Login
Terms and Conditions and LicencesPrivacy Policy
FIPS 140-3
Common Criteria EAL5+

Products

  • ProvenHSM
  • Qualified Signature Creation Device (QSCD)
  • Software Developer Kit (SDK)
  • Security Applications
  • ProvenCore OS and TEE

Use Cases

  • Data Protection
  • PQC Migration
  • Key Management & Cloud KMS
  • Confidential Computing
  • Finance Innovation
  • eIDAS Signature and Identity Wallet
  • Multi-Party Computation (MPC)

Resources

  • Blog and Whitepapers
  • Security and Certifications
  • Integrations

Company

  • Careers
  • About

eIDAS v1 Qualified Signature Application

This application supports qualified remote electronic signatures under Regulation EU 910/2014. It runs inside the ProvenHSM network-attached HSM on top of the ProvenCore formally proven trusted execution environment.

Controlled auditable execution environment

Flexible deployment for QTSPs

Get Started
eidas 1/0

CAPABILITIES

What This Application Does

The eIDAS v1 Qualified Signature Application provides a secure runtime environment for qualified remote signature workflows, where regulatory control is enforced independently from business applications and identity services.

Signature Activation Module (SAM) Logic

Enforcement of Signer Sole Control and Intent

Validation of Signature Activation Data (SAD)

Separation between regulatory enforcement and cryptographic operations

The application does not replace existing SAM or SSA products. It provides a trusted execution environment in which those products can run.

ARCHITECTURE

How It Runs on ProvenHSM

The application runs as an isolated workload inside ProvenHSM, protected by the ProvenCore TEE operating system.

Isolated Security Domain

The SAM runs in its own isolated security domain within ProvenCore TEE OS.

Optional HSM Alongside

Cryptographic HSM functionality can run alongside it, in a separate isolated domain.

Explicit & Auditable

All interactions between components are explicit and auditable.

Controlled Exposure

No generic cryptographic interface is exposed unless explicitly required by the deployment model.

DEPLOYMENT

Deployment Options

The application supports deployment models commonly used by QTSPs and ISVs.

Bundled SAM + HSM

SAM and cryptographic HSM applications run on the same ProvenHSM appliance.

  • Strong isolation enforced by ProvenCore

  • No external PKCS#11 exposure required

  • Simplified integration and operational footprint

SAM-only + External HSM

SAM and cryptographic HSM applications run on the same ProvenHSM appliance.

  • External HSM: another ProvenHSM or third-party CC-certified HSM

  • Suitable for reusing existing HSM infrastructure

  • Adopt ProvenHSM without disrupting established architectures

CERTIFICATION

Certification Status & Roadmap

Certification is typically driven by the ISV providing the SAM software, with ProvenRun supporting integration and evaluated configurations.

By isolating applications and minimizing shared trusted code, ProvenHSM helps reduce evaluation scope and timelines compared to monolithic designs.

Pending certifications 2026

Certification FIPS

Certification FIPS

EAL 5+ Common

EAL 5+ Common

Current Status

An MVP is available today for demonstration, evaluation, and early integration. The current implementation is not yet Common Criteria certified.

Target Assurance

EAL5+ — following EN 419 241-2 for the SAM and EN 419 221-5 for cryptographic modules, where applicable.

AUDIENCE

Who This Is For

Designed for professionals operating qualified trust infrastructures.

Qualified Trust Service Providers (QTSPs)

Deploying or modernizing qualified remote signature services.

Independent Software Vendors (ISVs)

Developing SAM or SSA products and looking for a certification-oriented execution platform.

Security Architects & CTOs

Responsible for long-term maintainability, auditability, and regulatory alignment.