Electronic Signature Compliance
Documenso provides legally valid electronic signatures that comply with major electronic signature regulations worldwide.
Regulatory Compliance Status
| Regulation | Status | Description |
|---|---|---|
| ESIGN / UETA | Compliant | U.S. federal and state electronic signature laws |
| eIDAS SES | Compliant | EU Simple Electronic Signatures |
| eIDAS AES | Planned | EU Advanced Electronic Signatures |
| eIDAS QES | Planned | EU Qualified Electronic Signatures |
| ZertES | Planned | Swiss federal electronic signature law |
Documenso cryptographically seals all signed documents to prevent any alterations after signing,
regardless of signature level.
What This Means for You
Data Protection & Privacy
Documenso takes data protection seriously and implements measures to comply with GDPR and other privacy regulations.
GDPR Compliance
Security Practices
Documenso implements security best practices throughout the development and deployment lifecycle.
Development Security
- Code review: All changes require review before merging
- Dependency scanning: Automated monitoring for vulnerabilities
- Static analysis: Security scanning in CI/CD pipeline
- Open source: Publicly auditable codebase at github.com/documenso/documenso
Infrastructure Security (Documenso Cloud)
| Layer | Implementation |
|---|---|
| Hosting | EU data centers with SOC 2 compliance |
| Network | TLS 1.2+ for all connections |
| Database | Managed PostgreSQL with automated encrypted backups |
| Storage | Encrypted object storage for documents |
| Monitoring | 24/7 infrastructure monitoring and alerting |
| Updates | Regular security patches applied to all infrastructure |
Cryptographic Protection
Industry Certifications
Documenso maintains or is working toward various industry certifications and compliance frameworks.
| Certification | Status | Description |
|---|---|---|
| SOC 2 | Compliant | Security, availability, and confidentiality controls |
| 21 CFR Part 11 | Compliant (Enterprise) | FDA electronic records and signatures |
| ISO 27001 | Planned | Information security management system |
| HIPAA | Planned | Healthcare data protection |
See Certifications for detailed information about each framework.
Technical Standards
Documenso implements industry-standard cryptographic and archival technologies.
Implemented Standards
- ISO 32000 - PDF digital signature specification
- X.509 - Certificate format for digital signatures
- RFC 3161 - Timestamping protocol for long-term validity
- PDF/A - Archival format for long-term document preservation
Standards in Development
- PAdES - PDF Advanced Electronic Signatures (ETSI EN 319 142)
- XAdES - XML Advanced Electronic Signatures
See Standards for technical details.
Audit & Verification
Audit Trails
Every document maintains a complete audit trail recording:
| Event | Recorded Data |
|---|---|
| Document creation | Timestamp, creator identity |
| Recipient addition | Recipient details, assigned fields |
| Document sent | Timestamp, delivery method |
| Document viewed | Timestamp, viewer identity, IP address |
| Field completed | Timestamp, field type, signer identity |
| Document completed | Timestamp, final document hash |
Audit trails provide evidence of the signing process, including who signed, when they signed, and the sequence of events.
Signature Verification
Signed documents can be verified to ensure:
- Document has not been altered since signing
- Signature was created with a valid certificate
- Timestamp proves when the document was signed
PDF readers can verify signatures directly without requiring Documenso.
Self-Hosting for Enhanced Compliance
Self-hosting Documenso provides additional control for compliance-sensitive deployments:
Benefits for Compliance
See the Self-Hosting Guide for deployment options.
Vulnerability Disclosure
Documenso operates a responsible disclosure process for security vulnerabilities.
Reporting a Vulnerability
If you discover a security vulnerability, please report it to:
[email protected]
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fixes (optional)
Response Timeline
| Stage | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial triage | Within 5 days |
| Status update | Within 10 days |
| Resolution target | Depends on severity |
Do not publicly disclose vulnerabilities until they have been addressed. Public disclosure of
unpatched vulnerabilities puts users at risk.
Limitations & Disclaimers
What Documenso Does Not Provide
| Capability | Status |
|---|---|
| Qualified Electronic Signatures (QES) | Not supported; requires QTSP integration |
| Advanced Electronic Signatures (AES) | Partial; full AES requires identity verification |
| Identity Verification (KYC) | Not built-in; may require third-party integration |
| Qualified Certificates | Not issued; would require QTSP accreditation |
| Industry-Specific Compliance | Features depend on configuration and license |
Legal Disclaimer
This documentation is provided for informational purposes only and does not constitute legal
advice. Compliance requirements vary based on jurisdiction, document type, industry regulations,
and specific circumstances.
Consult qualified legal counsel to:
- Determine appropriate signature levels for your documents
- Understand your compliance obligations
- Assess whether electronic signatures are valid for your use case
- Draft appropriate disclosures and privacy notices