diff --git a/lib/Db/File.php b/lib/Db/File.php
index 856df3dc3e..07c112f51c 100644
--- a/lib/Db/File.php
+++ b/lib/Db/File.php
@@ -41,6 +41,8 @@
  * @method int getModificationStatus()
  * @method void setSignatureFlow(int $signatureFlow)
  * @method int getSignatureFlow()
+ * @method void setDocmdpLevel(int $docmdpLevel)
+ * @method int getDocmdpLevel()
  */
 class File extends Entity {
 	protected int $nodeId = 0;
@@ -56,6 +58,7 @@ class File extends Entity {
 	protected ?array $metadata = null;
 	protected int $modificationStatus = 0;
 	protected int $signatureFlow = SignatureFlow::NUMERIC_PARALLEL;
+	protected int $docmdpLevel = 0;
 	public const STATUS_NOT_LIBRESIGN_FILE = -1;
 	public const STATUS_DRAFT = 0;
 	public const STATUS_ABLE_TO_SIGN = 1;
@@ -83,6 +86,7 @@ public function __construct() {
 		$this->addType('metadata', Types::JSON);
 		$this->addType('modificationStatus', Types::SMALLINT);
 		$this->addType('signatureFlow', Types::SMALLINT);
+		$this->addType('docmdpLevel', Types::SMALLINT);
 	}
 
 	public function isDeletedAccount(): bool {
@@ -102,4 +106,12 @@ public function getSignatureFlowEnum(): \OCA\Libresign\Enum\SignatureFlow {
 	public function setSignatureFlowEnum(\OCA\Libresign\Enum\SignatureFlow $flow): void {
 		$this->setSignatureFlow($flow->toNumeric());
 	}
+
+	public function getDocmdpLevelEnum(): \OCA\Libresign\Enum\DocMdpLevel {
+		return \OCA\Libresign\Enum\DocMdpLevel::tryFrom($this->docmdpLevel) ?? \OCA\Libresign\Enum\DocMdpLevel::NOT_CERTIFIED;
+	}
+
+	public function setDocmdpLevelEnum(\OCA\Libresign\Enum\DocMdpLevel $level): void {
+		$this->setDocmdpLevel($level->value);
+	}
 }
diff --git a/lib/Db/SignRequestMapper.php b/lib/Db/SignRequestMapper.php
index 8fddbebe17..30745d6ec2 100644
--- a/lib/Db/SignRequestMapper.php
+++ b/lib/Db/SignRequestMapper.php
@@ -501,6 +501,7 @@ private function getFilesAssociatedFilesWithMeQueryBuilder(string $userId, array
 				'f.metadata',
 				'f.created_at',
 				'f.signature_flow',
+				'f.docmdp_level',
 			)
 				->groupBy(
 					'f.id',
@@ -512,6 +513,7 @@ private function getFilesAssociatedFilesWithMeQueryBuilder(string $userId, array
 					'f.status',
 					'f.created_at',
 					'f.signature_flow',
+					'f.docmdp_level',
 				);
 			// metadata is a json column, the right way is to use f.metadata::text
 			// when the database is PostgreSQL. The problem is that the command
@@ -623,12 +625,14 @@ private function formatListRow(array $row): array {
 
 		$row['name'] = $this->removeExtensionFromName($row['name'], $row['metadata']);
 		$row['signatureFlow'] = SignatureFlow::fromNumeric((int)($row['signature_flow']))->value;
+		$row['docmdpLevel'] = (int)($row['docmdp_level'] ?? 0);
 
