Amazon Web Services EMEA SARL, Luxembourg, (storage and server capacity)
- Idfyed Solutions AB, Sweden, (eID service provider)
- 21st Century Mobile AB, Sweden, (SMS services)
- mySMTP (email notifications)
Assistant agreements have been signed with all assistants
When using subcontractors, Egreement ensures that correct subcontractor agreements are entered into, and that the subcontractors follow customer’s instructions regarding the processing of personal data. Because Amazon Web Services is an Irish company and Egreement’s agreement clearly states that personal data is not transferred outside the EU / EEA, the requirements for personal data processing are met set in accordance with the EDPB's recommendations on transmission mechanisms(01/2020) adopted on 18 June 2021.
Information securityscroll to me
All external communication with the service and transport of data is encrypted with HTTPS. Egreement uses a certificate with a 2048-bit key and the signature algorithm SHA256 RSA. The service is regularly tested to maintain Class A or A+ according to Qualys SSL Labs. All external communication with the service takes place via load balancers that handle application security.
Penetration tests are also performed regularly against intrusion attempts. All internal communication between the service's servers is limited by firewall rules to make sure that only authorized access takes place.
All information in the service is stored in three physically different locations called ‘availability zones’, which helps to ensure high availability. Agreements and other files are stored in Amazon S3. Other structured data is stored in a database.
All information handled in the service is encrypted during storage to further protect against unauthorized access. Encryption is done using the AES-256 algorithm. The encryption key is stored in AWS KMS HSM, and complies with FIPS 140-2. Only authorized Egreement personnel can access it - AWS employees do not have access.
The database is backed up regularly, once a day. Backups are stored in three physically separate places and saved for three months, after which they are deleted.
As a customer, you control how long each agreement with associated information should be stored on the service.
Authorization management and logging of events
All user identities are personal and may not be disclosed to another person. All user logins are authenticated via BankID, or username and password to verify the identity of the user. The service requires complex passwords for increased security.
The customer decides who has access by adding, or removing or deleting users.
The service is built on the principle of "minimization of access". To enable this, the service has authorization management that supports active access to agreements for specific users or groups of users.
All events in the service are logged. Important events for an agreement, such as times for signatures, are logged separately and are available to the customer in the service. User events such as login, view, delete, permissions changes, configurations, and all other logs of the service are sent to a separate log management server and saved for 90 days before being permanently deleted. Only authorized staff at Egreement has access to the logs.
For the purpose of administering the service, Egreement has assigned extended privileges to designated personnel in Sweden. All administrative staff with extended qualifications have undergone training in information security management.
Routines and management of information security
Egreement's management has introduced a systematic and risk-oriented approach to how it works with questions and tasks that deal with information security, and a management system for information security. The information security work is conducted on the basis of the international management system standard for information security, SS-ISO / IEC 27001. In addition, information security complies with relevant articles of the European Parliament and the European Council Regulation (EU) 2016/679, GDPR.
To support this, Egreement has established an information security policy that covers all information assets within the business. There are associated guidelines, routines, and conditions which were created for systematic work that leads to continuous improvements.
The overall purpose of Egreement's information security work is to ensure a well-balanced protection of our information resources so that the right information is available to the right person at the right time and in a traceable way.
‘Information security’ refers to the protection of information regardless of its form, how it is transferred, handled or stored. The information must be protected against all threats, regardless of whether they are internal, external, intentional or unintentional. The term ‘information security’ includes:
- physical security
- IT security
- administrative security
- personal security
Egreement has established an organization with clear roles and division of responsibilities that manage the information security work. Egreement handles risks based on regular risk and vulnerability analysis. It takes appropriate measures to maintain properly adapted levels of protection for the business' information assets.
Follow-up of the information security work takes place by registering all information security incidents in a dedicated system. Follow-up of protective measures, made based on completed risk analyses, takes place continuously. Employees have the opportunity to anonymously report suspected errors or irregularities to the information security officer at Egreement.
The continuity plan is adopted annually by the management. It regulates and defines the critical business processes which should work in the event of serious incidents. Management monitors annual risk analyses. Reporting is done by the designated information security manager to the management.