This article will walk you through Ironclad Signature compliance.
IMPORTANT
Ironclad is not a law firm, and this article does not constitute or contain legal advice. To evaluate the accuracy, sufficiency, or reliability of the ideas and guidance reflected here, or the applicability of this information to your business, you should consult with a licensed attorney. Use of and access to any of the resources contained within Ironclad's site do not create an attorney-client relationship between the user and Ironclad.
Ironclad Signature was designed to comply primarily with ESIGN and UETA electronic signature requirements within the United States.
The product is compliant with the EU's eIDAS SES standards, but not with eIDAS’s more complex tiers, such as AES and QES, at this time.
While some countries may have their own frameworks that mirror US ESIGN and UETA standards, or the EU’s eIDAS SES standards, many jurisdictions outside the US and EU may not be supported at the time of general availability on October 11, 2023. Continue to check back as this article will be updated as we add compliance for other standards in the future.
For a full list of electronic signature compliance standards that Ironclad Signature adheres to today, see below. Please check with your legal team on whether or not the current compliance standards for Ironclad Signature are sufficient for your use of the product before implementing.
Compliance Standard | Abbreviation | Country/Region | Supported |
---|---|---|---|
The Electronic Signatures in Global and National Commerce Act | ESIGN | United States | Yes |
The Uniform Electronic Transactions Act | UETA | United States | Yes |
Electronic Signatures and Records Act | ESRA | United States (NY State) | Yes |
eIDAS Standard Electronic Signature | SES | EU | Yes |
eIDAS Advanced Electronic Signature | AES | EU | No (expected in 2024) |
eIDAS Qualified Electronic Signature | QES | EU | No |
Food and Drug Administration’s part 11 of Title 21 of the Code of Federal Regulations | FDA/21 CFR Part 11 | United States | No (expected in 2024) |
What makes Ironclad Signature compliant in the US?
ESIGN, UETA, and ESRA share four basic requirements, all of which Ironclad Signature is designed to satisfy:
- Intent to sign from the signer - Ironclad includes language on the signing screen as the signer selects “Finish Signing,” indicating that the signer intends to sign the contract.
- Consent to do business electronically by the signer - Consent can be implied by doing business electronically, but Ironclad also includes language on the signing screen as the signer selects “Finish Signing,” indicating that the signer consents to contract electronically.
- Association of signature with the record - Ironclad establishes association of the signature with the record by including an Electronic Record at the end of every completed signature packet. The Electronic Record identifies the signer, identifies the contract signed, and includes a date and time stamp.
- Record retention - In our Repository, records are retained for reference by all parties or persons entitled to retain the contract or record. Records are retained for as long as a party remains a customer.
Compliance for API-based implementations
The legal enforceability of API-based solutions, including our embedded clickwrap product, is largely contingent on customer implementation. Our best practices and guidance for implementation are based on US law, but the products can often be configured to comply internationally. Work with your legal team to ensure an enforceable implementation.
Review the related Clickwrap resources below:
- Clickwrap vs. Browsewrap: What's the Difference?
- 6 Components of Clickwrap Enforceability
- Clickwrap Litigation Trends Report
Support of EU Datacenter Customers
Minimal data transfer from the EU to the US is required to use Ironclad Signature.
Ironclad Signature leverages infrastructure and data centers in both the US and EU. The Ironclad Activity API, which manages the electronic capturing of assent for Ironclad Signature, does not currently support EU data centers.
As a result, data necessary to generate an electronic record of acceptance is transferred to the US when using Ironclad Signature. This data includes the signature request title, document IDs, and related signer data for all signers, including signer ID (unique ID), email, email address, and browser data (e.g., user agent, IP address). The cover page generated with this data and attached to the fully executed contract is also generated and stored in the US. The underlying contract is not.
Data Privacy and Security
As an Ironclad product, Ironclad Signature is in scope for Ironclad’s annual SOC 1 Type II and SOC 2 Type II audits. Ironclad Signature is also in scope for Ironclad’s ISO 27001, 27701, 27017, and 27018 certifications.
Our treatment of data processed via Ironclad Signature also complies with GDPR and CCPA. Ironclad Signature is not yet HIPAA compliant.