QES Security: A Checklist for Sole Proprietors and Companies

A Qualified Electronic Signature (QES) is often perceived as a technical detail. A file, a password, a “Sign” button. Something you need for reporting, contracts, or HR documents—and preferably something you don’t want to think about too much.

And that’s actually a good thing. This is exactly how using a QES should feel: calm and routine, without the constant sense that every action hides a risk. But this convenience comes with one critical condition: the key must remain under control.

Because everything signed with a QES is legally considered the decision of its owner—regardless of who actually clicked the sign button or under what circumstances it happened.

That’s why QES owners often have the same questions:

Could someone sign a document without me?
Is it safe to give my key to an accountant?
What should I do if I lose my phone or suspect that someone else knows my password?

In this article, we take a detailed look at why QES security is basic business hygiene, where weak points most often appear, and what practical steps sole proprietors and companies can take to reduce risks.

Why QES security is not “paranoia” but basic business hygiene

The risks associated with a QES are often underestimated. It may seem like problems only happen in large companies or as a result of sophisticated cyberattacks. In reality, most incidents occur in ordinary, everyday situations — without hackers or complex schemes.

Typical consequences of poor QES security look like this:

• a document appears that you don’t remember, but it is formally signed by you;
• a dispute arises over a contract, order, or HR decision;
• liability falls on the QES owner, even if the accountant or contractor acted;
• fines or claims appear retroactively.

For a sole proprietor, a normal level of security means that only the owner has access to the QES, the key and password are not shared, and signing is done only from personal devices. The person knows where the key is stored, can check which documents were signed, and understands what to do if a device is lost or a compromise is suspected.

For a company, this is no longer enough. A system is required: separate QESs for signatories, clearly defined roles, access control, and a transparent document signing process.

Types of key storage and which are more secure

The level of QES security directly depends on where and how the key is stored. There is no universally perfect option, but different storage methods come with different levels of risk. Below is a brief comparison of the most common options.

The order in this table reflects how manageable access to the key is. That’s why a key file on a flash drive is the riskiest option, while a cloud-based or secure application solution is the most stable in terms of control, roles, and access recovery.

For businesses, QES security is primarily about access management, not the physical format of the key.

In the Vchasno.QES dashboard, you can manage issued signatures and see who they belong to. And document signing can be conveniently organized in Vchasno.EDO — with a transparent process and clearly defined roles.

QES storage checklist for sole proprietors: 12 ✓

Most sole proprietors are confident that everything is fine. But when you look at the details, a few weak spots often appear—and they are easy to fix.

We created a basic checklist—not the maximum level of protection, but the minimum that significantly reduces risks.

1. Do not store your QES in messengers, email, or open notes.
2. Do not share your QES password in chats, emails, or voice messages.
3. Create a separate, strong password specifically for your QES and do not reuse it elsewhere.
4. Do not give your QES to an accountant or contractor, even temporarily.
5. If an accountant prepares documents, sign them personally with your own QES instead of delegating the signature.
6. Make a backup copy of the key and keep access to it only for yourself.
7. Protect your laptop with a password and enable automatic screen locking.
8. Enable screen lock on the phone you use to sign documents.
9. Regularly update the operating system and applications on all devices.
10. Sign documents only from your own devices, not from someone else’s or public ones.
11. Review the document content before signing, even if someone else prepared it.
12. Make sure you know where and how to quickly block or revoke your QES if needed.

Company checklist: how to organize employee QESs and access

In companies, QES risks usually arise not from malicious intent but from organizational shortcuts. One signature is used by several people, both the accountant and manager know the password, documents are signed on behalf of the executive when they are unavailable. For tax authorities and counterparties, such signatures look exactly like actions of the QES owner.

A healthy model works differently:

• each signatory has their own QES;
• signatures are not shared, even within the team;
• document preparation is delegated, not the signing itself;
• roles are separated: who prepares, who approves, who signs.

In practice, this is simple: a manager prepares the document, a department head approves it, and the responsible person signs it with their own QES. No file transfers or password sharing.

Approving and signing documents is convenient in Vchasno.EDO, where everyone acts according to their role in the company, and Vchasno.QES allows you to centrally issue and manage employee QESs—without shared keys or access confusion.

Access policy

Even a large company doesn’t need multi-page instructions. One document that defines the rules is enough. Such a policy usually specifies:

• where and how QESs are stored;
• who has signing rights and within what authority;
• a ban on sharing passwords and keys;
• steps to take in case of an incident;
• tracking who signed what and when;
• who is responsible for access administration.

Take this list and create a one-page internal policy. For a start, this is enough—as long as the rules are actually followed.

QES compromise: how to recognize it and what to do

A QES compromise is not always a confirmed hack. More often, it’s the moment when you are no longer sure that only you had access to the key.

Typical warning signs:

• a document appears that you don’t remember signing;
• the QES was used by an accountant or contractor;
• there were suspicious emails or messages.

In such situations, the sequence of actions is critical.

If the QES was used by an accountant or contractor, review all documents from the period of access separately and change the working model going forward.

Common mistakes and how to avoid them

Problems with QESs usually don’t come from complex schemes or deliberate violations. Most often, they are the result of everyday work decisions: giving access to an accountant, keeping the file close at hand. At the moment, this seems logical and convenient—but over time, these decisions create risks.

📌 Mistake 1. More than one person knows the QES password
The correct model is simple: no one except the QES owner should know the password or have access to the key. Document preparation can be delegated; signing cannot.

📌 Mistake 2. The QES or password is stored in messengers or email
The file or password ends up in a chat “so it doesn’t get lost.” But messengers are often connected to multiple devices, backups, or third-party services. In a secure model, the QES and password are stored only in a protected environment, accessible to one specific person.

📌 Mistake 3. There are no written rules for working with QESs in the team
Everyone relies on verbal agreements. When roles change, someone goes on leave, or an employee leaves, confusion arises: who had signing rights and from when.

📌 Mistake 4. One QES is used by multiple people
This happens in small teams: one executive or accountant QES “for everyone.” As a result, it’s impossible to determine who signed a document and under what circumstances. The correct model is a separate QES for each signatory according to their authority.

📌 Mistake 5. Documents are signed from someone else’s or random devices
Signing from a colleague’s computer or a public device may seem trivial, but it means losing control over the environment. A secure model means signing only from your own protected devices.

📌 Mistake 6. Incidents are not documented or analyzed
Even if something goes wrong, it’s treated as a one-off. Without documenting incidents and having a simple action plan, the same mistakes repeat.

📌 Mistake 7. No one is responsible for access
Even in a small company, there should be a person who understands who has which QES and what authority comes with it.

Summary

QES security starts with how work is organized, not with technical settings. It’s important to understand who signs documents, where the key is stored, and how access is controlled. Simple rules are enough: each QES has one responsible person, signing is not delegated along with the key, and actions in case of loss or compromise are defined in advance.

What to do starting tomorrow:

• check where your QES is stored and who has access to it;
• fix weak points using the QES security checklist above;
• document a simple incident response algorithm.