⚖️ Legal Framework & Privacy
Last updated: March 30, 2026 — V6.4
📋 What SBIX Certify Proves
✅ We DO prove
- Existence — The data existed at a specific point in time
- Integrity — The data has not been modified since certification
- Timestamp — The exact date and time of certification (RFC-3161)
- Authenticity — The certificate was issued by SBIX Certify™
❌ We do NOT prove
- Authorship — Who created the content
- Ownership — Who owns the intellectual property
- Accuracy — Whether the content is true or correct
- Consent — Any contractual agreement
This distinction is crucial for legal proceedings. Our certificates are evidence of existence, not declarations of rights. Additional documentation may be required to establish ownership or authorship.
🔐 Technical Standards
SBIX Certify follows internationally recognized standards:
| Standard | Description | Recognition |
|---|---|---|
| SHA-256 | Cryptographic hashing (FIPS 180-4) | NIST, ISO, worldwide |
| RFC-3161 | Trusted timestamping protocol | IETF, ETSI, courts worldwide |
| eIDAS | EU Regulation 910/2014 — Qualified timestamps | 27 EU member states |
| PAdES-B | PDF digital signatures (ETSI EN 319 142-1) | Adobe, ISO 32000 |
| Merkle Tree | Hash tree structure (RFC 6962) | Blockchain, Git, CT Logs |
| Ed25519 | Digital signature algorithm | IETF, OpenSSH, Signal |
🇪🇺 eIDAS Qualified Timestamps
Electronic Identification and Trust Services
Our Pro+ Legal plan includes eIDAS Qualified Timestamps from a Qualified Trust Service Provider (QTSP) on the EU Trusted List.
Article 41 — Legal Effect
"A qualified electronic time stamp shall enjoy the presumption of the accuracy of the date and the time it indicates and the integrity of the data to which the date and time are bound."
eIDAS-qualified timestamps benefit from a legal presumption of accuracy under EU law (Art. 41), unless proven otherwise
Designed for use in EU legal contexts — recognition in all 27 EU member states under the eIDAS framework
Cryptographically binds the timestamp to the data — any modification after certification is detectable
🌍 International Recognition
Our certificates can serve as supporting evidence in common law jurisdictions:
Full legal framework under eIDAS. Qualified timestamps benefit from a legal presumption of accuracy under Art. 41 — designed for use in EU legal contexts.
eIDAS QualifiedPost-Brexit UK retained eIDAS-equivalent rules. May be considered under Civil Evidence Act 1995. Recognition depends on the jurisdiction and the court.
Common LawCryptographic timestamps may support evidentiary use under Federal Rules of Evidence (Rule 901). Admissibility depends on the court and circumstances.
Federal RulesGoverned by the Canada Evidence Act. Cryptographic timestamps may support evidentiary use in commercial disputes. Recognition depends on the jurisdiction and the court.
Common LawElectronic Transactions Act 1999 provides a framework for electronic evidence. Evidentiary weight depends on the specific court and circumstances.
Common LawValuable for patent priority claims and prior art documentation worldwide.
IP Documentation✍️ PAdES Digital Signature
Every SBIX Certify certificate is digitally signed using PAdES-B (PDF Advanced Electronic Signature), ensuring:
- ✅ Authenticity — Certificate issued by SBIX Certify™ / GLABTECH SARL
- ✅ Integrity — PDF has not been modified since signing
- ✅ Verifiable — Check signature in any PDF reader (Adobe, Foxit, etc.)
- ✅ Tamper-evident — Any modification invalidates the signature
Standard: ETSI EN 319 142-1 (PAdES Baseline B-Level)
🏢 Certificate Issuer
| Issuer | GLABTECH SARL |
| Product | SBIX Certify™ v6.4 |
| Location | St-Barthélemy, FR (EU jurisdiction) |
| Infrastructure | EU-based, ASN 30077 |
| Contact | founder@glabtech.com |
🔍 Independent Verification
All SBIX Certify proofs can be verified independently, without trusting us:
Open in Adobe Reader → Signature Panel → "Signature is valid"
Search transaction hash on tzkt.io
Search message hash on explorer.aleph.im
Verify .tsr file with OpenSSL or any RFC-3161 tool
Recalculate SHA-256 of your file and compare
Recompute from leaves using standard algorithm
Even if SBIX disappears, your certificates remain verifiable forever on the blockchain.
