Cost cutting Move to eSignatures

A Solution to Cost Cutting: Move to eSignature

The global economy has experienced a significant depreciation in recent months. Companies are now forced to cut costs where they can. The tech industry, one that has seen rapid growth in recent years, is facing mass layoffs and hiring freezes.

Major companies like Apple, Google, and Meta have lost trillions of dollars amid the stock market crisis. Simply put, companies are struggling. While major enterprises are generally well-equipped to handle an economic downturn, many companies are not so fortunate.

So, what’s the solution? While placing a freeze on hiring is certainly one way to cut costs, it’s just as important to consider trimming overhead. For most companies, the costs associated with document execution can be quite expensive.

Some companies still go with the traditional method of printing documents, obtaining signatures, and scanning them in. Others have opted for a simpler method, such as automating documents and signing workflows using services like Docusign.

Whatever the case may be, the above approaches are not always the most cost-effective. Fortunately, Signority offers a high value and cost-effective service (and DocuSign alternative) that saves customers both time and money.

Cutting costs with digital signing...

Signority is a cloud-based eSignature service provider that simplifies document signing without having to opt for the traditional, time-consuming print/sign/scan method.

Signority is a great DocuSign alternative primarily due to its pricing structure. While DocuSign pricing is around $35 CAD per month per user for a standard plan, users can purchase a similar plan from Signority for just $30 CAD per month for unlimited users. Interested parties can get started with a free trial now.

With a subscription to Signority, users not only have a way to automate their document signing workflows, but they can also ensure documents are always maintained in a way that provides top-level security and confidentiality. This is made possible by storing all customer data in Canada, a country known to be a leader in security and privacy.

In addition, Signority’s recipient controls feature adds another layer of security by allowing subscribers to restrict actions such as changing signers or viewing/downloading a document after it has already been executed. Other ways to Increase security include a multi-factor authentication option and masked text (used to hide sensitive information such as SINs/SSNs or birthdays).

...while improving the customer experience

For those considering transitioning to an e-sign service, it’s a great alternative to traditional methods and a great way to improve the customer experience. For example, due to the Covid-19 pandemic there is a hesitancy by many to travel to an office, or anywhere public, just to sign a contract.

Others simply find it inconvenient because they have used e-sign methods in the past and find them much more efficient and secure. Think about it. Less shuffling documents through multiple hands leads to better confidentiality and less room for error. No more missing documents!

Even further, workloads have doubled for companies that have needed to implement mass layoffs. Automation with a platform like Signority is a cost-effective, fast option to ensure both customer and employee satisfaction.

Cost savings for all

Signority is not just an effective solution for small business owners; it also helps large enterprises by making document execution simple and secure.

The team at Signority understands that enterprise documentation requirements can be complex (e.g., requiring integrations with other apps). Pressure is certainly added when it comes to handling sensitive documents that require the protection of personally identifiable information (PII). The team is always keeping its eyes on any new legislation that arises related to data protection and security. It’s important that Signority customers remain confident knowing their information is safe without any violations.

So, whether you’re looking to cut costs (as many companies are) or simply need a quicker workflow to increase customer and employee satisfaction, Signority may be the best option for you. Sign-up now for a free trial today or contact one of our business professionals.

Privacy and Signority’s Data Localization Technology

Signority, Privacy, and Data Localization

For governments there has to be a balance between privacy protection and innovating technologies that provide the best accessibility to its citizens. As a global eSignature company, Signority makes every effort to comply with the laws of every jurisdiction globally. To comply with data sovereignty it is not just matter of where the data centre is located.

Signority eSignature Platform (SeSP) has the full competence to implement a data localization solution to isolate customer data within the enterprise’s designated geographic locations, anywhere globally.

How Ensure Data Localization

Your Choice of Data Centre Locations:

Signority gives options to enterprise customers by offering a dedicated private cloud solution. SeSP is hosted in the state-of-art AWS data re in Canada for the public cloud and can host on any customer designated geographic locations through AWS’s global zones.

