How to Assess Your eSignature Cloud Service Provider’s Security with Confidence

security logo

When looking for an eSignature Cloud Service Provider (CSP), security and privacy are crucial. Your eSignature CSP will likely be helping you manage sensitive information. So, it’s important to choose a provider that you can trust to protect your organization’s and your customer’s data. In this article, we review six things to look for when assessing a CSP’s security and privacy protection.

Industry Security Certifications

The world of data processing is complex, even dangerous. In this age, data drives much of our day-to-day life. Hence, there are malicious actors always trying to steal and ransom data, and compromise data processing systems. Thankfully, many security frameworks like the globally adopted NIST Cyber Security Framework (CSF), have been developed to help keep organizations safe.

There are many security frameworks and standards. In the cloud industry a few important ones include:

  • NIST Cyber Security Framework together with other supporting NIST standards
  • ISO 27001, ISO 27017 and ISO 27018
  • Service Organizational Control (SOC) (1, 2 and 3).

These frameworks contain important security guidelines and controls that help ensure the protection of your data. If your CSP has or leverages one or more of them, it means that your data is likely well-protected.

Note that there are three SOC certifications: SOC 1, SOC 2, and SOC 3. SOC 1 focuses on financial reporting and might not be relevant to your needs. SOC 2 was partially created in response to the rise of cloud computing. In most cases, it will be the most relevant. SOC 2 Type 1 signifies that a CSP has been initially audited and the controls were found to be in place. SOC 2 Type 2 signifies that the CSP has maintained the controls over a period of time. Finally, a SOC 3 report is a more general type of report that’s often used for marketing purposes. It covers much of the same topics as a SOC 2 report, but is simpler and easier to digest.

Legislative and Regulatory Compliance

When it comes to government laws and regulations, things can get complex. Depending on the jurisdiction, the laws and regulations that apply will be different. For eSignature CSPs, privacy protection legislation and electronic signature legislation are legal considerations.

In Canada, one law to keep in mind is the PIPEDA. It stands for “Personal Information Protection and Electronic Documents Act”. As its name suggests, it covers personal information and electronic documents.

With its first part, PIPEDA applies to Canadian private-sector organizations. Specifically, those that collect, use or disclose personal information in commercial activity. Organizations subject to a provincial privacy law that’s substantially similar, are often exempt from PIPEDA. Examples include organizations in British Columbia, Quebec and Alberta. Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador have also adopted substantially similar legislation. Note that in British Columbia and Nova Scotia, provincial privacy laws require public sector organizations to store and access personal information in Canada only. In the rest of the provinces, Canadian data residency may be encouraged, but isn’t mandatory. Therefore it is very important in these cases to use CSPs that store your data in Canadian data centres. To help assure your customers, you may wish to ensure that your organization’s data remains in Canada regardless. If you are not sure which Canadian laws apply to your organization, this decision tree can help:

https://www.priv.gc.ca/en/report-a-concern/leg_info_201405/

In the United States, there isn’t one set of regulations that governs data privacy protection. Instead, several federal and state laws determine how to handle and protect data. For example, organizations in California may be subject to the California Consumer Privacy Act (CCPA).

Other countries also have their own laws and regulations governing data privacy protection. CSPs with customers in the EU may be subject to privacy regulations from the EU General Data Protection Regulation (GDPR).

The second overall consideration is the legality of electronic signatures. There are a myriad of Canadian federal acts and regulations that address eSignatures. Examples include:

  • PIPEDA, Part 2 (governs private-sector organizations’ use of electronic documents and signatures for purposes required by federal laws)
  • Secure Electronic Signature Regulations
  • Electronic Payments Regulations (annexed to the Financial Administration Act (FAA)
  • Payments and Settlements Requisitioning Regulations (annexed to the FAA)

Besides these, over 20 federal acts and 30 regulations include references to “electronic signature”.

As well, most Canadian provinces and territories have enacted e-commerce and e-transaction laws. These provide electronic equivalents to paper-based signatures, along with other requirements.

In the US, there are numerous related laws including:

  • The US Electronic Signatures in Global and National Commerce Act (E-SIGN)
  • The US Government Paperwork Elimination Act (GPEA)
  • The US Uniform Electronic Transactions Act (UETA). This covers most States, D.C. and the US Virgin Islands.

As well, some FDA-regulated industries may need to be compliant with the Code of Federal Regulations (CFR) Title 21 Part 11. This identifies certain technical eSignature requirements. Some examples of these industries include:

  • US drug makers
  • Medical device manufacturers
  • Biotech companies
  • Biologics developers
  • Contact research organizations (CROs)

There are many other existing and evolving eSignature laws around the world. For example, the EU Regulation No 910/2014. This covers electronic identification and trust services for electronic transactions in the European internal market (eIDAS).

