GENERAL INFORMATION
Document Control
Security classification: Public
Version: 1.0
Date: 6 March 2026

Document Review
Prepared by: Audea — 6 March 2026
Reviewed by: Security Officer — 9 March 2026
Approved by: Security Committee — 9 March 2026

Version Control

1. INTRODUCTION
1.1. Overview
This document sets out the service practices of the non-qualified trust service Ommnio Sign, provided by The Ommnio Communications, S.L. (hereinafter OMMNIO).
Ommnio Sign is an advanced electronic signature service for documents that allows users to request, manage, and execute the signing of documents in electronic format through the OMMNIO platform.
The service integrates document management functionalities that enable users to submit documents for signature, track the status of each signature request, store signed documents in the cloud, and send reminders to signers who have not yet completed the signing process.

1.2. Document Name and Identification
This document establishes the Service Practice Statement (“DPS”, from its Spanish initials: Declaración de Prácticas del Servicio) for the non-qualified trust service Ommnio Sign.

1.3. Service Participants
1.3.1. Trust Service Provider
The electronic trust service provider is the natural or legal person that directly provides the service. OMMNIO is the non-qualified trust service provider.

1.3.2. End Entities
End entities are the natural persons or organisations that use or benefit from the Ommnio Sign service for the generation, management, or verification of electronic signatures on electronic documents.
The following are end entities of the Ommnio Sign service: 

• Service clients
• Users or signers
• Relying parties

Service Clients
Service clients of OMMNIO Sign are the companies, entities, organisations, or professionals that contract the service with OMMNIO for the electronic management and execution of documents through electronic signatures.
Clients use the platform to send documents to one or more signers, manage the electronic signature process, and retain signed documents and the associated evidence.
The service client acts as the requester of signature operations and is responsible for using the service within the scope of their professional, business, or organisational activity, as well as for determining the documents submitted for signature and the signers participating in the process.

Users or Signers
Users or signers are the natural persons who use the Ommnio Sign platform to electronically sign documents submitted through the service.
Signers may act in their own name or on behalf of an organisation, depending on the context of the document submitted for signature.
The signer’s identity is linked to the signing process through the identification and authentication mechanisms implemented by the service, generating the corresponding electronic evidence of the signing process.
Signers are responsible for the proper use of the service and the accuracy of the information provided during the signing process.

Relying Parties
Relying parties are the natural persons or organisations that receive documents electronically signed through the Ommnio Sign service and may rely on such electronic signatures to assess the authenticity and integrity of the document.
Before relying on an electronic signature generated through the service, relying parties must verify the integrity of the document and the available signature evidence using the verification mechanisms provided or accepted by the service.

1.3.3. Suppliers
The provision of OMMNIO’s services relies on various services offered by third parties, identified below:

Time Stamping Authority
The Time Stamping Authority (TSA) is a trusted third party that provides the qualified service of issuing electronic timestamps. The TSA is responsible for issuing timestamps to prove that certain data existed and has not been altered from a specific point in time.
OMMNIO uses services from qualified Trust Service Providers that comply with the policies and requirements established in standard ETSI EN 319 421 or equivalent applicable regulations.

Electronic Certification Service Provider
The Electronic Certification Service Provider is the natural or legal person that issues and manages qualified electronic certificates for end entities, using a qualified Certification Authority (CA), and/or that provides other services related to electronic signatures.
OMMNIO uses services from qualified Trust Service Providers that comply with the policies and requirements established in standard ETSI EN 319 411-2 or equivalent applicable regulations.

1.4. Service Usage Limits
The Service Practice Statement and the Terms and Conditions (T&C) constitute the documents that determine the uses and limitations of each service, which are published at: https://www.ommnio.com/terms.html

1.4.1. Permitted Uses of the Service
Users and clients of the Ommnio Sign service may use the platform exclusively for requesting, managing, and executing advanced electronic signatures on electronic documents, within the framework of lawful activities and in accordance with this Service Practice Statement and the Terms and Conditions published by OMMNIO.
In particular, users are permitted to:
Submit documents to one or more signers for electronic signature.
Track the status of each signature request.
Store signed documents and associated electronic evidence on the platform, ensuring the integrity and traceability of the signature.
Send reminders to signers who have not yet completed the signing process.
Verify document integrity and the validity of electronic signatures using the verification mechanisms provided by the service.

