Frequently Asked Questions

General / About Services

Who is Trusted Signatures?

Trusted Signatures is the document-trust layer that connects cybersecurity controls to legal rigor and financial protection. We apply PKI-based, standards-compliant PDF seals that are tamper-evident and auditable, so critical files hold up in reviews, audits, and cash-flow processes. (Built on ISO 32000 PDF signatures with DocMDP permissions, legal attestation, timestamping, OCSP/CRL, and version-comparison capabilities.)

Our mission: Make verifiable documents the default for business — simple, affordable, and ubiquitous.

What is Publisher — Trusted PDF Sealing?

Publisher applies an organizational cryptographic seal to your PDFs so recipients can confirm origin and detect any tampering directly in Adobe Acrobat/Reader and other PAdES-aware viewers. Your documents never leave your environment—we sign a cryptographic digest, not your file.

What recipients see:

  • A certificate-based signature that validates in Acrobat/Reader (blue ceritified experience).
  • Clear signer/certificate details; optional restrictions on what can change after sealing
  • Document is tamper-evident with clear signer details.

Built-in assurances:

  • PAdES-compliant sealing with Long-Term Validation (LTV) options (configurable)
  • RFC 3161 timestamping plus embedded OCSP/CRL data for offline verification (configurable)
  • Non-exportable keys protected by FIPS 140-2/140-3 Level 3 HSMs
  • DocMDP/Certification profiles to limit post-seal edits (e.g., form-fill only)

How it fits your workflow:

  • Integrate via API, CLI, Web sealing, or Zapier; no uploads required and browser-based sealing keeps the PDF on the local device
  • Ideal for invoices, statements, reports, and any PDF that must be provably authentic outside an e-signature flow

See Pricing to learn more about our pay-as-you-go, no license fees model and use an estimator to predict your costs.

View Pricing
What is Publisher Identity - AATL OrgID and EU Advanced OrgID

An annual add-on that issues a dedicated organizational certificate in your organization’s name from an Adobe Approved Trust List (AATL) provider, so your sealed PDFs show your organization as the signer in Acrobat/Reader.

EU Advanced OrgID is an annual add-on that issues your business name appear in the seal using an organizational certificate from an EU Trusted Lists (EUTL) Certificate Authority.

What recipients see:

  • In Acrobat/Reader (and other PAdES-aware viewers), recipients see the blue certified signature indicator with your organization listed as the signer.

See Pricing to learn more about Identity.

View Identity Pricing
How is using an Identity add-on different from Publisher - Trusted PDF Sealing?

Publisher sealing uses our default certificate (OrgID). Identity add-ons put your organization’s identity on the seal while keeping the same API/CLI/Web sealing/Zapier integration.

Trust path note: PDFs sealed using Publisher, without an Identity add-on, support eIDAS Advanced electronic seals (AdES) and validate in Acrobat/Reader and other PAdES-aware viewers.

Compliance & Trust

Do you store our PDFs?
No. Trusted Signatures does not ingest or store document content or filenames. Our service operates on non-reversible SHA-256 digests and certificate status data (OCSP/CRL, timestamps). Details: Trust and Security
Security Details
What encryption and key protections do you use?
TLS in transit; encryption at rest where applicable; SSO/MFA and RBAC for access control; audit logging via AWS CloudWatch. Signing key material is protected by FIPS 140–validated HSMs (Level 3 where applicable). Controls: Trust and Security
Security Controls
Where are you hosted?
We run on AWS U.S. (Central). See hosting and regional details here: Trust and Security.
Does Publisher Identity - EU Advanced OrgID meet Qualified seals standards?
We support Advanced Electronic Seals (AdES) with Publisher and Publisher Identity - EU Advanced Org ID services. Qualified Electronic Seals (QSeal) are not available
Do you comply with PCI DSS?
Yes. Trusted Signatures processes payments through Stripe, a PCI DSS Level 1–certified provider. We never store or transmit cardholder data on our own systems. Our focus is on securing your digital documents, not your payment credentials.
What data do you retain?
Account/billing data, API/service logs, SHA-256 digests, and certificate/validation status data necessary to operate the Service. Current retention windows are published in our Privacy Policy
Privacy Policy
Do you have a DPA?
Yes. Our Data Processing Addendum (DPA) defines roles, security measures, transfers (SCCs/UK addendum), and subprocessor governance. Find it here: Data Processing Addendum
View DPA
Where can I see your subprocessors?
We maintain a live Subprocessor List with vendor purposes, regions, and safeguards. Updates to that page constitute notice under our DPA. Subprocessors
View Subprocessors
Do you support HIPAA? Can you sign a BAA?
The Service is not designed to receive PHI. Customers must not send PHI in PDFs, filenames, or support materials. If required, we can execute a limited BAA covering narrowly defined operational metadata (e.g., logs, digests, certificate status), expressly excluding document content. Overview: Trust and Security Contact us for more details.
HIPAA Details
What’s the difference between AATL OrgID and EU Advanced OrgID?
AATL OrgID uses a CA recognized on Adobe’s AATL for global Acrobat/Reader trust.
EU Advanced OrgID uses an EUTL-listed provider aligned to eIDAS Advanced (AdES) for PAdES. Many recipients will see both validate in Acrobat; on-screen banners depend on the viewer’s trust store and configuration. See validation context in Trust and Security. Contact us for more details.
Trust Details
Do you have SOC 2?
Our cloud provider (AWS) maintains SOC 2 Type II and related certifications. We complement this with internal controls (MFA/RBAC, monitoring, SDLC, incident response). Summary: Trust and Security
Security Summary
Are you responsible for Certificate Authority or trust-program decisions?
Certificate Authorities and trust programs (e.g., AATL, EUTL) make independent issuance/revocation and inclusion decisions. TS does not control those decisions; our Terms clarify risk allocation and no refunds/credits for third-party trust-program actions. See Terms §7 and §15: Terms
View Terms
How do we report a security issue?
Email privacy@trusted-signatures.com with steps to reproduce. Legal notices: Michelle@trusted-signatures.com and Brad@trusted-signatures.com Our security posture and responsible disclosure notes: Trust and Security
Report Issue