One often misunderstood fact is that laws and regulations don’t have associated technology certification programs. Simply put, there aren’t any third-party audits to check compliance with them. That’s different from the industry security frameworks and standards that discussed above.

Ultimately, it is up to your organization to operate under applicable laws and regulation. Your CSP and its eSignature solution should help you remain compliant with all relevant regulation. But in general, you will still remain responsible and legally accountable.

Third-Party Data Sub-Processing

Third-party evaluated security certifications are a good proxy to test how well a CSP handles an organization’s data. However, sometimes you may wish to go a little deeper. Especially about third-party data sub-processors involved in the provision of an eSignature service.

For example, ask questions about the sub-processors that the CSP uses to process data. What data do they share with them for sub-processing? In which countries are those sub-processors storing that data? Does your CSP hold them accountable to the same high security standards that the CSP uses? Has your CSP provided you details on their sub-processors? Are they certified? Have you agreed to their use, in contract?

Another best practice is to document the types of technical and organizational measures (TOMS) that are expected to be in place. Around the world, this is done using a Data Processing Agreement (DPA). You’ll usually see it as an appendix to the main contract with the CSP.

Security Governance Principles

Having a corporate culture stressing the protection of data and implementation of standard privacy practices is very important for a CSP. Even with security certifications, a CSP always needs to take security and privacy seriously at all levels. Good info security and privacy governance ensures that a company can operate securely. It means they’ve got the right board and executive involvement, leadership, organization, policies, standards, practices, processes, and tools.

To assess a CSP’s information security and privacy governance, here are a couple tips. 1. Check if the CSP’s goals and priorities are linked with security and privacy. 2. Make sure that the CSP has designated senior individuals responsible for overseeing and making security and privacy decisions. Usually this is the Chief Security Officer (CSO) and Chief Privacy Officer (CPO).

Solution Security and Privacy

Your cloud software provider’s product must be designed with security in mind. For cloud solutions, there are several important requirements. For example, using TLS 1.2 or 1.3 certificates to encrypt “data in transit”, and encrypting “data at rest”. It’s also important to know how the service keeps data in customer accounts separate from each other. Qualys is an app that can help you assess how secure a cloud-based application is. An “A” means that the web application is securely built using the latest web protocols. A “C” or “D” indicates seri

Your eSignature CSP’s solution should be designed and maintained with security and privacy in mind. For example: implementing a Development-Security-Operations or “DevSecOps” approach to software development. This helps ensure that security is considered at every stage of the software development life cycle. Another example is using the “Privacy by Design” or PbD principles, practices and approaches. This is a solid way of ensuring privacy considerations at every stage.

One simple check that you can undertake is to test the security of its website. Go to ssllabs.com and input the CSP’s website URL, and then run the test. A score of “A” or higher suggests that the CSP pays attention to security. A score of “B+” or below may suggest otherwise. Under no circumstances these days should a CSP be permitting the use of older SSL, or weak TLS 1.0 and 1.1. Nor should it be permitting the use of weak browsers, protocols or ciphers.

Also check the CSP’s website for a comprehensive Privacy Policy or Privacy Statement. The policy should explain the CSP’s privacy practices in detail and kept current; less than one year old. It should also provide you with relevant contact info (e.g. Chief Privacy Officer). This is important if you have any questions. You should also be able to find government privacy legislation contact info. In case you want to file a complaint, that is where you would send it.

Solution Security Features

An eSignature CSP solution should support your privacy and security needs. This is especially true if you’re handling sensitive information. So, you’ll want to look for solution features that help you control and protect that information. For example, look for strong password dynamics and standardized multi-factor authentication methods. Ideally they should be available for both the creators and signers of your documents. Also look for SAML 2.0 capability so you can use your own organizational electronic identifies and related security policies.

Also, ensure that you will have the ability to use more secure ones eSignature options. For example, those that involve the use of public-key infrastructure (PKI) and notarization services. These are often called “digital” signatures.

You will also want to look for granular security roles and the ability to restrict certain documents to a few individuals. Make sure to clarify and ask questions!

Contract Signing in HR Using eSignatures

When managing people and employees, there’s always a lot of paperwork involved. New employees need to sign contracts, contractors need to sign agreements, and every year staff might need to sign acknowledgement forms. If you’re managing a large number of employees, all the paperwork can pile up. It takes a huge effort to sort everything out and make sure that all the forms are in place. Not to mention the mistakes that people make when filling out a form. It could be missing a mandatory field, or filling something in with the wrong type of information. Mistakes like these just make life harder for everyone. That’s where an eSignature tool like Signority comes into play.

