docusealco / docuseal

Open source DocuSign alternative. Create, fill, and sign digital documents ✍️
https://www.docuseal.co
GNU Affero General Public License v3.0
6.09k stars, 428 forks

Docuseal Requirements #21

Closed than3-bits closed 1 year ago

than3-bits commented 1 year ago

It's not clear where the best place to ask this question is.

Has there been any independent verification of the elements needed for Docuseal to meet legal requirements in various municipalities for submitting e-documents to courts? Usually you have to meet specific requirements such as non-repudiation, and verification, though I am not a lawyer so I don't know all of the specifics.

If this has been done, this would look very promising considering DocuSign often won't allow you to export documents for retention, nor keep documents that may need to be retained between regions (i.e. they only let you reset the account's region, potentially losing important documents when an employee relocates geographically). You generally don't have that kind of nonsense when you self-host.

AlexandrToorchyn commented 1 year ago

Hey @than3-bits - I believe non-repudiation and authenticity can be achieved for document signing when self-hosting the tool. To ensure 'non-repudiation' the tool is going to provide a strong cryptographic proof that the documents with the exact content were signed at a specific date and time - and that the documents were not altered or forged later by the party that self-hosts DocuSeal. I'm currently working on this and it will be released in the next version.

This should solve the 'non-repudiation' issue by making it impossible to claim that the party that self-hosts the tool altered the document after it was signed.

Another part of the puzzle is the 'identity verification'. An email message and prior consent with the signer is already strong evidence of some person signing the document. But in addition to that I'm planning to add an ability to send SMS or to capture a video for more robust identity verification.

Hope this answers your question - in general solving those two issues should make it easy to prove to the court that the exact document was signed by some exact person.
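To make concrete what "a strong cryptographic proof that the documents with the exact content were signed at a specific date and time" can look like, here is an added Ruby example. It is not DocuSeal's code and does not describe how the project implements this; it assumes the signer holds a private key the hosting party never sees, and that the signer's public key is bound to their identity by some external means (a certificate or the identity verification discussed above). The signer signs the SHA-256 of the document together with the signing time and their identity; anyone holding the record can then check that the content and time were not changed afterwards, including by the host. The signer key, email and document content below are constructed for the example.

```ruby
require 'openssl'
require 'digest'
require 'json'
require 'time'

# Constructed sample document content (not a real DocuSeal document).
SAMPLE_DOCUMENT = "Agreement: Party A agrees to deliver 10 units by 2024-01-31.\n"

# Build a signature record over the document hash, the signer identity and the
# signing time. Only the signer's private key can produce a valid signature, so
# the hosting party cannot later substitute different content or another time
# without the verification below failing.
def build_signature_record(document, signer_key, signer_email, signed_at)
  payload = {
    'document_sha256' => Digest::SHA256.hexdigest(document),
    'signer'          => signer_email,
    'signed_at'       => signed_at.utc.iso8601
  }
  canonical = JSON.generate(payload) # insertion order keeps the bytes deterministic
  signature = signer_key.sign(OpenSSL::Digest.new('SHA256'), canonical)
  {
    'payload'           => payload,
    'signature'         => [signature].pack('m0'), # strict base64
    'signer_public_key' => signer_key.public_key.to_pem
  }
end

# Verify that the document on hand matches the hash that was signed and that
# the (hash, signer, time) triple carries a valid signature from the given key.
# Returns true only when neither the content nor the record were altered.
def verify_signature_record(document, record)
  payload = record['payload']
  return false unless payload['document_sha256'] == Digest::SHA256.hexdigest(document)

  public_key = OpenSSL::PKey::RSA.new(record['signer_public_key'])
  signature  = record['signature'].unpack1('m0')
  public_key.verify(OpenSSL::Digest.new('SHA256'), signature, JSON.generate(payload))
rescue OpenSSL::PKey::PKeyError, ArgumentError
  false
end

# Deep copy a record so tampering experiments do not touch the original.
def copy_record(record)
  JSON.parse(JSON.generate(record))
end

# Walk through the honest case and two tampering cases. Returns a hash of
# outcomes so the behaviour can be checked programmatically.
def demo(signer_key = OpenSSL::PKey::RSA.new(2048))
  record = build_signature_record(SAMPLE_DOCUMENT, signer_key,
                                  'signer@example.com', Time.utc(2024, 1, 15, 10, 0, 0))

  # Host quietly edits the document after signing: hash no longer matches.
  altered_document = SAMPLE_DOCUMENT.sub('10 units', '100 units')

  # Host rewrites the signing time in the record: signature no longer verifies.
  backdated = copy_record(record)
  backdated['payload']['signed_at'] = '2023-12-01T00:00:00Z'

  {
    original_verifies: verify_signature_record(SAMPLE_DOCUMENT, record),
    altered_content:   verify_signature_record(altered_document, record),
    altered_time:      verify_signature_record(SAMPLE_DOCUMENT, backdated)
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |label, ok| puts "#{label}: #{ok ? 'valid' : 'INVALID'}" }
end
```

Note what this does and does not prove: the signature binds content, signer and time under the signer's key, so the host cannot alter either without detection, but the `signed_at` value is still whatever the signer's clock said. A timestamp token from an independent authority (RFC 3161) would be the usual way to make the time itself non-repudiable against both parties.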

gigaion commented 1 year ago

I highly recommend providing a separate pdf file containing finished information (basically a receipt?), which all parties involved can download for proof of document signing and information.

This separate receipt document should include:

A good example is SignRequest and their separate PDF which is both emailed and available for download on the confirmation page.

Example screenshot shown (information redacted for privacy).

apollo13 commented 1 year ago

Hi, thank you for docuseal -- the project looks very interesting.

Thinking about legal requirements it would be great to be able to tap into qualified signatures as well (in the European Union this is a signature that is compliant with the eIDAS regulation, see https://en.wikipedia.org/wiki/Qualified_electronic_signature for more details). There are plenty of trust service providers in Europe that sell such services for integration into products. For an open source project it is probably too hard & expensive to get integrated, and different people might have different requirements anyway. The good news though is that there exists a standard from the Cloud Signature Consortium (https://cloudsignatureconsortium.org/ -- the API docs can be downloaded for free from https://cloudsignatureconsortium.org/resources/download-api-specifications/ ). The way I understand this is that Adobe initially invented this for their Adobe Sign product. Now Adobe integration is quite interesting for trust service providers and so I guess that at least all of them which are available via Adobe Sign have implemented the CSC standard. So if docuseal were to implement support for CSC you'd get qualified signatures and non-repudiation for "free" and have it in a form that is quasi equivalent to a handwritten signature (legally binding etc…).

Someone else has written a demo server implementing the CSC side of things which could be used to bootstrap such an integration (https://github.com/MatthiasValvekens/certomancer-csc-dummy). Any thoughts on that?