Vendor Questions. esignatures Request for information InsureSign




InsureSign Vendor Questions

1. Legal Compliance Questionnaire

This section corresponds to legal requirements as outlined in the CSIO esignatures Advisory Report prepared by Fasken Martineau LLP.

1. Signing Ceremony

1.1 Describe your solution's signing ceremony (how does the signing process work, including authentication, signing the document, and delivery of the document).
Response: The signer receives an email (or text message) with a link to sign the document. If a password has been selected, they enter it. They are presented with a signing page where they review and sign the document. They may then receive a copy via email, or a link to create an account and then retrieve it.

2. Consent

2.1 How does the solution prove that consent to use electronic means for both signatures and ongoing delivery of information was provided by the user?
Response: There is a required checkbox and verbiage that shows that by checking the box they agree.

2.2 How does the user indicate acceptance (i.e., click a button, provide a signature, etc.)
Response: Checkbox (above)

3. In Writing

3.1 How does your solution provide access to documents?
Response: They normally receive a copy via email, and a copy is available in their cloud account also.

3.2 How will documents be stored?
Response: They are stored in geographically diverse, secured data centers, automatically backed up to different centers.

3.3 In what form will documents be stored?
Response: They are stored as digitally signed PDFs.

3.4 Are the servers located in Canada?
Response: No, US. Documents can be automatically sent via email after completion to a Canadian cloud storage provider if desired. Most cloud providers offer this storage option.

3.5 How is access to a document determined/permitted?
Response: Only senders and signers are allowed access. There is also the option for the sender to set a CC recipient as well.

3.6 When will access be granted to each contracting party and for how long?
Response: Access is currently unlimited as long as they have an active account. Of course, they can keep the PDF copy they receive however they like.

3.7 Access to the documents if user wants to change providers/no longer uses provider?
Response: Once the account is cancelled, the documents can be verified via a document code, but online access stops. They would need to use locally stored documents. The document code is a unique code with a URL to a page with the verification that the document is valid and was signed. The audit page (without document data) can also be accessed.

3.8 Backup/disaster recovery plans?
Response: All data centers are fully redundant with full disaster backup plans.

4. Original Copy

4.1 Will each contracting party (including any assignee) be able to access, retain, use, print and store a copy of the documents?

4.2 How is document integrity assured?
Response: A digital certificate is applied to each completed document, and a complete audit trail is included in the document.

4.2.1 How does your solution prevent changes to the document content that may occur on communication, storage and display?
Response: Digital certificate (above)

4.2.2 Can the document (look/file type/content) be altered during its lifecycle?
4.2.2.1 Who will have the ability to do so?
4.2.2.2 What security measures prevent unauthorized modification?
4.2.2.3 How are changes to the document tracked through its lifecycle?
4.2.3 Will there exist a single authoritative copy of the electronic document that is unique, identifiable and unalterable?
4.2.4 Can this authoritative copy identify assigned parties as the owner or secured party with a security interest therein?
4.2.5 How can the authoritative copy be distinguished from other copies?
Responses: No (see above) n/a Digital signing above Complete audit trail yes, all parties to the document Digital certificate

4.2.6 How does the authoritative copy mark changes as authorized or unauthorized?
Response: See above

4.2.7 Who owns the final document?
Response: The sender and signer both receive copies

4.2.8 Is it possible for the electronic vendor to sell, provide or otherwise use such electronic document without the owner's consent?
Response: No, against terms of use

5. Contract Formation / Electronic Form

5.1 What opportunities will the contracting parties be given to review the contract before submitting?
Response: The full document is presented and is scrollable and zoomable

5.2 If a mistake is found, how can it be fixed prior to submitting?
Response: The document would have to be cancelled, with an explanation back to the sender. Then resent.

5.3 Does the solution have notification procedures that allow contracting parties to contact each other and/or your company so that an error can be fixed?
Response: Via the cancellation procedure, notes can be attached.

5.4 Does the solution allow the publisher to impose an expiration date on the document, after which it will no longer allow recipients to sign?

6. Timing and Receipt of Electronic Document

6.1 How does any contracting party or assignee become aware when documents have been sent / viewed / signed / finalized? When it is not delivered?
Response: Emails can be configured to be sent during these events, and the desktop component can also display alerts.

