[HN Gopher] Docuseal: Open-source DocuSign alternative ___________________________________________________________________ Docuseal: Open-source DocuSign alternative Author : thunderbong Score : 488 points Date : 2023-07-20 10:04 UTC (12 hours ago) (HTM) web link (github.com) (TXT) w3m dump (github.com) | saqadri wrote: | Just today I was forced by Docusign to pay $45/user/mo in order | to continue using the service for a single document I had to send | out for signatures. Seeing this pop up on HN right after feels | really nice. The cloud-hosted version seems to be very simple to | use, so nice job on this. | | Like some of the other comments pointed out, the key element here | is trust -- in the 3rd-party platform collecting signatures, and | in the confidence that it cannot be manipulated. These are | solvable challenges, but calling that out explicitly in your | documentation and website copy will help convert skeptics, or at | least convince them to give it a try. | judge2020 wrote: | DocuSign is free for 3 signatures a month - did you need more | or were you using more advanced features? | wintermutestwin wrote: | https://www.docusign.com/plans-and-pricing | | Looks like it is $10/mo for 5. I don't see free... | judge2020 wrote: | They don't advertise it, but if you start the trial then | cancel, it'll downgrade you to the free plan. The features | are limited - you have to upload every time and recreate | the fields every time, but it works for occasional use. | saqadri wrote: | There was a free trial period that expired, and there was no | free option for additional documents that required multiple | signers. | judge2020 wrote: | I think you just got hit by their marketing page that hides | the fact that there's a free plan. I'm on the free plan and | I was able to send out a document with three signers. https | ://rr.judge.sh/Screenshot%202023-07-20%20at%201.03.45%E... | o1y32 wrote: | Signing documents online is not a technical problem but a | business and legal problem. DocuSign and other commercial | companies have a business not necessarily because they have any | unique technology or the best user experience (they often do), | but because they handle all the complex stuff around signing | documents. | | A reality many people don't see is that many commercial companies | really have the expertise in certain areas and have the resources | to handle the non technical side of things, at least much better | than open source communities. Similar to "open source tax filing | software", I'm afraid this is another example of people thinking | open source solves every problem. I for one don't see myself | using any of such tools unless they are actually reliable, | competitive and trusted by many corporations and individuals. | TedDoesntTalk wrote: | > I for one don't see myself using any of such tools unless | they are actually reliable, competitive and trusted by many | corporations and individuals. | | People said the same in 1999 for online banking. | | "According to research by Online Banking Report, at the end of | 1999 less than 0.4% of households in the U.S. were using online | banking. At the beginning of 2004, some 33 million U.S. | households (31%) were using some form of online banking. Five | years later, 47% of Americans used online banking, according to | a survey by Gartner Group" | | https://en.wikipedia.org/wiki/Online_banking#Internet_and_cu... | sizzle wrote: | Docusign legal team is probably foaming at the mouth after seeing | this. Godspeed OP | Alifatisk wrote: | Can I redact text too? If not, is there any software close to | Adobe Acrobats functionality? | miniBill wrote: | You can try the latest version of Scribus for editing PDFs | sgc wrote: | I haven't used Scribus in some years. Would the apt version | be good enough, or is there some bleeding edge tech they just | released? | supermatt wrote: | The way a system like docusign works is that it is a (trusted) | independent third party that will verify that the owner of email | address X is the one that "signed" the specific version of an | agreement. | | By self-hosting, you have access to the infrastructure and can | manipulate it to your will. There is no proof that the | counterparty signed anything - you could just manipulate it to | say they did. | | This potential for misuse could make it difficult to enforce your | contract should you be required to do so. | [deleted] | dtx1 wrote: | Not entirely true, cryptographic signatures exist. For example | the EU eIDAS Law allows Advanced Cryptographic Signatures to | basically just be PGP Signed Emails | Nextgrid wrote: | Which unfortunately nobody uses because non-cryptographic | signatures (such as Docusign or this but hosted by an | independent third-party) are considered good enough in | practice. | | Hell, nobody even has a smartcard reader, and as far as I | know none of the eID cards have contactless capability that | phones (who all have NFC readers nowadays) can use. | | I wish smartcards took off and computers included readers as | standard. This would not only solve strong authentication but | also payments (just insert your bank card and do EMV-style | payments with comparable levels of security). | pohuing wrote: | The German eID has had that for years now. And it works | pretty well. Only problem is that nobody uses it because | our processes aren't adapted to it. | | The first time I used it for anything, apart from signing | pgp keys, was to collect 200EUR rent assistance and it | worked flawlessly in 4 minutes. | imdoor wrote: | Latvian eID also provides cryptographic signing, and it's | widely used when communicating with governmental | institutions, because it's mandated by law that they must | accept such digitally signed documents, and they have the | same legal power as regular documents. I believe the | situation in Estonia and Lithuania is probably similar. | Many businesses also accept them but it's not universal. | Foobar8568 wrote: | We do use this type of signatures here but for specific use | cases, generally with administration like bodies, but not | only. Generally speaking, the basic eSign covers 9x% of the | needs. | supermatt wrote: | Yeah, we use them here in Lithuania - but I have never seen | them used for private contracts. | | I'm not even sure how i can use my signature outside the | AWFUL experience that is the government esig portal. | | I dont think they are accessible for non-resident entities | either - i.e. i can only get lithuanian signatures through | the lithuanian portal. | | This likely explains why they arent used b2b as you would | need a separate contract process for foreign and domestic. | awinter-py wrote: | I mean both parties have an email receipt (but then why not | just use email) | | I think the infrastructure need here is extensible messaging. | There are a lot of multiparty flows with notification and | recordkeeping requirements | jsight wrote: | I do wonder about that for self-hosting a service like this. | But how often do actual disputes arise between parties as to | whether a document was actually signed or fraudulently altered? | | TBH, even a contract rests on a certain amount of trust between | the involved parties. | croes wrote: | It's not about how often but about if a dispute arises. If in | that case the signature can't be trusted why signing in the | first place? | somery wrote: | When selfhosting it - it's possible to connect AWS S3 to | store the documents - AWS with S3 logs could be used as a | source of trust to ensure the documents are not altered. | yencabulator wrote: | Nothing prevents the person running the software from | submitting a "bad document" stating anything they want, | with plausible IPs and timestamps etc. _That_ is the | problem. | | A third party like DocuSign is somewhat comparable to using | an escrow company to buy a house. You trust the escrow | company to not steal the money, but you don't have to trust | the seller. You trust DocuSign to not forge document | metadata. | xnx wrote: | TIL that Google Docs has a built-in eSignature capability: | https://support.google.com/docs/answer/12315692?hl=en | | In beta though, so consider that when using. | tiahura wrote: | Adobe Acrobat also has it. | ketanip wrote: | Very nice and easy to use product. Loved that you provided an | live version to try it without any signup wall or anything. | | Also won't DocuSign accuse you of "misleading" their customers by | using a name that is "too similar" to their ? | tyingq wrote: | It does seem on somewhat