Your Choice of 3rd party integration vendors

Through Signority RestFul API integrations, customers can replace their qualified vendors to replace the SeSP out-of-box 3rd party vendors, such as email notification vendor, SMS vendor for 2-factor-authentication and digital certificate vendor for document encryption.

Your Choice of Backups and Retention Policy

Through integration, our customers can synchronize and store every signed document to their record management system or network devices. You can configure the retention period and delete signed documents from the Signority cloud after they are fully backed up to your own systems.

Restricted IP Address Range for Access

Often corporate policy only permits certain access points to access highly sensitive documents. Signority’s enterprise customers can configure their user’s IP address ranges when they log in to their Signority accounts. This also offers a great protection for hacking incidents from unauthorized geographic areas.

Legal Assurance

Signority has a Data Protection Agreement (DPA) along with an Enterprise Agreement that is based on the European General Data Protection Regulation (GDPR). Our Data Atlas details how the different types of data are processed and managed in SeSP.

Empower Signority Employees with Processes and Training to Protect Your Privacy

Security training is a mandatory objective in every employee’s annual performance review. Customer Success staff must go through a rigid privacy training to what to ask and how to ask when confronted with sensitive data. Customer Service is important, and is not outsourced overseas. We believe people that represent Signority must share the same value and the same security and privacy awareness.

The Signority Enterprise Solution allows for customized location, scale, and backup format. No matter where you are, Signority, as a global player, aims to provide an efficient eSignature technology.

I encourage you to read two of our previous blogs about Signority’s security practice:

How Signority Secures Your Data

Security Features You Need in An eSign Platform

Where do you “warehouse” your data?

If you were warehousing physical goods, you would want to know what laws apply to your goods. The data centre location question is equivalent: foreign location means foreign legislation.

Privacy Officers, Legal Counsel, or the Compliance Teams of your organization have an understanding of the risks factors associated with data residency requirements. Signority has the full capability of meeting your needs. If you’d like to learn more, contact us:

Phone: 833-222-1088
using the chat icon on the bottom right of your screen,
or through our contact form.

Frequently Asked Questions

A company has a “.ca” domain name. Does it mean the data centre is in Canada?

Not at all. Having a “.ca” website has nothing to do with data centre locations. To get a “.ca” domain you must meet the Canadian Presence Requirements: https://www.cira.ca/policy/rules-and-procedures/canadian-presence-requirements-registrants

Once you have the “.ca” domain name, the hosting servers can be anywhere in the world.

A company claims on the website that their data is located in Canada for Canadian customers but refused to sign our privacy act that has clear requirements for Canadian data residency. Why is this?

No matter what the marketing collateral statements, signing your privacy agreement is the actual commitment. If this ever occurs, please question their business integrity. Privacy has become a prominent risk factor. Do not compromise on that unless your Privacy Officer has completed a Privacy Impact Assessment (PIA) and agreed to it.

Data Localization

Canadian Privacy Acts At A Glance

There are many blogs about government privacy acts. However, consumers – people – don’t see the connection between their daily lives and privacy acts. Here, we will summarize Canadian privacy acts while sparing you the legal language.

Canadian governments (federal and provincial) set the direction for Canadian organizations and businesses when adopting cloud technologies to protect consumers’ privacy. We can debate governmental restrictions and protections, but all in all, restrictions are imposed on organizations and businesses that collect sensitive information. As a technology company, we take a collaborative approach to complying with legislation.

There are two levels of Canadian privacy acts: federal and provincial levels.

Federal Privacy Acts Regarding Data Residency

Two federal privacy laws are enforced by the Office of the Privacy Commissioner of Canada:

The Privacy Act covers how the federal government handles personal information;
The Personal Information Protection and Electronic Documents (PIPEDA) covers how private-sector organizations handle personal information in the course of for-profit, commercial activities across Canada.
Provincial privacy laws cover municipalities, public-sector organizations, crown corporations, and not-for-profit and charity groups.

The federal government categorizes sensitive data into four protected information levels, Protected A, Protected B, Protected C, and Classified Information.