7. Electronic Signature

7.1 How will the digital signatures applied by parties to the contract meet the definition of an electronic signature?
Response: They are PDF-standard digital signatures, with a trusted authority (Adobe)

7.1.1 How does your solution generate electronic signatures? (i.e., what standards are used as part of the process?)
Response: Adobe in-house Document Cloud standards

7.1.2 How is the electronic signature linked with the document?
Response: There is a link in the signature to the audit page online. Also, it is graphically represented and detailed in the audit trail attached.

7.2 Is your solution flexible with regards to technological advances and future legal requirements concerning electronic signatures as they arise?
Response: , easily adaptable to future changes in legal requirements.

7.3 How may a contracting party provide a signature (e.g., scribe, click, etc.)
Response: They can type a signature, draw a signature, or upload a scanned image if they have an account with us.

7.4 Does your solution support multiple signatures within the same document from multiple parties?
Response: , multiple signers, as well as the sender's signature.

8. Authentication

8.1 How can it be proven that the documents are contracts entered into by the contracting parties (e.g., email, SMS, etc.)?
Response: Email verification is the primary method, but passwords may be set for opening and signing the document. SMS verification is also offered.

8.1.1 How and where is the proof thereof stored?
Response: It is stored in our backend system, but is detailed in the attached, digitally certified audit trail as well.

8.1.2 How can it be accessed and by whom (e.g., contracting parties, assignees, etc.)?
Response: Each of the parties and cc's can access it.

8.2 What safeguards are in place to verify the identity of the contracting parties?
Response: See 8.1.1 above.

8.3 Can recipients of an electronic document forward signature requests to others? How is authentication maintained?
Response: Currently, we do not allow signers to forward requests for signature.

8.4 What is the workflow for maintaining authentication when signing in person?
Response: The document is protected by a combination of name and password to access the signing screen.

9. Electronic Evidence

9.1 How will the integrity of your solution be provable?
Response: Our solution runs on Adobe Document Cloud, and is consistent with their normal procedures.

9.1.1 What mechanisms are in place to track system operations and downtime?
Response: There is a publicly available downtime tracker.

9.1.2 What are the system maintenance practices?
Response: All data is kept in multiple, geographically diverse data centers that are continually monitored and updated.

9.1.3 What information is backed up and what is the disaster recovery plan?
Response: All information including the data table of transactions/documents.

9.1.4 What system security measures are in place?
Response: All data centers are protected with advanced hardware security and also physically protected with limited access and armed guards.

9.1.5 Who will have control over the documents?
Response: Adobe and InsureSign, and the sender and signer will have access

9.1.6 Is there any reason to doubt the integrity of the system?
Response: No

9.2 Will the electronic signatures of your solution meet the federal legislative requirements for a secure electronic signature?
9.2.1 Will the prescribed process be followed? If not, detail any variations.
9.2.2 How will signature certificates be validated?
9.2.3 How is it known if the certificate has expired or been revoked?
9.2.4 Will signature certificates be supported by other signature certificates?
Responses: The certificate will be issued by a trusted root certificate authority Built-in to Adobe Acrobat and in the PDF specification The root certificate will be attached to the PDF

9.2.5 Who is the certification authority? Have they passed the vetting process of the Treasury Board?
Response: Adobe / yes

9.2.6 How does an individual receive public and private keys?
Response: We do not issue the public/private keys in our web-based solution

9.2.7 What controls are there on receiving public and private keys?
Response: See 9.2.6

9.2.8 What controls are there on issuing public and private keys?
Response: See 9.2.6

9.2.9 Do you use a hash algorithm to create a message digest? If so, describe.
Response: , internally

9.3 What support do you provide to clients in the event of a legal dispute?
Response: Complete audit trail and certificate authority details

10. Audit Trail

10.1 What is included in the audit trail?
Response: Creation, sending, password validation, and signing details. Also, any declines/cancels

10.2 Where is the audit trail for the document stored, and how may it be accessed by contracting parties?
Response: It is stored in our internal data structure, and also appended to each document

10.3 Does your solution have the ability to reproduce the transaction from start to finish?
Response: yes

10.4 How is electronic evidence provided to a third party (e.g., courts) in the event of a dispute?
Response: Case-by-case basis, but most exists right in the document. A data export can also be arranged.