Standard Forms/Contracts

For standard forms or contracts that don’t change regardless of who is signing the contract, a feature like the Signority eSignature Template is what you’re looking for. By setting up a form as a template, you’ll be able to instantly access and send the form to anybody who needs to sign. If there are multiple administrators in your organization who also need to use the form, you can set up the form as a template once, then share it with everyone who needs to use it. Just make sure that all your coworkers are in the same eSignature account team as you are.

The great thing about a feature like Signority’s eSignature Template is that you can set up a custom workflow for each of your forms. For example, let’s say you have a contractor work agreement form. For this form, you need to have the contractor sign first, and then have an authorized representative from your company sign. You can set this workflow up in the Regular Template by adding two recipients, and then assigning an order for them. This way, you can easily set up any contract signing process as an eSignature Template.

Acknowledgement Forms

Sometimes a form needs to be sent to hundreds or thousands of employees at the same time. An example of this might be a policy acknowledgement form that all staff need to sign. In this case, a feature like the Signority Bulk Sign feature is the thing to use. A bulk signing feature can save your organization hours or even days of work. You can electronically send hundreds of copies of forms at once just by uploading a list of recipient names and emails to your eSignature application. Reporting features also allow you to manage all the forms sent out in one place. You can instantly search for who has yet to sign the document, and even see what each person has inputted into the form.

Signority’s Bulk Sign feature also allows you to build custom workflows for your form, just like any other eSignature document.

Save time by reducing errors

With an eSignature tool, you’ll be able to mark certain fields as “Mandatory” and others as “Optional”. Since the signing process happens on the eSignature app, the app will be able to enforce these mandatory fields. That means that your signer won’t be able to send back the document to you without filling in these fields.

eSignature tools also offer different types of fields, such as text fields, number fields, dropdown menus, radio buttons, and more, to ensure that the recipient is inputting the right type of information. The last thing you want is for your signer to put in their name where their phone number is supposed to be.

Using these features, you’ll drastically cut down on the amount of time both you and your recipient spend on signing a contract. No more going back and forth trying to get forms completely properly.

Customer Acquisition Online with LinkSign

The Signority LinkSign feature lends itself to many different use cases. In this article, we’ll focus on one of those use cases: Customer Acquisition. Customer acquisition is a key part of any business and making it effective and efficient can make a huge difference to your business’ success.

Types of forms can LinkSign be used for

Basically any standard form that needs to be signed by an individual can be set up using LinkSign. Any forms that you might want to post on your website for visitors to view and sign if they are interested in your services will work great using LinkSign. These kinds of forms can include questionnaires, insurance applications, engagement letters, etc.

How it works

At a high level, LinkSign works by generating a URL for a form that you create. The steps to create a LinkSign form are relatively simple.

  1. Sign into your Signority account
  2. Create a new LinkSign form by clicking “New Template” from your dashboard, then choosing the “LinkSign” option
  3. Now upload the file for your form
  4. Drag and drop the appropriate fields onto the document. These are the fields that people will be filling out and using to sign.
  5. Publish the LinkSign and copy the generated URL. You can use this URL to send to individuals or post it on your website for visitors.

Benefits

For many businesses, the customer acquisition process requires the potential customer to sign a form or document before becoming an actual client. If you’re not using an eSignature tool like Signority’s LinkSign feature, that means that people need to print, sign, scan and send the form back to you. It’s a time-consuming process that could be costing your business a significant number of new clients. With LinkSign, signing takes just a few minutes. In addition, you can track each person’s progress in real time as they fill out their forms and view a report of everyone who has already filled out your form.

Signority’s LinkSign functionality doesn’t stop there. Using built-in routing features, you can have every completed form automatically sent to your sales department for approval. If anybody needs to see or sign the form after a potential client completes it, you can set up the LinkSign to route that document to them. Any such workflow can be customized.

To recap, the traditional customer acquisition process can be slow especially when there’s signing involved. Signority’s LinkSign feature gets rid of that problem by enabling fast and easy online form signing, with the added perks of tracking and reporting features for your business.

11 Essential Resources For Your New Paperless Office

11-resources-for-taking-you-business-paperless-esignatures-digital-signatures-electronic

Starting a digital office can seem a daunting task. You want to go in and go all the way – but what if you overlook a key aspect and everything stops working together? Not to worry. Here’s the list of resources you will need to utilize in your new paperless office. With nothing missing. Well, expect the paper.

PAPERLESS INVOICING

Freshbooks is a great service that can convert your billing and invoicing system to a secure electronic database. This “cloud accounting” service delivers a fast, accurate, easy to use, and professional interface for all your billing needs. Automated invoicing is available, as is integrations with Paypal and other online payment services. Use the system to generate reports, track expenses – even get the app to ride along.

