Security, privacy and compliance of Closd

Closd is committed to a “privacy-by-design” approach, in line with the best cybersecurity standards, and applies a strict data privacy policy that complies with the GDPR.

The security of your data is our top priority

The confidentiality and security of your data is our top priority.
All the files and data uploaded to Closd are encrypted with a strong military-grade AES-256 cipher, and access to the platform is invitation-only. The connection between clients and Closd is encrypted through the industry standard TLS protocol.

Closd also has security audits and penetration tests conducted every year by certified providers.
Our hosting provider, OVHcloud, is a top-tier worldwide cloud services provider. All data and files are exclusively hosted in the EU. Our clients’ data is backed up on an hourly basis on storage drives that benefit from a live triple replication in order to prevent any data loss.

All data and files are wiped from our disks. Closd does not store any data without its clients’ approval, and wipes all data from its disks after a project is finished.

Data hosted in the European Union

Processing of your personal data

Users’ personal data are collected and processed by Closd to ensure the total legal security of documents, contracts signed, and legal operations performed, in accordance with the GDPR.

Users’ personal data is used only for collaboration on Closd workspaces and is not transferred to any unauthorized third party.
Closd integrates the best electronic signature technologies, DocuSign and Certeurope (both Trust Service Providers) combined with a strong authentication of the signatories, for a radically new, fast and secure experience, in person or remotely.

Originals are available immediately and can be securely archived with Arkhineo’s long-term archiving technology with probative value. Protect your data in the long term against damage or theft in an electronic safe directly on Closd.

Legal security for your documents

Our security commitments

Frequent security audits

Optional 2FA and SSO

AES-256 data encryption

Traceability of user actions

Data hosted in the European Union

Frequently asked questions

User authentication

Access to Closd is by invitation only: Users are authenticated through their email address and a secure password. Our system detects and prevents concurrent logins from two separate sessions.

2-factor authentication or Single Sign-On can be implemented to further reinforce security at login.

For users that need to sign documents electronically, two additional layers of security contribute to guaranteeing the identity of the signatory:

• An automated ID document verification is performed to cross check the user’s profile and detect traces of tampering with the document;
• A one-time password is sent by SMS to the number that the user registered as their mobile phone.

All user actions are recorded in an activity log that is accessible to System Administrators. This allows us to investigate any potential breach or issue within a project and to identify which accounts could potentially have been compromised.
Closd only collects data strictly necessary to carry out legal transactions in complete legal and technical security. No other personal data is collected by Closd, for any purpose whatsoever.

Storage of personal data

Users’ personal data is deleted upon request or when the personal account is deleted.

Data allowing precise identification of signatories is stored by Closd during the entire period during which the validity and probative value of the documents can be questioned by a party or a third party, in order to ensure, if needed, the exercise or defense of users’ legal claims.

  • Privacy by design: Closd’s software infrastructure was built from the outset to adhere to a privacy-by-design approach to protect user data (secure passwords, data partitioning, full data encryption, etc.).
  • Data encryption: the database and all the files uploaded and/or signed on Closd are encrypted using the AES-256 algorithm. Data passing between Closd’s servers and users’ workstations is secured by the TLS protocol.
  • Data location: all collected data is stored on servers located in the EU (via the European cloud leader OVHcloud).
  • Security audits: Closd has security audits regularly performed by State-certified providers.
  • Data access: only authorized employees within Closd can access users’ personal data in order to provide support.
  • Confidentiality undertaking: all of Closd’s employees have signed a very strict confidentiality undertaking with respect to users’ data (personal and non-personal) to which they may have access.
  • Opt-in: When activating their account, each user must expressly accept Closd’s privacy policy, which is made readily available to them. Given that this data is essential for the operations carried out on Closd, it is impossible to use the platform without accepting the collection and processing of data.
  • Users can exercise their rights to access, rectify or delete their data at any time by sending an email to: privacy@closd.com.
  • Transparency: Closd’s privacy policy is easily accessible to all users and Closd will respond promptly to any questions about it.

Functioning of the electronic signature

Three types of signature are available on Closd: Simple and Advanced electronic signatures, and Handwritten “wet-ink” signatures.

Simple and Advanced electronic signatures are equally valid under the eIDAS EU regulation. They differ in the level of authentication required for signatories, and hence in the probative force of the signed document over time, that is, the body of proof of the signatory’s identity.

The high level of security for Advanced signatures is attained through the following steps:

• Integrating the technologies developed by DocuSign and Certeurope, providers certified by the European Commission. On each project, users can choose between the two technologies and keep the same interface and signature workflow.
• Combining these technologies with a strong three-layer authentication.

Handwritten scanned signatures are valid for signature in counterparts, for the most part used in common law countries. Closd automatically extracts signature pages and allows compliance with UK Mercury case law, which requires that the full document be sent along with signature pages.

You can use and combine different signature technologies and types in one signing session.