For Protected B, Protected C, or Classified information. they must be stored “in a government of Canada approved data centre located within the geographic boundaries of Canada or the premises of a Government of Canada department located abroad such as a diplomatic or consular mission.”

Refer to Direction for Electronic Data Residency.

The white paper Data Sovereignty and Public Cloud from the Government of Canada website provides insights about data sovereignty with different cloud deployments, Public cloud, Hybrid Cloud, Private Cloud, and non-cloud. Here is the explanation of the cloud option through Wikipedia if you’d like to know the nitty and gritty details.

The Treasury Board of Canada has provided valuable and detailed recommendations and use cases published on the Federal government’s website for public and private-sector organizations to follow.

Provincial Privacy Acts Regarding Data Residency

Provinces either follow the federal PIPEDA or set their own privacy acts to guide public-sector organizations and healthcare providers who manage and process personal data. Provincial privacy acts differ from one to another and are constantly evolving with amendments to provide the best privacy protections while allowing the flexibility of adopting the best and the latest global technologies. Provinces have been debating data residency (whether to keep the data in-province or allow nationwide or outside of Canada storage) for their own public sector organizations, including healthcare providers.

If any specific organization decides to host those sensitive information outside of Canada, the company must adhere to the provincial privacy acts, conduct a thorough Privacy Impact Assessment (PIA) and must inform individuals, and have their consent. One example is the Ontario Physiotherapy Clinic’s terms of agreement, where they disclose what apps they are using and where your health data is stored.

Nova Scotia defined the Personal Information International Disclosure Protection Act, PIIDPA. Under PIIDPA, public bodies and municipalities are required to ensure that any personal information held by them (or any service provider acting on their behalf), remains in Canada, is accessed, and is disclosed only in Canada, unless certain circumstances exist. This FAQ provides the context of data sovereignty under PIIDPA.

Both the federal and provincial governments have specific legislation concerning data location. We have seen the outline of such legislation. Now, if you are responsible for a lot of your customer’s data, one hopes you will do the due diligence, and select your technology partners responsibly.

References for Canadian Provincial Privacy Laws

Three provincial privacy acts may supersede PIPEDA:

Health Related:

Employment Related:

canada privacy

Your Privacy, Not Sharing Is Caring

Our Canadian business and enterprise customers often ask us: what does “Data Centre” in Canada mean? This sounds like a simple question, but actually it isn’t. Let’s dive into what data location means to you.

Privacy is the main driving force for using data centres with a determined location. For financial and medical records, for example, we would like governmental or legal protection of that data. But inevitably, everybody uses multiple cloud applications for business and personal purposes: Gmail, Office 365, iCloud, Facebook, etc…. Google Maps keeps the last 10 years of your travel itinerary. Google gives me a map of everywhere I have been in the last month. By data mining, shopping, and whatever other interests you and your family may have, are potentially exposed. My robot vacuum cleaner has my household floor plan. Without governmental restrictions and law, the Cambridge Analytics scandal will happen over and over.

Using cloud applications (also referred as (Software-as-a-Service), consumers, for the most part, interact with the service provider directly. Major service providers leverage at least one or several infrastructure providers (also referred as (Infrastructure-as-a-Service) for data hosting, email notifications, or SMS messaging. Infrastructure companies are transparent to end-users: what server, where, and what type of infrastructure hosts the cloud application uses, is not visible to the end-user.

For privacy, a commitment from the entire chain, from the application on your phone, to the cloud application, and the infrastructure is required. While your service provider may not set out to violate your privacy, infrastructure companies may not care so much about your data sovereignty. The end-user has no control over the complexity of the multiple layers involved in using that app.

As an end- user, reading the “Term of Service” may be boring, but it’s the responsible thing to do before you hit the “I Agree” button. Personal information is at risk, and it’s good to know your exposures. The convenience of cloud applications is great, but reading the “Terms of Service” is a habit that must be adopted.

Signority seeks to protect the end-user. Our customers demand it. Signority has been offering eSignature applications for over 10 years. We make a point of having the Canadian data handled by our Canadian customers stay in Canada.