10.5 Does your solution conform to legislated evidentiary requirements (e.g., Canadian General Standards Board's Electronic Records as Documentary Evidence CAN/CGSB-72.34-2005)?
Response: Our platform conforms with the Canadian Uniform Electronic Commerce Act (UECA)

11. Privacy

11.1 How will the privacy of contractors and their personal information be assured? (e.g., PIPEDA compliance, etc.)
Response: Password security on accounts, encryption on retained data

11.1.1 What information is stored by the system?
Response: All information needed to produce the audit trail, and also pre- and post-signing documents

11.1.2 Where is it stored?
Response: Geographically diverse data centers in the US

11.1.3 Who has access to the information?
Response: Contract participants, and tier 2 technicians

11.1.4 What security procedures exist?
Response: Physical and network hardware security is extensive

11.1.5 What is the information used for and by whom is it used?
Response: Outside the contracting parties, information would only be accessed to diagnose a problem or in the event of a dispute

11.1.6 How long is the information stored?
Response: Indefinitely

11.1.7 In what form is the information stored?
Response: Electronic data structure and PDF

2. End-User Functionality Questionnaire

This section corresponds to the operational aspects of your esignature solution.

1. Field Overlay

1.1 Can a signature field be overlaid on top of a form?

1.2 Does your solution support multiple signatures within the same document from multiple parties?

1.3 Can additional fields be overlaid on top of a form?

2. Document Management

2.1 How are the documents organized from a broker's point of view?
Response: The broker/sender can send as many documents to the software as they like. We assemble them all as thumbnails prior to sending.

2.2 Does your solution support multiple signed documents as a single transaction?

2.3 What is the size limit per document?
Response: No limit

2.4 What document formats are supported?
Response: Any document that can be printed can be sent (Word, PDF, Excel, HTML, etc.)

2.5 Can customers attach supplemental documents with the document to be signed?
Response: by simply printing them in Documents can be printed utilizing the InsureSign virtual printer component, which installs like a real printer, showing up on the printer list, only with no hardware involved. Any document(s) printed to this printer will show up in InsureSign, ready for sending to the signer.

3. Broker Management System (BMS) Integration

3.1 Are there APIs available to provide the ability for your solution to integrate with third-party applications such as Broker Management Systems (BMS)?
3.2 How are finalized documents transferred to a BMS (e.g., manual, FTP, etc.)
Responses: There are several methods available manual, email, HTTP PUT, API connection

4. Compatibility

4.1 What web browsers does your solution support?
Response: All modern browsers

4.2 What operating systems does your solution support?
Response: All

4.3 Will users have to install software to sign documents?
Response: No

4.4 Is your solution compatible with the Citrix environment?

5. Mobile

5.1 Are customers able to sign using mobile devices (tablets / smartphones)? If so, what does it look like from an end-user perspective?
Response: there is a mobile-specific interface. All mobile devices are supported by our universal signing interface.

6. User-Friendly

6.1 Are contracting parties able to partially complete the signing process and finish at a later time? How is security/authentication maintained?
Response: Not currently, but in an upcoming version

7. Admin Account

7.1 Is there an admin account that has the ability to monitor/control other user privileges?

8. Reporting Tools

8.1 Are there any reporting features?

8.2 Are the reports out of the box? Can they be customized?
Response: , can be customized and automated

9. Branding

9.1 How can customers customize and brand the documents they wish to have signed?
Response: Logos and email footers can be customized, as well as the body of the email sent to signers

9.2 Can users customize emails sent by your solution?
Response: See above

10. Reliability

10.1 Has your solution been involved in any security or legal disputes within the past five years? If so, describe.
Response: No

3. Services and Pricing Questionnaire

This section corresponds to the customer support and pricing models of your solution.

1. Technical Support

1.1 Is there a help line for customer issues/questions with the solution?
Response: shown right on our website

2. Versions / Pricing Model

2.1 What different versions does the software include?
Response: Only one version of software, different pricing is annual vs monthly and also depends on user seats

2.2 What deployment options (i.e., cloud, behind firewall, etc.) are available?
Response: Several web-based, desktop-based within local network, terminal server/citrix

2.2 What is the pricing model?
Response: Priced per user-seat, discount for annual billing. Free 30-day unlimited trial. Unlimited signers and documents on all plans.