dangerous ground for "trademark | similarity testing", "consumer perception", etc...with | "docu-<next word starts with S>". | | I'd have gone with "DocSeal" or something that was a harder | break from the "DocuSxxx" pattern. | somery wrote: | Thanks for pointing this out - it actually didn't expect that | because of GitHub and GitLab and i haven't hears any | trademark dispures between them. When Gitlab differs from | Github by only 2 letters - DocuSeal vs DocuSign is already 3 | letters. | | But i think that's a valid concern and i need to better | investigate this - changing the name shouldn't be a problem | when the project is still very new. | tyingq wrote: | Yeah, it's one of those things where there's no definitive | guidance, just loose tests. It's possible, for example, | that DocuSign wouldn't care. | | But, it seems different from GitLab/GitHub since the second | word starts differently. GitHut, GitHow, GitHot, etc, vs | GitHub would be more similar here. | MaKey wrote: | I'd keep the name and not worry too much (I like it). Going | after a small open source project would be bad press for | DocuSign and even if they did, it would be a promotion for | DocuSeal and you could change the name afterwards. | wintermutestwin wrote: | I think the real problem with the name is that there is a | docuseal.co | paulnpace wrote: | > won't DocuSign accuse you of "misleading" their customers by | using a name that is "too similar" | | Docuseal would be the winner with all the free press, and | changing a name costs almost nothing. | tough wrote: | They should make a seal be the mascot | tiffanyh wrote: | These projects never realize that eSign tech is a commodity, the | actual business you are in is creating market level Trust for | your platform. | | Eg if you're a CFO, would you being willing to take the risk just | to save a couple of bucks on a no-name eSign service for all your | sensitive legal & vendor agreements, or use the worldwide Trusted | eSign platform of DocuSign - which has gained acceptance by | regulators as being an authoritative legal signature of | contracts. | hgs3 wrote: | Competition is a good thing and a core tenet of capitalism. If | we don't have competition and regulators are wedding themselves | to one particular business then that means we have a government | sanctioned monopoly. | bob1029 wrote: | > eSign tech is a commodity | | We learned this pretty quickly with our banking products. | Having your own bundled, first-party e-sign features can help | differentiate your product from other vendors, but if the | _only_ thing you are selling is e-sign, they probably won 't | look at you. We do have an in-house e-sign feature in our | product now. We evaluated integration with Adobe & DocuSign, | but their APIs were so far away from what we needed that we | decided to DIY. | | Consider this - what is a bank going to do with raw access to | something approximating docusign APIs? They outsource | everything. Their _vendors_ are the ones who would be consuming | something like this and then reselling it. Getting onto the QVL | for a US financial institution (and staying there) is usually a | monster battle if you are a new kid on the block. | | If you still wanted to market this solution towards US | financial institutions, I'd start with the vendors of those | institutions. Companies like Jack Henry & Associates, FiServ, | CSi, FIS, Harland Clarke, et. al. | somery wrote: | That's interesting that you ended up developing an in-house | document e-signing feature for your product. I'm curious, | would it be possible for you to choose a self-hosted and | open-source solution like Docuseal, integrated with your | product to outsource the complexity and speed up the | development? (if such an option existed back then?) | bob1029 wrote: | > outsource the complexity | | Honestly the bulk of complexity seemed to emerge from the | mismatch between what we thought would be a good e-sign API | and what APIs were actually available. | | The way our product works, we need to have access to the | raw signature specimen at various stages of the signing | process because we have a document generation feature that | dynamically inserts the specimens into the appropriate | fields. Put differently, we don't show the documents until | we first have a signature (and initials) specimen collected | from the e-sign participant. This is basically the exact | opposite of how most vendors work, but our customers | _really_ like it this way. | | We also needed a way to in-line bank-specific e-sign | consent documents into the experience, giving the e-signer | a way to decline consent and have this decline kick off an | appropriate back-office workflow. The other reason we went | in house is we wanted to completely close the loop. After | the last e-signer completes their piece, our product | detects this condition and submits all final documents to | the institution's long-term cold storage system. Getting | _this_ to work with a 3rd party API looked like a total | non-starter to me - We can 't just send the docs right | away. There are time-of-day constraints on when those | systems will be available throughout the week. | | Our e-sign solution ultimately turned into a workflow-style | experience with 6-7 steps. | yencabulator wrote: | > Put differently, we don't show the documents until we | first have a signature (and initials) specimen collected | from the e-sign participant. | | Why would I sign something I haven't seen? | | Businesses & government in USA seems to like asking for | my signature on a little LCD pad, without showing me what | I'm signing. That's absolutely horrible and anti-consumer | behavior. | | (And yes, I do diff DocuSign-style PDFs before and after | the insertion of the pseudosignatures and visible | watermarks, or PDFs from before and after a email-print- | sign-scan-email cycle.) | pottertheotter wrote: | > The way our product works, we need to have access to | the raw signature specimen at various stages of the | signing process because we have a document generation | feature that dynamically inserts the specimens into the | appropriate fields. Put differently, we don't show the | documents until we first have a signature (and initials) | specimen collected from the e-sign participant. This is | basically the exact opposite of how most vendors work, | but our customers really like it this way. | | Can you elaborate on this? Why people would want to have | the signature first before showing the document? | bob1029 wrote: | In our solution, providing the up-front signature does | not construe immediate consent to terms of whatever | hypothetical documents. We have a subsequent review phase | where the customer is expected to confirm each document | meets their expectations (i.e. _with_ their actual | signature on it). Only after confirming all of the | documents is the transaction considered to be completed | and the signed copies taken as official. | | The more complicated answer is that we are serving | e-signatures for business accounts wherein there might be | 10+ authorized signers involved. In these cases, we want | to permit parallel sign completion. To allow this, each | signer gets to view an isolated scope of documents with | just their signature affixed. This also helps to conceal | the signature specimens of other parties until the entire | transaction is considered finalized. If a required party | to an account does not want to participate, then no one | gets to see anyone else's ink. | | At the very end, all participants of the signing ceremony | receive emailed copy of documents that combine signatures | from all participants. | FpUser wrote: | >"Eg if you're a CFO, would you being willing to take the risk | just to save a couple of bucks " | | Typical FUD preached by many online companies to lure | customers. | | Even verbal contracts are enforceable (with the caveats of | course). These will be fine for the most boring cases. The | others are signed with lawyers anyways. | gamblor956 wrote: | _" take the risk"_ | | This is the important part you're ignoring. Yes, verbal | contracts between businesses are binding, but only to the | extent you can actually _prove_ the terms in a court of law. | | Using DocuSign (or similar) is about risk mitigation, | specifically about being able to _prove_ the the contents of | the contract in legal proceedings. | | The risk with being a business that allows for verbal | contracts is that one of your vendors may be unscrupulous and | truly screw you over. And