Canadian governmental organizations, not-for-profits, and private companies, enjoy using Signority services, from Canadian servers, to serve Canadian residents. Information such as insurance forms, finances, medical data, HR data such as employee social insurance numbers, pay rates, job offers, even a primary school’s field trip waivers with health card numbers, are all located in Canadian servers for Canadian residents. For Signority, the end customer is the owner of the data, and we protect that by data colocation. We do not allow 3rd parties to mine our customers’ data, nor do we allow “metadata” analysis. Signority avoids the ramifications of cross-border storage of data by simply not crossing the border.

When considering your eSignature provider, consider your customers privacy and security. This applies to both the public and private sector. Signority offers a private cloud with a complete data localization solution that alleviates the worry of where your customer data is anywhere complying with global legislations. For privacy, Signority is your technological partner. Read our blog about Signority’s data localization solution.

Your Privacy Is In The Details

Your Privacy is in the Details

A few years ago, we received a postal letter from one of the investment funds to which we subscribe: a privacy policy change notice with many pages, small font on paper, thick legal jargon seemingly designed to discourage people from reading through them. It was a bank letter designed by lawyers.

There was a ‘deny’ form at the end: only mail the letter back if we disagreed with the financial institution moving the data centre outside of Canada. We read the entire document and strongly disagreed with the international data centre proposal. As Canadians, our data is not as protected on foreign soil as is in Canada. This was definitely not acceptable. This would change the Data Location, where our bank stores our personal information, from Canada to outside of Canada.

“Data location” is also called “data residency”. In principle, everybody should have the ownership of their own personal data: we should have “Data Sovereignty”. But in practice, we are far from there. If you have accounts on Facebook, Google, or Microsoft, then you know your data is very likely in the United States (U.S.).

But what about your financial, and medical data? Once upon a time, your records were on paper, locked up somewhere nearby. Turns out that the Internet is a more convenient place to store those records.

Data Location can Affect Data Privacy

Here is another real life example from a friend.

My friend had a recent encounter with an Ontario psychologist. The psychologist used a free Gmail account. Right off, my friend was put off by the unprofessionalism. Their services were $250/hour, the clinic should at least use a professional domain name.

I had a chance encounter with my friend. After some discussion, it turns out that more clinics use Gmail accounts. My friend decided to go with the flow and sign a contract, book appointments, get invoices to/from the Gmail account. But here is something that my friend, and the clinics, should know:

Fact: in Ontario, healthcare organizations must comply with the Ontario government’s Personal Health Information Protection Act, PHIPA. Under the PHIPA, healthcare professionals must disclose and receive consent if they would store your medical information outside of Canada.

The contract that my friend received had lots of legal jargon, she didn’t read it, but signed it anyway. Reviewing the contract, it does mention a couple of specialized apps that could be introduced to the patient. But there is no mention of Gmail, nor consent to Gmail.

Then the assessment reports started coming in. Medical information was now being sent via Gmail. Now clearly in violation of PHIPA rules, with medical information being sent.

Personal Information (PI) is information that can identify you unequivocally as an individual. An email address by itself is not personal information, but when that email contains a name and street address, that is “Personal Information” as far as the PHIPA rules go. Furthermore, her Personal Health Information (PHI) is being sent via Gmail.

Cybersecurity and privacy concerns simply did not exist in the past. Your doctor, for example, would simply lock away your records in the filing cabinet. But now, we must look out for our own privacy. You can make some assumptions: a big hospital in Ontario is very likely to be following PHIPA rules, but smaller clinics may not be.

You can ask the clinic if they follow PHIPA rules, or maybe where they store their patient’s data. In the case of my friend’s psychologist, we have taken the time to inform him of the rules, the PHIPA rules specifically, that he should be following. Ultimately, that psychologist could have been reported to the College of Psychologists of Ontario, but that would have been an extreme measure.

