Vendor Questions. esignatures Request for information - RightSignature




Vendor Questions

1. Legal Compliance Questionnaire

This section corresponds to legal requirements as outlined in the CSIO esignatures Advisory Report prepared by Fasken Martineau LLP.

1. Signing Ceremony

1.1 Describe your solution's signing ceremony (how does the signing process work, including authentication, signing the document, and delivery of the document).
Response: RightSignature offers an unrivaled, elegant user interface for filling out and signing documents with a singular focus on ease-of-use and intuitiveness for critical, large-scale business-to-business and business-to-consumer signing deployments. Our system is 100% platform-agnostic: Mac-friendly, no downloads, no plug-ins, not PDF-dependent, not Flash-dependent and is fully functional across all browsers including Internet Explorer, Firefox, Safari, Chrome, and Opera. Electronic Signatures by RightSignature is a differentiating factor for companies in competitive markets, as the RightSignature brand symbolizes best practices in e-signatures, ease-of-use, and ironclad legal validity. Our proprietary algorithm captures speed and timing of a handwritten signature and our multi-factor authentication portfolio, including tamper-proof audit log, records a range of data unique to signing the event. Documents are delivered via email, via the API or they can be downloaded from the RightSignature User Dashboard.

2. Consent

2.1 How does the solution prove that consent to use electronic means for both signatures and ongoing delivery of information was provided by the user?
Response: By signing Members are consenting to the use of an electronic signature. There is language contained within the signature box that states by signing that users are agreeing to the contents of the documents as well.

2.2 How does the user indicate acceptance (i.e., click a button, provide a signature, etc.)?
Response: Both

3. In Writing

3.1 How does your solution provide access to documents?
Response: All parties who are involved in the signing process may access documents online at RightSignature or simply retrieve them from their personal email.

3.2 How will documents be stored?
Response: RightSignature user data and documents are stored in our data centers.

3.3 In what form will documents be stored?
Response: pdf

3.4 Are the servers located in Canada?
Response: No

3.5 How is access to a document determined/permitted?
3.6 When will access be granted to each contracting party and for how long?
Response: Users are notified via email that a pending document is pending and requires their review. Users access the document on any internet-connected device by clicking on the signer link (a URL) that is embedded in the email notification. Repeat signers can also access signature pending documents from their RightSignature dashboard. Document expiration is set by the sender up to 30 days.

3.7 Access to the documents if user wants to change providers/no longer uses provider?
Response: Data is archived into perpetuity and always available to users.

3.8 Backup/disaster recovery plans?
Response: RightSignature's Business Continuity Management is of the highest standard.

4. Original Copy

4.1 Will each contracting party (including any assignee) be able to access, retain, use, print and store a copy of the documents?
Response: Only fully executed documents (and the original) may be downloaded. Partially signed documents are not downloadable.

4.2 How is document integrity assured?
Response: RightSignature utilizes a proprietary multi-factor authentication portfolio, provides appropriate consumer document access, and maintains a tamper-proof audit log. RightSignature signing events are in full compliance with and exceed standards established by ESIGN and UETA legislation.

4.2.1 How does your solution prevent changes to the document content that may occur on communication, storage and display?
Response: Web displayed documents are an image and encrypted.

4.2.2 Can the document (look/file type/content) be altered during its lifecycle?
Response: Data may be added to data fields where requested by sender, but NO, data cannot be amended or altered

4.2.2.1 Who will have the ability to do so?
Response: No one

4.2.2.2 What security measures prevent unauthorized modification?
Response: Documents are protected

4.2.2.3 How are changes to the document tracked through its lifecycle?
Response: The audit log

4.2.3 Will there exist a single authoritative copy of the electronic document that is unique, identifiable and unalterable?
Response: The original document is viewable but cannot be amended. Users may only produce copies.

4.2.4 Can this authoritative copy identify assigned parties as the owner or secured party with a security interest therein?

4.2.5 How can the authoritative copy be distinguished from other copies?
Response: The original document is viewable but cannot be amended. Users may only produce copies.

4.2.6 How does the authoritative copy mark changes as authorized or unauthorized?
Response: Pdfs can be hacked. What matters is the chain of custody

4.2.7 Who owns the final document?
Response: All parties involved in the signing of a document have an equity stake per e-signature law.

4.2.8 Is it possible for the electronic vendor to sell, provide or otherwise use such electronic document without the owner's consent?
Response: RightSignature does not have the authority to sell or use documents or user data.

5. Contract Formation / Electronic Form

5.1 What opportunities will the contracting parties be given to review the contract before submitting?
Response: There is a preview page available to senders. Signers can review the entire document (just as they would any pdf or word doc) prior to signing.

5.2 If a mistake is found, how can it be fixed prior to submitting?
Response: Editable fields can be changed, the underlying document cannot be changed.

5.3 Does the solution have notification procedures that allow contracting parties to contact each other and/or your company so that an error can be fixed?
Response: Parties may contact one another through email or by phone.

5.4 Does the solution allow the publisher to impose an expiration date on the document, after which it will no longer allow recipients to sign?