1.4.2. Usage Limits and Prohibitions
The Ommnio Sign service shall be used exclusively for the function and purpose established in this document and the applicable terms and conditions, in compliance with current regulations at all times.
Any use that contravenes the provisions of this Service Practice Statement shall be considered misuse for the appropriate legal purposes, thereby exempting OMMNIO, in accordance with applicable legislation, from all liabilities arising from such misuse, whether carried out directly or indirectly by end entities.

1.5. Document Administration
1.5.1. Organisation Administering the Document
The Ommnio Communications, S.L.
Tax ID (NIF): B67351460
Registered office: Sant Francesc, 4 – Cerdanyola del Vallès 08290 Barcelona, Spain

1.5.2. Organisation Contact Details
Contact email: hello@ommnio.com
Website: https://www.ommnio.com

1.5.3. Document Management Procedures
This Service Practice Statement is managed through internal procedures designed to ensure its updating, integrity, and traceability. Final authority over the Statement rests with the OMMNIO Security Committee, which acts as the management body and is responsible for approving, reviewing, and maintaining this document.
The Statement is periodically reviewed by the Security Committee with the aim of keeping it aligned with current regulations, internal requirements, and best practices in service provision. Each modification or update is recorded in the change control section, indicating the date, description of the modification, and the area or person responsible, so that a complete history of the document’s evolution is maintained and traceability of changes is ensured.
When changes are planned that may affect the rights and obligations of clients, users, or relying parties, OMMNIO will notify the affected parties in advance through the usual communication channels, in addition to publishing the updated version on the official website.
Updated versions of the Statement will be published on the official OMMNIO website as soon as possible after internal review and approval, ensuring that users and interested third parties can always access the current version. Internal records of all previous versions of the document are also maintained, ensuring their availability for audit and historical consultation purposes, and demonstrating formal control over document management and its proper application in the provision of the service.
The OMMNIO Service Practice Statement shall be reviewed at least once per year.

2. PUBLIC DECLARATION
2.1. Repository
A public repository is maintained in which information relating to the Ommnio Sign service is published. The repository is available at https://www.ommnio.com.
The repository is available 24 hours a day, 7 days a week, and in the event of system failure, best efforts will be made to restore the service as soon as possible.

2.2. Publication Frequency
The following information shall be published in the repository:
Service Practice Statement.
Terms and Conditions.
Privacy Policy.

2.3. Update Frequency
Service information, including the Service Practice Statement and Terms and Conditions, is published as soon as it becomes available.
Changes to documents are governed by the provisions of Section 1.5.3 of this document.

2.4. Repository Security
OMMNIO does not restrict read access to the information published in the service repository, but establishes controls to prevent unauthorised persons from adding, modifying, or deleting records in the repository, in order to protect the integrity and authenticity of the information.
Reliable systems are employed for the repository, such that:
Only authorised persons can make entries and modifications.
The authenticity of the information can be verified.
Any technical change affecting security requirements can be detected.

3. OMMNIO SIGN SERVICE
The Ommnio Sign service is designed to enable the generation of advanced electronic signatures (AdES) on electronic documents, ensuring the integrity, authenticity, and traceability of the signing process. This procedure ensures that clients requesting signatures, users or signers, and relying parties have reliable mechanisms to verify the validity and consistency of electronically signed documents.
The operational flow of the service is structured in consecutive stages covering the entire lifecycle of the signature, from the creation of the request to the preservation of evidence and daily integrity sealing. Each stage incorporates technical and organisational controls that ensure the unequivocal identification of the signer, the capture of informed consent, the cryptographic execution of the signature, and the preservation of audit records, in compliance with the trust principles required by an advanced electronic signature service.
The steps that make up the functional procedure of the service are detailed below:

1. Signature Request Creation
A service client submits an electronic document to the platform for signature.
The document is securely stored in AWS S3.
A unique request identifier (requestId) and a 256-bit signerToken are generated for each signer.
The request is recorded in the MongoDB database with an initial status of “draft”, ensuring traceability from the start of the process.

