Do you have a PDF document that requires a legally binding digital signature?
It doesn’t matter whether it is a consulting agreement, a freelance contract, a power of attorney, or the minutes of a board meeting: you can easily get your PDF documents electronically signed with any of the many services that are available today.
Simply google “sign pdf document” and you’ll get more than a quarter of a billion hits.
The question is, which of these free online e-signature services can you trust? What makes one more secure than others?
Before we go ahead and follow the instructions of this 90-second video on how to do so, it’s important that we discuss the different kinds of signatures, and more specifically, the difference between a digital signature and an electronic signature.
The difference between a simple electronic signature and digital signature
The terms digital signature and electronic signature are used interchangeably, but they are actually very different things.
An electronic signature is electronic data that is logically connected to an electronic message of some sort, like a PDF document or a web contract, that the signatory wanted to sign. Just as a signature in the real world can take many forms (in some countries, for example, an ink stamp is considered a legally binding signature), electronic signatures can take many forms. An email reply with “I agree” can be considered an electronic signature. It’s just a very bad one!
So what is a good electronic signature? An electronic signature implemented by means of a digital signature!
A digital signature is a way to use advanced mathematics, involving the complex usage of really big prime numbers, to ensure both the authenticity and the origin of a message, document, or contract. Like with electronic signatures, digital signatures can be made in many different ways. The most common way is to use Private Key Infrastructure, or PKI.
Digital signatures using Private Key Infrastructure
To make a digital signature with PKI you use a certificate, which has been issued to the signatory by a certificate authority, or CA. The CA is a specialized and trusted 3rd party whose responsibility it is to check that the signatory is who they say they are.
The signatory uses their private key for the certificate to sign the message. Anyone viewing the message can later use the public key for the certificate to verify the message and the certificate. As the signatory has sole control of the private key while the public key is, well, publicly available, anyone can later verify who authored the message and that the message is unchanged. It is this use of private and public keys that is called Private Key Infrastructure, or PKI, and it is the most common way to create electronic signatures.
But not all CAs are equal: some CAs are more secure and more trustworthy than others. If a low-quality CA was used to issue the signatory’s certificate, you might have a hard time verifying that the signature is valid, or worse, the signatory might not be who the CAs say they are. To ensure that it is easy to verify a signature, for example in Adobe Reader, only CAs that are either in the Adobe Approved Trust List (AATL) or the EU Trust List (EUTL) should be used.
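The two checks a verifier performs, sketched in Go as an added example (not code from this page or from any signing service): the signer's certificate must chain to a CA on the verifier's trust list, and the signature must match the document. All names and the document text are constructed; an in-memory pool stands in for a trust list such as the AATL or EUTL, and Ed25519 with a detached signature stands in for the algorithm and PDF signature container a real service would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a key pair and certificate for name; a nil parent yields a self-signed one.
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err1 := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil { // no issuer given: the certificate signs itself
		parent, parentKey = tmpl, key
	}
	der, err2 := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, err3 := x509.ParseCertificate(der)
	if err1 != nil || err2 != nil || err3 != nil {
		panic(fmt.Sprint("issuing certificate failed: ", err1, err2, err3))
	}
	return cert, key
}

// verify checks that cert chains to a CA on the trust list, then that sig matches doc.
func verify(doc, sig []byte, cert *x509.Certificate, trusted *x509.CertPool) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: trusted}); err != nil {
		return fmt.Errorf("signer certificate not trusted: %w", err)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, doc, sig) {
		return fmt.Errorf("signature does not match document")
	}
	return nil
}

func demo() (intact, altered, selfSigned error) {
	ca, caKey := issue("Example Listed CA", nil, nil)
	cert, key := issue("Alice Signatory", ca, caKey)
	self, selfKey := issue("Self-Signed Signatory", nil, nil)
	pool := x509.NewCertPool() // constructed trust list holding one CA
	pool.AddCert(ca)
	doc, edited := []byte("Fee: 1000 EUR"), []byte("Fee: 9000 EUR")
	sig, selfSig := ed25519.Sign(key, doc), ed25519.Sign(selfKey, doc)
	return verify(doc, sig, cert, pool), verify(edited, sig, cert, pool), verify(doc, selfSig, self, pool)
}
func main() { fmt.Println(demo()) }
```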
The EU Trust List is regulated by eIDAS.
eIDAS, or electronic IDentification, Authentication and trust Services, is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market.
The highest level of electronic signatures and seals under eIDAS, the qualified electronic signature and qualified electronic seal, requires the use of a qualified certificate. A qualified certificate can only be issued by a CA that has been certified as a Qualified Trusted Service Provider, or QTSP, by the EU. Any qualified certificate issued by a QTSP will automatically be part of the EU Trust List (EUTL).
A seal is a special kind of electronic signature that allows legal entities, like an online contract signing service, to sign a contract. This allows them to guarantee the origin and authenticity of the document to their customers, or in legal speak, to ensure “non-repudiation”.
Questions to ask before signing a PDF document online
As we previously mentioned, there are many free e-sign tools out there, ones where you can upload your PDF and send it for digital signing. With PLG being the go-to-market strategy for many SaaS companies, many of our competitors, as well as ourselves, offer free plans.
When it’s “free”, one might become suspicious of whether or not it’s legit. Also, what if you reach the limit of free PDFs you can sign, and you lose all your signed documents somewhere on the internet and have to pay to get access?
Here are some considerations to figure out whether the free tool is legit:
- Go with the tools with the most demanding enterprise clients, because then they would have to fix their tools according to the strictest requirements.
- Go with the free tools with no limit on the PDF documents you can sign within a certain period, so that you don’t have to learn a new tool again and again because you have reached your limit.
- Go with Oneflow because we meet both the requirements above! Oneflow’s free plan has no limit on the number of PDFs you can sign. And it’s totally legit and safe because you’re forever protected by our ecosystem through our enterprise clients like Absolut Vodka, Thule, Nobia, Experis Manpower, Systembolaget, to name a few.
Also, if you are looking to sign your PDF document with secure, reliable signatures that can be verified even if the provider disappears from the Earth, then remember to ask these questions:
Is the document sealed from tampering with a secure digital signature?
What is the quality of that seal and can it be independently verified?
For many providers, the answer to both is “no”. The reason is that proper electronic seals come with a price. For every digital certificate that is issued by a CA, there is a cost borne by the provider.
We seal all our contracts
Oneflow is partnering with Sovos TrustWeaver to deliver a qualified electronic seal on all our contracts. Sovos TrustWeaver is a QTSP in accordance with eIDAS, something that can be easily verified by looking at the official EU Trusted List browser, and it uses only qualified certificates to seal our contracts.
For you, it means that the authenticity of a Oneflow contract can very easily be verified by opening it in Adobe Reader, or any other application that can read from the EU Trust List (EUTL).
The seal prevents intentional and accidental change of the PDF document after it was signed, meaning you and your counterparties can remain secure in the knowledge that what you signed today will remain verifiably unchanged now and in the future, even if that is 20 years away.