that's a matter of _when_ , not if. | FpUser wrote: | You are suddenly switching from Ducusign vs Docuseal to | DocuSign vs verbal. That was not point of my reply. | gnicholas wrote: | I've never understood how DocuSign mitigates the risk any | more than both parties signing a PDF in Preview (or | similar) and exchanging via email. Doesn't the email part | validate that you are the person signing the document? | somery wrote: | I think that's a valid point - and actually in their | terms of services say that they are not responsible for | the signer authenticity. | | Here is a summary from their TOS: | | "DocuSign provides tools and features that help to | establish the authenticity of a signer, such as email | verification, access code, SMS verification, phone | verification, and knowledge-based authentication. | However, it's important to note that while these tools | can enhance the security and authenticity of the signing | process, DocuSign itself does not guarantee the | authenticity of the signers. The responsibility of | ensuring the identity of the other party lies with the | user" | guideamigo wrote: | You are right. | | Alternative to eSign is to just send PDF documents. And as the | person to add their signature to it. | [deleted] | grokgrok wrote: | If your company has a board and a CFO then sure, go with the | trusted solution. If you're starting a scrappy, modern, real | world business, things like this can help avoid death by a | thousand cuts that is paid microservices. | phrz wrote: | One of the features DocuSign charges a lot of money for is batch | envelopes, like uploading a CSV to fill out fields and send to | different recipients (basically Mail Merge). Is this something | that could work in DocuSeal? | somery wrote: | I was planning to add this week a feature to download csv or | xlsx with all the data from submitted documents (the person | that posted this link on HN somewhat spoiled the release - it | was not be posting this link and wanted to wait just a bit ) | | But I'm sure this can work the other way around - it should be | easy to make it possible to import contacts from csv to collect | signatures and data from the PDF submissions form in batches. | johnfonesca wrote: | Our product Bulksign https://bulksign.com does this, the name | of the product is directly inspired by that feature (sending | same documents for signature to hundreds of recipients). | reisr3 wrote: | What is the bar for a "legally binding digital signature"? Is | this a very complicated topic - or is it quite simple? | | I can sign a PDF with OSX Preview for free. I can pay a bunch of | money to sign with Docusign. Both produce a PDF with a digital | image of my signature. I assume both documents constitute a | legally binding agreement, so long as I actually preformed the | digital signature. What justification do the e-signature SaaS | companies have for their exorbitant prices? I understand the | "audit trail" angle - that's just collecting my IP every time I | interact with the document. | | Is this a big SaaS scam? | V__ wrote: | As always, it depends on the jurisdiction. The EU has the eIDAS | [1] which allows simple signatures such as these for most form- | free-contracts (the majority). There are however some, which | need a digital cert and have to be encrypted. | | [1] https://en.wikipedia.org/wiki/EIDAS | traspler wrote: | And Switzerland ZertES: https://en.wikipedia.org/wiki/ZertES | - There are not normally various levels of trust with afaik | only QES (Qualified Electronic Signature), the highest level | to legally be on the same level as a hand signature. | lolinder wrote: | See the recent Canadian case of the thumbs up emoji signature | [0]. The bar for a legally binding contract is much lower than | what most people believe. The main thing you need is to be able | to prove that the other party actually did express their assent | to the contract. In the thumbs up case, who sent the text was | not disputed, so the issue hinged on whether a reasonable | person would interpret thumbs up emoji as expressing assent. | | [0] https://news.ycombinator.com/item?id=36618650 | lawtalkinghuman wrote: | The legal rules around formality are somewhat complicated. To | give you an idea, here are the broad laws in England and Wales. | | Not a lot of formality is required for most contract signing, | and so long as the other side of a contract is sure that you | signed it, a PDF signed in a standard PDF editor like Preview | is almost certainly fine. | | But if you are making a deed, there are attestation | requirements under s1 of the Law of Property (Miscellaneous | Provisions) Act 1989 - see | https://www.legislation.gov.uk/ukpga/1989/34/section/1 | | If a company is executing a document, it has to follow the | rules in sections 43 to 47 of the Companies Act 2006. See | https://www.legislation.gov.uk/ukpga/2006/46/part/4/crosshea... | | For property transactions, there's still an issue in use of | e-signatures. There's a statutory scheme for "e-conveyancing" | set out in Part 8 of the Land Registration Act 2002 which gives | the Land Registry the ability to set up provision for using | e-signatures for formalities that previously required wet ink | signatures. They never got round to actually implementing this | up until COVID restrictions made it somewhat impractical to get | wet ink signatures so made a temporary change to allow it. When | the COVID restrictions were lifted, they've gone back to the | old practice but have promised that they're totally going to | sort out a permanent solution. Whether they will is another | matter. | | See https://www.gov.uk/government/publications/electronic- | signat... | | I've personally used an iPad with an Apple Pencil to sign and | have attested a (non-company) deed that had to comply with the | LP(MP)A requirements and nobody seemed to have any trouble with | it. | | I suspect the target audience of a lot of e-signature SaaS | products are companies where there are teams managing a lot of | documents being signed across multiple jurisdictions, and | juggling between sales, in-house legal and so on. Most of the | problems those products are solving are likely business process | issues rather than strictly legal requirements. | magundu wrote: | I had same feeling when I build a free tools to unlock the | password protected pdf. It can be easily done with OSX Preview. | Then I see that people who don't have technical knowledge and | tools, they can easily unlock pdf from browser itself. | hellcow wrote: | Docusign makes it easy to collect lots of signatures from lots | of people. That's the use-case from my POV. 1 signature on 1 | doc, use any PDF tool--no problem. When a board needs to | approve 4 docs and you need 5 signatures on each, it needs to | be easy. | | Whether that's worth Docusign's pricing or if there's better | alternatives, up to you. But it's objectively a helpful tool. | haswell wrote: | > _Docusign makes it easy to collect lots of signatures from | lots of people. That's the use-case from my POV. 1 signature | on 1 doc, use any PDF tool--no problem._ | | Collecting lots of signatures isn't Docusign's value prop. | | The value is signature certification, and a proven track | record in court. | | A single signature on a PDF is not technically difficult. The | machinery to reasonably guarantee (edit: verify is a better | word here) that it was _you_ who signed the PDF is the thing | that matters. | | The value increases from there as the complexity of the | document being signed increases. | Canada wrote: | DocuSign doesn't really do anything to reasonably guarantee | that it was any particular person who signed the PDF. Not | that it really matters. If there was something worth suing | over then usually there will be plenty of other evidence as | to who signed the agreement. | | Really the only thing that DocuSign does is timestamp the | actions on the document. In order to get that a self hosted | implementation would need some kind of third party system | to act as a witness. | colechristensen wrote: | Do you _know_ what DocuSign is doing on the backend, what | logs they 're keeping and data they're tracking? | haswell wrote: | They're capturing more than just timestamps. If possible, | they'll associate a signature with a DocuSign profile, | which itself has a history of interactions with DocuSign | servers. They also capture associated emails, IP/browser | info, drop cookies, location data if enabled, etc. | | None of this guarantees Person A signed the