PAPERLESS MEETINGS

TeamViewer lets you conduct paperless meetings and manage data within the paperless. You get remote access to any device 24/7 from any computer or mobile device. Hijack your colleagues’ laptops to access data during meetings, plus use screen sharing, video and file sharing, included whiteboards, and teleconferencing to be effective and paperless. When meetings are over, upload slides and info to Dropbox or Basecamp easily and share the digital copies.

Doodle and SurveyMonkey provide free service for conducting and scheduling meetings but don’t provide device connectivity and takeover capabilities.

PAPERLESS SCANNING AND FAXING

Turboscan is an excellent app that allows phone cameras to be used as scanners which then convert captured images to PDFs. High-quality photos are editable and may be stored and sent singularly or as large files.

Your office may also need a larger scanner for digital imaging. Here’s a PC World review of the best scanners for a paperless office.
eFax takes incoming faxes and puts them into your email box and easily-searchable emails. Receive and send faxes online from any smartphone, tablet, or computer.

PAPERLESS MEMOS AND NOTES

Evernote lets you organize notebooks of digital notes, tasks, and can sync all your devices. Whether you use a laptop or an Android phone, you can have all your notes and thoughts wherever you go. Circulate ideas between team members

PAPERLESS PAYMENTS

Square and Paypal Zettle let you process credit cards from the convenience of any mobile device and send paperless receipts to customers.

Shoeboxed lets you send your mass of paper receipts into the Shoeboxed office and receive digital versions in return. They’ll scan your papers and index them in your account, letting you get reports and integrate the data into your database systems.

PAPERLESS SIGNATURES

Signority streamlines the essential process of acquiring customer signatures with one seamless digital application. Send and receive signed documents via a user-friendly interface usable across any device. Need help on how to create an electronic signature document in Signority? No problem! Check out our Knowledge Base, or contact our customer support. Signority is great for the all agile businesses, allowing you to sign PDFs instantly, edit and store documents with one touch, and move forward faster.

Looking to take your business paperless? Sign-up now and get a 14-day free trial to a Signority Plan!

How we interpret Customer Success

Nobody can deny Farm Boy, a local Ontario grocery store, of its food’s freshness and the quality. It’s my favorite place to shop with plenty of varieties for all occasions, and they’ve always got something for when I can’t come up with a dinner idea; daily fresh made soups, sandwiches, duo or trio ready-to-go meals. The bakery has all types of breads, the butchery section is filled with marinated shish kebabs, tasty sausages, and other delicious meaty foods. When holidays come, they even offer family meal kits. Farm Boy is more than a grocery store to me. It provides me with meals-on-the-go that are healthier and higher quality than what you might get at many restaurants. By now, you should be getting an idea of what kind of the store Farm Boy is. But it goes even further. One day I was there looking for ground pork. Although I had seen Farm Boy selling ground pork before, it wasn’t something that they sold every day. That day, they didn’t happen to be selling any. Tough luck. Not expecting anything, I decided to ask a staff member beside me who was placing meat packages on a shelf. To my pleasant surprise, she said, “We don’t have any today, but I can ground what you’ve selected while you finish your shopping. Just come back in 5 minutes”.

COVID-19 has changed the way we live dramatically. Churches having to go online overnight, 80 year old parents learning how to use Zoom to connect with their families, businesses switching to a completely remote workplace. Our lives are all becoming digital. Customer support especially. These days, a large portion of customer support services are automated through the use of AI chatbots and answering machines. Sometimes I feel like I’ve won a lottery when I call a hotline and have a human answering on the other end of the line. Automation is great for the service providers employing them, but what about for the customers? Is it better to give our customers a “take it or leave it” attitude that often comes with automated support? Or should we tune-in to their problems? Although many Software-as-a-Service (SaaS) providers may see it as costly and inconvenient to provide personal support to customers, at Signority, we believe that it’s a key component to Customer Success.   

When a customer stumbles upon a problem, it’s important to clear their questions as soon as possible, regardless of the size of the customer. That’s why, when you contact Signority’s customer support, whether you need help finishing an online contract signing process, or have questions about how to set up an electronic signature, you will have a real human answering the line. 

Our support response times are posted on our website, but we have been delivering support much faster and aim to continue to do so in the future. We also believe in listening to our customers. Customer requests are directly handed off to the product development cycle. Our product roadmap is based on our customers’ needs. 

This is how we operate at Signority; personally connecting with our clients to ensure their success. After all, there is no better reward for a company than loyal customers who are successful.

Jane He, CEO

Want to learn more about our product? Try it out for free for 14 days!

Wet Signatures vs. eSignatures | Which is more secure?

eSignatures have been around for over two decades, but many businesses have yet to make the switch from paper signatures to electronic ones. One of the main concerns is that eSignatures lack the security necessary to ensure that the document’s contents are kept confidential and the signatures coming back are legally valid. Let’s see if this is true by doing a side-by-side comparison of paper signatures and electronic signatures.

