Overview of Penneo Security Options
Penneo secures your documents through a combination of three key settings: Sensitive, Access Control, and Social Security Number (SSN). You can adjust these features to meet the specific security requirements of each case file.
The location of these settings depends on whether you are using the Penneo Web Interface or the Desktop Application:
Web Interface: Security options are available during the case file creation process.
Desktop Application: Security options are located in the main configuration view.
SMS verification functionality and limitations
SMS verification restricts case file access by requiring signers to verify their identity via mobile phone. It serves as a 2-step verification method to increase signing process security. Note that SMS verification is an access restriction feature, not a signing method; the security of the final signature depends on the specific method used, such as Simple Electronic Signature (SES), Advanced Electronic Signature (AdES), or Qualified Electronic Signature (QES).
Please note: the SMS verification function is only available on the Penneo Web Interface and is not supported in the Desktop application.
How to enable SMS verification in Penneo
To use SMS verification, the company account administrator must first enable SMS in the Allowed methods for signing and access section within the company settings.
When adding a recipient to a case file, the sender can enable viewing restrictions by entering the signer’s phone number and clicking Add recipient.
Upon clicking the signing link, the signer is shown the last three digits of their phone number. If correct, the signer selects ‘Send me the code’ and enters the one-time code received via SMS to access the documents.
After the document is signed, the signature page will display the status SMS verified next to the signature.
Signer document visibility and limited access
Penneo allows case files to be configured so that different signers only see the specific documents they are required to sign, along with any non-signing attachments. This limited access remains in effect even after the process is finalized; each signer will only be able to view the specific documents they originally accessed and signed.
Sensitive security option
The sensitive security option requires every person opening a document to confirm their identity by logging in with an electronic ID (eID). While this ensures an eID is required for access, it does not restrict viewing to specific individuals; anyone with a valid eID can potentially view the document if they have the link.
When the sensitive option is active, documents are not attached to finalization emails. Instead, both the sender and signers must access the documents through app.penneo.com. Additionally, copy recipients cannot be added to case files using this setting.
Access Control setting
The Access Control option requires the specific recipient to confirm their identity with an electronic ID before accessing documents. Users simply select the preferred eID for confirmation. If access is denied, users can select ‘Try to get access using another eID’ to continue the process. Identity confirmation for access is distinct from the final act of signing the documents.
Social Security Number and VATIN verification
The Social Security Number (SSN) option allows you to input the signer’s SSN into the case file. If this is used alone, anyone with the link can view the document, but only the individual matching the SSN can sign it. If Access Control is enabled alongside a specific SSN, only the person whose eID matches that SSN can open and view the documents. If a signer receives an ‘It looks like you don’t have access’ message after validating their identity, they should contact the sender to verify the SSN format.
The VATIN option functions identically to the SSN option but is exclusively for signers with a Danish organization number. You must ensure all numbers are entered according to the correct standard for the specific country.
Interface settings for SSN and VATIN
In the Penneo Web Interface, the Social Security Number field is marked by default. The VATIN field can be activated for Danish organizations by checking the corresponding box. If these fields are left empty, the function remains inactive. To activate, select the country and enter the SSN/VATIN.
In the Penneo Desktop App, the field is labeled SSN and is located next to the signer’s role.