doc, but the | point is to systematically collect as much info as | possible to be used if someone _does_ sue, and to check | the boxes that customers need checked in a consistent | manner that they can sell as an effective solution that | stands up in court. | | I'm not saying they're doing anything unique here, but | customers - especially enterprise customers - buy it for | all of these things, not just because it makes | coordinating many signatures easier. | | The typical "no one gets fired for buying DocuSign" adage | applies here. | zokier wrote: | Depends on country how much verification DocuSign is able | to do, and also the higher levels of verification are | opt-in. In some countries it can be backed with fairly | strong auth schemes, in other places stuff like video | calls are used. | | This link has list of different IDs they support in | different countries: | | https://support.docusign.com/s/document- | item?language=en_US&... | tiahura wrote: | Electronic Signatures in Global and National Commerce Act | | https://en.wikipedia.org/wiki/Electronic_Signatures_in_Globa... | | "may not be denied legal effect, validity, or enforceability | solely because it is in electronic form" | jazzyjackson wrote: | > What justification do the e-signature SaaS companies have for | their exorbitant prices? | | They will defend their digital signature in court. | | I was shocked to find these "click here to sign" contracts | manage to do it all without an ounce of cryptography, but the | fact is lawyers don't need cold hard math, they need a warm | body to be a subject matter expert to explain to a jury that | unless you're claiming someone else has access to your inbox, | you're the one that clicked the button. | flaviut wrote: | I'm skeptical--are there any court cases where they've | actually testified about this? | bottled_poe wrote: | Bingo. This is why it's worth paying for. It's more akin to | paying for insurance than paying for software. | doliveira wrote: | Yeah, I find it funny to see technologists being surprised | that in most cases judges won't mind that the signature | wasn't done with quantum-resistent cryptography stored in a | blockchain or whatever. Technical solutions to political | problems... | _jal wrote: | Like anything, but especially in law, the devil is in the | details. Docusign has been rejected by a court before - | | https://www.cryptomathic.com/news-events/blog/us-court- | rejec... | | That was fact-specific and doesn't call Docusign invalid, but | it does demonstrate why simply "using Docusign" might not | save you in a dispute. | gamblor956 wrote: | Not really applicable, in that situation there were local | court rules requiring physical documents and "wet" | signatures (i.e., signed in person with a pen). The UST | specifically noted that absent those rules DocuSign would | have been acceptable. | | Also...the article is from 7 years ago... | _jal wrote: | Of course it is applicable. The Docusign users failed to | use it in a way that would be legally valid. | | If you have a more recent case that seems relevant or | invalidates that result, post it. Otherwise I'm not sure | what being 7 years old has to do with anything. | gamblor956 wrote: | You're attempting to make a mountain of a single | instance, years ago, of an electronic signature being | rejected by a non-judicial officer in a quasi-judicial | proceeding and trying to make it out like a general | policy when it is so rare an exception that no court | _before or since_ has ruled against the consensual use of | electronic signatures by the parties. | | If you have any evidence that electronic signatures can't | be used in court proceedings, and not just in the limited | circumstance of one US Trustee's meeting room, the onus | is on you. | _jal wrote: | > If you have any evidence | | I never claimed I did, and I have no interest in talking | to someone intent on making up weird crap I never said, | so I'm going to ignore you now. | colechristensen wrote: | I had to get a notary to sign my I-9 form for a new remote | job. The process of identity verification involved a | seemingly 19 year old dude looking at my ID and then signing | a piece of paper. | | A website sending you an email and tracking your IP and | keeping a log... seems to be about the same level of trust to | be honest. | yencabulator wrote: | Notaries are personally responsible for any misconduct with | up to a felony criminal case for violations. Including not | sufficiently verifying the identity of the person in front | of them. Sure, most states will just slap them with a $500 | penalty, but they'll also revoke the notary status pretty | quickly. | | I would like to re-emphasize _personally_. It 's not a | business risk, it's a personal liability. | owenmarshall wrote: | Ageism aside, you are describing a system where an | unrelated third party who has experience validating your | state/federal identity documents validated yours, visually | comparing the person presenting the documents to the | picture on the ID, then signed a log in his possession that | he'd testify to in court if needed. | | That feels like a pretty damn good system to me, and far | beyond the system you handwave at. Where's the complaint? | mhrmsn wrote: | I think there's more to that. A proper digital signature | requires you to obtain some certificate/key from an authority | which you can then use to sign documents (this doesn't even | require an image of your physical signature in the document). | This proves that it was actually you who signed the document. | The document also can't be altered afterwards without rendering | the signature invalid etc. | | Just adding the image of your signature to a PDF is probably | fine for unimportant things, but it certainly isn't enough to | be legally binding (at least in the EU). | V__ wrote: | It actually is for most contracts. See eIDAS. | Foobar8568 wrote: | Oral agreement is enough to be legally binding in several | countries in Europe. And most providers can reach what ever | European directives on eSign. | bux93 wrote: | Mostly yes. In the EU at least, the rule is "An electronic | signature shall not be denied legal effect and admissibility as | evidence in legal proceedings solely on the grounds that it is | in an electronic form or that it does not meet the requirements | for qualified electronic signatures." | | However, the burden of proof is higher if you dispute a | "qualified electronic signature". To be qualified, there's no | specific technical requirements, e.g. use of cryptographic | signatures, but you'd need to be certified and registered as a | "Remote QSCD" according to ETSI EN 419 241-2 PP. | | Self-hosting this solution (or using PGP) won't magically make | you a certified QSCD trust provider. You need to convince some | certifying body that everything is nice and safe, which will | mostly involve a lot of paper work and (evidence of) processes | being in place. | pantulis wrote: | > Self-hosting this solution (or using PGP) won't magically | make you a certified QSCD trust provider. You need to | convince some certifying body that everything is nice and | safe, which will mostly involve a lot of paper work and | (evidence of) processes being in place. | | This! Just like a self-signed SSL certificate for a website: | yes, the traffic will be encrypted but you cannot be sure | that the website is who it says it is. | Gasp0de wrote: | How do these electronic signatures work? Is it PGP? Where does | one store the secret (e.g. private key) and how can someone prove | that it is really my signature? | arnley wrote: | What makes docuseal better than documenso, which is in the same | space and also open source? | | https://github.com/documenso/documenso | somery wrote: | Documenso doesn't have all the features that are currently | available at DocuSeal - also Docuseal if free in the Cloud when | Documenso is $30/month | | Afaik the only thing Documenso can do is to place a signature - | when with Docuseal it's possible to create more complex PDF | forms with different field types like file/image/checkbox etc. | | While Documenso looks like an ambitions project - DocuSeal | already appears to be more robust and can become a true | DocuSign alternative with all the features already available | and open-source | wintermutestwin wrote: | >Documenso is $30/month | | WTF? Considering that DocuSign is $25 or even $10 and has the | name and weight behind it, I can't imagine that they are | selling many subs. | KingOfCoders wrote: | The benefit