Skip to content

Advanced electronic signature in Smart OSH

When you send a document to a worker from Smart OSH for them to sign — a risk assessment, PPE delivery, training certificate — the platform applies a set of technical measures that grant it validity as an advanced electronic signature according to Regulation (EU) 910/2014 (eIDAS).

This page explains what Smart OSH does to guarantee that validity, what evidence it generates and you can consult, and what responsibilities lie with you as the client and data controller.

Section titled “What Smart OSH does to guarantee legal validity”

Smart OSH implements four measures that, together, meet the requirements of the advanced electronic signature:

  • Signing the document with an internal digital certificate that guarantees integrity: any subsequent modification of the document is detectable.
  • Embedded signatory’s signature in the final document.
  • Audit log with complete traceability of the transaction.
  • Legacy evidential document automatically generated for each signature, detailing the full lifecycle.

For each signature made, Smart OSH generates a PDF evidential document signed with an internal digital certificate, also known as a Legal evidential certificate or Legal completion certificate.

This document contains all the electronic evidence of the transaction, divided into two stages:

At the time of sending the document:

  • Full details of the client company: physical address, email and area manager (OSH / HR).
  • Details of the person making the communication (the SPA, where applicable).
  • Origin email account and origin IP address.
  • Unique document identifier.
  • Purpose of the transaction (for example, Risk assessment December 2025).
  • Unique worker identifier, full name and contact details.
  • Date and time of sending.

At the time of receipt and signature by the worker:

  • Destination email account of the worker.
  • IP address from which the document was opened.
  • Image of the signature.
  • Date and time of the signature.
  • Date and time of final processing.
  • Hash of the digital certificate guaranteeing confidentiality and integrity.

The evidence generated is accessible to both the client administrator and the signing worker:

  • The signed document can be viewed from the application front-end.
  • It is also sent by email to the worker and, optionally, to the client.
  • The Legacy evidential PDF can be downloaded from the administrator account.
  • A list of evidence (report) can be generated with: company, document identifier, transaction purpose, worker details, sending date and signing date.

Smart OSH provides the technical infrastructure, but as the data controller under the GDPR there are three points you must attend to:

To ensure the signature unequivocally identifies the signatory, always use the worker’s personal email account within your organisation’s domain. Avoid generic accounts (info@, personal@, etc.).

Include the use of this tool — and the purpose of processing their email account — in the privacy policies or statements you already provide to your workers. This is an obligation under the GDPR that falls on you as the data controller.

Although Smart OSH stores the signed document and evidential certificate persistently, it is recommended as good practice to keep a copy of this documentation in your own internal systems.

Smart OSH relies on the following regulatory framework:

Under Spanish law, the validity of a contract does not require a handwritten signature: it is valid if the parties with legal capacity reach an agreement, whether verbally, electronically or on paper.

Types of electronic signature according to eIDAS

Section titled “Types of electronic signature according to eIDAS”

The eIDAS Regulation is technologically neutral and recognises three types of signature. Smart OSH implements the advanced electronic signature (AES), which is suitable for the usual OSH and HR processes.

A check or acceptance box. It allows expressing consent, but does not reliably identify the signatory. In case of litigation, it is very difficult to prove who accepted the document.

Advanced signature (AES) — the one used by Smart OSH

Section titled “Advanced signature (AES) — the one used by Smart OSH”

Meets four cumulative requirements:

  • It is uniquely linked to the signatory.
  • It allows identification of the signatory.
  • It is created with means that the signatory maintains under their exclusive control.
  • It is linked to the signed data so that any subsequent modification is detectable.

A variant of the AES with a secure creation device certified by a governmental body. It offers the highest legal guarantees (fully equivalent to a handwritten signature) but is not necessary for the usual use cases of Smart OSH.


Source: “Advanced electronic signature in document distribution”, report prepared by Toni Martín Ávila (IT Government Assessor & DPO, IT360.es) for PrevenControl, 22 April 2019.