Digital signatures in Costa Rica: what Law 8454 requires and how to comply

Digital signatures in Costa Rica are not a luxury or a future option: they are a legal standard regulated since 2005 by Law 8454 (the Law on Digital Certificates, Signatures and Electronic Documents). Yet most businesses still sign on paper because they never found a tool built for their reality.

What Law 8454 establishes

The law recognizes digital signatures as the legal equivalent of handwritten signatures, provided three requirements are met:

1. Certificate issued by a BCCR-authorized entity — in Costa Rica, the infrastructure is called SINPE and the signing system is GAUDI.
2. Document integrity — the file’s hash must not have changed since it was signed.
3. Non-repudiation — the signer cannot deny having signed.

When these three elements are present, the electronic document carries the same legal weight as a notarized paper document.

The BCCR token challenge

Costa Rican digital signatures require a physical token (USB key) issued by the BCCR or authorized entities (SINPE). The signing process happens locally on the user’s device: the private key never leaves the token.

This creates a technical challenge: applications that want to integrate digital signatures must communicate with the token through a local process (GAUDI Client), validate the certificate against the BCCR server, and build the signature envelope in the correct format.

Most international solutions (DocuSign, Adobe Sign) do not support this flow because it was designed specifically for Costa Rica’s PKI infrastructure.

Why businesses need a native solution

Using a foreign solution creates three concrete problems:

• No BCCR integration: the document lacks legal validity under Law 8454; it only has contractual validity, which can be challenged.
• Data stored abroad: sensitive documents are stored on servers in the US or Europe, which may conflict with Law 8968 (Personal Data Protection).
• Per-signature cost: international plans charge per envelope sent, making it unfeasible to sign purchase orders, employment contracts, and internal documents at volume.

How ArcaSign solves this

ArcaSign was built from the ground up to integrate with GAUDI. The flow is:

1. The user uploads or generates the document on the platform.
2. ArcaSign calculates the SHA-256 hash and sends it to the local GAUDI client.
3. GAUDI signs with the token and returns the signature.
4. ArcaSign embeds the signature in the PDF and records the event in the audit trail.

The resulting document is verifiable by any system compatible with the PAdES standard and is fully valid under Law 8454.

The result: Costa Rican companies that can sign contracts, purchase orders, and HR documents in seconds — with legal validity, no intermediaries, and without their documents leaving the country.