This document describes how Docuplete captures, verifies, records, and stores electronic signatures in compliance with the U.S. Electronic Signatures in Global and National Commerce Act (ESIGN Act, 15 U.S.C. § 7001 et seq.) and the Uniform Electronic Transactions Act (UETA), as adopted in applicable states. It is intended for distribution to custodians, financial institutions, and legal and compliance teams evaluating Docuplete's electronic signature process.
The ESIGN Act (enacted 2000) establishes that electronic signatures have the same legal force and effect as handwritten signatures for contracts and records in or affecting interstate commerce, provided that:
UETA, adopted in 49 U.S. states and the District of Columbia, provides the same framework for intrastate transactions. Docuplete's signature process is designed to satisfy all four requirements.
Before a signatory can proceed to signing through Docuplete, the platform presents a clear electronic disclosure stating that the session will be conducted electronically and that their electronic signature will have the same legal effect as a handwritten signature. The signatory must affirmatively check a consent acknowledgement before advancing. This event is recorded in the session audit trail with a precise timestamp.
Signatories who decline consent are not able to proceed through the electronic signing flow. In that circumstance, the requesting organisation must arrange an alternative paper-based execution.
Docuplete verifies the identity of each signatory through a one-time password (OTP) process before accepting a signature:
The OTP verification event — including the email address used, the time of the code request, and the time of successful entry — is recorded in the immutable session audit trail.
After OTP verification, the signatory is presented with the document and a signature field. The signatory draws or types their signature and confirms it. This constitutes the electronic signature under 15 U.S.C. § 7006(5) — "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."
Intent to sign is established by the signatory's affirmative action of placing their signature and clicking to confirm, following the electronic consent acknowledgement at session start.
Every Docuplete document session generates a complete, tamper-evident audit trail. The following events are recorded, each with a UTC timestamp, the signatory's IP address, and device/browser fingerprint:
| Event | What is recorded |
|---|---|
| Session created | Timestamp, initiating organisation ID, document package ID |
| Session opened by signatory | Timestamp, IP address, device type, browser, operating system |
| Electronic consent given | Timestamp, IP address, consent text version |
| OTP requested | Timestamp, email address OTP was sent to |
| OTP verified | Timestamp, IP address — confirmation that signatory controls the email |
| Signature placed | Timestamp, IP address, device fingerprint, signature image hash |
| Document submitted | Timestamp, SHA-256 hash of completed PDF, submission confirmation |
The audit trail is stored independently of the generated PDF. It persists even if the PDF is shared externally, deleted by the organisation, or transferred to another system. It is accessible via the Docuplete dashboard and the REST API on Developer and Enterprise plans.
At the moment a completed PDF is generated, Docuplete computes a SHA-256 cryptographic hash of the document and records it in the audit trail. Any modification to the PDF after generation — including field edits, page additions, or byte-level alterations — produces a different hash. The original hash stored in the audit trail allows detection of any post-generation tampering.
Every signed document receives a trusted timestamp from an independent Time Stamping Authority (TSA) compliant with RFC 3161 (Internet X.509 Public Key Infrastructure Time-Stamp Protocol). The timestamp provides cryptographically verifiable proof of exactly when the document was signed — independently of Docuplete's own systems. This is included on all Docuplete plans.
A summary of the audit trail is appended to every completed PDF as a signing certificate page. This page includes: the signatory's name and email, the OTP verification event, the signature timestamp, the IP address, the SHA-256 document hash, and the RFC 3161 trusted timestamp. The signing certificate makes the identity and integrity record inseparable from the document itself.
| Control | Implementation |
|---|---|
| Encryption at rest | AES-256-GCM authenticated encryption for client interview answer data (all paid plans) |
| Encryption in transit | TLS 1.2+ for all data between clients, Docuplete servers, and integrations |
| Access controls | Multi-tenant isolation enforced at database and API middleware level; all queries scoped to organisation ID |
| Infrastructure | Hosted on Railway (API) and Vercel (frontend); document storage on Cloudflare R2 |
| Security audit | SOC 2 Type II audit in progress; controls aligned with SOC 2 Trust Services Criteria CC6 |
Completed documents, audit trails, and signing certificates are retained for the duration of the subscribing organisation's account and for a period following account closure as specified in Docuplete's Data Retention Policy and the applicable Data Processing Agreement. Organisations may export all submission records and audit trails at any time via the dashboard or API.
Electronic signatures executed through Docuplete are not appropriate for documents that are specifically excluded from the ESIGN Act's scope, including: wills, codicils, testamentary trusts, adoption papers, divorce decrees, court orders, and notices of cancellation of utility services. Organisations are responsible for determining whether electronic execution is appropriate for each document type they deploy through Docuplete.
Docuplete does not provide legal advice. Organisations should consult their own legal counsel regarding the suitability of electronic signatures for any specific document or transaction.
For questions about this document, requests for additional technical documentation, or to arrange a compliance review with your legal team, contact: legal@docuplete.com
Docuplete, Inc. · This document may be reproduced and distributed for compliance review purposes.