Frequently asked questions and operational responses
In this section, we answer the most commonly asked questions about Transfer.legal.
Transfer.legal offers a wide range of tools to let you manage confidentiality and traceability of your voluminous data sending: timestamp service, data encryption, tracking, datalog function… To our knowledge, it is the only solution that offers so many services that comply with data governance regulation.
Transfer.legal relies on a set of French, European and International standards, the most important of which include:
- RGS (general security database drawn up by the French government)
- Common core PSCO (ETSI EN 319 401) ;
- Electronic archiving (NZ42-013) ;
- Timestamp service (ETSI TS 102-023).
Transfer.legal also relies on internal policies that describe the different services. Among these, the most important are:
- Encryption key and secret management policy
- Proof policy
- Archiving policy
We provide you with an API to be able to easily integrate Transfer.legal in your information system.
Two versions are available:
- A REST version that requires understanding of encryption mechanisms ;
- Ready-to-use libraries that can be embed directly in your projects.
If you are interested in using our API, please contact us directly.
A transaction can be of four types:
- Data sending for delivery;
- Data download;
- Request for data sending (solicitation);
- Response to solicitation and associated sending.
For each of these transactions, a set of technical information are collected to identity the parties: sender, recipient(s), date of sending and receipt, events linked to sending and to alerts (by sms and email).
These transactions are recorded in an unforgeable log.
Traceability allows you to know who had sent what, to whom and when. To ensure the relevance of the information, Transfer.legal uses techniques for purposes of proof: certified timestamp of the logs, cryptographic chaining…
A proof system provides technical procedures which will enable you to reliably know:
- The identity of the sender and the recipient;
- The date of sending and the existence of the data on that date;
- The date of receipt.
Proof may be produced in court to assert your rights.
A trusted service is more reliable if it is itself based on a group of certified actors.
This concept refers to a simple instruction: regain control upon your data! Most services are not very transparent on this issue or provide unpersuasive explanations on actual data location. Worse, data location often determines which law would apply and consequences for lawful rights holders can be considerable.
A timestamp service provider certifies the date of a data and its existence at this date. It undertakes, in addition to the reliability of the provided date, to store the proof of this date (timestamp token) over time.
A timestamp token is issued by a timestamp service provider. It contains:
- Data footprint (hash) that has been timestamped;
- Date and UTC time;
- The identifier of the certificate that generates the token.
The token ensures that a data (represented through a footprint or a hash) is associated with a time value.
Transfer.legal uses a portion of the blockchain technology, namely for the event log that uses a cryptographic chain between each transaction. The use of a trusted third-party for each transaction ensures its inviolability. It is of course possible to integrate Transfer.legal technology in a public (bitcoins or similar) or private blockchain.
Today, blockchain is presented as an alternative trust model to traditional models. From trust, considered as the capacity for another person to deliver information or a reliable service, results the concept of proof. The use of a third party is essential to date a document or certify its existence.
In a classical approach, the third party is said to be trusted as it derives its legitimacy from a legal or normative environment that it undertakes to comply with. An external audit ensures this compliance.
In a decentralized approach, trust relies on verification made by a consensus amongst players. Thus, the rule in place ensures trust without the need for regulation or external control. The system produces, endogamically and by construction, its own legitimacy.
Beyond theory, factual differences that may be pointed out are:
- Data storage: most of the time, blockchain services only store data footprint. It is up to the owner to ensure data sustainability and retention over time, which is often a more difficult task than expected. The archiving option in Transfer.legal ensures that data are retained over the long term;
- Contractual obligation and predictability: blockchain services do not have contractual obligation regarding successful completion of the transactions, long-term durability, data transfer and reversibility… With clear commitments, Transfer.legal really undertakes to provide a predictable service regarding the modalities of its implementation over time;
- Preserved anonymity: this aspect is ignored but blockchain, when it is public, provides no guarantee of anonymity. Our service is based on a private log that is only accessible to external auditors under certain conditions to be laid down by public authorities or by yourself;
- Data location: data are disseminated among interested parties that build the consensus. The archiving option enables to locate data in the country of your choice.
Usual services are often focused on a specific use:
- Large file transfer;
- Electronic registered mail for dematerialized letter;
- Collaboration and file sharing;
- Encryption of correspondence.
Transfer.legal provides, upon request, all these services to which it adds proof services.
This is a binding contractual agreement. If you choose the Business offer, you choose the location of your data within our archiving service.
The audit function is the guarantee of the control and of the complete and permanent traceability of events occurring in the system in order to trace transactions.
Transfer.legal uses encryption technology AES 256 CBC.
Data are encrypted on our servers and encryption keys are accessible only by you after having been authenticated.
You can recover encryption keys on request.
Authentication can be defined as a procedure to verify the identification of a natural person thanks to technical means, such as a password, a secret code, an answer to a question or a digital securing (for instance: a digital certificate).
Within Transfer.legal, you have access to different authentication modes according to the level of identification you expect from the recipient:
- Only by electronic mail system;
- By the use of an OTP;
- By the registration on Transfer.legal.