Cybersecurity Awareness Month


Celebrating Cybersecurity Awareness Month:
Simple Tips to Protect Yourself Online

October 17th, 2023

October is more than just a month for pumpkin-spiced treats and preparing for Halloween – it’s also Cybersecurity Awareness Month. In today’s digital age, where much of our lives revolves around the online realm, it becomes essential to understand the significance of cybersecurity and how to stay safe.

Let’s explore some basic but crucial steps everyone should be taking to ensure a safer online experience.

1. Update Regularly

Ensure that all your software, especially your operating systems and browsers, is up to date. Hackers often target vulnerabilities in outdated software. Turn on automatic updates whenever possible.

2. Strong Passwords are Your First Line of Defense

It might seem basic, but many people overlook this step. Use strong, unique passwords for every account. Consider using a passphrase—a combination of four or more unrelated words—and throw in a few special characters for good measure.

3. Use Two-Factor Authentication (2FA)

Whenever possible, enable 2FA on your accounts. This provides an additional layer of security by requiring a second piece of information beyond just a password.

4. Be Wary of Phishing Scams

Always treat unsolicited messages with a healthy dose of skepticism. Refrain from engaging with dubious links or downloading uncertain attachments. Here’s a golden rule to live by: genuine organizations won’t solicit sensitive information through email.

To highlight the evolving nature of threats, I regularly get deceptive bank alerts. Moreover, with the rise of cutting-edge scams, such as those that deploy AI to replicate the voices of people we know, our guard must remain up. In fact, CBC recently reported on how scammers, armed with voice-cloning AI, can deceive even close family members, underscoring the importance of continuous vigilance.

5. Secure Your Home Network

Change the default password on your home router and consider setting up a guest network for visitors.

6. Keep Your Personal Information Private

Be cautious about what personal information you share online. The more cybercriminals know, the more effectively they can scam you or steal your identity.

7. Regularly Back Up Important Data

Ensure you have backup copies of critical data in case something goes awry. Whether it’s cloud storage or an external hard drive, regularly backing up data can save you from potential catastrophe.

8. Stay Informed

Cybersecurity is a rapidly evolving field. Keep up-to-date with the latest news and practices to ensure you’re always at the top of your game.

While the digital world brings about incredible conveniences and opportunities, it also carries risks. This Cybersecurity Awareness Month, let’s commit to being more vigilant and proactive about our online safety. Remember, cybersecurity is a shared responsibility. When each of us does our part, we all reap the benefits of the digital world more safely and securely.

On that note, Invest Ottawa is hosting an event titled “Innovation Meets Security.” I’m excited about the insights it promises and hope to see you there!

Securing Your Trust: Signority’s Compliance Journey


October 5th, 2023

Signority’s security & compliance principles guide how we deliver our products and services, enabling people to simply and securely access the digital world.

Secure Personnel


Signority takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to their resources.

  • All Signority contractors and employees undergo background checks prior to being engaged or employed by us in accordance with local laws and industry best practices.
  • Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
  • We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.
 

Secure Development

  • All development projects at Signority, including on-premises software products, support services, and our own Digital Identity Cloud offerings follow secure development lifecycle principles.
  • All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into proposed development.
  • All team members that are regularly involved in any system development undergo annual secure development training in coding or scripting languages that they work with as well as any other relevant training.
  • Software development is conducted in line with OWASP Top 10 recommendations for web application security.
 

Secure Testing

Signority deploys third-party penetration testing and vulnerability scanning of all production and Internet-facing systems on a regular basis.

  • All new systems and services are scanned prior to being deployed to production.
  • We perform penetration testing both by internal security engineers and external penetration testing companies on new systems and products or major changes to existing systems, services, and products to ensure a comprehensive and real-world view of our products & environment from multiple perspectives.
  • We perform static and dynamic software application security testing of all code, including open source libraries, as part of our software development process.

Cloud Security

Signority Cloud provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture.

Signority Cloud leverages the native physical and network security features of the cloud service, and relies on the providers to maintain the infrastructure, services, and physical access policies and procedures.

  • All customer cloud environments and data are isolated using Signority’s patented isolation approach. Each customer environment is stored within a dedicated trust zone to prevent any accidental or malicious co-mingling.
  • All data is also encrypted at rest and in transmission to prevent any unauthorized access and prevent data breaches. Our entire platform is also continuously monitored by dedicated, highly trained Signority experts.
  • We separate each customer’s data and our own, utilizing unique encryption keys to ensure data is protected and isolated.
  • Client’s data protection complies with SOC 2 standards to encrypt data in transit and at rest, ensuring customer and company data and sensitive information is protected at all times.
  • We implement role-based access controls and the principle of least-privilege access, and review and revoke access as needed.

Compliance

Signority is committed to providing secure products and services to safely and easily manage billions of digital identities across the globe. Our external certifications provide independent assurance of Signority’s dedication to protecting our customers by regularly assessing and validating the protections and effective security practices Signority has in place.

Signority Acquires SOC 2, CSA Level 2, and HIPAA Compliance


October 3rd, 2023

Ontario, Canada, September 27, 2023 – Today, Signority celebrates achieving the SOC 2 Type II compliance, in line with the standards set by the American Institute of Certified Public Accountants (AICPA), commonly referred to as SSAE 18. With an unqualified opinion supporting this achievement, Signority underscores its dedication to enterprise-level security, ensuring the safety of customer data within its system.

Furthermore, Signority has earned the CSA Star compliance, adhering to the Cloud Security Alliance’s Security, Trust, Assurance, and Risk Registry benchmarks.

With a global footprint, Signority provides a cloud-secured digital signature solution. Our platform’s security and compliance credentials were meticulously audited by the reputed Prescient Assurance, known for their expertise in B2B and SaaS sector assessments. We extend our gratitude to Secureframe for their pivotal support in this journey.

Our SOC 2 Type II and CSA Star audit certifications offer a solid reassurance to our existing and future clientele about Signority’s steadfast commitment to maintaining superior standards in security and compliance.

If you’d like to acquire Signority’s attestation letter, please reach out to compliance@signority.com.

About Signority

Catering to a worldwide user base, Signority champions in providing leading-edge digital signature workflow solutions. We pride ourselves on ensuring legal compliance, efficiency, cost savings, and enhancing overall productivity for our clients.

Media Relations

Jane He
1.833.222.1088
mediarequests@signority.com

Digitizing Canadian Child & Family Services: Signority’s Impact

Canadian Child & Family Services:

A Digital Transformation


September 26th, 2023

Children represent the future, and families are the cornerstone of our society. In the heart of community resilience and strength lies Child & Family Services organizations. They play an indispensable role in ensuring the safety, health, and overall well-being of our most vulnerable members – our children. Yet, like many sectors with deeply embedded traditional processes, Child & Family Services have often been bound by paper-heavy methods, which can delay vital interventions and take crucial time away from direct service.

Signority: Transforming Child & Family Services with Digital Solutions

Child & Family Services encompass an array of responsibilities, from safeguarding children against harm to providing necessary support to families in crisis. Each interaction, whether it’s an initial intake, assessment, or even volunteer onboarding, requires multiple layers of documentation. Historically, this has meant paper forms, manual logging, and significant administrative overhead.

The Practical Benefits of Signority’s Digital Approach

Streamlined Consent Processes: Child & Family Services often require consent forms for various activities, including medical treatment, counseling, urgent response service plan (URS), and educational support. Signority’s digital signature solution simplifies the process of obtaining and managing these consents. Social workers can send consent forms electronically, and clients or guardians can sign them from anywhere, reducing delays and ensuring that necessary permissions are in place promptly.

Efficient Document Signing: Whether it’s agreements, service contracts, or parental consent forms, Signority enables Child & Family Services to send, receive, and sign documents quickly and securely. This efficiency is vital in situations where time-sensitive decisions must be made to protect the well-being of children and families.

Data Security: Signority hosts Canadian customer data exclusively within Canada. Our platform employs advanced encryption and security measures to safeguard sensitive information. Given that Child & Family Services handle confidential data daily, Signority’s robust security features, including masked tags for data security, guarantee that personally identifiable information (PII) remains confidential and fully compliant with data protection regulations.

Environmental & Cost Savings: By shifting away from paper-based processes, agencies can reduce their reliance on physical documents, saving money on printing, storage, and transportation. Additionally, this eco-friendly approach aligns with the broader societal trend towards sustainability.

Access from Anywhere: Signority’s cloud-based platform allows social workers and professionals to access necessary documents from anywhere with an internet connection. This accessibility ensures seamless service delivery, even when working remotely or in the field.

Efficient Onboarding: For Child & Family Services that rely on volunteers or need to conduct background checks, Signority’s digital signature solution streamlines the onboarding process. Volunteer applications and criminal record checks can be seamlessly integrated, ensuring that the agency has the right people on board quickly and safely.

Audit Trails for Accountability: Signority provides audit trails for every signed document, enhancing accountability and transparency within the organization. This feature is particularly valuable in cases where document validity and compliance are essential.

Faster Response Times: Digital signatures expedite the signing process. Social workers can get the necessary approvals in place swiftly, reducing response times and ensuring that children and families receive the support they need without unnecessary delays.

These benefits underscore how Signority’s digital signature solution is uniquely positioned to meet the needs of Child & Family Services by simplifying administrative tasks, ensuring data security, and enhancing efficiency in a sector where time and accuracy are critical for protecting vulnerable children and families.

Ultimately, the mission is clear. It’s not just about digitization for the sake of modernity. It’s about providing Child & Family Services with the platform they need to do their job more efficiently, so more time and resources can be allocated where they matter most: directly with children and their families.

By leveraging the power of Signority, Child & Family Services organizations can ensure that every child’s story is not just heard but also acted upon with the efficiency, care, and urgency it deserves.

Signority is proud to be a part of this transformative journey, offering solutions that make a tangible difference in the lives of many.

How Signority Secures Your Data


My last blog, Three Stages of Data; In Transit, At Rest, & In Use described each of the three data stages and touched on how each stage requires a different approach to security and privacy. Today we are going to talk about:

  1. when your data enters each of the three stages during the workflow, and
  2. how Signority secures your data. 
Three Stages of Data

If you’ve used Signority you know that every document has a workflow.  The workflow begins at the creation of the document and ends when it’s been stored after it has been signed by all participants.

During its workflow, your document and any data related to it enter all three stages of data at various times. Here is each of the data stages and when your document enters that stage during the workflow.

In Transit: Your information related to your document is in transit (or in motion) when:

  1. someone registers for a new account
  2. you send the email notifications to the signers that there is a document ready for signing, and,
  3. when the document has completed the workflow, meaning it has been signed by everyone, and a copy of the document is sent to each of the document participants (senders and recipients).

At Rest: All information related to the document and the document itself is at rest:

  1. when it is waiting for the next person in the workflow to sign the document
  2. when it is stored on our servers once the workflow has been completed.

In Use: Your document and any related data, i.e.: the audit trail, are ‘in use’:

  1. when a recipient or user is editing the document by adding the required information and/or signatures
  2. the Signority platform is updating the audit trail with any actions, i.e.: signed, id verification, etc.

Signority starts our security process with our employees. All employees and sub-contractors must be security cleared with the federal government security clearance program. And they must complete a minimum amount of security and compliance training each year.

For In Transit and In Use data, the Signority eSignature Platform services use strongly encrypted extended validation (EV) Transport Layer Security (TLS) certificates to encrypt the data in transit between users and the Signority eSignature Platform. We only allow the highest security TLS 1.2 and 1.3 protocols, and do not allow weaker TLS or SSL. The article linked above explains in detail what EV and TLS certificates are, what they do, and why we use them.

If you would like to know our rating, here is the most current certificate for Signority at the time of this blog post.

We also do not allow the use of older browser versions. Older versions are not updated with the latest security features and updates to ensure a secure browsing connection.

Data at rest is encrypted using state-of-the-art AWS encryption technology, and we salt usernames & passwords.

What is a ‘salted’ username and password? Salting is a process where random data (the ‘salt’) is added to the value before it is converted through a ‘hashing algorithm’ into an unintelligible series of numbers and letters. You can read a more detailed breakdown here at Okta.com.
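To make the salting idea above concrete, here is an added example (not Signority's code) that puts a bare, unsalted digest beside a salted, slow hash and verifies a login attempt against the stored record. The record format, the PBKDF2 algorithm choice, and the iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example (not taken from the page).
PBKDF2_ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """Weak form: a bare, fast digest. Equal passwords give equal hashes,
    so one precomputed table cracks every account that shares a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened form: a fresh random salt per record plus a slow KDF.

    Returns a self-describing record: algorithm$iterations$salt$hash.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Malformed or unknown records are rejected rather than raising."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except (ValueError, OverflowError):
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    same = "correct horse battery staple"
    print("unsalted equal:", unsalted_hash(same) == unsalted_hash(same))
    alice, bob = hash_password(same), hash_password(same)
    print("salted equal:  ", alice == bob)
    print("alice verifies:", verify_password(same, alice))
    print("wrong password:", verify_password("guess", alice))
```

The salt is stored in the clear next to the hash; its job is to make every record unique, not to be secret.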

Plus, we offer masked tags for end users to encrypt their sensitive information on documents.

If you are not a technical person, think of it this way:

  1. Your information is locked in a box that requires a key.
  2. That key is locked in another box that requires another key to open it.
  3. And that box, with your box, is in a box that is password protected. 

So your data is guarded with multiple layers of protection ensuring your data is secure and private.

If you would like to know more about how Signority protects customers’ data and privacy I encourage you to go to our Trust Centre. In Signority’s Trust Centre you can review our approach to Security, Privacy, Compliance, and Legislation (Legal).

Have questions? 

Contact us by:

  • calling at 833-222-1088,
  • using the chat icon on the bottom right of your screen,
  • or through our contact form.

Look for my next blog, ‘What is Data Residency? And Does it Matter?’

Security Features You Need in an eSignature Platform


Your organization has decided to start using eSignatures and you have been tasked with researching the different options available in the marketplace. The first thing you have to do is research the basic security features you need in an eSignature platform. Then you can move on to the obvious: price, ease of use, scalability, reviews, and features.

Why? Because you need to ensure all your documents and data are protected. You also have to ensure the signatures can be verified.

In order to ensure the integrity and veracity of the final document and signatures you need to be able to:

  1. Secure the document and signatures
  2. Verify the signers’ identities
  3. Protect any confidential information entered
  4. Track the document and signatories
  5. Restrict access

Here are the basic security features you need in an eSignature platform:

  1. Digital Signatures
  2. Masked Text
  3. Signer Identity Verification
  4. Multi-Factor Authentication (MFA) and Single Sign On (SSO)
  5. Audit Trail
  6. Team Account Roles & Permissions

The first security feature you need is a Digital Signature.  Wait… what?  I thought eSignatures are Digital Signatures.  Aren’t they the same thing?

No, that is a common mistake many people make. And it is one that will determine the security of the document and signatures. Here are the definitions as quoted from the post eSignatures vs Digital Signatures:

“An electronic signature is information in electronic form (can be sound, symbol, process, etc.) that is associated or attached to a document. This means that so long as we can demonstrate that the signature is associated with a person and that there was intent to sign, everything is legally binding and accepted (all of this can be seen in Signority’s audit trail).

 

A digital signature is actually a form of electronic signature that uses an encryption algorithm that helps validate who the signer is. It also ensures that the document cannot be tampered with, as the signature becomes invalid if the document is changed after signing. This helps prevent repudiation by the signer, making it almost impossible to deny having signed the signature. Essentially, these issues are some of the biggest challenges to electronic signatures, and digital signatures are able to help overcome these issues.”

For a much more comprehensive explanation from a cybersecurity perspective read this post about digital signatures on TechTarget.com.

Next is the Masked Tag.  This tag allows you to protect your signatory’s personally identifiable information (PII) and other confidential information. If you work in the healthcare field for example, you may ask someone for their insurance information.  You want to make sure that no one else sees this information.

Using a masked text tag will allow your signer to securely enter PII into the form where you request it.  The masked tag will conceal and encrypt the information entered once the signer has filled it out.  This means anyone who receives the document for signing after this signer will only see the title of the tag you entered, i.e.: Health Card.

Because the information is encrypted, the person who needs that information, the document sender, will have to follow very specific steps to retrieve that information securely and confidentially.

To help ensure the integrity of a signature you need a Signer Identity Verification feature. This feature will send a one-time use PIN code to the signer either by email or SMS (text message). They will need to have this code in order to access the document.  Once they have used the PIN code to access the document an action will be logged. Using this code verifies the signer received it on an account that can be traced back to them. The log, or audit trail, will document that the signer’s identity has been verified and how it was verified.
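The one-time PIN flow described above, sketched as an added example (not Signority's implementation): a PIN is issued, accepted once, and every outcome is written to an audit trail with the method and a partial contact. The PIN length, lifetime, attempt limit, class names, and log fields are assumptions for illustration; the phone number and IP address are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed policy values for this example (not taken from the page).
PIN_DIGITS = 6
PIN_TTL_SECONDS = 600
MAX_ATTEMPTS = 5


def mask_contact(contact: str) -> str:
    """Keep only a partial address or number for the audit note."""
    if "@" in contact:
        local, domain = contact.split("@", 1)
        return local[:1] + "***@" + domain
    return "***" + contact[-4:]


@dataclass
class PinChallenge:
    channel: str        # "SMS" or "email"
    contact: str
    pin_mac: bytes      # keyed MAC of the PIN; the PIN itself is not stored
    expires_at: float
    attempts: int = 0
    used: bool = False


class SignerVerifier:
    def __init__(self):
        self._key = secrets.token_bytes(32)   # server-side MAC key
        self.challenges = {}                  # (document_id, signer) -> challenge
        self.audit_trail = []                 # append-only list of entries

    def _mac(self, pin: str) -> bytes:
        return hmac.new(self._key, pin.encode("utf-8"), hashlib.sha256).digest()

    def _log(self, now, document_id, signer, ip, action, note):
        self.audit_trail.append({"timestamp": now, "document": document_id,
                                 "signer": signer, "ip": ip,
                                 "action": action, "note": note})

    def issue(self, document_id, signer, channel, contact, now):
        """Create a PIN; a real system hands it to the SMS/email gateway."""
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self.challenges[(document_id, signer)] = PinChallenge(
            channel, contact, self._mac(pin), now + PIN_TTL_SECONDS)
        self._log(now, document_id, signer, None, "PIN sent",
                  f"{channel} to {mask_contact(contact)}")
        return pin

    def verify(self, document_id, signer, pin, ip, now) -> bool:
        ch = self.challenges.get((document_id, signer))
        if ch is None:
            reason = "no PIN issued"
        elif ch.used:
            reason = "PIN already used"
        elif now > ch.expires_at:
            reason = "PIN expired"
        elif ch.attempts >= MAX_ATTEMPTS:
            reason = "too many attempts"
        else:
            ch.attempts += 1
            if hmac.compare_digest(self._mac(pin), ch.pin_mac):
                ch.used = True
                self._log(now, document_id, signer, ip, "ID verified",
                          f"{ch.channel} ID Authentication, "
                          f"{mask_contact(ch.contact)}")
                return True
            reason = "wrong PIN"
        self._log(now, document_id, signer, ip, "ID verification failed", reason)
        return False


if __name__ == "__main__":
    v = SignerVerifier()
    pin = v.issue("doc-1", "alice", "SMS", "+16135550123", now=1000.0)
    print(v.verify("doc-1", "alice", pin, "203.0.113.7", now=1020.0))
    for entry in v.audit_trail:
        print(entry)
```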

And now that you have verified your signer’s identity, let’s look a little closer to home. You need to secure access to the eSignature platform. You don’t want just anyone having access to your clients’, partners’, and company’s information. To do this, your organization can set up either Single Sign On (SSO) or a Multi-Factor Authentication (MFA) login. These sign-in methods help restrict access, lower instances of phishing, and make it much more difficult for hackers.

As stated in this great explanation of SSO by TechTarget.com, “Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials — for example, a name and password — to access multiple applications.” This ensures that unless someone can be verified through your company’s main system, they cannot get in. The referenced article does a great job of explaining it.

If your company cannot use SSO then the application you select should, at the very least, offer MFA.  As stated at precisely.com, “Multiple factor authentication verifies a user’s identity by combining two or more of the following independent credentials:

  • Something the user knows (e.g.: password, PIN, passphrase)
  • Something the user possesses (e.g.: email account, smartphone, code-generating device)
  • Something inherent to the user (e.g.: fingerprint, iris scan, voice recognition)”

The Audit Trail is the next security feature we will review.  The Audit Trail is a document that comes with your final copy of the signed document. It can be a part of the final document or arrive as a separate document. It has three main components: the meta data, the Signers, and the History. The audit trail will show you who did what action (signing the document), the timestamp associated with the action, their IP Address, and if required any notes. A note can include the ID Authentication method and include a partial email address or phone number. An example confirming SMS ID Authentication in an Audit Trail can be seen in the image below.

 

ID Authentication Audit Trail log

Finally, you need to have the ability to set up team account roles and permissions. The ability to assign roles and permissions helps you keep your documents secure by restricting who has access to what and when. For a clearer understanding of how roles and permissions may be set up you can review the roles available in Signority. You don’t want everyone in your organization being able to view the documents sent by legal or finance, do you?

Here is a bonus feature. The Retention feature. Depending on the industry you work in your organization may be required to have a retention policy. If you are unsure whether you need a retention policy I strongly encourage you to do some research to find out.  Interdyn has a great article called Data Retention Policy 101 that reviews what a retention policy is, the questions you need to ask, and how to set one up.  I highly recommend you read this if you do not have a policy in place.

A retention feature allows you to apply your retention policy to all the documents that have been signed digitally. And a good one will give you ways to automate the whole process. This post gives a good overview of a retention feature and the options available within one. You will see it is easy to set up and helps you ensure compliance.

And those are the basic security features you need in an eSignature platform.

Look out for next week’s edition where I will review the differences between Adobe Signature and Signority eSignatures in the post, “Adobe vs Signority”.

Until then, have a great week and stay safe.

Security Features You Need in an eSignature Platform

Your organization has decided to start using eSignatures and you have been tasked with researching the different options available in the marketplace. The first thing you have to do is research the basic security features you need in an eSignature platform.  Then you can move on to the obvious, Price, Ease of use, Scalability, Reviews, and Features.

Why?  Because you need to ensure all your documents and data is protected. You also have to ensure the signatures can be verified.

In order to ensure the integrity and veracity of the final document and signatures you need to be able to:

  1. Secure the document and signatures
  2. Verify the signer’s identities
  3. Protect any confidential information entered
  4. Track the document and signatories
  5. Restrict access

Here are the basic security features you need in an eSignature platform:

  1. Digital Signatures
  2. Masked Text
  3. Signer Identity Verification
  4. Multi-Factor Authentication (MFA) and Single Sign On (SSO)
  5. Audit Trail
  6. Team Account Roles & Permissions

The first security feature you need is a Digital Signature.  Wait… what?  I thought eSignatures are Digital Signatures.  Aren’t they the same thing?

No, that is a common mistake many people make. And it is one that will determine the security of the document and signatures. Here are the definitions as quoted from the post eSignatures vs Digital Signatures

“An electronic signature is information in electronic form (can be sound, symbol, process, etc.) that is associated or attached to a document. This means that so long as we can demonstrate that the signature is associated with a person and that there was intent to sign, everything is legally binding and accepted (all of this can be seen in Signority’s audit trail).

 

A digital signature is actually a form of electronic signature that uses an encryption algorithm that helps validate who the signer is. It also ensures that the document cannot be tampered with, as the signature becomes invalid if the document is changed after signing. This helps prevent repudiation by the signer, making it almost impossible to deny having signed the signature. Essentially, these issues are some of the biggest challenges to electronic signatures, and digital signatures are able to help overcome these issues.”

For a much more comprehensive explanation from a cybersecurity perspective read this post about digital signatures on TechTarget.com.

Next is the Masked Tag.  This tag allows you to protect your signatory’s personally identifiable information (PII) and other confidential information. If you work in the healthcare field for example, you may ask someone for their insurance information.  You want to make sure that no one else sees this information.

Using a masked text tag will allow your signer to securely enter PII into the form where you request it.  The masked tag will conceal and encrypt the information entered once the signer has filled it out.  This means anyone who receives the document for signing after this signer will only see the title of the tag you entered, i.e.: Health Card.

Because the information is encrypted, the person who needs that information, the document sender, will have to follow very specific steps to retrieve that information securely and confidentially.

To help ensure the integrity of a signature you need a Signer Identity Verification feature. This feature will send a one-time use PIN code to the signer either by email or SMS (text message). They will need to have this code in order to access the document.  Once they have used the PIN code to access the document an action will be logged. Using this code verifies the signer received it on an account that can be traced back to them. The log, or audit trail, will document that the signer’s identity has been verified and how it was verified.

And now that you have verified your signers identity, let’s look a little closer to home.  You need to secure access to the eSignature platform. You don’t want just anyone having access to your clients, partners, and company’s information. To do this your organization can either set up Single Sign On (SSO) or a Multi-Factor Authentication (MFA) Login. These sign in methods help restrict access and lower instances of phishing and make it much more difficult for hackers.

As stated in this great explanation of SSO by TechTarget.com, “Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials — for example, a name and password — to access multiple applications.” This ensures that unless someone can be verified through your companies main system, they cannot get in. The referenced article does a great job of explaining it.

If your company cannot use SSO then the application you select should, at the very least, offer MFA.  As stated at precisely.com, “Multiple factor authentication verifies a user’s identity by combining two or more of the following independent credentials:

  • Something the user knows (e.g.: password, PIN, passphrase)
  • Something the user possesses (e.g.: email account, smartphone, code-generating device)
  • Something inherent to the user (e.g.: fingerprint, iris scan, voice recognition)”

The Audit Trail is the next security feature we will review.  The Audit Trail is a document that comes with your final copy of the signed document. It can be a part of the final document or arrive as a separate document. It has three main components: the meta data, the Signers, and the History. The audit trail will show you who did what action (signing the document), the timestamp associated with the action, their IP Address, and if required any notes. A note can include the ID Authentication method and include a partial email address or phone number. An example confirming SMS ID Authentication in an Audit Trail can be seen in the image below.

 

ID Authentication Audit Trail log

Finally, you need to have the ability to set up team account roles and permissions. The ability to assign roles and permissions helps you keep your documents secure by restricting who has access to what and when. For a clearer understanding of how roles and permissions may be set up you can review the roles available in Signority. You don’t want everyone in your organization being able to view the documents sent by legal or finance, do you?

Here is a bonus feature: the Retention feature. Depending on the industry you work in, your organization may be required to have a retention policy. If you are unsure whether you need a retention policy, I strongly encourage you to do some research to find out. Interdyn has a great article called Data Retention Policy 101 that reviews what a retention policy is, the questions you need to ask, and how to set one up. I highly recommend you read this if you do not have a policy in place.

A retention feature allows you to apply your retention policy to all the documents that have been signed digitally. And a good one will give you ways to automate the whole process. This post gives a good overview of a retention feature and the options available within one. You will see it is easy to set up and helps you ensure compliance.

And those are the basic security features you need in an eSignature platform.

Look out for next week’s edition, where I will review the differences between Adobe Signature and Signority eSignatures in the post “Adobe vs Signority”.

Until then, have a great week and stay safe.

Security Features You Need in an eSignature Platform

Your organization has decided to start using eSignatures and you have been tasked with researching the different options available in the marketplace. The first thing you have to do is research the basic security features you need in an eSignature platform. Then you can move on to the obvious: price, ease of use, scalability, reviews, and features.

Why? Because you need to ensure all your documents and data are protected. You also have to ensure the signatures can be verified.

In order to ensure the integrity and veracity of the final document and signatures you need to be able to:

  1. Secure the document and signatures
  2. Verify the signers’ identities
  3. Protect any confidential information entered
  4. Track the document and signatories
  5. Restrict access

Here are the basic security features you need in an eSignature platform:

  1. Digital Signatures
  2. Masked Text
  3. Signer Identity Verification
  4. Multi-Factor Authentication (MFA) and Single Sign On (SSO)
  5. Audit Trail
  6. Team Account Roles & Permissions

The first security feature you need is a Digital Signature.  Wait… what?  I thought eSignatures are Digital Signatures.  Aren’t they the same thing?

No, that is a common mistake many people make. And it is one that will determine the security of the document and signatures. Here are the definitions as quoted from the post eSignatures vs Digital Signatures:

“An electronic signature is information in electronic form (can be sound, symbol, process, etc.) that is associated or attached to a document. This means that so long as we can demonstrate that the signature is associated with a person and that there was intent to sign, everything is legally binding and accepted (all of this can be seen in Signority’s audit trail).

 

A digital signature is actually a form of electronic signature that uses an encryption algorithm that helps validate who the signer is. It also ensures that the document cannot be tampered with, as the signature becomes invalid if the document is changed after signing. This helps prevent repudiation by the signer, making it almost impossible to deny having signed the signature. Essentially, these issues are some of the biggest challenges to electronic signatures, and digital signatures are able to help overcome these issues.”

For a much more comprehensive explanation from a cybersecurity perspective read this post about digital signatures on TechTarget.com.

Next is the Masked Tag. This tag allows you to protect your signatory’s personally identifiable information (PII) and other confidential information. If you work in the healthcare field, for example, you may ask someone for their insurance information. You want to make sure that no one else sees this information.

Using a masked text tag will allow your signer to securely enter PII into the form where you request it.  The masked tag will conceal and encrypt the information entered once the signer has filled it out.  This means anyone who receives the document for signing after this signer will only see the title of the tag you entered, i.e.: Health Card.

Because the information is encrypted, the person who needs that information, the document sender, will have to follow very specific steps to retrieve that information securely and confidentially.

To help ensure the integrity of a signature, you need a Signer Identity Verification feature. This feature will send a one-time-use PIN code to the signer either by email or SMS (text message). They will need to have this code in order to access the document. Once they have used the PIN code to access the document, an action will be logged. Using this code verifies the signer received it on an account that can be traced back to them. The log, or audit trail, will document that the signer’s identity has been verified and how it was verified.
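As an added illustration (not Signority’s code or any vendor’s implementation), here is a minimal sketch of the one-time PIN check described above, recording each outcome as an audit-trail entry with the fields this post lists (who, action, timestamp, IP address, note). The class name, the 10-minute expiry, the attempt limit and the sample values are assumptions.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 600   # assumed validity window
MAX_ATTEMPTS = 5        # assumed limit on guesses per PIN


def mask_phone(number):
    """Keep only the last four digits for the audit-trail note."""
    return "*" * (len(number) - 4) + number[-4:]


class SignerVerification:  # hypothetical name, for illustration only
    def __init__(self, signer, phone, now=time.time):
        self.signer, self.phone, self.now = signer, phone, now
        self.audit_trail = []   # History entries, oldest first
        self._digest = None     # digest of the outstanding PIN, if any
        self._expires = 0.0
        self._attempts = 0

    def _log(self, action, ip, note):
        self.audit_trail.append({"who": self.signer, "action": action,
                                 "timestamp": self.now(), "ip": ip, "note": note})

    def issue_pin(self):
        """Create a 6-digit PIN; the server keeps a digest, not the PIN."""
        pin = f"{secrets.randbelow(10**6):06d}"
        self._digest = hashlib.sha256(pin.encode()).digest()
        self._expires = self.now() + PIN_TTL_SECONDS
        self._attempts = 0
        return pin  # handed to the SMS/email sender, never written to the log

    def verify_pin(self, candidate, ip):
        """Return True only once for the right PIN; log every outcome."""
        expired = self.now() > self._expires
        if self._digest is None or expired or self._attempts >= MAX_ATTEMPTS:
            self._digest = None
            self._log("ID verification rejected", ip, "no valid PIN")
            return False
        self._attempts += 1
        supplied = hashlib.sha256(candidate.encode()).digest()
        if not hmac.compare_digest(supplied, self._digest):  # constant-time
            self._log("ID verification failed", ip, "wrong PIN")
            return False
        self._digest = None  # one-time use: a second attempt is rejected
        self._log("ID verified", ip, f"SMS PIN sent to {mask_phone(self.phone)}")
        return True
```

The note stores only the masked phone number, matching the partial email address or phone number an audit trail shows.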
