8-Point Checklist for Evaluating eSignature Security

July 31 2014

checklistHow well does your electronic signature platform protect you and your clients? If you're not sure, use the checklist below to see how it stacks up. These eight items are important attributes that your eSignature solution should have in order to ensure that your documents are legally binding. If any of these criteria are missing, the service or application may be putting you and your clients at risk! It's also highly likely that no reliable electronic records are being created and that your documents will be rejected by banks.

1. Compliant Signing Process

The person signing electronically must create and adopt their electronic signature, and place it into the document in the appropriate signing location, just as you would if you were signing with a pen.

2. Consumer Consent

The ESIGN Act requires the person who has adopted the electronic signature to also agree to the consumer consent, which indicates that they have agreed to conduct business electronically. That consumer consent must be included in the audit trail/certificate, which is the history of the signed document.

3. Signer Authentication Options

The system provides tools to allow the sender/account owner to request the person who is signing the document to authenticate their true identity with third party services such as Knowledge Base Authentication (KBA) or other third party methods. These tools provide additional assurance that the person signing the documents is the correct person. This is especially helpful when you are not e-signing documents in person.

4. Digitally Sealed Documents

The system digitally 'seals' the documents with industry standard technology called Digital Certificates. Sealed documents will alert the viewer if they have been changed, and are 'self-reliant', which means there is no need to refer back to the vendor to validate the seal, the document can validate itself. One example is SHA-1 hashing technology that verifies that a document has not been modified.

5. Secure Audit Trail

The system generates an audit trail of all actions taken, by whom, and captures information such as email, IP address, and other data. This audit trail is important to a court, and serves to show all the elements of the signing. It must also be digitally sealed. Leading eSignature solution DocuSign offers the following items in their audit trail:

  • Signer names
  • Authentication history
  • Digital signatures
  • Email addresses
  • Signer IP addresses
  • Chain of custody (i.e., sent, viewed, signed, etc.)
  • Trusted timestamps
  • Geo-location capture of signer (if provided)
  • Completion status

6. Always On

Because you will rely on this for important documents, the system must maintain at least a 99.9% uptime so your customers can sign anytime they need to. Typically, this means the provider will have multiple data centers, and certifications such as ISO 27001 and SSAE16. The best vendors will provide 'carrier grade' availability that eliminates maintenance windows, and synchronizes data across the system to avoid loss of data in a server failure.

7. A System Trust Page

The service provider's web site should display the current status of the service, dates of any planned updates, and other security certifications as part of the relationship with their customers. This gives customers complete transparency into the overall system health, and demonstrates the vendor's focus on trust.

8. Privacy Policy, Terms of Use and End User License Agreement

The service provider's terms of use and privacy policy should clearly indicate that the data and documents loaded into the account remains the property of the account holder, and the information will not be shared or sold to advertisers by the service provider.

In Conclusion

A document that meets all the criteria above carries within it information that tells a story about a transaction. These standards are not hard to meet if you use a reputable vendor who provides you with an audit trail and authentication options. A trustworthy solution is more amenable to having standards, like Bank of America's, placed upon it.

Ready to learn more? View our recorded webinar, Not All eSignature Platforms Are Created Equal, and then check out the following resources for further information.