When you move contract signing online, you inherit both convenience and responsibility. Electronic signatures are legally binding in virtually every major jurisdiction, but only if the platform you use meets specific security and compliance standards. A signed PDF without proper encryption, access controls, and audit evidence is just a file — not a legally defensible record. This guide covers the compliance frameworks, security controls, and practical checks you need to evaluate any e-signature platform.
The regulatory landscape
E-signatures operate under a patchwork of regulations depending on geography, industry, and document type. The major frameworks:
| Framework | Jurisdiction | What it covers | Key requirements |
|---|---|---|---|
| ESIGN Act | United States (federal) | Legal equivalence of e-signatures | Consent, record retention, consumer disclosures |
| UETA | US (47 states + DC) | State-level e-transaction validity | Intent to sign, consent, record integrity |
| eIDAS | European Union | Three tiers: simple, advanced, qualified | Qualified e-sigs have highest legal standing; require trusted service providers |
| UK eIDAS | United Kingdom | Retained EU regulation post-Brexit | Functionally similar to EU eIDAS with UK trust services |
| GDPR | EU / UK | Data protection for personal data in signatures | Lawful basis, data minimisation, DPAs, international transfers |
| HIPAA | United States | Protected health information in signed docs | BAAs, access controls, encryption, audit logs |
| SOC 2 | Global (US-origin) | Service organisation controls | Security, availability, processing integrity, confidentiality, privacy |
Security controls every e-signature platform must have
Encryption
Data must be encrypted both in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent). This applies to the document file, signer personal data, audit trail records, and any attachments. Without encryption at rest, a database breach exposes every signed document in plaintext.
Authentication
How do you verify signers are who they claim to be? Authentication options range from basic (email link) to strong (SMS code, knowledge-based authentication, ID verification). The appropriate level depends on the document's value and risk. An internal policy acknowledgement may need only email authentication. A £500,000 investment agreement should use multi-factor authentication.
Document integrity
Once a document is signed, it must not be alterable. Platforms achieve this through cryptographic hashing (SHA-256) — a digital fingerprint of the document at the moment of signing. Any change to the file after signing produces a different hash, so a mismatch against the fingerprint recorded at signing reveals tampering; the recorded fingerprint itself must be protected (for example, embedded in the signature or in a tamper-evident audit record), otherwise an attacker who can edit the file can simply recompute it. This is the foundation of legal defensibility.
Access controls
Role-based access controls (RBAC) determine who can create, send, view, and manage documents. Minimum requirements include: separate admin and user roles, ability to restrict document visibility by team or department, IP allow-listing for sensitive accounts, and session timeout policies.
Audit trails
Every action on a document must be logged with a timestamp, actor identity, IP address, and action type. This includes: document creation, sending, viewing, field completion, signing, declining, voiding, and downloading. The audit trail must be tamper-evident — stored in a way that prevents retroactive modification.
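The two properties above, a document fingerprint recorded at signing and an audit trail that cannot be quietly rewritten, can be demonstrated together with a hash-chained log. The example below is added here and is not code from the original guide or from any e-signature product; the document bytes, actors, IP addresses and timestamps are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the signed PDF's bytes (not a real document).
SAMPLE_DOCUMENT = b"%PDF-1.7\nServices Agreement v3 - constructed sample content\n"
GENESIS = "0" * 64  # prev_hash of the first audit entry

def document_fingerprint(data: bytes) -> str:
    """SHA-256 of the file: the fingerprint recorded at the moment of signing."""
    return hashlib.sha256(data).hexdigest()

def _entry_hash(prev: str, body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev.encode() + payload).hexdigest()

def append_event(chain: list, *, timestamp, actor, action, ip, auth_method, doc_hash) -> dict:
    """Append one audit entry that commits to the previous entry's hash, so editing,
    reordering or deleting an earlier entry breaks every later link."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    body = {"timestamp": timestamp, "actor": actor, "action": action, "ip": ip,
            "auth_method": auth_method, "document_hash": doc_hash, "prev_hash": prev}
    entry = dict(body, entry_hash=_entry_hash(prev, body))
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> bool:
    """Recompute every link; False if any entry was altered, reordered or removed."""
    prev = GENESIS
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("prev_hash") != prev:
            return False
        if not hmac.compare_digest(_entry_hash(prev, body), entry["entry_hash"]):
            return False
        prev = entry["entry_hash"]
    return True

def verify_document(data: bytes, chain: list) -> bool:
    """Does the stored file still match the fingerprint recorded by the 'signed' event?"""
    signed = [e for e in chain if e["action"] == "signed"]
    return bool(signed) and hmac.compare_digest(document_fingerprint(data), signed[-1]["document_hash"])

def build_sample_trail(document: bytes) -> list:
    """Constructed sample trail: created -> sent -> viewed -> signed, fixed timestamps."""
    h, chain = document_fingerprint(document), []
    common = dict(ip="203.0.113.10", auth_method="email_link", doc_hash=h)
    append_event(chain, timestamp="2024-05-01T09:00:00Z", actor="ops@example.com", action="created", **common)
    append_event(chain, timestamp="2024-05-01T09:01:00Z", actor="ops@example.com", action="sent", **common)
    append_event(chain, timestamp="2024-05-01T10:15:00Z", actor="signer@example.net", action="viewed", **common)
    append_event(chain, timestamp="2024-05-01T10:17:00Z", actor="signer@example.net", action="signed", **common)
    return chain
```

Note that the chain alone does not detect removal of the most recent entries; a platform must anchor the latest entry hash externally (for example, with a trusted timestamp) to make truncation evident as well.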
Industry-specific compliance
Healthcare (HIPAA)
If signed documents contain protected health information (patient consent forms, treatment authorisations, insurance documents), your e-signature platform must support HIPAA compliance. This means: a signed Business Associate Agreement (BAA) with the platform, encryption of PHI at rest and in transit, access controls limiting who can view documents containing PHI, and audit logs retained for the HIPAA-required minimum of 6 years.
Financial services
Financial institutions face additional requirements under regulations like SEC Rule 17a-4 (record retention), MiFID II (European financial services), and PCI DSS (if payment card data appears in documents). Key considerations include: long-term record retention (often 7+ years), WORM (Write Once Read Many) storage for regulatory records, and strong authentication for high-value transactions.
Government and public sector
Government contracts may require specific signature levels (qualified electronic signatures under eIDAS), data residency within specific jurisdictions, and FedRAMP authorisation (US federal) or equivalent certifications.
What to audit in your e-signature provider
- ☐ Where is data stored? (region, data centre provider)
- ☐ Is data encrypted at rest and in transit? (what algorithms?)
- ☐ What authentication methods are available for signers?
- ☐ Is a SOC 2 Type II report available?
- ☐ Will they sign a DPA (GDPR) and/or BAA (HIPAA)?
- ☐ Can you export all documents and audit trails at any time?
- ☐ What is their data retention and deletion policy?
- ☐ How are sub-processors managed and disclosed?
- ☐ What is the incident response and breach notification process?
- ☐ Is there a vulnerability disclosure or bug bounty programme?
Common compliance mistakes
- Assuming all e-signatures are equal: Under eIDAS, a simple electronic signature (typing your name) has different legal weight than a qualified electronic signature (issued by a trust service provider with identity verification).
- No DPA with your provider: If you process EU/UK personal data through an e-signature platform, you need a Data Processing Agreement. Many platforms offer one, but you must actually sign it.
- Ignoring data residency: Some regulations require data to stay within specific borders. If your provider routes data through US servers but your signers are in the EU, you may have a transfer problem.
- Weak audit trails: A timestamp and name are not enough. Legal disputes require IP addresses, device information, authentication method, and document hash.
- No retention policy: Keeping signed documents forever is a liability, not a feature. Define retention periods based on the contract type and applicable regulations.
Not legal advice
This guide is for informational purposes. Compliance requirements vary by jurisdiction, industry, and document type. Consult qualified legal and compliance advisors for your specific situation.
Compliance-ready e-signatures
eSignHub provides encryption at rest and in transit, comprehensive audit trails, role-based access, and GDPR-compliant data handling — built for businesses that need more than just a signature.