Technical Details

What formats do you support?
PDF today. XML/JSON and other formats are on our roadmap. Contact us if you have questions about future services.
How does your system detect tampering?
Any byte-level change breaks the signature. Validators compare the sealed digest and embedded trust data to detect alterations instantly.
Can I integrate via API?
Yes. We offer a REST API, cross-platform CLI, Web sealing for browser-based local signing, and a Zapier integration for no-code workflows and CI/CD.
API Documentation CLI Documentation
What about timestamping and LTV?
We support RFC 3161 timestamping and Long-Term Validation (LTV). Enabling –ltv in the CLI embeds revocation/timestamp data so documents remain verifiable even after certificate expiry.
CLI Documentation
What happens if a certificate expires or is revoked?

Expiry: With LTV (--ltv) enabled, previously sealed PDFs remain verifiable after certificate expiry because the timestamp and revocation evidence are embedded. We renew/rotate our default EUTL/AATL organizational certificate ahead of expiry; new seals use the renewed certificate. No action is required on your side, and existing documents remain valid.

Revocation (hypothetical): If our default certificate were ever revoked, PDFs sealed before the revocation and sealed with LTV would continue to validate based on their time-of-signing evidence. Viewers may indicate the certificate is currently revoked while still showing that the signature was valid at signing time. Documents sealed without LTV may display warnings depending on the viewer and network availability.

Are there rate limits or file size limits?

PDF size: No imposed limit—Publisher only receives a 256-bit digest regardless of the file size. However, the CLI and Zap process the PDF in memory within your environment, which may create de facto limits based on your system or automation constraints.

Rate limiting: None currently on API keys; we may introduce fair-use rate limits at any time to protect service stability.

How do you keep cryptographic keys secure?

We generate and keep signing keys inside certified Hardware Security Modules (HSMs) validated to FIPS 140-3 Level 3. Private keys are non-exportable and all signing occurs inside the HSM boundary. Production access is controlled by role-based IAM, least privilege, and dual control for sensitive operations; credentials are encrypted and rotated, and every key operation is audited and monitored. (Where applicable, our HSMs also carry Common Criteria evaluations, e.g., EAL4+.)

Your documents never leave your environment—we sign a cryptographic digest, not your file.

Security Details
How many API keys can I create under a single subscription?
There is currently no limit.

Pricing & Plans

How is pricing structured?

Publisher (sealing) is a usage-based monthly subscription. Identity (OrgID)—AATL or EU Advanced—is an annual add-on with rate breaks for multi-year terms. Identity can only be used with a Publisher service.

Use our pricing calculator for an estimate or to learn more about Identity Add-on pricing.