6. Timing and Receipt of Electronic Document

6.1 How does the any contracting party or assignee become aware when documents have been sent / viewed / signed / finalized? When it is not delivered?

7. Electronic Signature

7.1 How will the digital signatures applied by parties to the contract meet the definition of an electronic signature?
7.1.1 How does your solution generate electronic signatures? (i.e., what standards are used as part of the process?)
7.1.2 How is the electronic signature linked with the document?
7.2 Is your solution flexible with regards to technological advances and future legal requirements concerning electronic signatures as they arise?
7.3 How may a contracting party provide a signature (e.g., scribe, click, etc.)?
7.4 Does your solution support multiple signatures within the same document from multiple parties?

Responses:
Recipients (signers) receive notification via email. Senders can see if the document has been reviewed (or not) and signed. Non-deliverable (bounced emails) can be corrected within the system
RightSignature only offers e-signature. We do not offer PKI.
RightSignature captures an authentic handwritten signature on each document. Most consumers sign in a web browser using a mouse or laptop trackpad, or if they are using a touchscreen device, they may sign using a stylus or their finger.
Through an identifier called a GUID - A Globally Unique Identifier is a unique reference number.
Biometric handdrawn signature, type-to-sign, sign via fax, sign via mobile, sign via webcam
yes

8. Authentication

8.1 How can it be proven that the documents are contracts entered into by the contracting parties (e.g., email, SMS, etc.)?
Response: RightSignature utilizes a proprietary multi-factor authentication portfolio, provides appropriate consumer document access, and maintains a tamper-proof audit log. RightSignature signing events are in full compliance with and exceed standards established by ESIGN and UETA legislation.

8.1.1 How and where is the proof thereof stored?
Response: In our database

8.1.2 How can it be accessed and by whom (e.g., contracting parties, assignees, etc.)?
Response: The data cannot be accessed.

8.2 What safeguards are in place to verify the identity of the contracting parties?
Response: RightSignature utilizes a proprietary multi-factor authentication portfolio, provides appropriate consumer document access, and maintains a tamper-proof audit log. RightSignature signing events are in full compliance with and exceed standards established by ESIGN and UETA legislation.

8.3 Can recipients of an electronic document forward signature requests to others? How is authentication maintained?
Response: RightSignature does not accommodate requests to forward documents on for signing to an alternate party

8.4 What is the workflow for maintaining authentication when signing in person?
Response: Documents are still signed in same manner. In Person signing allows for the document presenter to check the signer's ID

9. Electronic Evidence

9.1 How will the integrity of your solution be provable?
Response: Every action related to the lifecycle of a given document is audited and logged. This information is maintained into perpetuity

9.1.1 What mechanisms are in place to track system operations and downtime?
Response: RightSignature has had an uptime greater than 99.97% since our inception.

9.1.2 What are the system maintenance practices?
Response: RightSignature will advise users of maintenance windows if any impact to usability is anticipated.

9.1.3 What information is backed up and what is the disaster recovery plan?
Response: RightSignature's Business Continuity Management is of the highest standard.

9.1.4 What system security measures are in place?
Response: RightSignature's Security is of the highest standard.

9.1.5 Who will have control over the documents?
Response: The creator can send, signers can view. Once executed all parties can download a pdf copy. Account administrators can see all documents in the account. Documents cannot be deleted

9.1.6 Is there any reason to doubt the integrity of the system?
Response: No

9.2 Will the electronic signatures of your solution meet the federal legislative requirements for a secure electronic signature?
Response: RightSignature is fully compliant with ESIGN legislation and UETA

9.2.1 Will the prescribed process be followed? If not, detail any variations.
9.2.2 How will signature certificates be validated?
Response: RightSignature offers an electronic signature, not a digital signature. There are no certificates to validate

9.2.3 How is it known if the certificate has expired or been revoked?
Response: N/A

9.2.4 Will signature certificates be supported by other signature certificates?
Response: N/A

9.2.5 Who is the certification authority? Have they passed the vetting process of the Treasury Board?
Response: N/A

9.2.6 How does an individual receive public and private keys?
Response: N/A

9.2.7 What controls are there on receiving public and private keys?
Response: N/A

9.2.8 What controls are there on issuing public and private keys?
Response: N/A

9.2.9 Do you use a hash algorithm to create a message digest? If so, describe.
Response: Each executed RightSignature document includes an appended Signature Certificate containing basic authentication information for each signing party, detailed authentication information represented by a SHA-1 checksum.

9.3 What support do you provide to clients in the event of a legal dispute?
Response: RightSignature's audit log is court-admissible and can be presented to the courts upon request

10. Audit Trail

10.1 What is included in the audit trail?
Response: For legal compliance, every action in a document's lifecycle (creation, views, signature events, and archiving) is time-stamped and logged.

10.2 Where is the audit trail for the document stored, and how may it be accessed by contracting parties?
Response: Each executed RightSignature document includes an appended Signature Certificate containing basic authentication information for each signing party, detailed authentication information represented by a SHA-1 checksum, and a court-admissible audit log.

