eSign (Sign Online):

Some Questions Answered

How does eSign Work?

Sign&Send’s eSign allows you to invite your prospective signatories to sign documents online. You simply set up a covering Sign&Send letter, supply the signatory’s email address, and enclose the documents you would like to have signed.

Your covering letter is prepared in the usual way – your signature is added, and the letter is uploaded to the Sign&Send servers and set against your headed paper.

The signatory receives an email attaching your covering letter and advising that a link to a document for online signing will follow very shortly.

When your prospective signatory clicks their agreement, a signature widget appears which allows the signatory to sign the document electronically. The document has now been electronically signed. In other words, an electronic graphical representation of the signature now appears in the document.

The electronically signed document is now digitally signed. The electronic signature is the ‘mark’ (i.e., the visual representation of the signature on the document), whereas the digital signature is the digital framework behind the ‘mark’ that guarantees the legal validity of the signature. This digital signature is produced using the certificate of our eSign supplier, Signaturit. The digital signature guarantees that this present document is precisely the document which was signed by a person with access to the particular email address the link was sent to, at such and such a time, and from such and such an IP address.

You and the signatory both receive electronically and digitally signed copies of the document. Additionally, you (as the sender of the original document) will receive an Audit Trail which guarantees the authenticity of the document.

Are eSignatures legally valid?

Documents which have been signed online are legally valid in many jurisdictions. Our eSignatures comply with the governing regulations in the United Kingdom, EU member states, and the United States. In the EU, eSignatures are governed by Regulation (EU) No. 910/2014 of the European Parliament and the Council of the European Union. The regulation came into force in July 2016 and is directly applicable and legally binding on each member state. In the United Kingdom, eSignatures are regulated by the Electronic Communications Act (2000) and, within the United States, eSignatures are governed by the Electronic Signature in Global and National Commerce Act (2000) and the Uniform Electronic Transactions Act (1999).

Will the United Kingdom leaving the European Union affect the legality of eSignatures?

It will not. In the first instance, all European legislation will continue to be in effect after the United Kingdom exits the European Union and would only cease to be in effect through a subsequent act of parliament. This position is laid out in the European Union (Withdrawal) Act (2018). In the event that the Regulation (EU) No. 910/2014 were repealed, the United Kingdom’s Electronic Communications Act (2000) would still be in effect ensuring the ongoing legal compliance and validity of eSignatures.

How is the legal validity and integrity of eSignatures ensured?

Sign&Send’s eSignatures meet the requirements set out in the Regulation (EU) No. 910/2014. These requirements state that an eSignature should be: 1) uniquely linked to the signatory; 2) capable of identifying the signatory; 3) created using electronic signature creation data that the signatory can, with a high level of confidence, use under their sole control; and 4) linked to the data signed therewith in such a way that any subsequent change in the data is detectable.

As soon as your client signs any document you have sent them, you (as the person who sent the document) will receive a signed copy of the document as well as an Audit Trail. The Audit Trail provides documentary evidence which demonstrates that the requirements established in the Regulation (EU) No. 910/2014 have been fulfilled.

The Audit Trail includes a record of:

  • the email address (both sender and signer);
  • the IP address of the signer;
  • the name of the document that was signed;
  • the precise time and location that the document was signed;
  • the registered events relating to your document, that is, a precise record of when the email was delivered, opened, and attached document opened.

The integrity and authenticity of the document and audit trail are guaranteed by an official time stamp. An official time stamp is a certification provided by a trusted third party, a Time Stamping Authority (TSA), which is independent of both the sender and signer of the document. The time stamp serves to guarantee that none of the data associated with your signed document has been modified in any way since the document was signed.

In addition to this Audit Trail, biometric data concerning your client’s eSignature is also collected. This records the characteristic signature points of your client’s eSignature alongside the position, speed, acceleration and, in devices that allow for it, pressure from the signature. This biometric data can be made available to a graphologist should this ever be required.

What is a Time Stamping Authority and how does it work?

A Time Stamping Authority (TSA) is a certification service provider that acts as an independent trusted third party to provide official time stamps. The purpose of a time stamp is to guarantee the integrity of the audit trail and signed document by certifying that no modifications were made to the document (from the moment that it was signed and sent). When your client has signed and sent their document, Sign&Send’s eSignature service sends the Time Stamping Authority a hash value that represents the data of the signed document. The Time Stamping Authority then returns a different hash for all the data associated with the document; this includes the time stamp certificate. Any changes made to the document following this are interpreted as a modification to the data. This will invalidate the time stamp certification which serves to demonstrate that the document has been modified after the time it was signed. The official time stamp helps guarantee the integrity and authenticity of all electronically signed documents.
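
A simplified model of the hash-and-time-stamp exchange described above, added here as an illustration and not Sign&Send’s or Signaturit’s code. An HMAC stands in for the TSA’s certificate-based signature, and the function names, key, and sample audit record are assumptions constructed for the example.

```python
import hashlib, hmac, json

# Stand-in for the TSA's signing key (assumption). A real TSA signs with a
# private key and publishes a certificate, so verifiers hold no secret.
TSA_KEY = b"constructed-demo-key"

def _seal(body: dict) -> str:
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(TSA_KEY, data, hashlib.sha256).hexdigest()

def imprint(document: bytes, audit_trail: dict) -> str:
    """Client side: one hash covering the signed document and its audit trail."""
    trail = json.dumps(audit_trail, sort_keys=True).encode()
    return hashlib.sha256(hashlib.sha256(document).digest() + trail).hexdigest()

def tsa_issue(message_imprint: str, gen_time: str) -> dict:
    """TSA side: sees only the hash, binds it to a time, and seals both."""
    body = {"imprint": message_imprint, "gen_time": gen_time}
    return {**body, "seal": _seal(body)}

def verify(document: bytes, audit_trail: dict, token: dict) -> str:
    """Return 'valid', 'token-forged' or 'data-modified'."""
    body = {"imprint": token["imprint"], "gen_time": token["gen_time"]}
    if not hmac.compare_digest(_seal(body), token["seal"]):
        return "token-forged"      # the time or the hash inside the token was altered
    if not hmac.compare_digest(imprint(document, audit_trail), token["imprint"]):
        return "data-modified"     # document or audit trail changed after stamping
    return "valid"

# Constructed sample data (documentation-range addresses, not real records).
DOCUMENT = b"Engagement Agreement v1 - signed"
AUDIT = {
    "sender": "sender@example.com",
    "signer": "signer@example.com",
    "signer_ip": "203.0.113.7",
    "document_name": "engagement-agreement.pdf",
    "signed_at": "2024-01-15T10:32:05Z",
}
TOKEN = tsa_issue(imprint(DOCUMENT, AUDIT), "2024-01-15T10:32:07Z")

if __name__ == "__main__":
    print(verify(DOCUMENT, AUDIT, TOKEN))
    print(verify(DOCUMENT + b" ", AUDIT, TOKEN))
    print(verify(DOCUMENT, AUDIT, {**TOKEN, "gen_time": "2023-01-01T00:00:00Z"}))
```

The document itself never leaves the client in this exchange; only the hash is sent, which is why the time stamp can prove integrity without the TSA seeing the content.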

Are eSignatures compliant with the General Data Protection Regulation (GDPR) and other Data Protection Legislation?

Yes. During the eSignature process your client’s explicit consent is requested to capture the necessary data to ensure that the eSignature meets the necessary legal requirements outlined in Regulation (EU) No. 910/2014. Such data includes forename, surname, geolocation, biometric data, etc. It is not possible for your client to complete an eSignature without providing their express consent for this data to be collected. This ensures that Sign&Send’s eSignatures comply with the General Data Protection Regulation (GDPR) which requires the client to give their consent by way of a ‘clear affirmative action’ that ‘signifies agreement to the processing of personal data relating to him or her’ (Article 4.11; Article 6.1(a)). Such requirements represent an extension of the Directive 97/66/EC (processing of personal data and the protection of the privacy in the telecommunications sector) and Directive 95/46/EC (protection of individuals with regard to the processing of personal data and on the free movement of such data).

Are eSignatures safe and secure?

Yes. The eSignature process uses the same level of security as online banking and all data processes use Hypertext Transfer Protocol Secure (HTTPS), which ensures point-to-point data encryption. Data is hosted in SAS70 Type II facilities which have obtained the ISO 27001 certification. The security, integrity, and authenticity of the document are maintained through the Audit Trail and the document’s timestamp.

Unlike other methods of electronic signing, Sign&Send’s eSignature process does not store any signatures. Rather, the eSignature is embedded within the document as a single process event and no record of individual signatures is stored. This means that the eSignature cannot be replicated for other documents or processes. Your client must produce a ‘fresh’ eSignature for each new document that needs to be signed. This process helps protect against fraud and works to ensure an additional level of security for your clients.