of DocuSign for me is, my clients already use | DocuSign and have no problem using it with me. | lolinder wrote: | Do your clients even notice, though? | | I'm a rare user of these platforms, but all I ever see is that | I get an email with a link to sign something. Sometimes it's | DocuSign and sometimes it's Adobe or something else, but I | certainly don't feel any loyalty towards one over another, and | as a signer, I certainly don't trust the platforms to hold onto | my copy for me. | | It seems that unless you've got clients who are trying to use | DocuSign as their personal document management system, as long | as the interaction flow is essentially the same it should be | fine. | KingOfCoders wrote: | It's usually NDAs they want (an me to provide) to have and | DocuSign is fine with their legal department because they use | it themselves. | | If I can't use DocuSign usually I need to print a PDF, sign | it, scan it and send it back. | insanitybit wrote: | I suggest a new name. `SealDoc` etc. The `Docu` part is going to | cause you trouble imo. | | I would also suggest maybe an explainer about how it's possible. | Specifically, what makes a contract legally binding if it uses | this system? The main reason people use DocuSign/ HelloSign is, | in my opinion, because it feels safe _legally_ to do so. Are | there laws that make it possible for your service to work? | quadrature wrote: | What is the API like ?, is this something I could easily embed | into an application ? | somery wrote: | embedding will be available in August - the ideas is to create | a npm package to bring the PDF document form into apps for | developers | quadrature wrote: | thats awesome. great work developing this! | sandGorgon wrote: | any chance you want to include docsend functionality ? it is VERY | incremental to what you are doing. And a bunch of us would | totally pay for it. | somery wrote: | can you please elaborate what exactly from docsend you'd love | to see available in docuseal? | trallnag wrote: | Last time I wanted to sign a document with the reputation of a | third party I used PandaDocs free tier. Worked fine enough | noodlesUK wrote: | In order for this to be legally useful to users in the EU/UK, | this would need to comply with the eIDAS regulations. I'm not | sure what that entails, but it would be worth looking into. | | A lot of the value of a signature provider comes from it being a | neutral trusted third party. They slap a signature and a time | stamp on a document, and you can get them to testify that the | document existed in a particular state at a particular time. | woodylondon wrote: | As i understood it the difference was esignature (was what this | was providing) and esign was to sign with a digital certificate. | esignature is plenty for most things. | | Docudeal looks really cool and simple! and compared to the crazy | costs of HelloSign, Docusign etc. | | One thing I would say is provide a RestAPI so easy to integrate | into our own applications so we can have the GUI on our side. | somery wrote: | RestAPI integration will be available in August | guideamigo wrote: | Ruby backend in 2023! | victor9000 wrote: | Oof, unfortunately the Alfredo license kills a lot of use-cases | for this project. | somery wrote: | can you please elaborate which use-cases? - maybe that's | something that actually can be possible by splitting some parts | of the project into MIT licensed dependencies? | jstummbillig wrote: | Sweet! The SaaS pricing in this space is insane. Will look into | it. | dcu wrote: | have you looked at zapsign.co? it's a good UX and it's not too | expensive | wintermutestwin wrote: | I just tried it out and it was totally unintuitive how to add | fields to a PDF. I tried to chat with support, but it wants | you to use WhatsApp. (?!) Then I went to their youtube | channel to see if I could see a walk through and every video | is in Spanish. I guess they aren't interested in other geos | like the US. | somery wrote: | Hi everyone, my name is Alex and I'm the creator of DocuSeal. | | I was not happy with the existing mainstream document signing | solutions so I decided to create an open-source alternative. | | I've been working on this project since the middle of May and | here is what the tool can do so far: | | - PDF form fields builder | | - 10 field types available (Signature/Date/File/Checkbox etc) | | - Multiple submitters per document | | - Automated emails via SMTP | | - File storage on AWS S3, Google Storage, or Azure | | - Automatic PDF eSignature | | - PDF signature verification | | - User management | | - Mobile-optimized | | DocuSeal can be self-hosted on-premises or used in the Cloud for | free. DocuSeal was built with Ruby on Rails with a bit of Vue3 | for complex UI parts like the form builder. | | Looking for some feedback and would be happy to answer any | questions | capableweb wrote: | > - File storage on AWS S3, Google Storage, or Azure | | I'm guessing it's just a mistake/miss in this comment, but for | file storage it is also possible to store it locally on the | server right? Otherwise all "editions" are "in the Cloud" yes | or yes, so would kind of defeat the purpose of the self-hosted | version. | somery wrote: | It's possible to use local storage or Aws s3, Azure, Google | Cloud to store files. When storing locally it makes all the | documents 100% owned by you - but in some cases companies | might want to bring a third party files storages to ensure | the integrity of the documents. | | But as was mentioned before in the comments - maybe bringing | AWS QLDB as a third party to ensure the consistency of data | with a local files storages is the best option. This way all | documents can be logged with a third party so they can't be | altered - while to content of the documents won't be shared | with any third party. | michaelmior wrote: | I tested it out briefly and it looks very cool for something | put together within a couple months. One thing that doesn't | seem to work at the moment is automatically recognizing | existing PDF form fields (although perhaps there was a problem | with the specific PDF I tested). | | Being able to quickly import existing forms and then just add | some labels would make things move a lot quicker. | | One other thing that would be helpful is to handle variable | numbers of signatures required. Some documents I have to deal | with have space for many signatures but for any given instance, | only one or two might be needed. Perhaps I've missed this, but | I'm not sure existing templates would handle this case. I think | that ideally a template would contain all the signature fields | but then I can specify which ones are actually required when I | send out the document for signature. | toomuchtodo wrote: | Hi Alex. Would you be interested in help running this as a non | profit like Let's Encrypt, but for digital signatures? I would | be willing to contribute both financially and infra/DevOps/biz | ops to bootstrap. | abound wrote: | I run a small tech nonprofit (see profile) and have also been | unsatisfied with DocuSign and alternatives in the past. I'd | be happy to help if I can be useful here, either with hosting | (and PKI) or with development directly. | somery wrote: | It's hard to say at this point if something like Let's | Encrypt can exist in this space - but I'm for sure going to | continue offering a free Cloud SaaS option with a generous | set of features for document signing. I'd love to chat to | explore more about the potential non-profit solution - please | feel free to drop me a line at alex@docuseal.co | toomuchtodo wrote: | I'll reach out shortly. My thoughts on this are you don't | remain free, but instead charge based on a cost recovery | model. You figure out annual people/tech/admin expenses, | forecast and observe request volume over time, and then | adjust per signing request pricing accordingly (or perhaps | sell buckets of requests to high volume consumers, | contracts ensure smooth cashflow). This enables longevity | and stability of the service (which gives warm fuzzies to | consumers of it), no concern of an acquisition or buyout, | while enabling servers to spin and people to eat. | | TLDR think electric cooperative or similar. You're building | an internet utility/primitive for long term consumption. | 2Gkashmiri wrote: | hey. do you have support for pfx based signatures like jsignpdf | does? | somery wrote: | Currently it's possible to sign documents only using the | autogenerated pkcs7 certificate in self-hosted DocuSeal (it's | done automatically be default). | | But it should be doable to make it work with different | certificate formats to bring your own certificates. | | I'd be happy to explore those options and would appreciate it | if you could open on issue on GH in case you're interested to | have this supported this in the tool. | 29athrowaway wrote: | Does it comply with US regulations for e-signatures? Otherwise, | what's the point to have a signature that is not legally | binding? | | That is the whole point of signatures. Otherwise it is just an | image editor. | somery wrote: | The E-Sign Act grandfathered in existing agreements that | existed digitally prior to Oct. 1, 2000. All agreements after | this date, however, must comply with the following set of | guidelines in the E-Sign Act to be considered legally | binding: | | - Intent to sign. Electronic signatures are only valid if the | involved parties have the intention to sign. Signature | requests can be declined. | | - Consent to do business electronically. Involved parties | must agree to conduct transactions electronically. | | - Attribution. The signature must uniquely attribute to the | individual signing the document. | | - Association of signature with the record. E-signatures must | have a mark on the document from the signer that can then be | associated with the record. | | - Record retention. Electronic documents must be savable, | viewable and printable by either party. | | I think the tool provides all that - usually when working as | a contractor i've been signing documents in PDF viewer and | sending them back via email and that was what my clients | wanted me to do. Tools like DocuSeal are making the process | of signing docs easier than doing it via email. | 29athrowaway wrote: | And how do you achieve this with this? | | How secure is it? How confidential are the records? How | does it guarantee integrity? | somery wrote: | When self-hosting it - it's up for the company that is | using the tool hosted on-premises to ensure that all | their specific requirements are met - i think DocuSeal | provides enough features to make this happen. | | AWS S3 to store documents can be integrated with DocuSeal | to ensure the documents integrity - AWS services have | their own logs that can't be altered and so can be used | as a source of trust. | | And to ensure that the document was signed by a real | person companies can include photo attachments into the | documents signing process (this could be a photo of an ID | card or a selfie) | 29athrowaway wrote: | Then it is the most toxic thing you can ever self-host. I | will gladly pay any company to get all the liability on | my behalf. | | This is the "I have a friend that does it cheaper" of | e-signature solutions. | wintermutestwin wrote: | I am involved with two nonprofits that need to have an easy way | to get many non-technical people to sign a document. Each is | paying for their own DocuSign account. The thing is, they only | need to do 6-12 documents per year each, so the cost per | document is insane. | | Testing it now with fingers crossed and hoping that the cloud | version sticks around. | wintermutestwin wrote: | Darn. I created a document, setup the info for three sigs, | added the recipients emails and then it was unclear how to | push it out. I guessed at "Submit it yourself," which | required me to add my email so I used the first recipient's | and then it opens the doc for me to fill out. It asks for | full name and then when I submit, "next" just keeps spinning. | FWIW, I am running FireFox with UBO, etc. | | This is really important to me, so I'd be glad to work with | you to troubleshoot and provide detailed user feedback. | somery wrote: | The emails are automatically sent to the recipients after | you submit the modal window to add them (there should be | 'SENT' status displayed next to their emails) | | Regarding the form issue - it looks like some js client | side bug - i'll try to investigate this. | wintermutestwin wrote: | I was going to try it with Safari, but it didn't recognize | the account that I created earlier in FF... | 1equalsequals1 wrote: | Looks like great work for a 2 month project | somery wrote: | Thanks | cyberax wrote: | > Looking for some feedback and would be happy to answer any | questions | | It would be great if you could add support for AWS QLDB. It's | an immutable blockchain database (basically, "git with an SQL | interface"), and you can periodically "stamp" it by notarizing | its hash with one of the public blockchains. | | This way you can guarantee that the records are going to be | immutable and unalterable. | somery wrote: | thanks, i think that's an interesting space to explore. there | were many comments regarding the 'consistency' of the | data/documents so solving this 'trust' issue especially when | selfhosting it is really important | V__ wrote: | This looks great. What's the best way to contribute a | translation? | | I think a great feature would be an email with a confirmation | link after the pdf gets signed to ensure the owner of the email | was the person who signed the document, if the link share | option is used. | btown wrote: | This is amazing work, and this space desperately needs an open- | source solution! | | The signing experience could use some polish, but it's well on | its way. A few things: clicking a signature field immediately | opens a file upload despite the very functional draw-your- | signature canvas. Focusing to type into a field scrolls the | page not so the field is in view, but so it's at the top of the | viewport, which prevents the reader from seeing the paragraph | of context above the field. And minimizing the bottom panel | where you type fields should be unminimized if you click | another field, otherwise it can cause non-technical users to | feel "stuck." Oh, and in terms of demonstrations, the demo PDF | should likely be a (fake) legal contract of some sort, to show | off how things can be positioned in a realistic document! | | If there's one thing I'd suggest you implement, though, it | would be the ability to embed the signing interface in an | iframe whose URL can be parameterized to prefill values via the | query string, e.g. following https://helpx.adobe.com/sign/adv- | user/web-form/url-parameter.... (Oh, and postMessage to the | parent page when signing is done so the interface can react to | that!) | | So many real-world workflows can be handled with a simple | wizard that pre-populates a PDF to sign, with the values from | that wizard. But most of the solutions out there charge an arm | and a leg for this, with large minimum order sizes and even | charging for the view even if the user doesn't complete the | form! Not to mention that letting people self-host, thereby | avoiding third-party cookie issues, makes things significantly | more accessible. | | Really looking forward to how this progresses! | somery wrote: | Thanks for the feedback! All your UI suggestions/fixes make | sense and will definitely be brought into the the tool soon! | Also I like the idea of using some 'fake' legal document for | the demo. | | Regarding the iframe - i've been thinking about creating an | npm package for better integration with the host app - but | maybe giving an option to use iframe should be available as | well for companies that don't have developers to implement a | better integration with the npm package. | dtx1 wrote: | Hi Alex, | | what a great idea, thank you very much. Two years ago I was | evaluating different signing solutions for the company I worked | with and there were two killer features that forced us to go | with docusign since at the time they were the only ones really | supporting it: | | 1. Relaying of Submissions to other Signers | | We often found that we needed to get a Signature from someone | at another company. However, we couldn't a priori say "Person X | has to sign it". Often we had a contact person that would help | us navigate the internal structure of the other company and | relay the signing to that person. Docusign has the ability to | allow us to say this person we know can decide who has to sign | this document, even if we don't know that person. No one else | at the time supported that use case. | | 2. Qualified Electronic Signatures | | So... Here in Germany our Government has some kind of Angst | (might call it german angst) of anything digital. A Handwritten | signature on a piece of paper is held in such high regards that | the digital equivalent (qualified electronic