Wet Signatures

Physical or “wet” signatures are the traditional pen-and-paper signatures that are physically applied to a document. For these types of signature, the document to be signed may be sent to the signer via mail or other method to be signed privately. At other times, the document is signed in the presence of one or more other people. Paper signatures are a physical representation of a person’s identity and serve as proof of their consent to and acknowledgement of the contents laid out in the document. More often than not, a paper signature’s validity is based on trust. As the person who requested the signature, you must trust that the person who signed the document is who they say they are. As a signer, you must trust that your signature is not being forged to sign documents without your consent. Since wet signatures don’t come with a report that tells you what happened to a document prior and during signing, there is no way to directly trace the signature back to where and by whom it was signed.

In addition, with wet signatures, if the documents are not scanned and uploaded to the cloud, there is a risk of a natural disaster occurring and destroying the contents. This is another risk that businesses must face if they opt to continue to sign papers using paper.

eSignatures

An eSignature is an electronic piece of data that is created by an individual. The application of this piece of data to a document represents the signer’s identity and consent to and acknowledgement of the contents in the document. It serves the same function as a wet signature. However, since all the signing activity is done in the cloud, eSignature applications can track and observe a signer’s actions during signing. Signority’s eSignature solution tracks the name,  email address, IP address, and time of date of every action performed by the signer during signing. This allows document senders to have a full traceability report for each of the documents they get signed. Compared to wet signatures, this makes verifying a signer much easier, and can save businesses legal headaches down the line. For a signer, as long as you have full ownership over your email address, only you will have access to the documents you should be signing. If someone does try to impersonate you and eSigns a document without your consent, all their activity will be logged through the document’s audit trail. This information can be used to show who really signed the document. Furthermore, the use of SMS 2-factor authentication, and other authentication methods helps ensure the identity of the signer.

In terms of document storage, digitally stored documents are backed up in the cloud, so in case of a disaster, you won’t lose your documents. In addition, almost all eSignature providers have industry best-practice security certifications such as SOC I and SOC II certification and ISO 27001:2013 certification. These certifications verify that the company handles their customer data securely, protecting it from outside attackers, and can effectively recover from incidents that would otherwise lead to loss of data.

Finally, documents signed with eSignatures often come with a digital signature applied to the document by the eSignature provider. This digital signature can act as a type of tamper-proofing mechanism to detect whether or not a document has been tampered with. You can learn more about what digital signatures are here.

With all this information, it’s clear that eSignatures are a good choice for many companies. They provide superior security and traceability for signed documents. Not to mention they also cut down on the time you spend on each document that needs to be signed!

A Brief Introduction to eSignatures | Benefits and the Future (Part 2)

This is the second part in the series, A Brief Introduction to eSignatures. In the first part, we answered the question “What are eSignatures?”. We talked about the legal definition of an eSignature, the components of an eSignature, and the difference between an eSignature and a Digital Signature. If you missed it, check it out here.

In Part 2 of this series, we’ll go over the benefits that eSignatures have for businesses, and where the industry is headed.

Benefits of eSignatures

Legally-binding eSignatures have a number of important benefits for businesses:

  1. Easy to use. Signing electronic documents is super simple for all involved. In fact, most eSignature software is intuitive even to complete beginners, which means less time spent learning how to use new software.
  2. Save money. Paper isn’t cheap, especially when you account for purchasing, copying, scanning, and printing costs, among other paper-related expenditures. Needless to say, these costs add up quickly. Moving to a paperless system can reduce expenditures and instantly increase your profit margins.
  3. Save time. Printing, copying, and scanning takes time. Preparing documents for signature takes time. Tracking down (and waiting for) signatures takes even more time. eSignatures can shorten the turnaround time by as much as 90 percent.
  4. Improve accuracy. There’s nothing more frustrating than waiting for a signed document only to realize the recipient forgot to fill out a required piece of information. eSignature software allows you to specify mandatory fields, which, as you probably guessed, require the recipient to complete all such fields before the document can be signed.
  5. Stay organized. Keeping track of paperwork (regardless of how efficient your filing system may be) is often burdensome. eSignatures create an easily sortable, organized filing system by which you can easily store and retrieve important documents.
  6. Add an extra layer of security. Electronic documents can be protected by a variety of methods, including passcodes, encryption, two-factor authentication, and even biometric authentication methods. These methods instantly make your important documents more secure.
  7. Make things easier for customers and/or vendors. While eSignatures provide some obvious benefits for your own business, they also make things much easier for your customers, partners, suppliers, or other vendors (for many of the same reasons we’ve already covered). Customers prefer eSignature software not only because it is more convenient, but it brings a number of important advantages, including: eliminating unnecessary back-and-forth (saving time), simplifying internal processes, facilitating quicker onboarding, and increasing operational efficiency, among a laundry list of other benefits.