Bottom line: vigilance is required every day for all interactions on the Internet. Your privacy is always at risk. The more private information you give, the more you have to think about your own cybersecurity. If the information is important to you, then you must consider the location of your information.

How Signority Secures Your Data

My last blog, Three Stages of Data; In Transit, At Rest, & In Use described each of the three data stages and touched on how each stage requires a different approach to security and privacy. Today we are going to talk about:

when your data enters each of the three stages during the workflow, and
how Signority secures your data.

If you’ve used Signority you know that every document has a workflow. The workflow begins at the creation of the document and ends when it’s been stored after it has been signed by all participants.

During the it’s workflow your document and any data related to it, enters all three stages of data at various times. Here is each of the data stages and when your document enters that stage during the workflow.

In Transit: Your information related to your document is in transit (or in motion) when:

someone registers for a new account
you send the email notifications to the signers that there is a document ready for signing, and,
when the document has completed the workflow, meaning it has been signed by everyone, and a copy of the document is sent to each of the document participants (senders and recipients).

At Rest: All information related to the document and the document itself is at rest:

when it is waiting for the next person in the workflow to sign the document
it is stored on our servers once the workflow has been completed.

In Use: Your document and any related data, i.e.: the audit trail, are ‘in use’:

when a recipient or user are editing the document by adding the required information and/or signatures
the Signority platform is updating the audit trail with any actions, i.e.: signed, id verification, etc.

Signority starts our security process with our employees. All employees and sub-contractors must be security cleared with the federal government security clearance program. And they must complete a minimum amount of security and compliance training each year.

For In Transit and In Use data Signority eSignature Platform services using strongly encrypted extended validation (EV) Transport Layer Security (TLS) certificates to encrypt the data in transit between users and the Signority eSignature Platform. We only allow the highest security TLS 1.2 and 1.3 protocols, and do not allow weaker TLS or SSL. The article linked above explains in detail what EV and TLS certificates are, what they do, and why we use them.

If you would like to know our rating, here is the most current certificate for Signority at the time of this blog post.

We also do not allow the use of older browser versions. Older versions are not updated with the latest security features and updates to ensure a secure browsing connection.

Data at rest data at rest is encrypted by using state-of-the-art AWS encryption technology and we salt usernames & passwords.

What is a ‘salted’ username and password? A salted username and password is a process where they are converted through a ‘hashing algorithm’ into an unintelligible series of numbers and letters. You can read a more detailed breakdown here at Okta.com.

Plus, we offer masked tags for end users to encrypt their sensitive information on documents.

If you are not a technical person, think of it this way:

Your information is locked in a box that requires a key.
That key is locked in another box that requires another key to open it.
And that box, with your box, is in a box that is password protected.

So your data is guarded with multiple layers of protection ensuring your data is secure and private.

If you would like to know more about how Signority protects customers data and privacy I encourage you to go to our Trust Centre. In Signority’s Trust Centre you can review our approach to Security, Privacy, Compliance, and Legislation (Legal).

Have questions?

Contact us by:

calling at 833-222-1088,
using the chat icon on the bottom right of your screen,
or through our contact form.

Look for my next blog, ‘What is Data Residency? And Does it Matter?‘

The Three Stages of Data

The Three Stages of Data; In Transit, At Rest, In Use

What are the three stages of data and what is the difference?

When evaluating the security of a new software for use within your organization, such as an eSignature software, you may have come across terms like ‘Data at Rest’ and ‘Data in Transit’.

These phrases indicate the stage your data is in and are often used when discussing the protection of data. The approach and methods required to protect your data changes depending on the type of information you are looking to protect and what stage it is in. To learn more about securing your data, read this article on Data Security.

Before you learn how to protect your data you must first understand the three different stages of your data because each stage requires a different approach.

They are: Data in Transit, Data at Rest, and Data in Use.

Data in Transit, sometimes referred to as ‘data in motion’, is data that is actively moving from one point, or location, to another. It can be traveling across the internet or through a private network. Data in motion is also data being transferred from a local storage location (hard drive, USB, etc.) to a cloud storage device (Google Drive, OneDrive, Box, etc.).