signatures) | require a video ident workflow with a passport held into the | camera and so on. This has to be done via a third party service | that takes like 15-20 Euro per validation. I know it's insane. | There's a reason that theres no german silicon valley... | Anyway, there are many situations where this level of | validation is required by law. | | Just my 2cts after dealing with this issue here, I think 1. is | something you might look into implementing, cause it's a use | case that might come up more often, 2. is just really annoying | for everyone. | rkagerer wrote: | I'm interested in reading more about #2, can you provide a | source? | | https://www.docusign.com/products/electronic- | signature/legal... doesn't mention anything about videos or | passports. I could see how that might be one means a third | party has chosen to collect proof of intent, but haven't | found anything legally mandating it. | zokier wrote: | https://support.docusign.com/s/document- | item?language=en_US&... | | This describes how docusign uses video identification for | document signing. | | > If they request qualified signatures, you must verify | your identity with the IDnow video service after selecting | the SIGN button. | | Signicat, another document signing service, uses WebID to | do video verification | | https://www.signicat.com/identity-methods/web-id | | > The WebID service VideoID provides call-center | functionality, where trained support agents can verify the | validity of the provided identity papers and ask security | questions to the end-user during a live video call. | dtx1 wrote: | This may be german law specific, the overarching EU | Legislation can be found by googlign "qualified electronic | signature". | | In general they require complete, verified cryptographic | signatures via smartcards or similar but because no one | uses it, videoident has become the defacto alternative in | germany | V__ wrote: | That's a misconception. Most contracts or form-free and | can be made by handshake if one wants to. There are | however some exceptions, which require either physical | signatures or the qualified signatures as declared by | eIDAS. Those exceptions are some employment contract and | most things related to banking. | | The need for identification over video, etc., has more to | do with the know-your-customer laws. | bestham wrote: | Most physical bearers (smart card or similar) of a | Qualified Certificate are issued in person or based on a | known identity. Here there is no need for remote | identification before the issuance of the certificate. | | What you are talking about is a "remote signature | service". Such a service will often onboard a user | remotely using a physical ID, video and liveliness checks | and give them the credentials to produce advanced or | qualified electronic signatures with the service in | question. These credentials have to meet LoA Substantial | or High for a QTSP to be able to issue a QC to a user. | Most remote signature services use very short lived | certificates (10-15 minutes) that are created for every | signature the user produces. (As opposed to the long | lived certificates of several years for a physical card). | | Germany have to follow the eIDAS-regulation as a member | state of the EU/EAA. But what level of signature is | needed for what transactions is not regulated in the | eIDAS. | FpUser wrote: | Thanks for nice work. Will be checking it out and most likely | using IRL if works as advertised. | Bilal_io wrote: | Thank you for creating this and making it open source. | | What mechanism(s) is used to ensure non-repudiation? | | I appreciate that the demo is not behind a sign up wall, but is | account creation and email verification required for invitees | to sign any documents? | | Are IP addresses stored as part of the digital signature? | | Any other mechanism? | somery wrote: | IP addresses and browser User Agent strings are stored for | each signature/submission - those are the only measures for | 'non-repudiation' currently available. | | but i think it doens't differ from other mainstream SaaS | solutions - if you read through their terms of services - | they put 'non-repudiation' liability on users of their | services | rgarcia wrote: | Another method you might consider implementing would be | identity verification via SMS code. I've experienced this | with docusign: https://support.docusign.com/s/document- | item?language=en_US&... | | It requires you to know the phone number of the signer, but | for important stuff you typically do. | dtx1 wrote: | Those are both unfortunatly trivially faked | infogulch wrote: | And yet it's the standard practice for normal people. | dtx1 wrote: | From my research this has 0 legal validity, at least in | germany in regards to the EU eIDAS. They are just smoke | and mirrors for companies to make them "feel" secure but | without cryptographic ensurances (Advanced Electronic | Signature) or TLS like Signed Cryptography (Qualified | Electronic Signature) this is just as legally binding or | not binding as an E-Mail | etothepii wrote: | Unless you are a qualified lawyer it would be polite to | begin a comment like this with IANAL. | | IANAL but in the common law world a contract requires 3 | things: | | * Offer and acceptance | | * Consideration (something of value) | | * An intention to form legal relations. | | Acceptance is, of course, what a signature signifies. | Acceptance is "a matter of fact" and thus in reality | pretty much anything will do. | TheNewsIsHere wrote: | Yeah, it's not like in the spirit of the law you can | perform your part of the contract and then get away with | saying "I never agreed". | | In the US, we have a federal law that covers electronic | contract signing. I believe it's part of the UCC? (I'm | not an attorney, and that area isn't one I practice with | in tech either.) | V__ wrote: | > just as legally binding or not binding as an E-Mail | | Which is legally binding. In Germany most contracts are | free-form contracts (Formfreiheit) and only need | declarations of intent in the form of offer and | acceptance. This can be a handshake or even a head shake. | infogulch wrote: | Or perhaps even an emoji reaction in a text chat, as | described elsewhere itt. | jsight wrote: | Signatures are pretty easy to fake too, because basically | noone verifies them. | | In practice, the security involved only has to reach the | "good enough" threshold and not a 100% hack proof level. | hkhanna wrote: | One of the tough things about a party-controlled, self-hosted | e-signature is that it becomes easier to repudiate because a | party to the contract has custody of the platform. | | The non-custodial party can claim they never signed, and when | the custodial party produces evidence of IP address and | timestamp, the non-custodial party may have a credible | argument that they are faked and the person asserting those | authenticated details has the motive and means to fake them. | | That argument is much harder to assert with something like | DocuSign because it is unlikely DocuSign would put their | business on the line to fake someone's signature. | | I'm not saying repudiation based on custody of the | e-signature platform is a winning argument, but it's | something to consider before self-hosting if you are going to | use the platform to sign your own contracts. | dboreham wrote: | If only someone would invent a public nonrepudiatable | ledger. | yencabulator wrote: | The problem is that it would require _everyone_ to | monitor the ledger for falsified versions of their own | signature. That works a lot better in the world of | Certificate Transparency where Google can scan for | google.com registrations. It does not scale well to every | human being doing that, or outsourcing it. | | The fundamental challenge here is that there's no way to | tell, based on a the signature alone, which signatures | are "valid" and which are "forged"; they're not | cryptographic signatures. And getting cryptographic | signatures for lay people is apparently too hard to do, | outside of Estonia's digital citizenship initiatives. | | It might be neat if the big guys agreed on an OIDC | extension that let you piggyback text to be affirmed by | the user. Cryptographic proof that jane.doe@gmail.com saw | text with hash H at time T and chose "Accept". | ooterness wrote: | Like a chain of blocks? Where each block is signed by | adding a prefix that produces an increasingly difficult | hash? | yokem55 wrote: | It could probably be done with a merkle