View Pricing
Is there a free demo for Publisher?
Yes. We offer a free test version of Publisher to try sealing in minutes. Just create an account and go to the Publisher page. It’s not billed, no credit card is required, and it isn’t a “free trial.” You can also use these test keys to configure and test your workflow without getting charged. When you’re ready, add a payment method and continue seamlessly.
Try Free Demo
When does billing start and how are invoices generated?
Your Publisher billing-cycle month starts on the date you add a verified payment method (your “subscriber” start date). Charges to your payment on file are issued monthly and reflect your usage in that cycle. Your Identity add-on services are billed immediately based on the length of term you selected. There are no refunds for Identity products once a certificate has been issued.
Are there minimums or long-term commitments?
Not for Publisher - Trusted PDF Sealing which is pay-as-you-go - no seat licenses, no monthly service fees, and no long-term commitments. Cancel anytime. Publisher Identity Add-ons offer annual options and are non-transferable and non-refundable after issuance.
Do you offer volume discounts?
Yes. Volume tiers are applied automatically based on your Publisher usage within each billing-cycle month. Your tier resets at the start of each new cycle. We offer multi-year rate discounts for Identity products.
Can I switch trust paths later?
Once a Publisher Identity OrgId (AATL or EU Advanced) is issued there is no refund. If you have multiple workflows you can add Identity services or use a single add-on with Publisher’s Trusted Signatures OrgID by creating and assigning keys. Contact Support for more.
How is Publisher usage measured?
Usage is measured by successful sealing operations on individual PDFs initiated via Web sealing, CLI, API, or Zapier. We don’t count pages, signer fields, or downloads. Copying or distributing a sealed PDF doesn’t affect usage. If a PDF changes and you seal the updated file, that’s a new sealing operation.
Are there taxes or additional fees?
Applicable taxes may be added based on your billing location. The pricing calculator provides estimates and may not include taxes.

Integration & Developer Experience

How do I get started?
Grab the API documentation, CLI documentation, and sample code to seal your first PDF in minutes. You can create a test API key to test without billing.
API Documentation CLI Documentation
What integration options are available?

We offer three ways to integrate:

  • CLI: Cross-platform command-line tool for sealing in scripts, CI/CD, and back-office jobs
  • REST API: Call from any language; our docs include sample requests and responses
  • REST API: Call from any language; our docs include sample requests and responses
  • CLI: Cross-platform command-line tool for sealing in scripts, CI/CD, and back-office jobs
  • Web sealing: Seal PDFs directly in the browser without uploading documents to Trusted Signatures
  • Zapier integration: No-code workflows; trigger sealing from tools you already use
  • Cloud Connector: Keep orchestration in your Azure, AWS, GCP, or Kubernetes environment
  • Power Automate: Trigger sealing from Microsoft workflows through Cloud Connector for Azure

Official SDKs: We don’t offer SDKs, and they’re not on our roadmap right now. You should use a PDF SDK (available for any number of languages) to apply the signature and DSS into your PDF, or use our CLI.

Can I use my own certificate?
No. Neither Adobe nor the EU permits keys generated outside our HSMs.
Do you have audit logs and a sandbox?

Testing/demos: You can create demo API keys against a self-signed certificate we provide so you can test your implementation without incurring usage charges; behavior mirrors production.

Audit & usage visibility: We maintain internal audit logs of sealing operations for security and billing. Once subscribed, you can access a customer-facing usage report in your account. If you need event-level exports, contact us.

How do I authenticate API requests?
Use your API key ID and generate an HMAC with your API key with each request as described in the API documentation (header-based authentication). The Zap and CLI do this for you automatically. Rotate API keys regularly and scope them per environment. You can limit keys so they only may be used from your network and expire up to a maximum of one year after creation.
API Documentation
Do you offer API versioning and deprecation notices?
Yes. We version the API and provide deprecation notices with advance timelines in the docs and changelog.
Where can I check service status and incident history?
Contact Support if you have questions or are experiencing a service outage.
Contact Support

Validation & Policy

How do recipients know a document is authentic?
In Adobe Acrobat/Reader—and other PAdES-aware PDF viewers—recipients see a blue seal with your organization and trust details. You can also point them to our web-based validator for a human-readable view.
PDF Validator
Do you provide a validator?
Yes. We provide a free web-based validator that checks the signature and trust data of a sealed PDF. It reviews signature metadata (certificate chain, timestamping, OCSP/CRL) and shows a human-readable result. We do not store your document or its signature metadata.
Try PDF Validator
What if Acrobat shows a yellow warning?
A yellow triangle usually indicates missing LTV/timestamp data or an offline revocation check. Re-seal with LTV enabled or open while online so trust data can refresh.
Can I define custom validation policies?
Not at this time. You can rely on the built-in behavior of PAdES-aware viewers (e.g., Adobe Acrobat/Reader) and our web-based validator for a human-readable view. If your organization requires policy enforcement (e.g., allowed CAs, timestamping/LTV rules, PAdES profiles), contact support to discuss enterprise options.
Contact Support
Do you support timestamping (RFC 3161 / LTV)?
Yes. Publisher supports RFC 3161 timestamping and Long-Term Validation (LTV). Enable --ltv in the CLI to embed timestamp and revocation data for long-term verification. Review CLI documentation
CLI Documentation
What happens if we stop using Trusted Signatures?
Previously sealed documents remain verifiable. No change to their trust status.

Customer Success

How do I get support?
Email or chat via Matrix, our support portal. See our support page for details.
Contact Support
Can you help with certificate procurement?
Yes—we work with multiple CAs and will guide you to the right option.
Can I white-label this for clients?
Yes—white-label and reseller programs are available. Contact support@trusted-signatures.com.
Contact Sales