2. Signature Invitation Delivery (Multichannel)
The system distributes the signature link through the chosen channel: internal notification on the OMMNIO platform, email, SMS (both through qualified external providers), or direct link/QR.
Each invitation is uniquely associated with the signer and the document, and its validity is time-limited to prevent misuse.

3. Document Access and Review
The signer validates their access using the provided token and, in the case of internal channels, through the user session.
The signer’s status changes to “viewed” and the date and time are recorded.
The system tracks the signer’s progression through the entire document, recording the reading duration and interaction with visual fields, widgets, mandatory fields, or hand-drawn signatures.

4. Signer Authentication
The signer is authenticated using WebAuthn/FIDO2 (biometrics or device PIN) or via SMS OTP, sent through a verified external provider, as a fallback method.
This ensures the unequivocal binding of the signer to the signature operation and the integrity of the process.

5. Consent Capture
The signer explicitly accepts the operation by clicking “Accept and Sign”.
The consent timestamp, reading duration, and confirmation that the document review has been completed are recorded.
This act constitutes the formal capture of informed consent and triggers the execution of the signature.

6. Cryptographic Signature Execution
The backend generates the technical signature using a qualified electronic seal certificate issued by Camerfirma on behalf of OMMNIO, securely stored in AWS Secrets Manager.
Each RSA-2048 signature is complemented by an individual qualified timestamp issued by the FNMT (Fábrica Nacional de Moneda y Timbre) as a qualified Time Stamping Authority (TSA), ensuring the temporal integrity of each signing operation independently.
The signature and timestamp are integrated into the document following the PAdES-LTA format, ensuring its long-term validity.

7. Evidence Generation and Preservation
A Signing Log in PDF format is generated summarising the audit trail.
An immutable Evidence Package in JSON format is created containing all hashes, authentication data, and consent records.
Both the signed document and the evidence are stored in S3 with Object Lock in Compliance mode, preventing deletion or modification for a minimum period of 10 years, configurable per organisation and document type according to applicable legal requirements.

8. Daily Integrity Sealing (Batch Process)
Each day, the hashes of all evidence generated the previous day are grouped into a Merkle Tree.
A new qualified timestamp is requested from the FNMT for the root of the tree, efficiently extending the legal validity of all generated signatures.
This functional procedure ensures that each advanced electronic signature generated through OMMNIO Sign complies with the principles of integrity, authenticity, traceability, and non-repudiation, providing clients, signers, and relying parties with the information and evidence necessary to verify and trust the validity of the electronic signatures.

4. OPERATIONAL SERVICE REQUIREMENTS
4.1. Formats and Standards
The OMMNIO Sign service is specifically designed to work with documents in PDF format, supporting the ISO 32000-2 (PDF 2.0) standard, ensuring compatibility and consistency in electronic document management.
Documents must be compatible with PAdES-LTA (PDF Advanced Electronic Signature – Long-Term Archival), which enables long-term validation of signatures, even after the expiration of the certificates used in the signing process.
To ensure signature integrity, the document must allow the insertion of a CMS/PKCS#7 signature container, ensuring that the ByteRange field covers the entirety of the document content except the signature itself, so that any subsequent modification can be immediately detected.

4.2. Electronic Sealing of Documents
In the provision of the Ommnio Sign service, all electronic documents or data objects managed shall be subjected to electronic sealing using OMMNIO’s qualified electronic seal certificate, regardless of whether the documents sent by clients have been previously electronically signed.
OMMNIO exclusively uses qualified electronic certificates issued by qualified Trust Service Providers that demonstrate compliance with standard ETSI EN 319 411-2; specifically, the qualified electronic seal certificate issued by Camerfirma (AC Camerfirma S.A.).

4.3. Electronic Time Stamping of Documents
In the provision of the OMMNIO Sign service, all electronic documents or data objects managed shall be subjected to qualified electronic time stamping, with the objective of guaranteeing the exact moment at which the document existed.
OMMNIO exclusively uses time stamping services provided by qualified Trust Service Providers that demonstrate compliance with standard ETSI EN 319 421; specifically, the FNMT (Fábrica Nacional de Moneda y Timbre) as the qualified Time Stamping Authority.
In this way, each advanced electronic signature operation performed through OMMNIO Sign is accompanied by verifiable temporal evidence, contributing to the traceability, integrity, and legal validity of the electronic document before relying parties.