You create data in transit each time you upload information to a partner organizations site, download the balance of your savings account from your bank online, or save something to a USB flash drive.

Data at Rest is data that is not actively moving from device to device or network to network. This data is usually stored on a hard drive, in the cloud, on a USB, or stored in some other way.

And ‘Data in Use’ is data that is being stored passively in a stable destination, but is being utilized in other parts of the IT architecture. It may be in the process of being created, edited or updated, erased, or accessed through different interface endpoints.

Think of a document you have on our computer that you update, edit, or delete. Any of those actions create the instance of the document and its data being ‘in use’.

There is also one other aspect to data that will be talked about, Data Residency. Data Residency deals with where your data is stored. When we talk about where your data is stored we are not speaking about the kind of device or drive it is on but where is it located in the world.

Data Residency is a key factor in many data laws or regulatory requirements imposed on data that govern a country or region in which it resides. These laws address key requirements in data protection and privacy. When evaluating a software look for their Trust Centre, this is where they will explain how they protect your data and privacy.

Protecting sensitive data is a high priority for any organization. And, as previously mentioned, the approach and methods required to protect your data changes depending on the type of information you are looking to protect and what stage it is in.

Data at rest is often considered to be less vulnerable than data in motion, but hackers and nefarious individuals often prefer data at rest and find it a more valuable target than data in transit.

We will review some of the methods used to protect data in each stage in an upcoming blog.

data at rest data in transit data transfer management Three Stages of Data

Educational Institutions Need to Implement eSignatures

Why Educational Institutions Need eSignatures

Educational Institutions Need to Implement eSignatures

In order to keep up with the ever-changing digital world, educational institutions need to implement eSignatures into their operations. Technology has had a tremendous impact on the education sector, and it’s important for schools and colleges to keep up with the latest trends. Electronic signatures are one of the many ways that institutions can modernize their processes.

Here are three reasons why eSignatures are so important for schools:

Efficiency: When administration staff is bogged down with paperwork, it can significantly impact their ability to complete other tasks. eSignatures allow you to sign documents and approvals quickly and easily, without the need for a physical signature.
Security: Documents signed with eSignatures are more secure than those that are not, as they cannot be tampered with or modified.
Compliance: Many government agencies and organizations require electronic signatures for compliance purposes. Using eSignatures can help your school stay compliant with regulations.

Security wise eSignatures a lot more secure than paper. Paper can get lost, stolen, someone can copy it without someone knowing, and it can easily get damaged resulting in the loss of information. The most secure signature is a Digital Signature. You can learn more about the differences between eSignatures and Digital Signature here.

To be compliant you have to follow certain guidelines and practices that your local governments or industry regulators have set up to ensure the security and safety of the documents and their signatures.

For example, some Canadian educational systems cannot have data that is stored off-site on a server that is located outside of Canada. The data also cannot go outside of Canada’s borders while in transit. This means you have to find an eSignature service like Signority.

Signority guarantees your data stays safe and secure in Canada, both in transit and at rest. This means your student’s data will never travel or reside outside of Canada’s borders.

Now, let's look at efficiency.

When I think of paperwork and schools, as a parent, I think of registration forms and permission slips. Let’s use these as our use case.

Each year you have to confirm the number of students who will be returning as well as register any new students. What are some
of the issues you have probably faced when going through this process.

A rush of last-minute parents coming in to register their child(ren) the week before school starts.
Incomplete and missing paperwork with signatures in the wrong place.
Trying to get the signatures of both parents when they are divorced or separated.

With an eSignature platform you can automate the whole process and ensure that all the information is given where it’s required. Now let’s see what the top 6 features that will help you the most.