The Future of eSignatures

According to a report from MarketsandMarkets, one of the largest market research firms in the world, the eSignature market is expected to grow from USD $2.8 billion in 2020 to $14.1 billion by 2026. In another five years, the market will quintuple in size. So, what’s driving this incredible growth?
There are three primary factors driving the growth of the eSignature market:

  1. Online business continues to explode: More online business is good for the eSignature market. As more and more businesses move online, more legally-binding documents will be required, in order to govern and accommodate this transition. eSignatures are a necessary part of online business. As one goes, so does the other.
  2. Online security is more important than ever: It should be relatively easy to see the relationships forming here. As more business moves online, there’s more reason to protect that business. More importantly, Digital Signatures make it incredibly easy for business owners to protect their most important documents. Digital Signatures use a combination of public and private keys to encrypt and secure important documents, further reducing the risk of online fraud.
  3. Businesses will always be in the business of making money: And eSignatures can drastically reduce operational costs, thereby increasing profit margins. For example, it costs U.S. businesses nearly $8 billion each year to manage their paper documents. Going paperless brings drastic (and nearly instantaneous) cost benefits. In the end, money talks.

Even still, eSignatures simply make sense for nearly all businesses, regardless of size or industry. It simply makes business easier while saving companies time, money, and unnecessary headaches. When it’s all said and done, it wouldn’t be the least bit surprising to see the global eSignature market outperform its five-year projections.

Ready to use eSignatures for your business? Take advantage of Signority’s 14-day free trial!

A Brief Introduction to eSignatures | What are eSignatures? (Part 1)

Making sense of electronic signatures (eSignatures) can be intimidating. In addition, the eSignature industry is still relatively young (less than 25 years old), which means it can often be more difficult to find reliable, easy-to-understand information to address all of the questions a business owner might have.

This blog post is the first in a multi-part, educational series in which we will examine a number of important eSignature-related topics in greater detail, including: eSignature basics, the history of eSignatures, laws governing the use of eSignatures, when to use eSignatures, and how to implement eSignatures in your own business, among other topics.

In Part 1 of this series, we’ll review the basics of eSignatures (components, advantages, etc.).

Understanding eSignatures

As defined by the ESIGN Act (more on this foundational piece of legislation shortly), an eSignature is “any sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”

If that definition sounds vague or unclear, don’t worry. That’s sort of the idea; it is, after all, “legal-ese”. In plain English, however, the above definition simply “states” an eSignature as a legal concept. That is, its legal definition simply means that it is possible for an eSignature to carry the same sort of legal “weight” as its pen-and-paper equivalent.

That probably doesn’t make too much sense at this very moment.

So, let’s take a closer look.

First, there is one critically important point you should understand:

In a strictly legal sense, the term “electronic signature” does not refer to an actual signature. Instead, the term refers more broadly to the process requirements (we’ll call them components) that must be met in order for an electronically signed document to be considered legally binding in a court of law.

As far as the law is concerned, a signature is simply one component of an electronically signed document. By itself, it carries no legal authority. In order for an electronic document to stand up in a court of law, all of the components must be present.

The ESIGN Act (again, more on this shortly) explicitly outlines these components in an attempt to standardize, well, the process by which an electronic document must be handled so that it carries full, legal authority.

Let’s take a quick look at the basic components of an eSignature.

Components of eSignatures

As we just reviewed, the signature itself is only one component of a legally-binding electronic document. However, there are four, primary components that you should care about most:

  1. Consent: Basically, any individual who signs an electronic document must explicitly consent to do so in the first place. Should an individual choose not to consent to an electronically signed agreement, a non-electronic option must made available.
  2. Intent: In the simplest terms, this means that the signer clearly understands his or her intent to sign the document, and the process by which the individual signed the document was clear and understood from beginning to end.
  3. Verification: For an electronic document to be considered legally binding it must be signed by the same person whose signature appears on the dotted line. In turn, most eSignature solutions have built-in verification methods.
  4. Auditability: This is the electronic equivalent of a “paper trail,” whereby each party involved in an electronic agreement (or a legal entity, for instance) can, if necessary, easily access each step of the eSignature process at any time. So, we’ve covered the legal definition of eSignatures and reviewed some of the most important components of eSignatures.

Before we go any further, though, we need to make an important distinction.

The Difference Between an eSignature and a Digital Signature

Yes, there is a difference.

In fact, if you Google “eSignature vs. digital Signature” you’ll find nearly two million search results that will tell the same story. While the two terms are often used interchangeably, they are not one in the same.

So, what’s the difference then?

Remember the intentionally vague definition we reviewed earlier?

An eSignature is “any sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.”

Remember that one?

