legal section
josilva15 committed Aug 14, 2024
1 parent 500c8ce commit b86609f
Showing 12 changed files with 191 additions and 54 deletions.
@@ -0,0 +1,70 @@
---
layout: default
title: Legal Considerations
parent: Legal and Security
nav_order: 2
---

Now that we are eSigning documents and receiving eSigned documents, it is important to know how to verify that a Digital Signature is valid.

**Please note that the steps below to verify a digital certificate are the same for a document signed using iSign or any other valid platform to electronically sign (DocuSign for instance). You might be interested to check a certificate that has been signed by a partner using another solution.**

[[_TOC_]]

# Responsibility

The person representing ICRC in a contract, has to ensure the signatories (External party) identify and has all power of signature for this external party (Register of Commerce). If unsure contact OCLA.

When ICRC Staff signs a contract with an electronic signature software different from ICRC's iSign, it is ICRC Staff who signs the contract to ensure the contract complies with legal aspect, with support of OCLA.

# Key points

- Digital signing is a cryptographic process. A timestamp and a unique number are assigned to a document, once signed.
- Digital certificate applies to the entire document.
- Digital certificate vary depending on the type of Electronic Signature (Basic, Advanced or Qualified).
- Basic eSignature : no certificate.
- Advanced eSignature : Digital certificate corroborate the signer identity, validation the signature and the fact that the document has not changed.
- Qualified eSignature : Digital certificate is granted by a Third party (TSP), the corroboration of the signer identity is regulated.
- The process to verify the Digital signature is the same when the document is signed using our internal platform (iSign/OneSpan Sign) or if the document is issued from another platform proposed by an external partner (DocuSign, Swiss Sign, Adobe...).
- Duration of the validity of the Digital certificate is not a point/ a signature has to be valid at the moment of the signing process (a person's role in a company might change/what matters are the responsibilities of the person at the time of the signature).

# Advanced eSignature - How to verify a Digital signature?

To make sure the Advanced Signature applied on the document is valid, you need to:

1\. Verify and confirm the identity of the person who is signing the document and his/her ability to sign it. Are you sure the email you have is the correct one? Is this person authorized to sign your document?
2\. Then verify the Digital certificate (see below process):
- Check that document has not been changed.
- Check that the signature is valid.

**Step 1**

- Open your Pdf document.
- Click on 'Signature Panel' button to access the information relative to the Digital signature and the certificate.

Note: in the left panel, the number of REV (stands for Revisor) corresponds to the number of signers in the document. A green or Red mark indicate if the signature is valid or not.

<img src="../media/How to check a digital certificate/Access_Signature_panel.png"
title="Access signature panel" width="800" />

**Step 2**

- In the left panel, click on the arrow beside the 'Rev' you want to consider displaying the information relative to his/her signature.
- Check on the Signature & signer's validity.
- Click on certificate details for more details.

<img src="../media/How to check a digital certificate/Signature_panel_details.png"
title="Signature panel details" width="800" />

**Step3**

- The certificate details give more information, in particular on the Certification Authority (CA).

<img src="../media/How to check a digital certificate/Certificate_details.png"
title="Certificate details" width="800" />

- The Tab "Trust" displays a visual icon with 2 green "checks".
- This screenshot shows the 2 required "green checks".

<img src="../media/How to check a digital certificate/Trust_details.png"
title="Trust details" width="800" />
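Review bot: The front matter sets `title: Legal Considerations`, the same title as the sibling page under `parent: Legal and Security` that has `nav_order: 1`, so the navigation will list two entries with identical names; this page is about verifying a digital signature and should carry a title that says so. In the Step 1 note, "REV (stands for Revisor)" looks wrong: in a PDF signature panel "Rev." normally denotes a document revision, so please confirm the wording. Step 3 tells the reader to look for two green checks on the Trust tab but not what each check attests, and nothing says what to do when the red mark mentioned in Step 1 appears; a sentence on the failure path (for example, stop and contact OCLA) would complete the procedure. Minor: `**Step3**` is missing a space, the two consecutive bullets about the green checks repeat each other, and `[[_TOC_]]` is wiki syntax that will likely render as literal text with this Jekyll front matter, so check the built page.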
7 changes: 7 additions & 0 deletions _posts/Page Elements/Legal and Security/index.markdown
@@ -0,0 +1,7 @@
---
layout: default
title: Legal and Security
nav_order: 3
has_children: true
---

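Review bot: The index page consists of front matter only, so the "Legal and Security" landing page will render with no body text; add a one- or two-sentence introduction saying what the two child pages cover.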
@@ -0,0 +1,62 @@
---
layout: default
title: Legal Considerations
parent: Legal and Security
nav_order: 1
---

Around the world, financial services organizations, insurance companies, healthcare providers, and more are moving away from handwritten signatures on contracts and other legally binding documents in favor of electronic signatures, due to the immediate efficiency and customer experience benefits. Financial institutions are experiencing a 66% reduction in missing files and a 92% reduction in errors from scanning paper documents. Moreover, electronic signature technology can now be easily integrated into many business applications and processes, further expanding its benefits to the business workflow.

The law applicable to electronic signatures is clear in many countries and has been established for some time, leading to increased e-signature adoption in recent years. It is a secure and legally binding solution in most cases, but there remains some confusion in the market about its legality.

In the EU, the validity and legality of electronic signatures are governed by *eIDAS* and the *GDPR*. Companies seeking to do business with individuals and other businesses across the EU should seek compliance with these bodies of law in order to gain legal standing through any electronic signature requirements.

In Switzerland, the validity and legality is governed by *ZertES* which is a Swiss Federal law that regulates the conditions under which trusted service providers may use certification services with electronic signatures. ICRC electronic signature process is fully covered by ZertES. Additionally, this law provides a framework that outlines the provider’s obligations and rights as they apply to providing their certification services.

ICRC contracts have been adapted in 2020 or 2021 to recognize eSignature. The SoW was updated at that time with the following sentence *“The Parties also recognize as legally valid and binding the electronic execution/signature of this agreement and any amendment thereto through (i) digital signature module or tool or (ii) captioning the signature and inserting it electronically in the appropriate field/s"*. A review of our general terms and conditions (T&Cs) to include a similar clause in it is also planned.

[[_TOC_]]

# EIDAS

The eIDAS(electronic Identification, Authentication, and trust Services), which became an established EU regulation in July 2014, extensively covers laws around electronic identification, digital certificates, electronic seals, timestamps, and the legality of electronic signatures. The idea behind eIDAS is to create a uniform law that applies to every member state within the EU so that electronic identification information could be accepted from every EU member state. Regarding electronic signatures, eIDAS segments digital signatures into three separate categories, each more secure than the last.

# GDPR

The EU’s General Data Protection Regulation (GDPR) aims to harmonize data privacy laws across Europe.

While the regulation doesn’t take aim at electronic signatures specifically, it adds additional rules and requirements that companies who implement electronic signature solutions should consider. This includes:

- Data security
- Encryption
- Consent
- Processing

Organizations seeking to utilize an electronic signature solution should understand the EU’s stance on these topics since they will be responsible for capturing and maintaining private information over an extended period in the form of contracts and digital agreements.

# ZertES

Organizations seeking to utilize an electronic signature solution should understand the EU’s stance on these topics since they will be responsible for capturing and maintaining private information over an extended period in the form of contracts and digital agreements.

On December 19, 2003, ZertES, the Swiss Federal law regarding the use of certification services with electronic signatures was approved into law. This legislation regulates the conditions in which trust service providers may use certification services with electronic signatures. Additionally, ZertES, provides a framework that specifies the provider’s rights and obligations when providing certification services. An electronic signature in the understanding of ZertES refers to data in electronic form, attached to or associated with other data in electronic form , serving to authenticate the former. So far, ZertES does not further specify how electronic signatures shall be technically implemented. However, to facilitate the international use of electronic signatures and their legal recognition, the Swiss Federal Council made international agreements and notably accepts electronic signatures, technically implemented as digital signatures following the following standards: XAdES, PAdES, CAdES.

# Criteria for legally binding signatures

As a general rule, legally binding e-signatures must:

- Show that signer truly is who they claim to be
- Show that the signer intended to sign electronically. The best way of proving this is to give the signer the option of signing on paper and letting them choose.
- The signer’s willingness to sign is demonstrated (e.g. an option to not agree is also present, such as a “cancel” button).
- The signer’s authenticity can be verified independently. This often means the presence of an email trail, timestamp, mobile phone number, and IP address. Two-step identification may also be helpful here for the purpose of attribution.

# Information security

Information security incidents can have other far-reaching consequences for the organization, such as the disruption of operations and support functions affecting business continuity, financial losses in case of fraud, lawsuits brought against the ICRC by individuals or entities, failure to comply with the ICRC's legal obligations and reputation damage and loss of trust by staff, beneficiaries, interlocutors and donors. The rationale and institutional basis for protecting information at the ICRC is formally established in the ICRC Information Security Framework (ISF) (including the Information Handling Typology), the Rules on Personal Data Protection and the ICRC Code of Conduct.

# Data Protection considerations

**Strictly confidential documents cannot be uploaded nor signed on iSign (Cloud platform).**

The Information Handling Typology Rules (IHT Rules) outline the criteria for classifying information and defining classification categories, and the handling rules to apply for all types of information. First and foremost, the responsible for the information must be clearly identified and must classify it, to enable recipients of the information to apply the appropriate handling rules. The IHT Rules apply throughout the lifecycle of information produced by – or in the possession of – the ICRC. There are four classification categories according to the sensitivity of the information: Strictly confidential – Confidential – Internal – Public.

Internal, confidential and strictly confidential information may only be shared with external staff under certain circumstances and conditions (see Section 4.2 Handling Rules). Please note that a Data Subject’s right to access will be determined not by the category of classification, but pursuant to Article 8 of the ICRC Rules on Personal Data Protection.
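Review bot: The first paragraph under `# ZertES` is a verbatim copy of the closing paragraph of the `# GDPR` section and talks about "the EU's stance", which does not belong under the Swiss law; delete it so the section starts at "On December 19, 2003, ZertES ...". The `# EIDAS` section says eIDAS splits signatures into three categories but never names them, while the verification page added in this commit relies on Basic, Advanced and Qualified; listing them here would tie the two pages together. The "66% reduction" and "92% reduction" figures in the introduction have no source, and "have been adapted in 2020 or 2021" should be pinned to one date. In the criteria list, the first two bullets complete the sentence ending in "must:" but the last two are standalone statements; reword them to match.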
52 changes: 52 additions & 0 deletions _posts/Page Elements/quickstart/Step by step.markdown
@@ -0,0 +1,52 @@
---
layout: default
title: Step by step
parent: Quick start
nav_order: 3
---

# How to sing a document

An ICRC partner can be invited to sign a document with iSign.

Here's how to do it!

**1\. Access you email inbox**

The Transaction Owner created the transaction and added your email address as a signee. You should have received a new email in your inbox with details such as the transaction name and owner. Simply click *Go to documents*.

<img src="../media/sign flow/sign flow 1.png"
title="sign flow 1.png" width="800" />

**2\. Validate the document(s)**

When you click *Go to documents*, the document(s) will be available for you to review and validate. The Transaction Owner has specified the signature fields and any required information. You may need to provide your signature, name, initials, and/or company details.

<img src="../media/sign flow/sign flow 2.png"
title="sign flow 2.png" width="400" />

**3\. Sign the document(s)**

Now that you’ve reviewed the transaction document(s), you can begin the signing process. Click on the highlighted fields and enter the required information.

<img src="../media/sign flow/sign flow 3.png"
title="sign flow 3.png" width="800" />

**4\. Validate your information**

You’ve signed the document and provided all the required information. Now, simply click *Confirm*.

<img src="../media/sign flow/sign flow 4.png"
title="sign flow 4.png" width="800" />

**5\. Congratulations, the transaction is signed! **

The transaction signing is completed. You can review and/or download the document(s).

<img src="../media/sign flow/sign flow 5.png"
title="sign flow 5.png" width="800" />

Also, make sure to check your email inbox to verify that the transaction was successfully signed and the process is complete.

<img src="../media/sign flow/sign flow 6.png"
title="sign flow 6.png" width="800" />
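Review bot: The heading `# How to sing a document` has a typo ("sign"), and the step 1 title reads "Access you email inbox" ("your"). In step 5 the bold marker is closed as `signed! **`; the space before the closing `**` stops Markdown from rendering the line as bold. Step 1 instructs an external partner to click *Go to documents* in an email, so consider stating the sender address and subject line a genuine iSign invitation uses, so that recipients can tell it apart from a phishing message. The image `src` paths contain unencoded spaces (`../media/sign flow/sign flow 1.png`); confirm they resolve in the built site or encode them.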
File renamed without changes.
File renamed without changes.
File renamed without changes.
54 changes: 0 additions & 54 deletions quickstart/Step by step.markdown

This file was deleted.
