Trust & Security

Documents you can prove — data that never leaves home.

DocsNG is built for organisations where a document has to be legally trustworthy and the data behind it can't go to someone else's cloud.

The trust model

Five layers of assurance

1 · Qualified electronic signatures

PAdES-B-B and PAdES-B-LTA, plus Advanced (AdES), Qualified (QES) and organisational electronic seals (QSeal) aligned to eIDAS. Choose the assurance level your regulation requires.

2 · Long-term validation (LTV)

Revocation data and document timestamps are embedded so a signature remains verifiable for years — even after the signing certificate expires. Refresh validity before it ages out.

3 · Keys you control

Sign with a local certificate, Google Cloud KMS, Azure Key Vault or a PKCS#11 HSM. Bring your own key and bring your own HSM — private keys never leave the provider, and never leave your boundary.

4 · Independent verification

Anyone can confirm signer identity, timestamp, signature level and integrity through a verification portal or API — no trust in DocsNG required. Export a signed evidence package as a certificate of authenticity.

5 · Tamper-evident data

Beyond the PDF, the underlying record carries per-record integrity and a hash-chained, append-only audit log — so the data itself is provably intact, not just the rendered document.

6 · Data residency & sovereignty

Run entirely inside your boundary — on a VM, in Docker, or fully air-gapped with no outbound calls. Your database, keys and documents stay with you.

See it

A document you can prove — and protect

This NDA was generated from a Word template, signed with an advanced electronic signature and encrypted at rest. The signature is long-term-valid (PAdES-LTV), the underlying record is tamper-evident, and everything was produced inside your own boundary.

A DocsNG-generated NDA with an advanced electronic signature, encrypted
Generated, signed and encrypted NDA — long-term-valid and independently verifiable.
Standards & compliance

Designed for regulated environments

DocsNG is built to help you meet document-trust and data-protection obligations. Certification status depends on your deployment and configuration.

eIDAS

Signature tiers and qualified timestamping aligned to the EU eIDAS regulation.

PAdES / PDF/A

ETSI PAdES signatures and archival PDF/A output for long-lived records.

GDPR-ready

Self-hosting keeps personal data in your jurisdiction; synthetic data for testing.

PDF/UA

Accessible, tagged PDF output for public-sector requirements.

Platform hardening

Secure by construction

DocsNG follows a documented 2026 threat model and a governed development lifecycle. Security controls are versioned, scanned and gated in CI.

  • SAST, dependency & secret scanning on every change
  • Least-privilege identities and scoped API keys
  • Per-owner and per-tenant authorisation of every record
  • Pinned dependencies and reproducible builds
  • Encryption at rest for sensitive settings and keys

✓ Security gates

Build & format · Tests & coverage

SAST (Semgrep) · Secret scan (Trufflehog)

Dependency & image scan (Trivy)

Deploy → smoke tests → human approval

Talk to us about your compliance needs

Whether it's eIDAS qualified signatures, an air-gapped install or a data-residency requirement — we'll map DocsNG to your obligations.