The corporate solution to identification problems in transactions with electronic signatures
On 29 January 2021, the Provincial Court of Lleida handed down ruling no. 74/2021, which rejects any contract signed using the electronic signature solution DocuSign because of its failure to guarantee the identity of the signer. This ruling has caused a great deal of concern in the sector due to the vast number of contracts which are signed using DocuSign and other electronic signature platforms on a daily basis.
In this post we aim to answer the main questions that have cropped up as a result of this ruling. We will also set out some of the measures that companies can introduce in order to verify the identity of individuals in an electronic contracting process, thus avoiding the risks highlighted in the ruling.
What is the situation judged by the Provincial Court of Lleida?
The facts are as follows:
- LTD Invest Capital (“LTD”) sues Ms. Adelaida for the non-payment of approximately €6,300.
- To support its claim, LTD provides a contract signed by means of the DocuSign platform, in which the only method used to identify the signer was an e-mail address.
- Ms. Adelaida denies having signed the contract and thereby challenges its authenticity.
- In light of the challenge, LTD does not submit any additional expert evidence to prove that the signer was Ms. Adelaida.
What is the decision of the Provincial Court of Lleida? What arguments justify its decision?
After analysing the facts, the Provincial Court rejects the claim as it considers that there is not enough evidence to be able to prove that it was Ms. Adelaida (and not someone else) who signed the contract. As we will see later in the post, the use of an OTP would not have guaranteed the identification of Adelaida either.
The decision of the Provincial Court is predominantly based on the weakness of the identification element used. An unverified e-mail address is not enough to prove the identity of its owner due to the following reason:
DocuSign, or any other signature platform on which identification is exclusively based on the use of an e-mail account, is able to prove that:
- The contract was sent to the e-mail address « firstname.lastname@example.org »;
- The signature platform was accessed from this e-mail address;
- The person who accessed the platform completed the signature process and, in the case of DocuSign, left a signature in the space provided.
Nonetheless, DocuSign (or, again, any other signature platform on which identification is exclusively based on the use of an e-mail account, or even of an e-mail address and an OTP) is not able to prove that the owner of the e-mail account « firstname.lastname@example.org » is indeed Ms. Adelaida and not someone else who has simply registered this e-mail address.
In this particular case, no other evidence was provided to compensate for this weakness of the identification element in order to prove that the defendant signed the contract, or even to prove that she was aware of the operation. It would have been useful if this evidence had been available.
How can companies identify the signers of an electronic contract?
Electronic contracting is not an option but a necessity. It would be impossible for companies to ignore the digital transformation process which is spreading through society as a whole. The real challenge therefore lies in designing an electronic contracting process which is capable of combining legal certainty and user experience.
With regard to authenticating the participants in an electronic contracting process, in other words, to check that “the signers are who they say they are”, the following authentication mechanisms have traditionally been used:
- Use of digital certificates
A digital certificate is an electronic document which links an electronic signature to a specific person. The most recognised certificates are those issued by the National Mint and Stamp Factory (FNMT) and the certificate incorporated into the Electronic National Identity Card (DNIe), which is issued by the Directorate General of the Police.
The main restriction of this technology lies in the limited extent of its use (it is mainly used in B2C relationships), which can primarily be explained by the following factors:
- Until the recent publication, on May 14, 2021, of Order ETD/465/2021, of May 6, which allows remote video-identification, the future signer had to physically go to the offices of a Registration Authority to prove their identity before a certificate could be issued.
- The subsequent installation and use of the certificate is complex for the average consumer.
A company cannot solely and exclusively limit its online contracting processes to possible customers who have an electronic certificate. Moreover, it seems unrealistic to think that a consumer is going to be willing to complete an entire process to obtain and install an electronic certificate in order to sign a contract: Just think about the number of people (including ourselves) who have never activated their electronic identity documents!
- OTP and other means of authentication
Some electronic signature platforms aim to solve the difficulties involved in checking the identity of the signer by combining various means of authentication. For example, when accessing an electronic contract, it is common for prior validation to be requested from the signer with an OTP (One Time Password) which is sent to them via a certain phone number.
The main limitation of this technology stems from a similar line of reasoning to that followed by the Provincial Court of Lleida: the electronic contracting platform can prove that an OTP was sent to a certain phone number and that this OTP was validated before accessing the platform. However, on its own it cannot prove the connection between the signer and the owner of the phone number to which the OTP was sent. Data regarding the ownership of each phone line is only available to the telecommunications operators and access to this information is highly restricted in our regulations.
Therefore, although the use of OTPs reinforces the electronic contracting process, it does not completely rule out the risk of identity theft.
What secure alternative is there?
In a bid to address the weaknesses of the traditional identification methods, Branddocs has developed TrustCloud UserID, an identity token issued by the corporation to the user which is generated prior to making any business transaction. This makes it possible to assign, check and verify the identity of a customer or future customer. Therefore, the person who will be interacting with the company receives a TrustCloud UserID Token as though it were an SSI (Self-Sovereign Identity). In addition, the UserID service creates an Identity File assigned to each customer, which groups the transactions made by any of the information systems of the company, and makes it possible to gather evidence of non-repudiation of transactions made with this customer, while keeping this evidence in a unified architecture, as though this were a customer Single Sign-On.
Regardless of the possible adjustments that may be made in order to adjust the process in line with the needs of each customer, the UserID solution is structured according to the following steps:
Step no. 1: Access to the UserID service
The signer accesses the UserID service, which is either included in the contracting process itself or provided separately by a link sent via e-mail, URL or SMS.
Step no. 2: Secure assignment of transactional identity
The user will be automatically taken through the various processes carried out by the system in order to be able to securely assign the transactional identity to the user. By means of processes of video identification, document verification, KYC, biometric checks and proof of life, etc., it will be checked that the person carrying out the transaction is who they say they are, that this is not identity fraud, and that this person wishes to use the e-mail address and mobile phone number indicated in the process, clearly assigning these details to their transactional identity.
All transactions will be recorded and carried out in approximately three minutes, therefore meaning that the user experience will be very quick and straightforward.
Step no. 3: End of the electronic contracting process
Once the identity of the signer has been verified and the transactional identity token has been assigned to them by means of the UserID solution, the signer will complete the signature process with the mechanism made available to them by the electronic contracting platform used.
The risk of this transaction or any subsequent transaction being challenged later is practically non-existent, given that the corporate identity token assigned will prove that “the user is who they say they are” and that this person has provided a specific e-mail address and phone number for contact purposes.
Returning to the case considered by the Provincial Court of Lleida, UserID not only checks that the signer is Ms. Adelaida, but also that Ms. Adelaida is the person who provided the e-mail address « firstname.lastname@example.org » (and the phone number, where required).
Step no. 4: Issuing and retention of credentials
Branddocs will protect the evidence obtained in the video identification process and issue credentials which will link an e-mail address and a phone number to a specific person.
This means that the signer will gain direct access to sign the contract in subsequent contracting processes, provided that the e-mail address and phone number used are the same as those which have been previously verified with UserID.
In conclusion, UserID is a solution which combines legal certainty and usability in order to guarantee the non-repudiation of transactions and prevent cases of identity theft and fraud in contracting. This solution does not require the user to install or use any complicated electronic certificates, nor does it require them to have any specific devices. All the user needs is a suitable internet connection, a camera and microphone that can capture images and sound of an acceptable quality (a smartphone or a computer) and, in less than three minutes, the company will be able to carry out an electronic contracting process with full legal guarantees.