Create e-signature — sign contracts online

The eIDAS regulation knows three levels of electronic signatures: simple, advanced and qualified. A simple signature is anything that a person recognizes as their consent — a checkmark, a typed consent, a picture of the own signature. It is sufficient for most everyday business transactions, such as internal approvals, order confirmations or rental contracts in B2B.

For higher requirements you need advanced or qualified signatures. These require unique identification of the signer and connection to a certificate that only this person controls. Such signatures are processed via external providers like DocuSign, Sign-Live, D-Trust or Bundesdruckerei — do not build these yourself. In your own form, the simple signature by typing or drawing is the right choice. Anyone who needs more should integrate an appropriate solution at the providers mentioned and use it in the workflow as an intermediate step.

A simple signature can be captured in two ways: by typing the name in a text field or by drawing with mouse or finger on a canvas element. Both variants are legally equivalent in the sense of a simple electronic signature. Build both options in and let the user choose — on smartphones drawing works better, on desktops often typing.

Combine the signature with mandatory information that uniquely identifies the signer: name, date (set automatically), email (confirmed via verification link). This triad makes the signature robust. Additionally build in a check of the information: before the final click on "Sign", show a summary of what is being signed and with what data. A double confirmation ("I confirm that the information is correct and I am legally authorized to sign") significantly lowers the risk of erroneous signatures. Keep the user interface minimal — the focus is on the signature, not on marketing elements.

With a simple electronic signature, evidential value decides in case of dispute. Without a clean audit trail it is statement against statement. Therefore capture at least seven fields per signature: who signed (name, email), when (timestamp accurate to the second), what was signed (document hash, not just document title), from which IP address, with which browser/device, in which version of your terms and with which confirmation path (such as "email verification link clicked at 14:23").

Store this audit trail immutably — append-only, ideally with cryptographic integrity check per entry. Link it firmly to the signed document, such as an additional page in the PDF or as an attachment in the same file. Anyone who doubts the authenticity of the signature years later gets a complete reconstruction of the circumstances at the time. This care distinguishes a serious e-signature from a mere checkmark that is worth nothing in court. Allow authorized persons access to the audit trail without it becoming modifiable.

A signed agreement is only useful if it can also be found again. Therefore define a clean filing structure from the start. Per signature at least two artifacts arise: the signed PDF with embedded audit trail and a database entry with metadata (contract type, contract partner, status, term). Both belong in a central contract management — be it a dedicated tool like ContractHero or a well-organized directory in the DMS.

Trigger filing via webhook after completion of the signature. Additionally automatically send a copy to the signer by email, ideally as PDF attachment. For contracts with term or notice period, create a follow-up in the calendar so you do not miss the deadline. Define retention periods according to legal requirements — in Germany, six to ten years usually apply for business letters and contracts. After expiry, the data should be deleted in line with the GDPR. Build this lifecycle from the start, then you do not have to launch expensive cleanup projects later.