Frequently asked questions (FAQs)
Why is the University of Hamburg introducing electronic signatures (e-signatures)?
The introduction of e-signatures increases the security and traceability of electronic legal transactions. Processes that require signatures can be made more efficient, faster, and more environmentally friendly. E-signatures thus also make an important contribution to optimizing administrative processes at the University of Hamburg.
What is the legal basis for e-signatures in Germany?
In Germany, the legal basis for e-signatures is the Electronic Identification and Trust Services (eIDAS) Regulation (Regulation [EU] No. 910/2014), which creates a uniform framework for all EU member states. This means that e-signatures can also be used in Germany in a legally compliant manner.
The following laws also regulate the use of e-signatures and are therefore relevant in the administrative context of the University of Hamburg:
German Civil Code (BGB):
- Section 126 subsection 3: Under certain conditions, e-signatures can replace handwritten signatures.
- Section 126a: A qualified electronic signature (QES) fulfills the requirements of a written signature where this is legally required.
Hamburg administrative procedures act (Hamburgisches Verwaltungsverfahrensgesetz, HmbVwVfG):
- Section 3a: E-signatures are permitted in administrative procedures and documents signed electronically are equivalent to documents signed in writing.
German Commercial Code (HGB):
- E-signatures are recognized in business transactions and can be used for commercial contracts where a handwritten signature is normally required.
What types of signature are there?
According to the eIDAS Regulation, there are 3 types of e-signature, which differ according to their probative value:
- Simple electronic signature (SES): An example of an SES is a scanned signature or the signature used in an email. This type of signature has the lowest level of security and does not provide proof of the signatory’s identity. Therefore, it is suitable only for procedures that entail a low level of legal risk. In the university context, SESs are frequently used, for example, for signing memorandums, for internal correspondence, and for announcements without legal consequences. In the future, SESs will be available to all University of Hamburg employees via the Sproof Sign tool.
- Advanced electronic signature (AES): This signature offers more security, as it is uniquely linked to and can thus identify the signatory and is created using means under the signatory’s control (e.g., special signature software with personal log-in data). AESs use cryptographic procedures to ensure that no subsequent changes can be made to the documents. They are suitable for contracts with a medium legal risk, such as the signing of teaching contracts or loan agreements in the research context of up to €20,000. AESs will be available via the Sproof Sign software to all University of Hamburg employees who are authorized to sign internally on behalf of the University of Hamburg.
- Qualified electronic signature (QES): A QES fulfills the highest security requirements and has the same legal validity as a handwritten signature. It is based on a qualified certificate that is issued by a trusted service provider and confirms the identity of the signatory. This certificate contains a public key that is used to verify the signature. In addition, the signature is created with the corresponding private key, which ensures that the document cannot be changed unnoticed. As a result, QESs offer maximum security, authenticity, and legal validity. At the University of Hamburg, QESs are used, for example, for contracts relating to procurement and services as well as for collaboration agreements for amounts of €20,000 or more. Employees who are authorized to represent the University of Hamburg externally can use the Sproof Sign application to sign documents with a QES.
What is Sproof Sign?
Sproof Sign is a European e-signature platform that is fully compliant with the EU’s eIDAS Regulation and the General Data Protection Regulation (GDPR). It enables the creation of legally binding e-signatures and is aimed particularly at companies and municipal authorities that have high data-security and compliance requirements.
Why did the University of Hamburg choose Sproof Sign as its signature provider?
In the tendering procedure, Sproof GmbH clearly prevailed over its competitors within the specified-criteria framework. Sproof Sign completely fulfilled all technical and qualitative requirements and showed impressive compliance with all legal and sustainability standards that are of great importance to the University of Hamburg.
Which formats does Sproof Sign support?
Documents in the following formats are supported: PDF, PDF/A, DOCX. Other formats must first be converted into PDFs for electronic signing in Sproof Sign.
How do I get the e-signature via Sproof Sign?
Not all document-based processes are suitable for the use of e-signatures. Therefore, it does not make sense to digitally transfer common processes one to one; rather, the future process should be designed sustainably. Choosing the right type of signature according to the document and context also plays a role here, as this has an impact on the legal validity of the document.
It is important to analyze in detail:
- who (applicant, approver, signatory, etc.)
- signs what (application, report, contract, etc.)
- where (within the University of Hamburg or externally)
- how (specific use case)
- why (liability framework and required legal bindingness).
The roll-out at the University of Hamburg will proceed successively. Not all document-based processes are suitable for e-signature use. We need your help to provide you with a detailed review of your department’s needs. Use the attached Excel template (xlsx) to provide us with the relevant information about your collective signature process. If you are interested, contact us at elektronische-signatur"AT"uni-hamburg.de.
What do I need to bear in mind when signing documents with regard to the legal validity of individual signature types?
The choice of signature type depends on the legal context, the required security level, and the probative value of the signature.
A QES has the highest legal status and is legally equivalent to a handwritten signature. Thus, a document signed with a QES is legally binding and has full probative value.
An AES is also legally binding but does not have the same status as a QES. It meets certain requirements for guaranteeing the identity of the signatory and the integrity of the document, but it is not equivalent to a handwritten signature.
What about the legal validity of documents signed by various parties with different signature types?
If one party signs a document with an AES and the other party with a QES, the document remains legally binding. However, a QES can have stronger legal status, especially in disputed cases, as it fulfills additional security and identity requirements. In practice, combining an AES and a QES leads to a legally binding agreement, with the QES having the stronger probative value. However, it is important to check the specific legal framework and requirements in your particular case to ensure that all expectations are met.
I have already applied for the Sectigo personal signature certificate via the RRZ service portal. The Adobe Acrobat Reader gave a message saying this certificate is not valid for e-signatures.