5. SECURITY CONTROLS
OMMNIO applies a comprehensive information security approach to protect documents, electronic signatures, and user data in the Ommnio Sign service. The measures adopted ensure the confidentiality, integrity, and availability of information and are organised under the following subsections:

5.1. Risk Management
OMMNIO periodically identifies, analyses, and evaluates risks associated with the information and systems supporting Ommnio Sign. Controls and mitigation measures are implemented based on the identified risk level, ensuring continuous review in the event of changes to the infrastructure, organisation, or operating environment.

5.2. Human Resources Security
All OMMNIO personnel are subject to confidentiality commitments and receive specific training in information security. Security roles and responsibilities are clearly defined, and access to systems and data is managed according to the principle of least privilege.

5.3. Application Security
The applications and systems used by OMMNIO include role-based access controls, segregation of duties, and structured permission management. Users can only access the information for which they are authorised, ensuring that operations are performed within the framework defined by the service.

5.4. Communications Security
All electronic communications are protected through encryption and secure protocols. The service uses HTTPS with a minimum of TLS 1.2, strong encryption of data in transit, and protection mechanisms against common attacks such as XSS, CSRF, and code injection.

5.5. Access Control
OMMNIO ensures that only authorised users can access the systems through robust authentication. Mechanisms such as WebAuthn/FIDO2 and OTP are used, with token expiry and remote device control. User and permission management is carried out under the principle of least privilege.

5.6. Cryptographic Protection
Data is encrypted in transit and at rest. Signed documents and their evidence are stored with AES-256-GCM encryption and securely managed keys, including periodic rotation and centralised control.

5.7. Infrastructure and Systems Security
The technology infrastructure is hosted in segregated and protected environments using firewalls, restricted access for authorised personnel, and centralised patching and update policies. Service availability is ensured through redundancy, failover, and periodic backups.

5.8. Logging and Monitoring
All user operations and relevant system events are recorded in centralised logs and continuously monitored, enabling incident detection, investigation, and full traceability of operations.

5.9. Business Continuity
OMMNIO implements measures to ensure service continuity, including replication of critical systems, automatic snapshots, and disaster recovery procedures with defined RPO and RTO targets.

5.10. Data Centre Security
Data is hosted in certified data centres (ISO 27001:2013), with restricted physical access and exclusive location within the European Union. OMMNIO and its clients maintain full control over the location and protection of information.

5.11. Secure Development
Application development follows security best practices, with separate development, testing, and production environments, automated and manual testing, and code review to prevent vulnerabilities.

5.12. Audits and Testing
Service security is periodically assessed through internal audits and external penetration testing, ensuring that access controls, authentication, and data protection measures remain effective.

5.13. Security Incident Management
OMMNIO maintains documented procedures for the detection, analysis, containment, and recovery from security incidents, including the notification of personal data breaches in accordance with applicable regulations.

5.14. Cessation of Operations
OMMNIO establishes procedures for the termination of its trust services in the event of foreseen or unforeseen causes, ensuring reliable communication to the supervisory body and clients at least three months in advance, the transfer of all records and evidence to a qualified third-party custodian for retention for ten years, and the maintenance of independent verification capability for electronic signatures.

5.15. Regulatory Compliance
The service is provided in compliance with applicable regulations, including Regulation (EU) 2016/679 (GDPR), ensuring the protection of personal data and the proper handling of access requests, rectification, and incident notification by competent authorities.

6. OPERATIONAL AND LEGAL REQUIREMENTS
6.1. Organisational Reliability
OMMNIO has a solid organisational structure with clearly defined roles and responsibilities, documented processes, and control procedures that ensure the proper management of services. The organisation has qualified personnel, redundant systems, and continuous monitoring processes that guarantee the secure and reliable provision of the service to its clients and users.

