We're back with Part 2 and those questions we promised you!
When it comes to electronic signature services, your technology risk exposure could be substantial. If you are considering electronic signatures, you need to be asking yourself these questions:
- How long do my electronically signed documents need to be trusted?
- Does my electronic signature vendor comply with actual standards and formats that are accepted and proven worldwide?
- Can each of the signatures in each of the documents that I send to this electronic signature service be independently verified without having to check back with a vendor-run server / cloud service?
- Can the integrity of the document and its contents be independently verified at each step of the electronic signature process, so that I can trust a document didn’t change between the first electronic signature and the third?
- Where are my electronically signed documents being stored? How can I access them if my electronic signature vendor goes out of business?
The current crop of popular eSignature vendors offers solutions that meet the general requirements of the US ESIGN Act, and are thus ‘legal,’ and all of them offer some way to lock down the document after the last signature. However, most of them use proprietary methods for controlling the document between the first signature and the last, relying on a vendor-controlled service and/or process to verify a document didn’t change. Many of these vendors also offer to store your signed documents as a service. What happens when that vendor goes out of business? What happens to your documents? How can you verify the signatures absent the vendor?
Digital signature solutions, such as those offered by SIGNiX, offer a clear path to mitigate the risks around electronic signatures while maintaining an intuitive experience for the user. Why?
- Based on standards…not proprietary technology. Digital signatures, digital certificates, and the technology behind them are based on more than 15 years of existing standards and documentation. They’re known by obscure acronyms like X.509, RSA, DSA, SHA-2, yet every time you shop online, your web browser is using these technologies and standards behind the scenes, regardless of browser vendor. Why should electronic signatures on PDFs be any different? The international, non-proprietary PDF standard ISO 32000-1 clearly defines digital signatures in a PDF using the standards above, and it’s a standard that SIGNiX embraces. This means digital signatures, and the documents protected by them, will be future-proof: customers can always refer back to these public standards to access the documents.
- Tamper-evidence for each signature, built right in. Digital signatures are designed for the express purpose of assuring that content has not been changed since it was signed, and the manner in which this happens is standardized and clearly ‘evident.’ With solutions like SIGNiX, each signature or initial in the document is represented by a true digital signature in a PDF, describing in detail what the document looked like at the time of signature.
- Verify the document…not the vendor. Our CEO Jay Jumper refers to the ability to verify that a document is intact, without having to refer back to a centralized server for that information, as ‘portable non-repudiation.’ In a digital signature solution like SIGNiX, document recipients can open the document in free, popular, standards-based PDF viewers and see each signer’s electronic signature represented as a digital signature in-line on the document itself. Recipients need not check with SIGNiX just to verify that the document the Buyer signed was identical to that of the Seller.
Moreover, because all of the essential digital signature information is stored in the PDF itself, your company can choose to store the documents in an archive / storage system of your choice, rather than relying on a third party to securely store them. Services like SIGNiX even offer customers the ability to download not only the PDF, but also a comprehensive audit log that can further add to the evidence behind an electronic signature process.
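As an added illustration (not SIGNiX's code and not part of the original post), the sketch below shows why this check works offline: each ISO 32000-1 signature dictionary carries a /ByteRange naming the exact bytes it covers, so a reader can recompute the digest of the document as it stood at each signature. The sample bytes are constructed, `signed_revisions` and `make_revision` are hypothetical names, SHA-256 is an assumption, and validation of the CMS signature and certificate chain is out of scope here.

```python
import hashlib
import re

# ISO 32000-1 signature dictionaries list the signed bytes as
# /ByteRange [start1 len1 start2 len2]; the gap holds the /Contents value.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signed_revisions(pdf: bytes) -> list[dict]:
    """One record per signature, in file order, computed without any server."""
    records = []
    for match in BYTE_RANGE.finditer(pdf):
        s1, l1, s2, l2 = (int(g) for g in match.groups())
        end = s2 + l2  # where the document ended when this signer signed
        sane = s1 == 0 and s1 + l1 <= s2 and end <= len(pdf)
        covered = pdf[s1:s1 + l1] + pdf[s2:s2 + l2]
        records.append({
            "revision_end": end,
            "well_formed": sane,
            "covers_whole_file": sane and end == len(pdf),
            # SHA-256 is an assumption; the real algorithm is named in the signature.
            "digest": hashlib.sha256(covered).hexdigest(),
        })
    return records

def make_revision(prev: bytes, body: bytes) -> bytes:
    """Constructed sample: append one signed incremental update (not a valid PDF)."""
    field = b"/ByteRange [0 %010d %010d %010d] /Contents "
    gap = b"<" + b"00" * 16 + b">"  # stands in for the CMS signature blob
    tail = b"\n%%EOF\n"
    l1 = len(prev) + len(body) + len(field % (0, 0, 0))
    s2 = l1 + len(gap)
    return prev + body + field % (l1, s2, len(tail)) + gap + tail

if __name__ == "__main__":
    # Constructed two-signer document: the second revision is appended to the first.
    rev1 = make_revision(b"%PDF-1.7\n", b"1 0 obj (seller signs) endobj\n")
    rev2 = make_revision(rev1, b"2 0 obj (buyer signs) endobj\n")
    for number, record in enumerate(signed_revisions(rev2), 1):
        print(number, record)
```

A final signature whose `covers_whole_file` is false means bytes were appended after the last signer, which is the case a reviewer should look at first.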
Once we move to standards-based technologies like those used in digital signature services, the exposure to risk from vendor lock-in and reliance on proprietary eSignature technology goes away.
In our next risk-focused blog, we’ll be speaking about legal risk and how electronic signatures can mitigate those risks.