Tracking Electronic Signatures and Securing an Audit Trail

Posted by John Harris on 11/7/12 5:13 PM

The past two weeks have been interesting, right? Yours truly works and lives in southern New York state, and my neighbors and I have had an interesting time dealing with the aftermath of Sandy. Thankfully, my power went out for only a few days, but we know of friends as well as SIGNiX customers that are still without power. And when the temperature dips below freezing, you can understand the hardship that entails. Our thoughts are with those folks and their families, especially with the prospect of a Nor’easter tonight into tomorrow. Ugh.

On a lighter note, the storm threw off our plans for two more entries on security and assurance honoring National Cybersecurity Awareness month. So to keep up with our promises, we’ll cover the audit and transaction history capabilities of our product today, and then close with a blog entry next week regarding the security architecture of our cloud-based electronic signature solution.

Whether on paper or electronic, it’s critical that signatures communicate intent, as we wrote about previously. Moreover, electronic signature systems, if they are to stand up to the scrutiny faced by electronic evidence in today’s courtrooms, must also track and store all of the steps of the signature process, from set-up through signature to final document delivery. Not only does this allow users to clearly track where any document is at a given time in a transaction, but having this detailed information on hand means that companies can also better defend against claims of repudiation: “I didn’t sign that.”

Most online electronic signature services capture some sort of event history while a signature process is in motion, but the level of detail captured and stored can vary quite dramatically, sometimes barely providing enough detail to reconstruct the process at all. Some services simply append this information to the document, where it could be altered, or fail to include key data points, providing an opening for any attorney worth his or her salt to create doubt in the transaction.

SIGNiX already implements strong assurance measures when it comes to documents—SIGNiX uses standards-based digital signatures for every signature and initial on a document to provide in-depth integrity and eliminate vendor lock-in—and SIGNiX also logs an extraordinary amount of detail about each transaction, going far beyond what many of our competitors choose to provide.

Let’s take a look at what a SIGNiX audit trail looks like.

[Image: electronic signature audit trail]

The information shown here can be accessed from any transaction in the MyDoX Document Center by clicking on View History.

[Image: digital signature transaction]

While the transaction represented here was pretty simple (one document, two signers, with two signatures each), you’ll notice we don’t skimp on the events listed. SIGNiX in fact tracks:

  • the creation of the transaction;
  • when emails / notifications were sent to each party;
  • when signing parties consented to the use of electronic signatures (per ESIGN/UETA);
  • how users were authenticated and whether that authentication was successful (Note that in the example above, the lowest form of authentication was used, relying only on an email address. SIGNiX offers many other forms of authentication.);
  • when documents were displayed to each signing party;
  • when each signing party authorized the creation of a signature or agreed to / acknowledged a document;
  • when each digital signature was applied;
  • when the transaction was completed; and, finally,
  • when users downloaded / displayed the document after the transaction was completed.

The screenshot above only displays part of the story. Each event can be expanded to provide even more information.

[Image: electronic signature event history expanded]

Notably, because SIGNiX uses digital signatures for every signature and initial action, we can also add in significant detail about the nature of the signing credential (and associated certificate) as well as the document before and after each signature. Since we are using published cryptography and document standards to apply digital signatures to PDFs, this information (known variously as a message digest, hash or fingerprint, and visible below under "ToBeSignedDocument" and "SignedDocument") provides experts with the specific details needed to verify documents at any point in the transaction. Try that with the competition.

[Image: signix audit trail electronic signature detail]
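As an added illustration (not SIGNiX code), here is how a reviewer could use the before and after digests recorded with each signature to confirm that the document revisions form an unbroken chain. The event layout, the event names, the `signer` key and the choice of SHA-256 are assumptions made for this sketch; only the "ToBeSignedDocument" and "SignedDocument" labels come from the audit trail described above.

```python
import hashlib

def digest(data: bytes) -> str:
    # SHA-256 is an assumption; use whatever algorithm the audit trail names.
    return hashlib.sha256(data).hexdigest()

def verify_digest_chain(events, original: bytes, delivered: bytes) -> list:
    """Return findings; an empty list means the recorded digests form an
    unbroken chain from the original document to the delivered one."""
    signing = [e for e in events if "SignedDocument" in e]
    if not signing:
        return ["audit trail contains no signature events"]
    findings = []
    expected = digest(original)
    for n, ev in enumerate(signing, start=1):
        if ev.get("ToBeSignedDocument") != expected:
            findings.append(f"signature {n} ({ev['signer']}): ToBeSignedDocument "
                            "does not match the preceding revision")
        expected = ev["SignedDocument"]
    if expected != digest(delivered):
        findings.append("delivered document does not match the last SignedDocument")
    return findings

# Constructed sample data: three revisions of one document, where each
# signature appends bytes to the previous revision. Event names are hypothetical.
REV0 = b"%PDF-1.7 constructed sample contract"
REV1 = REV0 + b" [signature: alice]"
REV2 = REV1 + b" [signature: bob]"
EVENTS = [
    {"event": "TransactionCreated"},
    {"event": "SignatureApplied", "signer": "alice",
     "ToBeSignedDocument": digest(REV0), "SignedDocument": digest(REV1)},
    {"event": "DocumentDisplayed", "signer": "bob"},
    {"event": "SignatureApplied", "signer": "bob",
     "ToBeSignedDocument": digest(REV1), "SignedDocument": digest(REV2)},
]

if __name__ == "__main__":
    print("intact:", verify_digest_chain(EVENTS, REV0, REV2))
    print("altered after signing:", verify_digest_chain(EVENTS, REV0, REV2 + b" edited"))
    print("event removed:", verify_digest_chain(EVENTS[:1] + EVENTS[2:], REV0, REV2))
```

This check covers digest continuity only; the signature on the audit trail's own XML has to be validated separately before its recorded digests are trusted.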

SIGNiX stores a digitally signed XML version of each audit trail, and also makes it available to users in a variety of formats: digitally signed XML (which can then be fed into custom reporting solutions), HTML, and PDF.