 		unset(
 			$row['user_id'],
 			$row['node_id'],
 			$row['signed_node_id'],
 			$row['signature_flow'],
+			$row['docmdp_level'],
 		);
 		return $row;
 	}
diff --git a/lib/Migration/Version15001Date20251214000000.php b/lib/Migration/Version15001Date20251214000000.php
new file mode 100644
index 0000000000..17f049940c
--- /dev/null
+++ b/lib/Migration/Version15001Date20251214000000.php
@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Libresign\Migration;
+
+use Closure;
+use OCP\DB\ISchemaWrapper;
+use OCP\DB\Types;
+use OCP\Migration\IOutput;
+use OCP\Migration\SimpleMigrationStep;
+
+/**
+ * Add DocMDP level support per file
+ * - Adds 'docmdp_level' column to libresign_file table to store DocMDP certification level per file
+ */
+class Version15001Date20251214000000 extends SimpleMigrationStep {
+	/**
+	 * @param IOutput $output
+	 * @param Closure(): ISchemaWrapper $schemaClosure
+	 * @param array $options
+	 * @return null|ISchemaWrapper
+	 */
+	#[\Override]
+	public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper {
+		/** @var ISchemaWrapper $schema */
+		$schema = $schemaClosure();
+
+		if ($schema->hasTable('libresign_file')) {
+			$tableFile = $schema->getTable('libresign_file');
+			if (!$tableFile->hasColumn('docmdp_level')) {
+				$tableFile->addColumn('docmdp_level', Types::SMALLINT, [
+					'notnull' => true,
+					'default' => 0,
+					'comment' => 'DocMDP permission level for this file: 0=none, 1=no changes, 2=form fill, 3=form fill + annotations',
+				]);
+			}
+		}
+
+		return $schema;
+	}
+}
diff --git a/lib/ResponseDefinitions.php b/lib/ResponseDefinitions.php
index 2b40542a06..a8b88477ff 100644
--- a/lib/ResponseDefinitions.php
+++ b/lib/ResponseDefinitions.php
@@ -187,6 +187,7 @@
  *     statusText: string,
  *     nodeId: non-negative-int,
  *     signatureFlow: int,
+ *     docmdpLevel: int,
  *     totalPages: non-negative-int,
  *     size: non-negative-int,
  *     pdfVersion: string,
diff --git a/lib/Service/FileService.php b/lib/Service/FileService.php
index e75cb9f845..1d0ed76c0b 100644
--- a/lib/Service/FileService.php
+++ b/lib/Service/FileService.php
@@ -712,6 +712,7 @@ private function loadLibreSignData(): void {
 		$this->fileData->statusText = $this->fileMapper->getTextOfStatus($this->file->getStatus());
 		$this->fileData->nodeId = $this->file->getNodeId();
 		$this->fileData->signatureFlow = $this->file->getSignatureFlow();
+		$this->fileData->docmdpLevel = $this->file->getDocmdpLevel();
 
 		$this->fileData->requested_by = [
 			'userId' => $this->file->getUserId(),
diff --git a/lib/Service/RequestSignatureService.php b/lib/Service/RequestSignatureService.php
index a57ec9b313..3308a1540a 100644
--- a/lib/Service/RequestSignatureService.php
+++ b/lib/Service/RequestSignatureService.php
@@ -56,6 +56,7 @@ public function __construct(
 		protected IEventDispatcher $eventDispatcher,
 		protected FileStatusService $fileStatusService,
 		protected SignRequestStatusService $signRequestStatusService,
+		protected DocMdpConfigService $docMdpConfigService,
 	) {
 	}
 
@@ -128,6 +129,8 @@ public function saveFile(array $data): FileEntity {
 			$this->setSignatureFlowFromGlobalConfig($file);
 		}
 
+		$this->setDocMdpLevelFromGlobalConfig($file);
+
 		$this->fileMapper->insert($file);
 		return $file;
 	}
@@ -138,6 +141,13 @@ private function setSignatureFlowFromGlobalConfig(FileEntity $file): void {
 		$file->setSignatureFlowEnum($globalFlow);
 	}
 
+	private function setDocMdpLevelFromGlobalConfig(FileEntity $file): void {
+		if ($this->docMdpConfigService->isEnabled()) {
+			$docmdpLevel = $this->docMdpConfigService->getLevel();
+			$file->setDocmdpLevelEnum($docmdpLevel);
+		}
+	}
+
 	private function getFileMetadata(\OCP\Files\Node $node): array {
 		$metadata = [];
 		if ($extension = strtolower($node->getExtension())) {
diff --git a/lib/Service/SignFileService.php b/lib/Service/SignFileService.php
index 5c167e7813..0d517059b3 100644
--- a/lib/Service/SignFileService.php
+++ b/lib/Service/SignFileService.php
@@ -338,17 +338,28 @@ public function sign(): File {
 	 * @throws LibresignException If the document has DocMDP level 1 (no changes allowed)
 	 */
 	protected function validateDocMdpAllowsSignatures(): void {
-		$resource = $this->getLibreSignFileAsResource();
+		$docmdpLevel = $this->libreSignFile->getDocmdpLevelEnum();
 
