eIDAS defines three levels of electronic signatures. Each has different legal standing, security, and cost. Most businesses over-buy QES when AdES would suffice ā or under-buy SES when they need more.
* AdES is court-admissible with strong evidentiary weight under eIDAS non-discrimination principle. Courts cannot reject it solely for being electronic. QES adds automatic presumption of validity ā useful, but rarely legally required.
Every AdES is backed by a fully verified identity ā via NFC chip data and biometric face match, or via document capture and biometric face match. Cryptographic key pair, Dual Key architecture. Not a DocuSign click. Not a typed name. A provable commitment by a verified person.
QES requires an EU-recognized QTSP ā effectively limiting it to EU signers. IdentiGate AdES works for anyone worldwide: via NFC chip for 179 ICAO 9303 countries, via document + face match for everyone else. A Turkish driver, a Moroccan supplier, a Brazilian partner ā all can sign.
The user's private key is split between their device and our servers ā the server-side half lives in a FIPS 140-2 Level 3 HSM. Neither side can sign alone. "I didn't sign that" becomes cryptographically impossible to claim if both halves were activated.
Every signature includes a qualified timestamp and a sealed evidence record: who signed, what version, when, from which device. Court-ready chain of evidence that travels with the document.
Sign PDFs (PAdES), XML (XAdES), any binary (CAdES), or create standard EU containers (ASiC-E). Long-term validation (LTV) data embedded for verification years later.
Your platform triggers signing via API. The user confirms with PIN2 on their device. You receive the signed document with embedded certificate and timestamp. No redirect, no separate app needed.
The user already has an IdentiGate identity (one-time setup, 90 seconds). Signing is the same credential ā different PIN.
Your platform calls the IdentiGate API with the document hash (or full document). The API creates a signing request linked to the user's verified identity.
The user's IdentiGate app shows what they're signing, who's asking, and the document details. The user reviews and confirms with PIN2 ā the signing PIN.
Both key halves combine to create the cryptographic signature. A qualified timestamp is applied. OCSP confirms the certificate was valid at the moment of signing. Evidence record is sealed.
Your platform receives the signed document with embedded AdES signature, X.509 certificate, timestamp, and OCSP response. Court-ready. Verifiable. Tamper-evident.
An IdentiGate AdES signature is not a rendered image of a name. It is a tamper-evident cryptographic bundle ā the document, bound to five independent proofs, sealed together so any later change is immediately detectable.
The exact contents of the document are hashed. Any byte changed later breaks the signature.
A trusted timestamp authority seals the exact moment of signing. Legally binding "when".
GPS coordinates from the signer's device (not IP ā IPs are VPN-maskable). Records where the person physically was at signing.
The signer's real legal identity from their verified document ā NFC-read from a biometric passport chip, or captured from a document with biometric face match. Not a typed name ā a cryptographically proven person.
Real-time check that the signer's certificate was valid at the exact moment of signing. Courts care about this distinction.
The bundle is a standard X.509 artefact. Any eIDAS-compliant validator ā including the EU Commission's DSS tool ā can verify the chain. No vendor lock-in.
Click-to-sign platforms (DocuSign): fast and easy, but legally weak. No verified identity behind the signature. Essentially SES level ā the signer could be anyone with access to the email.
National eID solutions: QES with strong identity ā but each works only in its own country. A Belgian can sign with their eID, a Swede with theirs. A Turkish driver? No option.
IdentiGate: identity-backed AdES that works worldwide ā via NFC chip (179 ICAO 9303 countries) or document + face match (everywhere else). Stronger than click-to-sign (real identity, real crypto). More global than any national eID (not limited to one country's citizens).
Same integration, same user credential. Your users verify once, then authenticate with PIN1 and sign with PIN2. No separate signing vendor.
Same REST API as identity and authentication. Add signing to your existing IdentiGate integration with minimal additional code. Sandbox available.
Pay per signature. No setup fees, no license costs. The same pricing model as verification and authentication ā predictable and scalable. See Pricing section below.
PAdES (PDF), CAdES (binary), XAdES (XML), ASiC-E (container). OCSP + timestamp included. Long-term validation embedded.
Predictable, transparent pricing. Pay only for signatures you actually produce. Volume-based ā your rate decreases as monthly volume grows.
Need QES today? Available on request via our QTSP partner integration (additional certificate fee applies). IdentiGate QES · coming Q4 2027 when our own QTSP certification completes.
Get Custom Pricing20-minute demo: see identity-backed AdES signing ā live, from a real device, across borders.