Goodlegal will be discontinued as of December 21, 2023.
Please ensure you download and transfer any information you might have on the platform.
Goodlegal E-Sign Specifications
According to the eIDAS Regulation no. 910/2014, a normative act of the European Union, an Advanced Electronic Signature (AES) shall meet the following requirements:
- is uniquely linked to the signatory;
- is capable of identifying the signatory;
- is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control;
- is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
Goodlegal E-sign capabilities
The Goodlegal E-sign mechanism is an Advanced Electronic Signature (AES) because its implementation follows the 4 eIDAS requirements listed above. Each document signed within the Goodlegal platform is composed of 4 distinct elements:
- the initial document with the user-generated content on which the signature is applied
- the automatically generated visual user signature element based on the account name and unique email
- the audit trace page, an automatically generated extra section appended to the document that contains a detailed log of each user (name and unique email) who signed that document, with a timestamp and their IP address at the moment of signing
- a PKI digital certificate
The Goodlegal E-sign functionality uses a unique server-side PKI (Public Key Infrastructure) certificate for signing all documents, which ensures that any changes or tampering with a document after it’s been signed can be immediately detected. In this way Goodlegal ensures the unique association between a signature and the signatory via email, as each user must use a unique email address to register an account on the platform.
Details of the signatory and the signature process are recorded in the audit trail, which is appended as an addendum to each signed document.
Important: the platform admin and the users inviting collaborators or sending documents for internal or external signatures are responsible for validating that the email addresses used in the platform by the individuals invited to collaborate or sign a document are in fact owned by those specific individuals. Goodlegal does not validate the identity behind an email.
In the current version of the platform with the e-sign functionality, all the eIDAS requirements are followed, specifically:
- Each signature is uniquely linked to the signatory and can be easily identified via the name and email combination
- The user has full control and sole ownership over his Goodlegal E-signature via his account
- Any change or tampering attempt can be instantly detected due to the PKI certificate-based digital signature present in the final generated PDF.
In addition, the authenticity of the Goodlegal E-signature chain of trust can be easily determined by inspecting the digital certificate and validating the public key used, either by consulting our website and crosschecking the details or by reaching out directly to Goodlegal for confirmation.
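The tamper check and the certificate cross-check described above can be reproduced with OpenSSL. This is an added example, not Goodlegal's code: a throwaway self-signed certificate stands in for the server-side signing certificate, a detached signature over a text file stands in for the signature embedded in the PDF, and all file and function names are hypothetical.

```sh
#!/bin/sh
# Added example. The certificate, file names and sample audit entry below are
# constructed for illustration; a detached signature over a text file stands
# in for the signature embedded in a signed PDF (assumption).
workdir=$(mktemp -d)

# Create the stand-in signing key and certificate (hypothetical subject name).
make_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-esign-signer" \
    -keyout "$workdir/key.pem" -out "$workdir/cert.pem" 2>/dev/null
}

# SHA-256 fingerprint of a certificate, for comparison with a published value.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Platform side: sign the document and its audit trail as one unit.
seal() {
  openssl dgst -sha256 -sign "$workdir/key.pem" -out "$1.sig" "$1"
}

# Relying party: verify_sealed <file> <cert> <published-fingerprint>
# Prints untrusted-certificate, tampered, or valid.
verify_sealed() {
  if [ "$(cert_fingerprint "$2")" != "$3" ]; then
    echo "untrusted-certificate"; return 0
  fi
  openssl x509 -in "$2" -noout -pubkey > "$workdir/pub.pem"
  if openssl dgst -sha256 -verify "$workdir/pub.pem" \
       -signature "$1.sig" "$1" >/dev/null 2>&1; then
    echo "valid"
  else
    echo "tampered"
  fi
}

# Constructed sample: document body followed by one audit-trail entry.
make_signer
doc="$workdir/contract.txt"
printf 'Contract text\n-- audit trail --\n%s\n' \
  'Jane Doe <jane@example.com> 2023-05-01T10:00:00Z 203.0.113.7' > "$doc"
seal "$doc"
pin=$(cert_fingerprint "$workdir/cert.pem")  # stands in for the published value
verify_sealed "$doc" "$workdir/cert.pem" "$pin"
# Change the e-mail in the audit trail after signing, then verify again.
printf 'Contract text\n-- audit trail --\n%s\n' \
  'Jane Doe <other@example.com> 2023-05-01T10:00:00Z 203.0.113.7' > "$doc"
verify_sealed "$doc" "$workdir/cert.pem" "$pin"
```

Because one server-side key signs every document, a "valid" result shows that the file is unchanged and came from the holder of that key; who the signatory is rests on the audit-trail entry covered by the signature.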
Qualified Electronic Signature (QES) support is on the roadmap of the Goodlegal platform and could be accelerated in case of customer demand. Under EU law, a QES is legally equivalent to a handwritten signature (Article 25.2), also known as a “wet signature”, which may be mandated by law for specific situations.
The key difference between AES and QES is in the digital certificate used for signing. With a QES, all four criteria of AES are automatically guaranteed and, in addition, the identity of the user is verified through the use of a physical electronic ID (eID), smart card or USB token issued by qualified providers on the EU Trust Services List.
Depending on the method a customer prefers, Goodlegal can implement either or both methods of validating the identity used:
- User will be able to plug in their token in the Goodlegal platform and use their own issued digital certificate for signing in the future; or
- User will be identified by a Goodlegal agent via video or through another face-to-face method of identification for issuing the certificate.