Automated workflow. With the automated workflow feature set who to send the document package to and in what order. Each recipient receives an email notifying them they have a document. You can even set up auto-reminders that go out if someone takes too long to sign.
Templates. Setting up the school registration forms as templates means you are always ready to go – all you have to do is enter the parent’s name(s) and emails. And if you need to do 2, 20, or 200 at once, use a bulk sign template to send them in less than 5 minutes!
Multi-document package. One document package can consist of the registration form health forms, the list of required supplies, and the waiver. Just upload whatever files you need in the package one at a time or using bulk select. They can even be different file formats.
Automated email reminders. Forget having to pick up the phone or send another email. This feature allows you to determine when and how often the parents or school staff and officials will receive an automatic email reminder if they haven’t signed the document yet. This simple nudge encourages them to do their part while saving you time.
Template Link. Put a registration form on the school website so parents or students can register for an event. You can even put the registration form online for new student registrations.
Masked Tag: A masked tag will take any information entered into it, encrypt it, and conceal it from everyone in the workflow. This feature is especially useful for a student’s personal information like their health card numbers, student numbers, etc.

Having and using these six features in any eSignature platform can save you and your staff time and increase productivity.

BONUS - you help save the planet

There is one more really big benefit to using eSignatures. Sustainability. How much paper and printer/copier ink do you go through each year? I encourage you to check your budget. I’m sure you will find on the paper side, it’s a lot of trees. Remember, “Today is the opportunity to build the tomorrow you want.” ~ Ken Poirot.

Finally, I would like to ask you to consider the other savings you get along with eSignatures being a green technology. You save time and money.

Consider the time it takes to:

chase people for the signed documents,
having someone travel to deliver the document,
and then filing the document or scanning it back into your system.

Adopting eSignatures into your operations saves an average of $20 per document. Think about that. They save you time, money, and the environment. But don’t take our word for it, see for yourself with this article on Financesonline.com.

If you would like to learn more about eSignatures and the features available that may help you Signority’s tutorial page is a great resource.

And to see how well an eSignature Platform would work for you then I encourage you to take advantage of our free no obligation 2-week trial.

Look for my next blog where I write about Working from Home and eSignatures.

Have a great week everyone

Security Features You Need in an eSignature Platform

Your organization has decided to start using eSignatures and you have been tasked with researching the different options available in the marketplace. The first thing you have to do is research the basic security features you need in an eSignature platform. Then you can move on to the obvious, Price, Ease of use, Scalability, Reviews, and Features.

Why? Because you need to ensure all your documents and data is protected. You also have to ensure the signatures can be verified.

In order to ensure the integrity and veracity of the final document and signatures you need to be able to:

Secure the document and signatures
Verify the signer’s identities
Protect any confidential information entered
Track the document and signatories
Restrict access

Here are the basic security features you need in an eSignature platform:

Digital Signatures
Masked Text
Signer Identity Verification
Multi-Factor Authentication (MFA) and Single Sign On (SSO)
Audit Trail
Team Account Roles & Permissions

The first security feature you need is a Digital Signature. Wait… what? I thought eSignatures are Digital Signatures. Aren’t they the same thing?

No, that is a common mistake many people make. And it is one that will determine the security of the document and signatures. Here are the definitions as quoted from the post eSignatures vs Digital Signatures

“An electronic signature is information in electronic form (can be sound, symbol, process, etc.) that is associated or attached to a document. This means that so long as we can demonstrate that the signature is associated with a person and that there was intent to sign, everything is legally binding and accepted (all of this can be seen in Signority’s audit trail).

A digital signature is actually a form of electronic signature that uses an encryption algorithm that helps validate who the signer is. It also ensures that the document cannot be tampered with, as the signature becomes invalid if the document is changed after signing. This helps prevent repudiation by the signer, making it almost impossible to deny having signed the signature. Essentially, these issues are some of the biggest challenges to electronic signatures, and digital signatures are able to help overcome these issues.”

For a much more comprehensive explanation from a cybersecurity perspective read this post about digital signatures on TechTarget.com.

Next is the Masked Tag. This tag allows you to protect your signatory’s personally identifiable information (PII) and other confidential information. If you work in the healthcare field for example, you may ask someone for their insurance information. You want to make sure that no one else sees this information.

