How we verify who actually clicked Sign.
Email-only (default — SES)
The signing link goes to the signer's email. They click, type or draw their name, and sign. Under eIDAS this is a Simple Electronic Signature — admissible as evidence but with the weakest identity binding. Suitable for low-stakes contracts where the parties already know each other.
SMS one-time-code (AES tier)
Flip a toggle when sending. The signer receives a 6-digit code by SMS to a phone number you supplied. They must enter it before they can sign. This adds a second factor that uniquely binds the signature to the phone holder — Advanced Electronic Signature under eIDAS. Costs €0.05/SMS in Europe, billed monthly.
Identity attribution in the audit trail
Every signature, regardless of tier, records: the signer's email, IP address(es) used during viewing and signing, browser fingerprint, signing time (server-side, plus RFC 3161 third-party timestamp), and — when SMS-verified — the masked phone number. The full event log is exported as a sealed PDF.
Bring-your-own qualified certificate (planned)
Eventual support for QES via the signer bringing their own qualified certificate (Swiss SuisseID, German Personalausweis nPA, Estonian Mobile-ID, etc.) is on the roadmap. We don't issue qualified certs ourselves — that's a TSP partnership separate from our SaaS.
Have a question this page didn’t answer? Email sales@letssign.now — our DPA, security overview, and infosec answers are available on request.