-		try {
-			if (!$this->docMdpHandler->allowsAdditionalSignatures($resource)) {
-				throw new LibresignException(
-					$this->l10n->t('This document has been certified with no changes allowed, so no additional signatures can be added.'),
-					AppFrameworkHttp::STATUS_UNPROCESSABLE_ENTITY
-				);
+		if ($docmdpLevel === \OCA\Libresign\Enum\DocMdpLevel::CERTIFIED_NO_CHANGES_ALLOWED) {
+			throw new LibresignException(
+				$this->l10n->t('This document has been certified with no changes allowed. You cannot add more signers to this document.'),
+				AppFrameworkHttp::STATUS_UNPROCESSABLE_ENTITY
+			);
+		}
+
+		if ($docmdpLevel === \OCA\Libresign\Enum\DocMdpLevel::NOT_CERTIFIED) {
+			$resource = $this->getLibreSignFileAsResource();
+
+			try {
+				if (!$this->docMdpHandler->allowsAdditionalSignatures($resource)) {
+					throw new LibresignException(
+						$this->l10n->t('This document has been certified with no changes allowed. You cannot add more signers to this document.'),
+						AppFrameworkHttp::STATUS_UNPROCESSABLE_ENTITY
+					);
+				}
+			} finally {
+				fclose($resource);
 			}
-		} finally {
-			fclose($resource);
 		}
 	}
 
diff --git a/openapi-full.json b/openapi-full.json
index 3aaf844a4b..de9ee08dc6 100644
--- a/openapi-full.json
+++ b/openapi-full.json
@@ -1013,6 +1013,7 @@
                     "statusText",
                     "nodeId",
                     "signatureFlow",
+                    "docmdpLevel",
                     "totalPages",
                     "size",
                     "pdfVersion",
@@ -1050,6 +1051,10 @@
                         "type": "integer",
                         "format": "int64"
                     },
+                    "docmdpLevel": {
+                        "type": "integer",
+                        "format": "int64"
+                    },
                     "totalPages": {
                         "type": "integer",
                         "format": "int64",
diff --git a/openapi.json b/openapi.json
index ae39e7a0b4..217121894d 100644
--- a/openapi.json
+++ b/openapi.json
@@ -863,6 +863,7 @@
                     "statusText",
                     "nodeId",
                     "signatureFlow",
+                    "docmdpLevel",
                     "totalPages",
                     "size",
                     "pdfVersion",
@@ -900,6 +901,10 @@
                         "type": "integer",
                         "format": "int64"
                     },
+                    "docmdpLevel": {
+                        "type": "integer",
+                        "format": "int64"
+                    },
                     "totalPages": {
                         "type": "integer",
                         "format": "int64",
diff --git a/src/Components/RightSidebar/RequestSignatureTab.vue b/src/Components/RightSidebar/RequestSignatureTab.vue
index 3391749c23..e8ea7a1a83 100644
--- a/src/Components/RightSidebar/RequestSignatureTab.vue
+++ b/src/Components/RightSidebar/RequestSignatureTab.vue
@@ -4,6 +4,9 @@
 -->
 <template>
 	<div id="request-signature-tab">
+		<NcNoteCard v-if="showDocMdpWarning" type="warning">
+			{{ t('libresign', 'This document has been certified with no changes allowed. You cannot add more signers to this document.') }}
+		</NcNoteCard>
 		<NcButton v-if="filesStore.canAddSigner()"
 			:variant="hasSigners ? 'secondary' : 'primary'"
 			@click="addSigner">
@@ -209,6 +212,7 @@ import NcDialog from '@nextcloud/vue/components/NcDialog'
 import NcIconSvgWrapper from '@nextcloud/vue/components/NcIconSvgWrapper'
 import NcLoadingIcon from '@nextcloud/vue/components/NcLoadingIcon'
 import NcModal from '@nextcloud/vue/components/NcModal'
+import NcNoteCard from '@nextcloud/vue/components/NcNoteCard'
 