Using a masked text tag will allow your signer to securely enter PII into the form where you request it. The masked tag will conceal and encrypt the information entered once the signer has filled it out. This means anyone who receives the document for signing after this signer will only see the title of the tag you entered, i.e.: Health Card.

Because the information is encrypted, the person who needs that information, the document sender, will have to follow very specific steps to retrieve that information securely and confidentially.

To help ensure the integrity of a signature you need a Signer Identity Verification feature. This feature will send a one-time use PIN code to the signer either by email or SMS (text message). They will need to have this code in order to access the document. Once they have used the PIN code to access the document an action will be logged. Using this code verifies the signer received it on an account that can be traced back to them. The log, or audit trail, will document that the signer’s identity has been verified and how it was verified.

And now that you have verified your signers identity, let’s look a little closer to home. You need to secure access to the eSignature platform. You don’t want just anyone having access to your clients, partners, and company’s information. To do this your organization can either set up Single Sign On (SSO) or a Multi-Factor Authentication (MFA) Login. These sign in methods help restrict access and lower instances of phishing and make it much more difficult for hackers.

As stated in this great explanation of SSO by TechTarget.com, “Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials — for example, a name and password — to access multiple applications.” This ensures that unless someone can be verified through your companies main system, they cannot get in. The referenced article does a great job of explaining it.

If your company cannot use SSO then the application you select should, at the very least, offer MFA. As stated at precisely.com, “Multiple factor authentication verifies a user’s identity by combining two or more of the following independent credentials:

Something the user knows (e.g.: password, PIN, passphrase)
Something the user possesses (e.g.: email account, smartphone, code-generating device)
Something inherent to the user (e.g.: fingerprint, iris scan, voice recognition)”

The Audit Trail is the next security feature we will review. The Audit Trail is a document that comes with your final copy of the signed document. It can be a part of the final document or arrive as a separate document. It has three main components: the meta data, the Signers, and the History. The audit trail will show you who did what action (signing the document), the timestamp associated with the action, their IP Address, and if required any notes. A note can include the ID Authentication method and include a partial email address or phone number. An example confirming SMS ID Authentication in an Audit Trail can be seen in the image below.

ID Authentication Audit Trail log

Finally, you need to have the ability to set up team account roles and permissions. The ability to assign roles and permissions helps you keep your documents secure by restricting who has access to what and when. For a clearer understanding of how roles and permissions may be set up you can review the roles available in Signority. You don’t want everyone in your organization being able to view the documents sent by legal or finance, do you?

Here is a bonus feature. The Retention feature. Depending on the industry you work in your organization may be required to have a retention policy. If you are unsure whether you need a retention policy I strongly encourage you to do some research to find out. Interdyn has a great article called Data Retention Policy 101 that reviews what a retention policy is, the questions you need to ask, and how to set one up. I highly recommend you read this if you do not have a policy in place.

A retention feature allows you to apply your retention policy to all the documents that have been signed digitally. And a good one will allow give you ways to automate the whole process. This post gives a good overview of a retention feature and the options available within one. You will see it is easy to set up and helps you ensure compliance.

And those are the basic security features you need in an eSignature platform.

Look out for next weeks edition where I will review the differences between Adobe Signature and Signority eSignatures in the post, “Adobe vs Signority“.

Until then, have a great week and stay safe.

Security Features You Need in an eSignature Platform

Your organization has decided to start using eSignatures and you have been tasked with researching the different options available in the marketplace. The first thing you have to do is research the basic security features you need in an eSignature platform. Then you can move on to the obvious, Price, Ease of use, Scalability, Reviews, and Features.

Why? Because you need to ensure all your documents and data is protected. You also have to ensure the signatures can be verified.

In order to ensure the integrity and veracity of the final document and signatures you need to be able to:

Secure the document and signatures
Verify the signer’s identities
Protect any confidential information entered
Track the document and signatories
Restrict access

Here are the basic security features you need in an eSignature platform:

Digital Signatures
Masked Text
Signer Identity Verification
Multi-Factor Authentication (MFA) and Single Sign On (SSO)
Audit Trail
Team Account Roles & Permissions