Questions to Ask Your Digital Signature Vendor

So you’ve decided to look for a digital signature vendor. You’ve got a lot of choices out there, and the Internet is full of information about what services each vendor provides. But how do you know what’s important for your business?

Here are eight key factors you should be aware of when you’re looking for a digital signature provider. Each business’ needs are different based on your industry and the level of security you need, but these are some good questions to ask vendors before you make your decision.

1. Authentication and Identification

Digital signatures are authenticated when users prove their identity by confirming some sort of sort of shared information. This can be a PIN, a password, the answer to a security question or even a code sent via text message to their mobile phone. Good questions to ask vendors about authentication and identification:

• Do you require users to authenticate themselves before applying an electronic signature to a document?
• How strong is the authentication method? Does the system require that a user only receive an email, or does it require them to enter a more secure piece of information?
• Can documents be accessed without authentication after signature?

2. Audit Trail

The audit trail is a document that basically tracks changes that has been made to a document since it was created. Some vendors condense their audit trails and only show when the document was signed. Others show every change including changes to the document’s wording, which gives customers the assurance that the document was not changed after they signed it. Good questions to ask about the audit trail:

• Does the signature solution track every event in the signature process?
• How detailed are the events being stored? What information is kept?
• How is the audit trail stored? Is it secured against tampering?

3. Information / Notice / Consent

Federal and state laws require that each person signing a document somehow acknowledges that they are signing a legally binding document and be given the chance to opt in or out. Good questions to ask:

• Is the user presented with an appropriate and visible notice about using electronic signatures?
• Is the user provided an opportunity to decline to use the service?
• Is the consent to use e-signatures presented clearly and also tracked as an auditable action?

4. Signature / Intent

The person signing the document must take some kind of action to sign the document. The documents should also be clearly visible and readable for the signer. Good questions to ask about intent to sign:

• How is the user prompted to sign a document?
• Is the process clearly communicating intent?
• How is the document viewed by a user?
• Is it the same as the final signed or printed version?
• Does the document change as part of the signature process?

5. Association

The signer’s signature must be linked to the data being signed to prove a connection between them. The signature should travel with the document. Good questions to ask about association:

• How is the signature linked to the documents being signed?
• Does the signature’s link rely on standards or proprietary solutions?

6. Integrity

When a customer signs a document, they expect that document to remain the same after they sign. An electronic signature system must protect the integrity of documents before, during and after signing. Good questions to ask about document integrity:

• How are documents protected during signing?
• Does the service provide strong tamper evidence for the documents upon signature?
• Can the service protect and also prove the integrity of a document at any point from the first signature to the last?

7. Standards / Verification Independence

Some vendors that offer electronic signatures require you to check back with them to verify that the document has not been tampered with. This can be a problem because if you cancel your contract with that business, you lose the signatures you executed with them. Good questions to ask about verification independence:

• Are documents and signatures accessible using free viewing software?
• Is each electronic signature part of the document?  Do the signatures inherently provide integrity to the document?
• Can individual signatures be validated without having to go back to the vendor that produced them?
• What format are the signatures and documents produced in? Are they proprietary?
• Do the signatures comply with international cryptographic and document standards, such as RSA, DSA, SHA, PAdES and PDF?

8. Long-term standing

You don’t just need a digital signature that is valid today, but you need one that will be legally binding decades down the road. This is where electronic signature standards come into play. Good questions to ask about long-term standing:

• Can the electronic signatures be validated long term?
• Does the digital signature service use technology that is based on standards that can be validated in the future?
• Are the systems used for signing proprietary to the vendor or based on established cryptographic tools?