I deployed this a month ago and have been pretty happy with it so far. Even in the self-hosted version, there are some built-in upsell features that make this seem open-core. However, these features are trivial to remove in your local version.
Some people are confused about what signing means. To me, there are three different types:
1. The ability to put a visual signature on a document. If you want this, just use MS Paint or similar tools.
2. Cryptographic signature, using Public Key Infrastructure (PKI), etc. This isn't really practical until we have widespread client certificates, or something like EIP-712 in mainstream usage.
3. Digital verification via audit data. This is where eSign platforms really provide their value. It's possible to view when a user opened a document and when they signed it, by logging sufficient audit data about their user client/browser. Think about the unique fingerprint provided by websites like https://coveryourtracks.eff.org/, etc.
Now, DocuSeal seems to only log opening and signature events, along with the user-agent and IP address. For many users, this may be sufficient data, but DocuSign includes a more unique fingerprint. With this data, it's possible to be more confident that a system was used to sign the document than with a wet ink document.
That said, some people also feel that the credibility of having this hosted by a third party adds value, as they are impartial.
Still, for my purposes, it's a great free project, so thank you.
>2. Cryptographic signature, using Public Key Infrastructure (PKI), etc. This isn't really practical until we have widespread client certificates, or something like EIP-712 in mainstream usage.
It's very practical and used in certain jurisdictions, with a very high rollout rate of personal certificates. Within the EU regulatory framework it's also a thing and has legal meaning, then there is the US government with their weird fixation on contact-only smartcards.
That being said, it's globally deployed with an "advanced", rather than "qualified" profile, where the provider applies a signature with their own certificate (or an ephemeral certificate issued to the user on the spot) and embeds it into the PDF as a field.
European Commission even has a library [0] in addition to the law for that.
It's kind of a mess, but nobody really cares until somebody tries to challenge the validity of their own signature, which is very very rare. As a former industry insider I would say it's all security theater and you can as well exchange emails to confirm the existence of a contract. It's just more convenient to have a document with a signature as a single artifact, even if it's produced in MS Paint as you rightly suggest.
Here you go: https://diia.gov.ua/news/perereyestraciya-avto-e-pidpriyemec.... 50% of all adults have the app, almost everybody else has a bank account, and proper PKI is part of both and is a prerequisite to deal with tax authorities and e-services in general. Since it's also been built into most European ID cards for the last forever, it's not a certificate rollout problem, it's a "why do I even need this" problem.
In Ukraine PKI finally found the problem it was solving, due to VAT return fraud and repudiation through courts.
In Lithuania and Estonia it's also widely used, but I'm not familiar with their landscape that much.
Anecdotal, but I use it daily in a company setting (as do many people in my company) and 90% of the time when contacting the government in personal matters. Honestly it's pretty awesome.
> If you want this, just use MS Paint or similar tools.
Except then you need to have people install those tools and know how to use them correctly. I think eSign platforms can still provide some value here in terms of usability even if that's not the core value proposition.
Last time we bought a house, we did basically everything on our phones, including tapping our way through the closing paperwork on one of these platforms. Easiest time by far—we’d used them for parts of other house purchases, but had never done the whole thing that way before. These sorts of platforms also take care of notifying everyone when stuff’s done, maintaining a to-do list for signing, sending reminders, verifying you didn’t miss spots that need a signature or initials, and making sure everyone who needs access to the docs has it. They’re really nice.
Anyway, if you just want to draw a signature on docs standalone with only local software and none of that other nice stuff, the good solution on a desktop OS isn’t mspaint, but Preview. Works directly on pdfs, can generate a fancy sig or let you draw your own, signatures re-usable and available in a drop down menu next time you need to sign something.
Preview is great on Mac, but does not exist on Windows. If parent uses Windows, perhaps they must resort to MSPaint (which is much worse for this purpose).
On Windows, the best way to draw on PDFs is actually Microsoft Edge. It even handles pressure sensitivity if used on a laptop with a stylus or with a graphics tablet.
And I'm not sure of the value. If an email reply saying "I agree to this" is sufficient then I'm not sure what having a skeuomorph signature adds to the process.
You often need to show the document to some kind of third party, from a local government to your medical provider. People usually expect to get a nice PDF with that useless skeuomorph signature and put it into their archive in case they will then have to show it to somebody else during an audit or something. Document+signature is simply a convenient artifact. It's obviously very easy to manipulate, so the government invented this whole PKI stuff which nobody uses, as repudiation happens almost never and nobody provides validation services for the cryptography part of it.
Hi - one of the co-founders of DocuSeal here. Thanks so much for upvoting us.
As a quick summary about us: we offer the basics of document signing for free like what DocuSign and the like would give you in their paid product (unlimited document sending, mobile signing, Stripe integration) via open source/self-hosted or free tier cloud hosting.
We cover our business costs by having Enterprise focused features as paid offerings (API/Embedding, custom logo branding/domain, SSO/SAML etc).
Please feel free to ask any questions and we'll do our best to answer them today.
None of the features you bill as "enterprise focused" are limited in usefulness to large enterprises. Everyone doing anything beyond trivial would likely benefit from one or more of these features. I get the need to have a working business model, I just find the way it is presented a bit frustrating. Still yet, thank you for creating open source software. Even a half-complete open source solution is better than no open source software! I really appreciate all open source contributors of all sorts! Thank you.
Open source code can be charged money for, if the author so chooses, and there are lots of companies with this business model. Even setting that aside, I never proposed that (of course I and many others use open source code freely), but I was just commenting (generally, not necessarily towards you) on how much entitlement there usually is in the open source community, as if it's not enough to make something for free but that people even complain if the creators ask money for it.
Thanks for the clarification. I have no problem paying money to support open source development, or to pay for support or sponsor open source features I need, etc. I don't use non-open source code for anything critical in my business, and avoid it whenever possible even outside of critical functions. That includes proprietary extensions to open source cores.
I don't mean to sound entitled, I always want to express gratitude to developers for contributing to open source. But I will say that I would never pay for proprietary features- not because I don't want to pay, but because I want open source features, and I am willing to pay for open source features.
True, I definitely don't use non open source stuff for my business either, on the code side, but I definitely do use user land applications that aren't open source, for example Google sheets or QuickBooks for accounting, because user land applications are not necessarily something that there are good alternatives for that are open source; I'd never use OpenOffice over Google sheets.
I'm truly captivated by this model.
The strategy is to target products that have a high Monthly Recurring Revenue and low complexity. This approach can outperform enterprise solutions, as many enterprises prefer to possess full ownership of their solutions.
Notable instances of this strategy include Slack with Mattermost, Tableau with Metabase, and Calendly with Cal.com.
Excellent work, team. I'm optimistic about the success of this approach
We appreciate your support. Yeah, we agree that many SaaS solutions offer too little for too much money given how much computing costs have gone down in the last 20 years. We hope consumers continue to vote for models like ours.
I do not find your pricing any more desirable or palatable
I currently use DocuSign, for my plan, it would be more expensive to use this
I really want a self hosted, self branded, embedded solution with API access. You have this, but it is only available in the most expensive Enterprise plan. I'm not an enterprise and there is no discount for self hosting
I'm open to reconsidering if you offer the right features at an acceptable price. I'd prefer a fixed price for self hosted, rather than something based on users and docs sent counts
I recommend you talk to an IP attorney. USPTO TM search is currently down, so I can’t check if DocuSeal is a successfully registered trademark. I would be surprised if DocuSign doesn’t raise opposition to registration.
How do document signing services actually work from a security perspective? How is the signer's identity baked into the document such that it is verifiable?
Some lawyer friends I have (here in Australia) have told me that electronic signatures (of the kind like DocuSign and Adobe Sign that have you “adopt” a digital signature and click a “Sign” button) should only be used in situations where the other party’s actions soon after signing will confirm their intention to be bound by the document.
For example, if there is a sales contract and the buyer proceeds to pay the money, then that payment shows intent to follow the purchase agreement.
Or, if someone sends an email after signing saying “All done. I look forward to working with you.” — that has the same effect.
To use it for something where the other party will be doing nothing for a long time (like a guarantor on a loan or lease) or acting unpredictably (like a house tenant) would be very risky. The other party could easily use the defence of “I didn’t click the button… I didn’t even know about the contract.” even if they did know and did click the button.
So why use a digital signing system? Efficiency!
It’s quicker and easier. You can get dozens done with the same time & effort it takes to arrange a single wet signature. It’s multilingual. It’s automated. It’s fancy!
Having any signature, whether wet or digital, shows that your side is following proper process. The signing of a document is an important moment, and the specific date & time often has real commercial, accounting or legal ramifications. Even if you could easily show to a court that the other party has “agreed” without signing (e.g. via email, text, phone, etc) and is acting in accordance, it’s better to just avoid the court in the first place.
To summarise:
Wet signatures are best. The other party would be crazy to challenge them.
Digital signatures are better than just an email saying “I agree.” The other party would have to be brave to challenge one.
An email saying “I agree” is better than a handshake.
(Again, I’m not a lawyer! I would love to hear a lawyer’s opinion. Though, please do so anonymously — I don’t want anyone getting in trouble!)
There's some truth to what they're saying, but is it any different than a handwritten signature? "I didn't sign that. That's not my signature."
In both cases, from a legal perspective, the issue is the same: I've got to prove to a judge or jury, by a preponderance of the evidence, that you did sign or click. I can either bring in a paid whore handwriting analyst to testify that in their professional opinion it is your signature (and hope he doesn't get excluded for being a quack), or I can subpoena DocuSign to produce whatever evidence they have that the person actually clicked. In the end, the judge or jury will either believe them or not.
If this is a billion dollar life or death deal, my free legal advice is, in either situation, get as much verification as you can at the time of the signing. Both will be easier to prove if you have things like a copy of their driver's license, or even better, video of the person clicking/signing.
It depends on the jurisdiction. At least in the US, the ESIGN Act of 2000 made esignatures valid and enforceable. I believe there is relevant case law after this act that backs up the core idea that an esignature is valid.
People can always claim they didn't sign something, ink or digital. The reason that DocuSign is a multi billion $$ company is that they have a bunch of audit trail features which make it pretty darn clear the person did in fact sign it.
There are many ways, but a popular option is to add a “PDF Advanced Electronic Signature” (PAdES) compliant approval signature to the PDF file. You can tack as many of these onto a PDF as you wish, and they have a visual component you can control and place where you want. Most PDF readers support these and can verify the signatures using a PKI system similar to the one used with HTTPS. Adobe Reader is a popular choice. Notably Apple's Preview.app does not support verifying PDF signatures.
In the EU, often a personal key on a tamperproof personal device is used. In many EU countries these are readily available to citizens and the resulting signatures carry the signer's name, a unique personal ID code, and have the same legal effect as a handwritten signature. This is called a "qualified electronic signature". Qualified trust service providers verify the identities of people and provision the hardware to them.
The EU system is great in that when creating or verifying signatures, you don't necessarily need a service provider at all — the software is free. Of course a good system can help managing signature invitations, the documents, archival, reminders, etc. But it's not needed for security; in fact the most secure way would be to not give your documents to a third party at all.
Alternatively, the e-signing provider's private key can be used to create a seal on behalf of the person signing. It's then up to the security of the e-signing provider, how they validate the signer's identity, etc., to decide how trustworthy such a signature is.
>Most PDF readers support these and can verify the signatures using a PKI system similar as is used with HTTPS. Adobe Reader is a popular choice.
One subtle problem in this setup is the trust list. Adobe effectively has their own trust bit sovereign rights, while the EU has its own trust list (which doesn't always match the list of qualified providers as per EU-conforming states). Then the US federal government has its own trust list.
There is a spectrum between copy-pasting a picture into a PDF and actually requiring the user to bring their own CA-endorsed key material to produce an artifact. The most practical compromise is performing all cryptography in a service provider's environment with an HSM and all that and issuing the end user an ephemeral certificate on the spot, tied to their email.
In the end you can't modify the data (actually you can, because PDF, but it's a different problem) without breaking the crypto signature, but the identity that is proven by this operation is not government-endorsed. Everybody is mostly fine with the status quo.
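The two comments above make the same point from different angles: a PAdES signature covers a specific byte range of the file, and "actually you can, because PDF" refers to the fact that PDF edits are appended as incremental updates after the signed bytes rather than rewriting them. The check below is an added example (not DocuSeal's code, and not a full PAdES verifier): it locates the newest `/ByteRange`, hashes exactly the bytes the signature covers, and reports how many unsigned bytes trail that range. The sample PDF it builds is constructed and structurally minimal (no xref table, a zero-filled `/Contents` placeholder instead of a real CMS signature); the fixed-width placeholder trick it uses to fill in offsets is how real signers keep the file length stable.

```python
import hashlib
import re

# /ByteRange [offset1 length1 offset2 length2] inside a PDF signature dictionary
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def find_byte_ranges(pdf: bytes):
    """Return every /ByteRange in file order; the last one belongs to the newest signature."""
    return [tuple(int(g) for g in m.groups()) for m in BYTERANGE_RE.finditer(pdf)]


def covered_bytes(pdf: bytes, byte_range) -> bytes:
    """The bytes a signature actually covers: everything except the /Contents hex gap."""
    a, b, c, d = byte_range
    return pdf[a:a + b] + pdf[c:c + d]


def check_signature_coverage(pdf: bytes) -> dict:
    """Report whether anything follows the newest signature's covered range.

    A verifier checks the CMS signature over sha256(covered bytes); this helper adds
    the separate check that no unsigned bytes were appended after that range.
    """
    ranges = find_byte_ranges(pdf)
    if not ranges:
        return {"signed": False}
    last = ranges[-1]
    end_of_signed = last[2] + last[3]
    return {
        "signed": True,
        "byte_range": last,
        "covered_sha256": hashlib.sha256(covered_bytes(pdf, last)).hexdigest(),
        "unsigned_trailing_bytes": len(pdf) - end_of_signed,
    }


def build_signed_pdf(page_text: bytes) -> bytes:
    """Construct a minimal PDF carrying a signature dictionary (constructed sample:
    no real CMS signature, no xref table, so not a viewer-valid file)."""
    placeholder = b"/ByteRange [" + b" ".join([b"0" * 10] * 4) + b"]"
    contents = b"/Contents <" + b"00" * 32 + b">"  # 32 zero bytes stand in for the signature
    pdf = (
        b"%PDF-1.7\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Page /Contents (" + page_text + b") >>\nendobj\n"
        b"3 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached\n"
        + placeholder + b"\n" + contents + b" >>\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )
    gap_start = pdf.index(b"/Contents <") + len(b"/Contents ")  # offset of '<'
    gap_end = pdf.index(b">", gap_start) + 1                     # offset just past '>'
    nums = [0, gap_start, gap_end, len(pdf) - gap_end]
    # same width as the placeholder, so every offset computed above stays valid
    filled = b"/ByteRange [" + b" ".join(b"%010d" % n for n in nums) + b"]"
    return pdf.replace(placeholder, filled)


def append_incremental_update(pdf: bytes, new_text: bytes) -> bytes:
    """What a PDF editor does after signing: append a new revision, leaving old bytes intact."""
    return pdf + (
        b"2 0 obj\n<< /Type /Page /Contents (" + new_text + b") >>\nendobj\n"
        b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n"
    )


if __name__ == "__main__":
    original = build_signed_pdf(b"Amount due: 100 EUR")  # constructed page content
    edited = append_incremental_update(original, b"Amount due: 100000 EUR")
    print(check_signature_coverage(original))
    print(check_signature_coverage(edited))
```

Running it shows the security-relevant property: the covered digest of the edited file is identical to the original's, so the original signature still verifies, and only the `unsigned_trailing_bytes` count reveals that a later revision exists. A real verifier treats that as a separate warning ("document modified after signing") and must still verify the CMS signature itself, because an appended revision could carry its own bogus `/ByteRange`.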
In our business, the chain of custody (i.e. audit logs and where the software runs) is the most important security aspect. Not one of our bank clients seem interested in digitally signing their documents, or otherwise "baking-in" any sort of non-repudiation aspect at the PDF-level. For their business, non-repudiation is realized as an emergent property between document cold storage, core system records, and exquisitely-detailed audit trails (also committed to document cold storage).
For us, the biggest question that comes up for our customers is the variety of signature specimen we intend to work with and how it will be applied to the final documents (the ones the bank would take to court):
1. No signature captured at all.
2. Signature captured using adoption of a machine-generated specimen.
3. Signature captured using touch, mouse or stylus.
4. Signature captured using a paper specimen & CCD.
5. Actual wet signature on paper with in-person presence required.
Option 1 seems to be the most popular with the latest wave of online banking products. Option 3 is the happy path for our in-branch product, but we have some cases fall into the Option 5 bucket as well - typically only when all signers cannot be present simultaneously for non-consumer accounts.
Depending on the liability associated with the customer/account combo, the required quality of the signature specimen could vary. Some of our customers will allow for basic consumer accounts to be opened with minimal backing documentation because the limits on those products are relatively low (and relative volume is VERY high). For business customers & accounts, we are in a completely different universe. You take that stuff a lot slower. Businesses are typically much more understanding when you say you can't give them an active account right now.
The most important foundation to all of this is Know Your Customer (KYC). That entire process is designed to ensure that whoever you are pulling into the core system is exactly who they say they are, so that all subsequent business with that individual can be correctly attributed to the appropriate natural person. Once you have a 'hardened' customer information file, you can start to do scary business because you are now reasonably-confident you could win in court.
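Both the first comment in the thread (an eSign platform's value is the logged open/sign events) and the comment above (non-repudiation as an emergent property of audit trails committed to cold storage) rest on the audit log itself being trustworthy. The following is an added example, not DocuSeal's or any bank's code: a tamper-evident audit trail in which each event is linked to the previous one by an HMAC, so an edited or reordered entry is detected, and the head value can be committed externally so a truncated log is detected too. The events, key, addresses and timestamps are all constructed.

```python
import hashlib
import hmac
import json

# Constructed key: in production it lives in an HSM/KMS, separate from the log store
LOG_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64


def _canonical(entry: dict) -> bytes:
    """Deterministic encoding so the same entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _entry_mac(body: dict, key: bytes) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_event(log: list, event: dict, key: bytes = LOG_KEY) -> dict:
    """Append one audit event, linking it to the previous entry's MAC."""
    prev = log[-1]["entry_mac"] if log else GENESIS
    body = {"seq": len(log), "prev_mac": prev, **event}
    entry = {**body, "entry_mac": _entry_mac(body, key)}
    log.append(entry)
    return entry


def head_mac(log: list) -> str:
    """The value to commit outside the log (cold storage, a timestamp, the final PDF)."""
    return log[-1]["entry_mac"] if log else GENESIS


def verify_log(log: list, key: bytes = LOG_KEY, committed_head=None) -> tuple:
    """Return (ok, detail). Detects edited or reordered entries; with a committed head
    it also detects truncation, which a bare chain cannot see."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_mac"}
        if body.get("seq") != i or body.get("prev_mac") != prev:
            return False, f"chain broken at entry {i}"
        if not hmac.compare_digest(entry["entry_mac"], _entry_mac(body, key)):
            return False, f"entry {i} modified"
        prev = entry["entry_mac"]
    if committed_head is not None and not hmac.compare_digest(prev, committed_head):
        return False, "log truncated or head mismatch"
    return True, f"{len(log)} entries verified"


def build_sample_log() -> list:
    """Constructed events resembling what an eSign platform records for one document."""
    doc = hashlib.sha256(b"constructed contract bytes").hexdigest()
    log = []
    append_event(log, {"event": "document.sent", "doc_sha256": doc,
                       "actor": "sender@example.com", "ts": "2023-06-01T09:00:00Z"})
    append_event(log, {"event": "document.opened", "doc_sha256": doc,
                       "actor": "signer@example.com", "ts": "2023-06-01T09:12:41Z",
                       "ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (constructed)"})
    append_event(log, {"event": "document.signed", "doc_sha256": doc,
                       "actor": "signer@example.com", "ts": "2023-06-01T09:14:02Z",
                       "ip": "198.51.100.7", "user_agent": "Mozilla/5.0 (constructed)"})
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    committed = head_mac(sample)          # what would go to cold storage
    print(verify_log(sample, committed_head=committed))
    print(verify_log(sample[:-1], committed_head=committed))  # dropped the signing event
```

The design choice worth noting is the keyed MAC rather than a plain SHA-256 chain: with an unkeyed chain, whoever can write the log store can rewrite every entry and recompute the chain; with the key held elsewhere they cannot. Committing the head externally (or to a timestamp authority) is what turns "the log is internally consistent" into "the log is complete as of that moment", which is the property a court would actually ask about.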
We have 2FA, email verification and other processes to verify that the document is signed by the same person that received the email for signature requests. This level of security is sufficient for simple signatures and applies to most businesses. Some specific industries might require advanced signatures to where the signer needs to submit their ID to verify themselves before signing. These types of signatures are usually very expensive and only apply to certain industries.
They did take off, it's just hiding really well, because the digital (as opposed to electronic) part of the signature isn't a feature you pay for, it's an implementation detail you are not supposed to care about.
For a start, PDFs only /look/ simple.
The PDF format is Byzantine and very few viewers implement all of it.
Making a PDF editor is much, much worse, and the market of people who need to modify, rather than generate or view, PDFs and who can pay for an alternative rather than have their company use Adobe seems to be quite small.
I'm not sure what you define as "viable". Firefox and Chromium both have built-in PDF readers, and I believe both now allow at least basic form filling. Okular is another open source PDF reader that allows for filling and even annotations that can be used to sign a document.
I really dislike services that claim they'll be free forever. There is no infinite growth, so you'll never get a sustainable business with a service that's free forever.
I am not very familiar with the e-sign space. But can't you just create a signature certificate with any name you want [1] to sign [2], only verifying PDF integrity? Which means that if you want a custom trust chain (you choose who to issue certs for) for verified signers, you have to roll your own certificate solution, which these kinds of products wrap nicely.
The management and tracking of the documents presumably. You can sign a doc yourself but how do you manage keys? Where do you store the doc for auditing etc.
We are eIDAS first level compliant. For the US, we follow UETA and the ESIGN Act by satisfying Record Retention and collecting/generating Audit Trails. Please feel free to peruse our compliance page on our website.
We like to give our customers several options to cater to different levels of technical skill and size of the business. Many of our customers are less technical and choose not to use the open source so the free cloud tier gives them a great entry point to try us out.