 import IdentifySigner from '../Request/IdentifySigner.vue'
 import VisibleElements from '../Request/VisibleElements.vue'
@@ -247,6 +251,7 @@ export default {
 		NcIconSvgWrapper,
 		NcLoadingIcon,
 		NcModal,
+		NcNoteCard,
 		NcDialog,
 		Delete,
 		Draw,
@@ -292,6 +297,9 @@ export default {
 		isOrderedNumeric() {
 			return this.signatureFlow === 'ordered_numeric'
 		},
+		showDocMdpWarning() {
+			return this.filesStore.isDocMdpNoChangesAllowed() && !this.filesStore.canAddSigner()
+		},
 		canEditSigningOrder() {
 			return (signer) => {
 				return this.isOrderedNumeric
diff --git a/src/store/files.js b/src/store/files.js
index 0b210bc129..c9efae2836 100644
--- a/src/store/files.js
+++ b/src/store/files.js
@@ -133,6 +133,11 @@ export const useFilesStore = function(...args) {
 			},
 			canAddSigner(file) {
 				file = this.getFile(file)
+
+				if (this.isDocMdpNoChangesAllowed(file)) {
+					return false
+				}
+
 				return this.canRequestSign
 					&& (
 						!Object.hasOwn(file, 'requested_by')
@@ -141,6 +146,10 @@ export const useFilesStore = function(...args) {
 					&& !this.isPartialSigned(file)
 					&& !this.isFullSigned(file)
 			},
+			isDocMdpNoChangesAllowed(file) {
+				file = this.getFile(file)
+				return file.docmdpLevel === 1 && file.signers && file.signers.length > 0
+			},
 			canSave(file) {
 				file = this.getFile(file)
 				return this.canRequestSign
diff --git a/src/types/openapi/openapi-full.ts b/src/types/openapi/openapi-full.ts
index 62aa3199dd..d62a0f5623 100644
--- a/src/types/openapi/openapi-full.ts
+++ b/src/types/openapi/openapi-full.ts
@@ -1759,6 +1759,8 @@ export type components = {
             /** Format: int64 */
             signatureFlow: number;
             /** Format: int64 */
+            docmdpLevel: number;
+            /** Format: int64 */
             totalPages: number;
             /** Format: int64 */
             size: number;
diff --git a/src/types/openapi/openapi.ts b/src/types/openapi/openapi.ts
index 89d12c914f..70783f69de 100644
--- a/src/types/openapi/openapi.ts
+++ b/src/types/openapi/openapi.ts
@@ -1281,6 +1281,8 @@ export type components = {
             /** Format: int64 */
             signatureFlow: number;
             /** Format: int64 */
+            docmdpLevel: number;
+            /** Format: int64 */
             totalPages: number;
             /** Format: int64 */
             size: number;
diff --git a/tests/php/Unit/Service/RequestSignatureServiceTest.php b/tests/php/Unit/Service/RequestSignatureServiceTest.php
index da78cc2579..414927c50b 100644
--- a/tests/php/Unit/Service/RequestSignatureServiceTest.php
+++ b/tests/php/Unit/Service/RequestSignatureServiceTest.php
@@ -13,6 +13,7 @@
 use OCA\Libresign\Db\SignRequestMapper;
 use OCA\Libresign\Handler\DocMdpHandler;
 use OCA\Libresign\Helper\ValidateHelper;
+use OCA\Libresign\Service\DocMdpConfigService;
 use OCA\Libresign\Service\FileElementService;
 use OCA\Libresign\Service\FileStatusService;
 use OCA\Libresign\Service\FolderService;
@@ -56,6 +57,7 @@ final class RequestSignatureServiceTest extends \OCA\Libresign\Tests\Unit\TestCa
 	private IEventDispatcher&MockObject $eventDispatcher;
 	private FileStatusService&MockObject $fileStatusService;
 	private SignRequestStatusService&MockObject $signRequestStatusService;
+	private DocMdpConfigService&MockObject $docMdpConfigService;
 
 	public function setUp(): void {
 		parent::setUp();
@@ -85,9 +87,10 @@ public function setUp(): void {
 		$this->eventDispatcher = $this->createMock(IEventDispatcher::class);
 		$this->fileStatusService = $this->createMock(FileStatusService::class);
 		$this->signRequestStatusService = $this->createMock(SignRequestStatusService::class);
+		$this->docMdpConfigService = $this->createMock(DocMdpConfigService::class);
 	}
 
-	private function getService(?SequentialSigningService $sequentialSigningService = null): RequestSignatureService {
+	private function getService(): RequestSignatureService {
 		return new RequestSignatureService(
 			$this->l10n,
 			$this->identifyMethodService,
@@ -104,11 +107,12 @@ private function getService(?SequentialSigningService $sequentialSigningService
 			$this->client,
 			$this->docMdpHandler,
 			$this->loggerInterface,
-			$sequentialSigningService ?? $this->sequentialSigningService,
+			$this->sequentialSigningService,
 			$this->appConfig,
 			$this->eventDispatcher,
 			$this->fileStatusService,
 			$this->signRequestStatusService,
+			$this->docMdpConfigService,
 		);
 	}
 
diff --git a/tests/php/Unit/Service/SignFileServiceTest.php b/tests/php/Unit/Service/SignFileServiceTest.php
index c18ebfeeaf..415f2a397a 100644
--- a/tests/php/Unit/Service/SignFileServiceTest.php
+++ b/tests/php/Unit/Service/SignFileServiceTest.php
@@ -278,11 +278,13 @@ public function testSignGenerateASha256OfSignedFile(string $signedContent):void
 			'getEngine',
 			'setNewStatusIfNecessary',
 			'getNextcloudFile',
+			'validateDocMdpAllowsSignatures',
 		]);
 