6.2. Accessibility and Non-Discrimination
OMMNIO’s services are accessible to all natural and legal persons whose activity falls within the operational scope declared by the TSP and who agree to comply with the terms and conditions of the service.
OMMNIO does not discriminate in access to its services and ensures that acceptance criteria and user obligations are applied uniformly to all applicants, guaranteeing equal treatment and transparency in service provision.

6.3. Financial Resources and Stability
OMMNIO maintains sufficient financial resources to guarantee the continuity of its operations and to fulfil the obligations arising from the provision of the service.
The organisation ensures coverage of potential liabilities through the management of its resources and, where applicable, through professional liability insurance policies or similar instruments, in compliance with applicable regulations in each jurisdiction.

6.4. Personal Data Protection
OMMNIO guarantees that the processing of personal data managed within the framework of its services is carried out in strict compliance with Regulation (EU) 2016/679 (GDPR) and applicable national data protection legislation.
The organisation applies appropriate technical and organisational measures to protect the confidentiality, integrity, and availability of personal data, and to ensure that the rights of data subjects can be effectively exercised.
OMMNIO has established a Personal Data Protection Policy, available at: https://www.ommnio.com/privacy
Additionally, OMMNIO has appointed a Data Protection Officer (DPO) responsible for overseeing compliance with applicable regulations and acting as a point of contact for data subjects and competent supervisory authorities. Data Protection Officer contact email: privacy@ommnio.com.

6.5. Intellectual Property Rights
The industrial and intellectual property rights relating to the Ommnio Sign service, including but not limited to texts, photographs, images, trademarks, source code, design, structure, databases, and all information and elements contained therein, are owned by OMMNIO, which holds the exclusive right to exploit them in any form, and in particular the rights of reproduction, distribution, public communication, and transformation.
Acceptance of the terms and conditions and/or the signing of a service provision agreement does not imply, in any way, directly or indirectly, any transfer, assignment, licence, or right whatsoever with respect to the industrial and intellectual property rights owned by OMMNIO.

6.6. Obligations of Participants
6.6.1. Obligations of OMMNIO
OMMNIO guarantees, under its full responsibility, that it complies with all requirements established in this Service Practice Statement, being responsible for compliance with the procedures described, in accordance with the indications contained in this document.
OMMNIO, as provider of the Ommnio Sign service, is obligated to:
Provide the service reliably, securely, and in accordance with this Service Practice Statement and the applicable terms and conditions.
Inform the subscriber of the terms and conditions relating to the service.
Use qualified electronic certificates from a qualified Trust Service Provider.
Use qualified time stamping services from a qualified Trust Service Provider.
Ensure procedures for generating and safeguarding electronic documents in the aforementioned tasks, guaranteeing their protection against loss, damage, or improper manipulation.
Ensure the confidentiality of electronic documents managed by the service.
Maintain, update, and publish the current and valid version of this document.

6.6.2. Obligations of Service Clients
Service clients of OMMNIO Sign, as entities that contract and use the platform, are obligated to:
Use the platform solely for lawful purposes and within the scope of their professional, business, or organisational activity.
Responsibly determine the documents submitted for electronic signature and the signers participating in the process.
Ensure they possess the necessary rights over the documents, content, and information sent for signature, including intellectual and industrial property rights.
Comply with the terms and conditions of the service and with applicable regulations, assuming responsibility for any damages arising from non-compliance.

6.6.3. Obligations of Users and/or Signers
Users or signers, as natural persons executing the electronic signature on documents, shall:
Act diligently and responsibly when using the platform, ensuring the accuracy of the information provided during the signing process.
Comply with the authentication and consent mechanisms established by the service, including the complete review of the document and explicit acceptance before signing.
Protect their authentication credentials (passkeys, OTP codes) and associated devices, being responsible for any misuse thereof.
Sign only documents over which they have authorisation or responsibility, avoiding the use of the platform for illegal, immoral, or otherwise unacceptable purposes.

6.6.4. Obligations of Relying Parties
Relying parties that receive documents electronically signed through OMMNIO Sign are obligated to:
Verify the integrity of the document and the validity of the electronic signature using the verification mechanisms provided by the service.
Act with due diligence when relying on the electronic signature for the acceptance of documents, considering the available technical and legal information.
Not use the documents or associated information in a manner contrary to law, the rights of document holders, or the purposes envisaged by the service.

