
Understanding the legality and security of eSignatures

Discover how to maximise the legality and security of your online transactions without putting the burden of exhausting, complex workflows on customers or employees.


In the age of digital transformation, companies are scrambling to find a balance between providing delightful transactions for users and maintaining strong legal and security measures should those transactions ever become the subject of a court case.

By outsourcing eSignature collection to a software platform that provides detailed audit trails, thorough authentication and diligent compliance protocols, which we’ll explore today, organisations will be able to maximise the legality and security of their online transactions without putting the burden of exhausting, complex workflows on their customers or employees.

Are eSignatures really legal?

Let’s start with the basics – documents signed electronically have the same legal recognition as those signed with a good ol’ pen.

Much of this is thanks to the Electronic Signatures in Global and National Commerce (E-SIGN) Act, which was enacted in the US in 2000. The E-SIGN Act basically says that agreements, contracts, transactions and other documents that are signed electronically shouldn’t be denied legality just because they don’t exist on paper.

To learn more about eSignature security, be sure to visit the Dropbox Sign (formerly HelloSign) Trust Centre.

Four ways to maximise legality and security using eSignature software

Whether you choose to build your own eSignature platform (you must have an impressive tech team!) or partner with a provider that specialises in eSignature software (BTW, Dropbox Sign has been named the easiest eSignature tool to implement for several years in a row), it’s critical that you use a solution with strong legality and security measures to protect your most valuable clients and transactions.


With Dropbox Sign, all your communications are safeguarded by Transport Layer Security (TLS) encryption. Each document is stored behind a firewall and authenticated against the sender’s session every time it’s requested. Documents are also encrypted with a unique key – each of which is in turn encrypted with a regularly rotated master key. So even if someone were able to bypass physical security, they still wouldn’t be able to decrypt your data.
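To make the per-document-key design concrete, here is an added illustration of envelope encryption with a rotatable master key. It is not Dropbox Sign’s code and makes no claim about how the service is implemented; the cipher inside it is a constructed stand-in built from HMAC-SHA256 so that the example runs with Python’s standard library alone (a real system would use a standard AEAD such as AES-GCM). The point it shows is that rotating the master key re-wraps only the small per-document keys and never touches the document ciphertexts, and that the stored records cannot be decrypted without the current master key.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

# --- Toy authenticated cipher (constructed for this example) ------------------
# HMAC-SHA256 in counter mode supplies the keystream; an encrypt-then-MAC tag
# protects integrity. Used only so the example runs on the standard library;
# a real deployment would use AES-GCM or another standard AEAD instead.

def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Separate confidentiality and integrity keys derived from one input key.
    return (hmac.new(key, b"encrypt", hashlib.sha256).digest(),
            hmac.new(key, b"authenticate", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first; raise ValueError if the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

# --- Envelope encryption with a rotatable master key --------------------------

class DocumentStore:
    """Each document is encrypted under its own random data key; only the wrapped
    (master-key-encrypted) data key is stored next to the document ciphertext."""

    def __init__(self, master_key: bytes) -> None:
        self._master_key = master_key
        # doc_id -> (wrapped data key, document ciphertext)
        self.records: Dict[str, Tuple[bytes, bytes]] = {}

    def put(self, doc_id: str, plaintext: bytes) -> None:
        data_key = os.urandom(32)  # fresh key per document, never stored in the clear
        self.records[doc_id] = (seal(self._master_key, data_key), seal(data_key, plaintext))

    def get(self, doc_id: str) -> bytes:
        wrapped_key, ciphertext = self.records[doc_id]
        return unseal(unseal(self._master_key, wrapped_key), ciphertext)

    def rotate_master_key(self, new_master_key: bytes) -> int:
        """Re-wrap every data key under the new master key. The document
        ciphertexts are untouched, so rotation costs one small re-encryption per
        document rather than re-encrypting the documents themselves."""
        rewrapped = 0
        for doc_id, (wrapped_key, ciphertext) in list(self.records.items()):
            data_key = unseal(self._master_key, wrapped_key)
            self.records[doc_id] = (seal(new_master_key, data_key), ciphertext)
            rewrapped += 1
        self._master_key = new_master_key
        return rewrapped

def can_unwrap(candidate_master_key: bytes, store: DocumentStore, doc_id: str) -> bool:
    """True only if the candidate key unwraps the stored data key, i.e. it is the current master."""
    try:
        unseal(candidate_master_key, store.records[doc_id][0])
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    store = DocumentStore(os.urandom(32))
    store.put("agreement-1", b"constructed contract text")
    store.rotate_master_key(os.urandom(32))
    print(store.get("agreement-1"))  # the document still decrypts after rotation
```

A copy of the stored records taken from disk contains only wrapped keys and ciphertexts, so `can_unwrap` with anything but the current master key fails, and a retired master key stops working the moment rotation completes.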

Speaking of physical security, we store our data in a SOC 1 Type II, SOC 2 Type I and ISO 27001 certified data centre. Access to the data centre is strictly controlled by security staff equipped with video surveillance, multi-step authentication and state-of-the-art intrusion detection systems.

Detailed audit trails

Audit trails ensure that actions on an electronic document are thoroughly tracked and time-stamped and can help you tell if it was ever modified or tampered with without your knowledge.

Dropbox Sign creates a comprehensive, non-editable transaction trail between signing parties to make sure every eSignature and digital document has an audit trail.

To provide you with a transaction history, we track and timestamp various information – including IP and UserAgent info – from the moment the document is submitted for signature to when it is signed and completed. To help ensure that any tampering with your transaction log is detectable, we process each transaction with hashing technology. This produces a hash (a cryptographic fingerprint) of every version of the document, which you can compare against any questionable version that later comes to light.
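Here is an added worked example of a hash-chained audit trail of the kind the paragraph describes. It is not Dropbox Sign’s code; the field names and the sample events are constructed for illustration. Every entry records the document’s hash plus the hash of the previous entry, so editing a field, recomputing one entry’s hash after an edit, or dropping an entry is caught by verification, and a document presented later can be checked against the hash recorded at any step.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Optional

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

GENESIS = "0" * 64  # prev_hash of the first entry

@dataclass(frozen=True)
class AuditEvent:
    seq: int
    timestamp: str      # ISO 8601 UTC, as recorded by the platform
    event: str          # e.g. "sent", "viewed", "signed", "completed"
    actor: str          # the acting party (email address)
    ip: str             # client IP address at the time of the event
    user_agent: str     # client UserAgent string at the time of the event
    document_hash: str  # SHA-256 of the document bytes as they were at this step
    prev_hash: str      # entry_hash of the previous entry (GENESIS for the first)
    entry_hash: str     # SHA-256 over all the fields above

def _hash_fields(fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash does not depend on
    # dictionary ordering or formatting.
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canon)

class AuditTrail:
    """Append-only log in which each entry commits to the one before it."""
    def __init__(self) -> None:
        self.events: List[AuditEvent] = []

    def append(self, timestamp: str, event: str, actor: str, ip: str,
               user_agent: str, document: bytes) -> AuditEvent:
        prev = self.events[-1].entry_hash if self.events else GENESIS
        fields = {
            "seq": len(self.events), "timestamp": timestamp, "event": event,
            "actor": actor, "ip": ip, "user_agent": user_agent,
            "document_hash": sha256_hex(document), "prev_hash": prev,
        }
        entry = AuditEvent(**fields, entry_hash=_hash_fields(fields))
        self.events.append(entry)
        return entry

def verify_trail(events: List[AuditEvent]) -> Optional[int]:
    """Return None if every entry is intact and correctly chained, otherwise the
    seq of the first entry that fails (an edited field, a broken link, or a gap)."""
    prev = GENESIS
    for i, e in enumerate(events):
        fields = asdict(e)
        claimed = fields.pop("entry_hash")
        if e.seq != i or e.prev_hash != prev or not hmac.compare_digest(_hash_fields(fields), claimed):
            return i
        prev = claimed
    return None

def matches_recorded_version(trail: AuditTrail, seq: int, candidate: bytes) -> bool:
    """Compare a document presented later against the hash recorded at step seq."""
    return hmac.compare_digest(trail.events[seq].document_hash, sha256_hex(candidate))

def tampered_copy(events: List[AuditEvent], seq: int, **changes) -> List[AuditEvent]:
    """Simulate an after-the-fact edit of one entry (used to show detection)."""
    edited = list(events)
    edited[seq] = replace(edited[seq], **changes)
    return edited

def rehash_entry(events: List[AuditEvent], seq: int) -> List[AuditEvent]:
    """Recompute one entry's hash after editing it; the next entry's prev_hash still exposes it."""
    fields = asdict(events[seq])
    fields.pop("entry_hash")
    return tampered_copy(events, seq, entry_hash=_hash_fields(fields))

# Constructed sample data (not real documents, addresses or people).
SAMPLE_UNSIGNED = b"%PDF-1.7 constructed sample: Service Agreement, unsigned"
SAMPLE_SIGNED = b"%PDF-1.7 constructed sample: Service Agreement, signed by signer"
UA = "Mozilla/5.0 (constructed sample)"

def build_sample_trail() -> AuditTrail:
    t = AuditTrail()
    t.append("2024-01-15T09:00:00Z", "sent", "sender@example.com", "203.0.113.10", UA, SAMPLE_UNSIGNED)
    t.append("2024-01-15T09:05:12Z", "viewed", "signer@example.com", "198.51.100.7", UA, SAMPLE_UNSIGNED)
    t.append("2024-01-15T09:07:40Z", "signed", "signer@example.com", "198.51.100.7", UA, SAMPLE_SIGNED)
    return t

if __name__ == "__main__":
    trail = build_sample_trail()
    print("first bad entry (intact trail):", verify_trail(trail.events))
    print("first bad entry (IP edited):", verify_trail(tampered_copy(trail.events, 1, ip="10.0.0.99")))
```

Because each entry’s hash covers the previous entry’s hash, an attacker who edits one entry and recomputes its hash still breaks the link from the entry after it; only someone holding the whole trail and rewriting every later entry could hide the change, which is why such a trail is kept non-editable and, in practice, anchored outside the system it describes.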

Image: the events Dropbox Sign eSignature software tracks to create detailed audit trails.

Combine detailed audit trails with authentication (which we’ll discuss next!) and you’re prepared to provide a record of every time someone accessed, reviewed and signed a document.

Thorough authentication

To maximise legality and security, it’s important that your eSignature platform takes major steps towards verifying that a user is who they say they are before they’re allowed to execute a signature or even access a document.

Most commonly, capturing their IP address and proving a person had access to a specific email account and/or phone number is enough to connect them to the computer and software that was used when the eSignature was created.

When using Dropbox Sign, any person signing a document must either have login information for Dropbox Sign or have received a request for signature via email. To ensure no one is able to access a Dropbox Sign user account without permission to sign or send documents fraudulently, all user information including usernames and passwords is encrypted. We also seek to prevent others from accessing or using your account by timing out sessions and emailing you every time a contract is sent to, received by or signed by your account.

In addition, we allow users to set up two-factor authentication, which requires the entry of a unique code sent to a mobile device along with their username and password. Users can also enable a 4- to 12-digit code that signers must enter to view or sign a document. All the authentication data that a user provides to Dropbox Sign is encrypted, and passwords are hashed and salted with an adaptive hashing algorithm.
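As an added example of what ‘hashed and salted with an adaptive hashing algorithm’ means in practice (illustrative Python, not Dropbox Sign’s implementation; the choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions made for this example), the block below stores a per-user random salt and the work factor alongside the hash, compares in constant time, and upgrades a user’s record to a higher work factor at login once the policy is raised. The same pattern applies to the signer access codes mentioned above: store a salted, slow hash, never the code itself.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumed policy value for this example; raise it as hardware gets faster
SALT_BYTES = 16
KEY_LENGTH = 32

def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    Storing the parameters with the hash is what lets the work factor change later."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    salt = os.urandom(SALT_BYTES)  # unique per record, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LENGTH)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"

def _parse(stored: str) -> Tuple[int, bytes, bytes]:
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported algorithm")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)

def verify_password(password: str, stored: str) -> bool:
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than current policy."""
    iterations, _, _ = _parse(stored)
    return iterations < target_iterations

def login(password: str, stored: str, target_iterations: int = DEFAULT_ITERATIONS) -> Tuple[bool, Optional[str]]:
    """Verify the password; if it is correct and the record is below the current
    work factor, return an upgraded record to save. The plaintext is only
    available at login, which is the one moment a rehash is possible."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored, target_iterations):
        return True, hash_password(password, target_iterations)
    return True, None

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(login("correct horse battery staple", record))
```

The `login` helper is how an adaptive scheme is rolled forward without a password reset: each user’s record is silently re-hashed at the higher cost the next time they sign in.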

Diligent compliance measures

Failing to adhere to pertinent compliance regulations can result in repercussions ranging from costly fines to prosecution and even jail time. Why risk the security – or the revenue and the future – of your business on less-than-diligent information security standards?

At Dropbox Sign, we protect our clients by building in processes that make sure our eSignature platform complies with the standards that may govern your business.

Dropbox Sign is compliant with:

  • SOC 2 Type II
  • ISO 27001 and ISO 27018
  • The US E-SIGN Act of 2000
  • The Uniform Electronic Transactions Act (UETA) of 1999
  • The EU’s eIDAS Regulation of 2016 (EU Regulation 910/2014), which replaces the former Directive 1999/93/EC
  • Privacy Shield
  • General Data Protection Regulation (GDPR)

Get in touch and we’ll help you determine whether Dropbox Sign is the right eSignature platform for your security and legality needs.

Balance legality, security and user experience with Dropbox Sign

At Dropbox Sign, we’re dedicated to helping organisations discover an eSignature solution that provides ease of use and exceptional security. Usability is important to your customers – but taking careful security, audit, authentication and compliance measures is important to you and the legality of the business you conduct online.

The good news is that you don’t have to choose between usability, security or legality anymore. Balance a delightful user experience with extra-strength legal and security features when you team up with Dropbox Sign – a powerful, award-winning platform that caters to everyone from small businesses to enterprise organisations.

DISCLAIMER: The information on this site is for general information purposes only and is not intended to serve as legal advice. If you have legal questions, please consult with your lawyer.