Like we said earlier, that’s because “eSignature” refers to a broad category that encompasses many different types of electronic signatures. As you’ll learn shortly, this definition was created back in 2000, way before eSignatures became a widely popular, legally-binding entity.

This language was intended to be vague from the start.

But, why?

Well, lawmakers wanted to leave themselves some “wiggle room,” understanding that at some point in the future there would be many different methods to electronically sign a document. So, they wrote the law to be intentionally inclusive. What’s a digital signature then?

A digital signature is one of these specific types of eSignature. It has its own set of legal rules, standards, and governances. We won’t go into the specifics right now (but may do so in a later guide in this series). That’s an entire guide in and of itself.

For the purposes of this guide, it’s enough to simply understand that there is, in fact, a difference between the two terms.

Now, let’s take a quick look at how an eSignature works.

How to get Signed Electronically

Illustration of a Signority eSignature workflow

Thankfully, eSignature software like Signority is easy to use—even for the most inexperienced users. In fact, it’s ease of use has been one of the contributing factors to its sky-high adoption rate. Though the exact process may vary depending on software solution, the basic workflow is virtually the same.

Here’s how a basic eSignature works:

  1. A document is uploaded to a website (usually a third-party software).
  2. The document is tagged to pinpoint exactly where a signature is required.
  3. The document is then emailed to the participants who are required to sign.
  4. The signer(s) completes all required fields, then signs the document electronically.
  5. The completed document is then automatically emailed back to the original sender.
  6. The document is automatically stored for safe, secure, and easy access.

Now that you understand the basics of how eSignatures work, stay tuned for the Part 2 of this series where we talk about the benefits and history of eSignatures.

Ready to use eSignatures for your business? Take advantage of Signority’s 14-day free trial!

The Breakdown: eSignature vs. Digital Signature

Overview

An electronic signature is information in electronic form (can be sound, symbol, process, etc.) that is associated or attached to a document. This means that so long as we can demonstrate that the signature is associated with a person and that there was intent to sign, everything is legally binding and accepted (all of this can be seen in Signority’s audit trail).

A digital signature is actually a form of electronic signature that uses an encryption algorithm that helps validate who the signer is. It also ensures that the document cannot be tampered with, as the signature becomes invalid if the document is changed after signing. This helps prevent repudiation by the signer, making it almost impossible to deny having signed the signature. Essentially, these issues are some of the biggest challenges to electronic signatures, and digital signatures are able to help overcome these issues.

Electronic Signatures: An Overview

You may be wondering how electronic signatures even work in the first place? Before we can get to the difference between digital signatures and electronic signatures, let’s discuss what an electronic signature is first.

According to the Canadian Uniform Electronic Commerce Act (UECA), an electronic signature “means information in electronic form that a person has created or adopted in order to sign a document and that is in, attached to, or associated with the document.” The American equivalent is the Uniform Electronic Transaction Act (UETA) and the Electronic Signature in Global and National Commerce Act (ESIGN). Their definition is “an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.”

At the heart of both definitions is the capture of the intention with which a signature is added. What that implies is that the electronic signature doesn’t have to look anything like your handwritten signature when it’s applied. It can be a symbol, a typed text, or even an image or sound. So long as the intention is present, then it is legally accepted and binding. In this sense, if the association with a person is demonstrated and the intent to sign is also demonstrated, the signature will meet the signature requirements stated above. This is done through the audit trail and by authenticating and determining who the signers are and what was signed.

Signority’s e-signature solution is able to capture all of this data through its detailed audit trail with time stamps, multi-factor authentication methods to validate the signer’s identity, and by securely storing the data to prevent tampering.

Digital Signatures: An Overview

We’ve explained what an electronic signature is in the previous section. The digital signature further improves the security and authenticity behind each electronic signature, acting like a digital “fingerprint” for a signer of a specific document.

The biggest challenges with regards to secured signatures have always been:

Is the signer who they say they are?
Is the signature valid and hasn’t been forged?
And has the document been tampered with?

In history, to counteract these challenges, the existence of notaries were introduced and played a key role in assuring authenticity and trust of a document.

Similar problems still exist today for the electronic world. However, digital signatures were created to help serve the purposes of notaries in the past. Certification Authorities (CAs), a trusted third party, now serves as the notary in terms of verifying a signer’s identity. Rather than being present at the time of signing, like a notary would, a CA acts as a trusted third party organization that ensures the security of the Public Key Infrastructure (PKI) and providing digital certificates for signers, both of which are necessary for a digital signature transaction.

The technology behind secured Digital Signatures

A digital signature is unique to each individual signer. To ensure this, electronic signature solution providers follow a protocol called the PKI. The PKI uses a mathematical algorithm to generate two keys for the signer, a public key and a private key. The two keys together make your digital certificate, which help validate the signer’s identity.