An electronic signature is composed of electronic data and leaves no graphic representation on the document. Electronic signatures’ validity and probative force lie in the digital data incorporated into the document, which guarantee its integrity and the signatory’s identity. This is done through the issuance of:
  • A digital certificate that proves that the signatory’s identity has been verified; and
  • A unique fingerprint of the file that ensures that the document has not been modified since it was signed.
An authentication certificate is issued and archived by Closd upon each ID verification and electronic signature. This document gathers technical information relating to the ID verification (for Advanced signature) and to the electronic signature (envelope number, signatory’s email address, IP address, time and date, technology used, etc.).

This authentication certificate is provided to users along with the original signed document. This process complies with legal requirements and ensures the validity and full probative value of the electronic signatures, while maintaining a simple user experience.
“Advanced” level electronic signatures require strong authentication of signatories, providing a high level of security when signing more sensitive documents. This consists of a three-layer authentication process:
  1. Personal account protected by a secure password chosen after receiving an invitation to Closd;
  2. Automated ID verification: Before their first signature on Closd, signatories must upload a picture or scan of a valid ID document. Users are guided through this quick and easy process at their first login. This verification has to be done only once, provided the given ID does not expire;
  3. One-time password sent by SMS.
“Simple” level electronic signatures require a basic level of authentication for signatories (a link sent by email), making them faster to perform; they are generally used to sign less important documents. Handwritten signatures also require a basic level of authentication. Signatories are sent a link by email; they then print, sign and scan the signature pages and reupload them to Closd.
A PDF reader (such as Adobe Acrobat Reader) can verify the validity of an electronic signature. When the document is opened, the PDF reader automatically performs two operations:
  • It calculates the document’s fingerprint to see if it matches the fingerprint of the document that was signed;
  • It checks the digital certificate to ensure its validity (therefore the authentication of the signatories).
If the reader recognizes one of these elements as invalid, a message will warn the user that the electronic signature is invalid. This removes the need to initial the document on each page.
No. Electronic signature technologies play the same role as notarial binding (thanks to the document’s digital “fingerprint”). Therefore, any modification of an electronically signed document subsequent to its signature is automatically detected by the PDF reader in which it is opened. If the document was modified, a message appears warning the user that the affixed electronic signatures are no longer valid.

Legal certainty of electronic signature

An electronic signature made with a system as secure as Closd’s is more reliable than a handwritten signature. The entry into force of the eIDAS regulation has been a giant step in its generalization: The certification of an electronic signature provider is a trust factor and a guarantee of compliance with the rules established by European and national laws. The validity of an electronic signature made on Closd is therefore proved by:
  • The certification of DocuSign and Certeurope as Trust Services Providers (TSPs); and
  • The body of evidence made up of the strong authentication of signatories.
Regarding the verification of an electronic signature by PDF readers, it is based on a “chain of trust” principle. The encryption certificate is validated by the Certification Authority (CA) that issued it (i.e., the electronic signature service provider), itself validated by an authority with a higher level of trust and so on, until a Root Certification Authority is reached, the last link in the chain (generally private companies acting as trusted third party for numerous uses). The PDF reader is able to verify the reliability of each level: if one of the links in the chain is missing, it will not validate the electronic signature.
Under European law, the eIDAS regulation of July 23, 2014 was a game changer, making it easy to prove that electronic signature technology is secure and reliable.

It implemented a new, harmonized framework for digital trust services (among which electronic signature) and provides that national courts cannot reject electronic signatures as evidence.

The eIDAS regulation has created three types of electronic signatures (Simple, Advanced and Qualified, depending mostly on the authentication process) and a system of certifications issued by national supervisory authorities for each provider. Once certified, the provider obtains the label of Trust Services Provider (TSP) and may operate in any member State. A trusted list of all certified providers is published and updated by the European Commission, making it easy for national judges to assess whether the electronic signature is secure.

The eIDAS regulation has allowed the electronic signature to boom in Europe. It is now a reference law that has inspired a lot of national regulations, even outside the European Union.
Legally, there is no difference in terms of validity between “Simple”, “Advanced” and “Qualified” signatures. Their legal effect and admissibility in court cannot be denied in any state within the European Union. The “Qualified” signature simply benefits from a presumption of reliability.

The “Simple” signature is, by default, that which does not meet the requirements of the “Advanced” or “Qualified” categories. Authentication of signatories usually results in sending a One-Time Password (OTP) to the signatory’s mobile phone after clicking on a link received by email.

The “Advanced” signature must meet the following requirements:

  • It is uniquely linked to the signatory;
  • It is capable of identifying the signatory;
  • It is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
  • It is linked to the data signed therewith in such a way that any subsequent changes in the data are detectable.

On Closd, these requirements are met by combining the transmission of an OTP code via mobile phone and the user’s email and password combination with two other factors, making it possible to establish with certainty the identity of the signatory: an automated ID verification and a secure password to access Closd.

From a probative point of view, these authentication methods create a solid body of evidence in addition to the eIDAS certification. Challenging a signature made on Closd would require proving the hacking of the mailbox, the theft of the mobile phone and the theft or falsification of a copy of the signatory’s identity document.

The “Qualified” signature legally corresponds to an “Advanced” signature with reinforced technical requirements and requires the issuance of a certificate following a face-to-face verification of the signatory’s identity (by physical meeting or videoconference). The advantages of the electronic signature (mobility and speed) can be greatly reduced by this process.