10.3 Does your solution have the ability to reproduce the transaction from start to finish?
Response: See above

10.4 How is electronic evidence provided to a third party (e.g., courts) in the event of a dispute?
Response: Via email to a court assigned representative. If printed delivery is required, paper copies can be delivered for a fee

10.5 Does your solution conform to legislated evidentiary requirements (e.g., Canadian General Standards Board's Electronic Records as Documentary Evidence CAN/CGSB-72.34-2005)?
Response: We believe so, please consult an attorney well versed in Canadian General Standards Board regulations to confirm. RightSignature does not dispense legal advice

11. Privacy

11.1 How will the privacy of contractors and their personal information be assured? (e.g., PIPEDA compliance, etc.)
Response: Data is encrypted throughout its lifecycle and at rest

11.1.1 What information is stored by the system?
Response: All data entered into the document, audit trail log and Authentication factors.

11.1.2 Where is it stored?
Response: Amazon Web Services

11.1.3 Who has access to the information?
Response: Executive management

11.1.4 What security procedures exist?
Response: RightSignature's Security is of the highest standard.

11.1.5 What is the information used for and by whom is it used?
Response: Documents are stored for user into perpetuity in the event they lose their local copy, they may always revisit RightSignature to download a new copy

11.1.6 How long is the information stored?
Response: Into perpetuity

11.1.7 In what form is the information stored?
Response: Encrypted text

2. End-User Functionality Questionnaire

This section corresponds to the operational aspects of your esignature solution.

# Functionality Items Questions Responses

1. Field Overlay

1.1 Can a signature field be overlaid on top of a form?

1.2 Does your solution support multiple signatures within the same document from multiple parties?

1.3 Can additional fields be overlaid on top of a form?
Response:
- date box
- signature box
- check box
- text box
- initials box
- attachment box *
* the attachment box or field, allows for the signer to attach other documents to be returned to the sender

2. Document Management

2.1 How are the documents organized from a broker's point of view?
Response: Latest activity at the top. You can sort using data fields in doc, party names, expired or pending, and you may apply meta data tags to search using your own marker

2.2 Does your solution support multiple signed documents as a single transaction?
Response: we offering packaging of templates.

2.3 What is the size limit per document?
Response: 150 pages or 20MBs

2.4 What document formats are supported?
Response: User may upload documents in any common format, including PDF, DOC, DOCX, HTML, TXT, and more.

2.5 Can customers attach supplemental documents with the document to be signed?

3. Broker Management System (BMS) Integration

3.1 Are there APIs available to provide the ability for your solution to integrate with third-party applications such as Broker Management Systems (BMS)?
Response: REST based OAuth authentication or revocable token

3.2 How are finalized documents transferred to a BMS (e.g., manual, FTP, etc.)?
Response: You may use a callback API call to retrieve the URL to download the asset

4. Compatibility

4.1 What web browsers does your solution support?
Response: Any browser, any device, any platform.

4.2 What operating systems does your solution support?
Response: Any OS will do.

4.3 Will users have to install software to sign documents?
4.4 Is your solution compatible with the Citrix environment?
Response: No provided standard web ports are available.

5. Mobile

5.1 Are customers able to sign using mobile devices (tablets / smartphones)? If so, what does it look like from an end-user perspective?
Response: The same (just smaller ;)

6. User-Friendly

6.1 Are contracting parties able to partially complete the signing process and finish at a later time? How is security/authentication maintained?
Response: If there are more than 15 fields to fill in then an Interim Save feature will appear. The session will time out and they will need to access the page from the original signer link

7. Admin Account

7.1 Is there an admin account that has the ability to monitor/control other user privileges?

8. Reporting Tools

8.1 Are there any reporting features?
Response: Reports include document sending volume, sent vs. signed efficiency, and time to signature. There is also a data exporter filtered by date, template, and data field

8.2 Are the reports out of the box? Can they be customized?
Response: (See above)

9. Branding

9.1 How can customers customize and brand the documents they wish to have signed?
Response: User company logo is displayed prominently on the document signing screen to reinforce brand throughout the customer interaction. Emails sent to document signers indicate company name in the email subject line (e.g. [ABC Corp.] Joe Smith has sent you Form A9 to sign). In addition, emails may include a custom introduction and conclusion, to fit business processes.

9.2 Can users customize emails sent by your solution?
Response: See above

10. Reliability

10.1 Has your solution been involved in any security or legal disputes within the past five years? If so, describe.
Response: no

3. Services and Pricing Questionnaire

This section corresponds to the customer support and pricing models of your solution.

# Services and Pricing Items Questions Responses

1. Technical Support

1.1 Is there a help line for customer issues/questions with the solution?
Response: Chat, phone and email

2. Versions / Pricing Model

2.1 What different versions does the software include?
Response: Cloud based single instance 1 version

2.2 What deployment options (i.e., cloud, behind firewall, etc.) are available?
2.3 What is the pricing model?
Response: See attached SaaS only no on-premise solutions