When a document is electronically signed and completed, a unique “fingerprint” of a document (called a hash) is generated by using a mathematical algorithm. This hash is, then, encrypted by the signer’s private key. The encrypted hash and the document certificate issued by a trusted CA are both attached to the digitally signed document, thereby completing the digital signature transaction.

To validate the signer’s identity and verify the signature, the signer’s public key is used to decrypt the document hash. During decryption, a new hash is calculated and matched with the original encrypted hash. If the two are the same, the signer is validated, as the two keys must match and create the same hash.

Benefits of Digital Signature

All of this finally brings us to the question, what’s the point of all of it and how will it benefit my business? As stated at the beginning, an electronic signature captures the intent and also helps prove who the signer was and what was signed in the first place.

The key benefits of digital signature is that it works with the electronic signature rather than replacing it. When you apply the digital signature to a document, the cryptographic operation helps bind the digital certificate and the data being signed into one unique digital “fingerprint”, the uniqueness of the certificate and the data is what makes digital signatures so viable.

As a result, you can be assured of 3 things:
Signer identity is valid – you will know that the signers are who they say they are
Tamper-proofing – you can be ensured that the document hasn’t been tampered with, otherwise the signature would be invalidated
Non-repudiation – the signer cannot deny having signed the signature and is possible to prove in court HSM or Hardware Security Module

For Signority to have digital signatures available for users, it uses a Notarius Hardware Security Module (HSM) to help store and manage the digital keys that are used in the digital signing process. It also acts as the key generator for the digital certificate.

Adobe AATL Certificate Policy requires that digital certificates are stored on FIPS-compliant hardware. HSM is FIPS-compliant, which allows Signority to provide digital signatures.

Ready to use eSignatures and Digital Signatures for your business? Take advantage of Signority’s 14-day free trial!

What is Data Residency & Why is it Important?

Have you ever asked yourself, “how important is my personal information, and where is this kind of data being stored?”  These are the kinds of questions that are asked when discussing data residency. Before diving deep into what data residency is, and its importance, let’s first break down what personal information is and its different types.

What is Personal Information?

The Office of the Privacy Commissioner of Canada (OPCC) states that, according to The Personal Information Protection and Electronic Documents Act (PIPEDA), personally identifiable information (PII) is classified as “any factual or subjective information, recorded or not, about an identifiable individual.” According to the OPCC website, PII includes: 

  • Name, age, ID numbers (SIN), income.
  • Social status, evaluations, opinions, disciplinary actions.
  • employee files, credit score, employee files, loan records

Other types of information include Personal Health Information (PHI) which, according to the Information and Privacy Commissioner of Ontario’s Guide, 

  • Relates to the individual’s physical or mental condition, including family medical history; or
  • Relates to the provision of health care to the individual; or
  • Is a plan of service for the individual; or
  • Relates to payments, or eligibility for health care or for coverage for health care; or
  • Relates to the donation of any body part or bodily substance, or is derived from the testing or examination of any such body part or bodily substance; or
  • Is the individual’s health number; or 
  • Identifies a health care provider or substitute decision-maker for the individual

Data Residency

Data residency, otherwise known as data localization, refers to the legal and administrative prerequisites forced on the geographic or physical location of an individual’s or organization’s data.  In addition to addressing data storage, data residency also highlights how data is processed and creates conversation among legislators and citizens regarding data management and the safety of citizens’ data. When sensitive data is being managed, it’s vital that an organization’s data stays secure and locally stored. Companies and organizations could also qualify for various tax benefits based on what kind of data is being stored and where it resides. More importantly, the data being stored would be subjected to the laws and regulations of the country that stores it. While the Government of Canada does not have severe laws prohibiting companies or organizations from storing their data outside the country, numerous provinces have put up guidelines and regulations regarding the protection and handling of their resident’s data.

How Signority Can Help Secure Your Data?

Signority takes great pride in being the largest Canadian eSignature provider whose data centers are located in Canada. Signority’s main servers are in Montreal and we have ensured that our back servers are also located in Canada. This ensures two things. First, if one server location is affected by an outage, your documents will remain safe, secure, and accessible. Secondly, this ensures all our customer’s personal and private information is securely stored within Canadian borders, a key requirement ensuring our compliance with the PIPEDA and HIPAA acts, as well as the SOCIII, ISO270001, and PCI certificates. In addition to complying with Canada’s data residency laws, Signority follows strict security protocols when handling customer data. 

On top of the many security features, Signority also offers products and services at a low price without compromising the quality of our customer service received or our product itself. 

Now, ask yourself again, “how important is me and my client’s personal information, and where is this kind of data being stored?” 

Ready to send secure eSignatures with Signority? Sign up for a 14-day free trial today!