6.7. Liability and Warranties
6.7.1. Disclaimer of Other Warranties
OMMNIO declares that the Ommnio Sign service is provided in accordance with this Service Practice Statement and the applicable terms and conditions, and disclaims any warranty not legally required, except those expressly provided for under applicable regulations.

6.7.2. Limitation of Liability
OMMNIO’s liability is limited exclusively to the proper provision of the Ommnio Sign service, under the terms established in the Statement and the T&C.
OMMNIO shall bear no liability in the following cases:
Fraudulent, negligent, wilful, or abusive use of the platform by the client, user, or signer.
Lack of truthfulness, integrity, or authenticity of the information, documents, or content managed through the service, particularly when supplied by clients or users.
Incorrect functioning of the service due to causes not attributable to OMMNIO, including force majeure, fortuitous events, or scheduled maintenance previously communicated.
Loss, destruction, or alteration of electronic documents outside the direct control of OMMNIO, once delivered to the client or signer, including documents previously signed by third parties or by the client themselves.
Attacks, unauthorised access, or damage caused by external third parties, provided OMMNIO has applied the security measures and due diligence set out in its security policies and practices.

6.7.3. Force Majeure and Fortuitous Events
OMMNIO shall not be liable under circumstances constituting fortuitous events or force majeure.
A fortuitous event is understood as any occurrence that is impossible to foresee, or that, even if foreseen, is unavoidable. Force majeure is understood as any extraordinary, unforeseeable, or unavoidable situation arising from an area external to OMMNIO that prevents or significantly hinders the provision of the service.
Accordingly, OMMNIO shall assume no liability whatsoever for situations such as: war, natural disasters, electrical service failures, interruptions in telecommunications networks, or dysfunctions in third-party IT infrastructure, provided such situations are not attributable to OMMNIO.

6.8. Legal Framework and Jurisdiction
6.8.1. Applicable Regulations
OMMNIO establishes, in this document and in the terms and conditions of use of the service, that the applicable legislation for the provision of Ommnio Sign is Spanish law.
Without prejudice to the above, among the main regulations directly applicable to electronic signature and trust services, OMMNIO declares its particular attention to compliance with the following applicable regulations:
Regulation (EU) 910/2014 (eIDAS) on electronic identification and trust services for electronic transactions in the internal market.
Regulation (EU) 2016/679 (GDPR) on the protection of personal data.
Law 6/2020, of 11 November, on certain aspects of trust services and electronic signatures in Spain.
Directive (EU) 2022/2555 (NIS2) on measures for a high common level of cybersecurity across the Union, applicable to OMMNIO as a trust service provider.
Regulation (EU) 2024/1183 (eIDAS2) amending Regulation (EU) 910/2014 as regards the establishment of the European Digital Identity Framework.
ETSI EN 319 401 — General Policy Requirements for Trust Service Providers.

6.8.2. Severability, Survival, Entire Agreement, and Notification Clauses
OMMNIO establishes, in the terms and conditions of the service and in this document, the following clauses:
Severability: The invalidity of any clause shall not affect the remainder of the document or the agreements between the parties.
Survival: Certain obligations shall remain in force after the termination of the service, particularly the requirements contained in the sections relating to: Personal Data Protection, Obligations of Participants, and Liability and Warranties.
Entire Agreement: This document and the terms and conditions of the service contain the complete will and all agreements between the parties.
Notification: Communications relating to the service shall be made through the means indicated in the terms and conditions or, failing that, as established in Section 1.5 of this document.

6.8.3. Jurisdiction Clause
OMMNIO establishes in the terms and conditions of the service and in this document that judicial competence shall correspond to the Spanish courts, without prejudice to the application of private international law and procedural law rules that may be relevant.

6.8.4. Dispute Resolution
OMMNIO has internal procedures for dispute management and conflict resolution related to the provision of Ommnio Sign.
The parties shall attempt to resolve any disagreement by mutual agreement. If a solution is not reached, disputes shall be submitted to the jurisdiction of the competent courts in Spain, with express waiver of any other jurisdiction that may apply.

ANNEX. ACRONYMS