based signature | log that whoever is hosting the service could provide. | | To cheat, the party hosting it would probably have to | forge signatures for everyone after the disputed | signature. | yencabulator wrote: | As long as we're talking about non-cryptographic- | signatures, the party hosting the e-signing software can | claim any signature to have happened at any time. The | whole point was DocuSign would be _unlikely_ to do this. | shmichael wrote: | I have Zero Knowledge about this topic | snapplebobapple wrote: | someone should combine a chain of blocks for identity | management with one for financial transactions/tokens and | one for signature attestation. We could call it the cube | chain and usher in web 4.0..... | cseleborg wrote: | Wait... You're talking about Git, right? Brilliant idea! | You could sign a pull request, and once it's signed, you | can then merge the businesses. But how do you show a diff | of the signature? And what if it's not for a corporate | merger? | TheNewsIsHere wrote: | That's just crazy talk. Corporate mergers are the only | transactions there are! | xur17 wrote: | But what keeps someone from forking your git repository | and insisting that their HEAD is the source of truth? How | can we get a globally agreed upon source of truth? | lesuorac wrote: | > That argument is much harder to assert with something | like DocuSign because it is unlikely DocuSign would put | their business on the line to fake someone's signature. | | This seems like the claim that the USG will be unlikely to | put it's Military on the line so they won't leak any tank | designs on discord. | | Happy to concede that the CEO of DocuSign wouldn't do this | but surely some 15$/h employee doesn't have that same | opinion. | mc32 wrote: | The support person should not have that kind of access | without auditability and traceability. Even Sundar should | not be able to log into a console and read your emails | either. | lesuorac wrote: | Sure but that's a different argument than the one | presented above. | mc32 wrote: | Someone implied that counterfeiting a sig or altering | one, etc. was just as easy in Docusign as it would be | with on on-site one-party controlled system. It just | isn't. | rodolphoarruda wrote: | Hi Alex. First of all, congratulations. The product looks great | for a 1.5 month worth of dev work. Impressive. | | Is it possible at the moment to send signature requests via | WhatsApp? (even at a cost per send) | somery wrote: | It's not possible at the moment - but i've been planning to | add this feature to use phone number and text messages | (including WhatsApp) as a second layer of authorization when | signing docs. Stay tuned! | WirelessGigabit wrote: | If it's a US phone number, you can send an email to the phone | number: | | E.g. for T-mobile it is @tmomail.net. | gamblor956 wrote: | _can be self-hosted on-premises_ | | This kills it as a viable alternative to DocuSign. The point of | Docusign is that it is an _independent third party_ that | maintains custody of the signed contract and proof of | acceptance (i.e., digital signatures) by all parties to the | contract. | | A self-hosted digital signature system isn't worth anything in | court; the other parties will simply reject the authenticity of | any data held within it and the amount you'd have to spend to | get that data into evidence would probably pay for several | centuries of DocuSign's enterprise edition. | | That being said, the cloud-hosted option seems viable as a | competitor for Docusign if it's offered by you/your | organization as a service, and could provide financial support | for continued development. | somery wrote: | >A self-hosted digital signature system isn't worth anything | in court; the other parties will simply reject the | authenticity of any data held within it and the amount you'd | have to spend to get that data into evidence would probably | pay for several centuries of DocuSign's enterprise edition. | | When self-hosting it - you can integrate it with AWS s3 Azure | or Google Cloud files storage - those are the trustworthy | third parties that provide the entire history of logs to | ensure that the documents were not altered and signed at | specific date/time with the specific content. | | So bringing cloud storage providers as a thirdparty when | self-hosting will bring enough evidences to the court to | defend the signed documents. | Karunamon wrote: | Definitely going to formally evaluate this; it looks | straightforward enough to administer and prices outfits like | Docusign charge are just north of silly. | rkagerer wrote: | It's great to see fresh efforts being made in this space. I | categorically refuse to use DocuSign, due to objectionable | clauses in their Terms and Conditions ( | https://www.docusign.com/legal/terms-and-conditions or | https://archive.ph/y27U4). Some examples are below. As far as I'm | concerned _nobody_ should agree to use their service. | | Unfortunately DocuSign has monopolized electronic signatures in | some contexts (examples from my own local experience: healthcare, | real estate), to the extent that it's become exceedingly | difficult to request a simple PDF to print, hand-sign, scan and | return. Such friction is common at companies who outsource their | paperwork to third party workflow providers. I'm fortunate that | folks I do business with tend to want my signature badly enough | to escalate to someone with authority who can make a procedural | exception, but I doubt everyone is so lucky and suspect many | users are effectively "bullied" into accepting the Terms | regardless of their wishes. | | Clauses I find objectionable include: | | - various consents to analytics, including use of my data to feed | their machine learning (might have been more palatable if they | provided some insight and stronger confidentiality assurances) | | - 2.1.1 waiver of jury trials and class actions | | - 8 indemnification (a and e are a little broad, I'm not going to | pay for your lawyers in circumstances that don't warrant it) | | - 9.2 is unfair; any damages caps should be reciprocal | | - confusing and possibly overly-broad intellectual property | rights clause 1.1 (they should explicitely restrict their | protections to only DocuSign's IP, not "all IP"). | | - They expressly disclaim any warranties regarding accuracy, | quality, fitness for purpose or that information they provide | will be error-free. That feels dangerous in the context of | forming contracts. A fundamental value proposition of their | business is accuracy ("Oops we made a mistake and actually your | counterpart did not really sign the document..."). Liability here | falls back to the parties, and as a consumer I refuse to be | liable for their mistakes. | | - Nor am I a fan of increasingly common clauses along the lines | of "we can modify our terms at any time and you'll be deemed to | accept the revisions" or "you further agree to any other notices | we might choose to inject elsewhere onto our site" or vague | expectations I consent to additional third party licenses not | disclosed at this time (and ironically some of their preamble | along these lines seems to be in conflict with 10.8). If you and | I agree to something, then later you want to change your mind, | you'd better come back and seek fresh consent. If you're making | changes so often as to make that annoying and inconvenient, then | it's a sign you have too many salaried lawyers on staff and need | to replace them with a team empowered to stop wasting my time and | yours and get this right the first time. Customer attention is a | precious resource, and companies sending out legal updates on a | frequent basis can't possibly in good faith expect consumers to | keep up with reading them. | | - I take offense to their Terms page making connections to | Twitter, Facebook, Salesforce, Google analytics, etc. and | subjecting me to cookies prompts. All this is _not_ required to | simply provide me with your terms of use, and somewhat | inappropriate seeing as I haven 't yet consented to anything. | | These are off their current website, but I recall similarly | problematic terms the last time I started (and subsequently | abandoned) a signature attempt some years back. | | And don't even get me started on their Privacy policy. (Among the | various problems... nobody should have to "opt out" of their | personal data being sold to other parties). ___________________________________________________________________ (page generated 2023-07-20 23:01 UTC)