Who’s Keeping Your E-Signature Provider Honest?

Rahim Kaba, November 3, 2015

Businesses are making use of applications in the cloud more than ever, but trusting operations and confidential data to another company can be nerve-racking. Therefore, finding a dependable, security-conscious provider that has the proper controls in place is critical to ensuring that your company and customer data are safe and secure at all times. But how can you be assured that your SaaS provider has your best interests at heart?

Keeping vendors honest

No organization wants security scars – scars that can impact your company’s reputation and even have legal repercussions. That’s why it’s important to do extensive due diligence when evaluating cloud application providers, to ensure they have the necessary protocols in place to protect against data breaches and other security threats.

There are a number of compliance programs in the market – e.g., SOC 1/SSAE 16, SOC 2, ISO 27001, etc. – that many of the data center providers such as Amazon Web Services, IBM SoftLayer and Microsoft Azure have adopted. But what about the SaaS applications that are hosted in these data centers? Do they automatically inherit compliance? The short answer is no.

At e-SignLive, we went above and beyond compliance at the data center level and completed the SOC 2 security audit for our e-signature solution hosted on data centers around the world. In fact, we’re the first and only e-signature provider to complete the security audit on the e-signature application layer. Our auditors keep us honest, ensuring that we attest to and implement SOC 2 security best practices – day in and day out – without exception. They can ask us to open up the e-signature kimono, if you will, on any given day or at any time to demonstrate compliance. SOC 2 compliance means that we have the necessary tools to detect and respond to threats, should they occur.

Can the same thing be said about other e-signature providers? While they may have the best of intentions to protect your data, the truth is, no one is keeping them honest. As a result, when push comes to shove, they may cut corners with respect to security in order to move other projects forward.

Why other e-signature vendors put you at risk

If you’re evaluating e-signature solutions, would you rather see an independent audit report about the vendor’s financial procedures, or one that focuses on how they control the security of the hosted application? This is where the SOC 2 audit and report come in handy. It may be tempting to assume that SOC 2 is closely related to SOC 1 (SSAE 16), but this couldn’t be further from the truth. While SOC 1 is designed to measure a provider’s financial controls, the SOC 2 audit measures service organization controls related to security.

e-SignLive successfully completed the SOC 2 Type II audit, and our solution is protected against unauthorized access, use and modification. The resulting report is a real measurement and auditor validation that stringent security controls are actually in place – at all times.

Avoid security scars

Not all vendors that position themselves with "compliant solutions" are really independently audited. When doing your due diligence and evaluating e-signature providers, it’s important to ask what measures vendors have in place to protect your company and customer data. While the solutions you’re evaluating may be hosted in SOC 2 compliant data centers, the e-signature application itself may not be SOC 2 compliant. Want to be sure? Ask for a copy of their independent SOC 2 report.

Visit the e-SignLive Trust Center to view a summary of our auditor’s report, or download our Security for E-Signatures and Digital Transactions white paper for more information on what to look for in a vendor.