 		$nextcloudFile = $this->createMock(\OCP\Files\File::class);
 		$nextcloudFile->method('getContent')->willReturn($signedContent);
 		$service->method('getNextcloudFile')->willReturn($nextcloudFile);
+		$service->method('validateDocMdpAllowsSignatures');
 
 		$pkcs12Handler = $this->createMock(Pkcs12Handler::class);
 		$pkcs12Handler->method('sign')->willReturn($nextcloudFile);
@@ -301,6 +303,8 @@ public function testSignGenerateASha256OfSignedFile(string $signedContent):void
 					return 1;
 				case 'getSigningOrder':
 					return 1;
+				case 'getDocmdpLevelEnum':
+					return \OCA\Libresign\Enum\DocMdpLevel::NOT_CERTIFIED;
 				default: return null;
 			}
 		};
@@ -330,11 +334,13 @@ public function testUpdateDatabaseWhenSign(): void {
 			'setNewStatusIfNecessary',
 			'computeHash',
 			'getNextcloudFile',
+			'validateDocMdpAllowsSignatures',
 		]);
 
 		$nextcloudFile = $this->createMock(\OCP\Files\File::class);
 		$nextcloudFile->method('getContent')->willReturn('pdf content');
 		$service->method('getNextcloudFile')->willReturn($nextcloudFile);
+		$service->method('validateDocMdpAllowsSignatures');
 
 		$this->fileMapper->expects($this->once())->method('update');
 		$this->signRequestMapper->expects($this->once())->method('update');
@@ -350,6 +356,12 @@ public function testUpdateDatabaseWhenSign(): void {
 			}
 		});
 		$libreSignFile = $this->createMock(\OCA\Libresign\Db\File::class);
+		$libreSignFile->method('__call')->willReturnCallback(function ($method) {
+			if ($method === 'getDocmdpLevelEnum') {
+				return \OCA\Libresign\Enum\DocMdpLevel::NOT_CERTIFIED;
+			}
+			return null;
+		});
 
 		$service
 			->setSignRequest($signRequest)
@@ -363,11 +375,13 @@ public function testDispatchEventWhenSign(): void {
 			'setNewStatusIfNecessary',
 			'computeHash',
 			'getNextcloudFile',
+			'validateDocMdpAllowsSignatures',
 		]);
 
 		$nextcloudFile = $this->createMock(\OCP\Files\File::class);
 		$nextcloudFile->method('getContent')->willReturn('pdf content');
 		$service->method('getNextcloudFile')->willReturn($nextcloudFile);
+		$service->method('validateDocMdpAllowsSignatures');
 
 		$this->eventDispatcher
 			->expects($this->once())
@@ -385,6 +399,12 @@ public function testDispatchEventWhenSign(): void {
 			}
 		});
 		$libreSignFile = $this->createMock(\OCA\Libresign\Db\File::class);
+		$libreSignFile->method('__call')->willReturnCallback(function ($method) {
+			if ($method === 'getDocmdpLevelEnum') {
+				return \OCA\Libresign\Enum\DocMdpLevel::NOT_CERTIFIED;
+			}
+			return null;
+		});
 
 		$service
 			->setSignRequest($signRequest)
@@ -1227,7 +1247,18 @@ public function testSignThrowsExceptionWhenDocMdpLevel1Detected(): void {
 		$service->method('getEngine')->willReturn($engineMock);
 
 		$signRequest = $this->createMock(SignRequest::class);
+		$signRequest->method('__call')->willReturnCallback(function ($method) {
+			switch ($method) {
+				case 'getFileId':
+					return 1;
+				case 'getSigningOrder':
+					return 1;
+				default: return null;
+			}
+		});
+
 		$libreSignFile = $this->createMock(\OCA\Libresign\Db\File::class);
+		$libreSignFile->method('getDocmdpLevelEnum')->willReturn(\OCA\Libresign\Enum\DocMdpLevel::NOT_CERTIFIED);
 
 		$service
 			->setSignRequest($signRequest)
@@ -1255,6 +1286,10 @@ public function testValidateDocMdpAllowsSignaturesWithVariousPdfFixtures(
 
 		$service->method('getLibreSignFileAsResource')->willReturn($resource);
 
+		$libreSignFile = $this->createMock(\OCA\Libresign\Db\File::class);
+		$libreSignFile->method('getDocmdpLevelEnum')->willReturn(\OCA\Libresign\Enum\DocMdpLevel::NOT_CERTIFIED);
+		$service->setLibreSignFile($libreSignFile);
+
 		self::invokePrivate($service, 'validateDocMdpAllowsSignatures');
 	}