SBIX Verify API — In addition to certification, SBIX operates a visual origin engine that detects image copies across 5.4M indexed images. Perceptual hashes only — no images stored. Enterprise POC available under NDA at contact@sbix.io.
🔑 Key Points
Files Not Stored
Your original files are not stored. SBIX works from cryptographic fingerprints — only the SHA-256 hash is kept.
Hash Only
We store only the SHA-256 hash — a 64-character string that cannot reveal your file contents.
No Tracking
No analytics, no advertising trackers, no third-party cookies. Your privacy is respected.
Right to Erasure
Request deletion of your account and associated data at any time.
1. Data Controller
The data controller for SBIX Certify is:
2. Data We Collect
| Data Type | Purpose | Retention |
|---|---|---|
| Email address | Account creation, notifications | Until account deletion |
| Password (hashed) | Authentication | Until account deletion |
| File hash (SHA-256) | Certificate generation | Permanent (blockchain) |
| Filename | Certificate display | Until certificate deletion |
| Client Reference | Certificate identification | Until certificate deletion |
| Requester Identity (optional) | Certificate attribution | Until certificate deletion |
| Timestamp | Proof of existence | Permanent |
| IP address | Security, rate limiting | 7 days (logs) |
3. Data We Do NOT Collect
- ❌ Your actual files or documents
- ❌ File contents in any form
- ❌ Browsing history
- ❌ Device fingerprints
- ❌ Third-party tracking data
- ❌ Marketing profiles
4. How We Use Your Data
- ✅ Generate cryptographic certificates
- ✅ Anchor proofs on blockchain
- ✅ Send email notifications (optional)
- ✅ Process payments (via Stripe)
- ✅ Provide customer support
- ✅ Prevent fraud and abuse
5. Legal Basis (GDPR Art. 6)
| Processing | Legal Basis |
|---|---|
| Account creation | Contract performance (Art. 6.1.b) |
| Certificate generation | Contract performance (Art. 6.1.b) |
| Email notifications | Consent (Art. 6.1.a) |
| Security logging | Legitimate interest (Art. 6.1.f) |
| Payment processing | Contract performance (Art. 6.1.b) |
6. Your Rights (GDPR)
Under GDPR, you have the following rights:
📋 Right of Access
Request a copy of all data we hold about you.
✏️ Right to Rectification
Correct any inaccurate personal data.
🗑️ Right to Erasure
Request deletion of your personal data.
⏸️ Right to Restrict
Limit how we process your data.
📦 Right to Portability
Receive your data in a portable format.
🚫 Right to Object
Object to certain types of processing.
7. Data Retention
- Account data: Retained until you delete your account
- Certificates: Permanent (blockchain is immutable)
- Server logs: 7 days
- Payment records: 7 years (legal requirement)
9. Third Parties
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, payment info |
| Tezos Network | Blockchain anchoring | Hash only (public) |
| Aleph Cloud | Decentralized storage | Hash only (public) |
| QTSP (Pro+) | eIDAS Timestamp | Hash only |
10. Security Measures
- ✅ TLS 1.3 encryption in transit
- ✅ Passwords hashed with bcrypt
- ✅ Ed25519 signatures for certificates
- ✅ PAdES digital signature on PDFs
- ✅ Rate limiting and DDoS protection
- ✅ Regular security audits
- ✅ Minimal data collection principle
11. Contact
For any privacy-related questions or to exercise your GDPR rights:
You also have the right to lodge a complaint with your local data protection authority.