In order to create a legally recognized signature in accordance with the eIDAS Regulation, you need a certificate from a qualified trust service provider that is on the EU’s List of Trusted Lists. The Sproof Sign application fulfills these requirements. The Sectigo personal user certificate, which is available via the RRZ service portal, comes from a recognized certificate authority. However, not all certificates issued fulfill the requirements for e-signatures according to the eIDAS Regulation. The University of Hamburg only uses the public key infrastructure (PKI) certificate for email encryption and server authentication. Therefore, there is no legally binding e-signature with the Sectigo user certificate.
What is a trust service provider?
A trust service provider is an organization that offers electronic services to ensure the security, integrity, authenticity, and binding nature of digital communication and document management. These services are primarily regulated by the eIDAS Regulation. A trust service provider must be assessed by a competent authority—such as Germany’s federal network agency, the Bundesnetzagentur—and included in the EU’s list of qualified trust service providers (List of Trusted Lists). Thus, services offered by a qualified trust service provider are fully legally recognized throughout the EU. The most important tasks of such providers include issuing digital certificates, providing time-stamp services, and authenticating services.
I have received a signature request from another signature provider (e.g., FP Sign, DocuSign, Adobe Sign, etc.). Can I trust this provider?
Checking the trustworthiness of e-signatures is a very complex issue, as the number of providers has steadily increased in recent years.
First check the following criteria before opening links to signature requests or downloading external documents as part of signature invitations:
- Is the sender of the request (person or company) known?
- Do you have a secure Internet connection (HTTPS)?
- Is any sensitive data being requested?
Contact the sender of the signature request to confirm the choice of provider and its trustworthiness. ISO27001 certification and GDPR compliance (Article 28 GDPR) provide an indication of compliance with the necessary standards in terms of data protection and information security.
If in doubt, contact the information security officer at informationssicherheit"AT"uni-hamburg.de.
How do I know whether my e-signature is recognized under the eIDAS Regulation within the EU and meets the required standards?
There are several ways to validate e-signatures. Software solutions such as Adobe Acrobat Reader or the Sproof Sign application show, for example, whether:
- the certificate was issued by a trustworthy certificate authority
- the certificate is still valid (has not expired or been revoked)
- the certificate matches the specific document.
However, the University of Hamburg recommends checking via official online services such as the eIDAS Dashboard. Compared to commercial software solutions, these offer Europe-wide recognition and the verification of e-signatures according to the highest standards.
What special features apply to e-signatures outside the EU for signatures within a cross-border context—for example, with a US party?
In an international context—for example, for contract signatures involving German and US parties—it is important to ensure that the chosen type of e-signature is legally recognized in both countries.
Contracts should contain specific clauses regulating the use of e-signatures to avoid misunderstandings. For example, it is advisable to make it clear that both parties agree to the use of e-signatures.
The security aspect should also be taken into account when using e-signatures. An AES or a QES generally offers a higher level of security than simple e-signatures.
In both Germany and the United States, it is also important to have proof and records of the e-signature to be able to prove the validity of the signature in the event of a legal dispute.
In general, QESs are recommended for important or extensive documents. Overall, however, it is recommended to seek legal advice in order to clarify the specific requirements and risks in the context of signing an international contract.
What data protection measures are taken and where will my data be stored?
Signed documents are automatically deleted after 30 days unless this setting is deactivated by the user in Sproof Sign. Users can download and delete documents individually at any time.
Sproof Sign uses appropriate transport layer security encryption (TLS 1.3) to transfer documents. The data is end-to-end encrypted between the client and the Sproof servers. In addition, the data is stored securely in Sproof GmbH’s European, ISO-certified, and GDPR-compliant data centers. To guarantee the highest level of data protection and IT security, an order processing agreement clearly defining the framework conditions for data processing and guaranteeing compliance with all necessary security standards was concluded with Sproof GmbH.
What must be observed when storing and archiving electronically signed documents?
The TR-ESOR guideline from the German Federal Office for Information Security (BSI) applies particularly to the long-term archiving of electronically signed documents. To ensure the validity of these documents, the following points should be observed:
- Integrity: The document must not be changed during archiving.
- Qualified time stamp: This must be retained to prove the validity of the signature at a specific point in time.
- Re-signing: It should be possible to renew the document if the original certificate has expired.
The use of special software, such as ELDORADO, is recommended for secure archiving.
Can I also use an e-signature for payments?
No, e-signatures are not permitted for payments due to legal reasons. However, there is good news: a digitalization project is underway in the Department of Finance and Accounting to introduce a system for digital accounting in the administration (Digitales Rechnungswesen in der Verwaltung, DRiVe-IT). With DRiVe-IT, a financial administration system created by the Free and Hanseatic City of Hamburg, the University of Hamburg can digitally create payments that are legally compliant. The University of Hamburg can also use this system to receive and process invoices from the invoicing party in XRechnung format.
Selected invoicing parties are currently being connected to the system step by step. At the same time, some faculties have started as pilot areas to create digital payments for billing teaching contracts and library invoices. Contact Christina Semke at christina.semke"AT"uni-hamburg.de if you have any questions.
What needs to be considered with regard to the use of electronic signatures in the event of staff changes?
Proactively inform the administrators in your affected department at elektronische-signatur@uni-hamburg.de. This is necessary because signature authorizations may change when employees leave or staff changes occur. This has a direct impact on authorization management in Sproof Sign.
If I have further questions about the Sproof Sign application, where can I find answers?
You can find further information on the application in the Sproof Sign FAQs.
Do you have specific user questions? The Sproof Sign Academy provides a structured overview of the application examples and supports you with short videos.