Document compliance is the reason businesses cannot just email a Word document and call it a signed contract. Regulations, industry standards, and legal frameworks impose specific requirements on how documents are created, signed, stored, and retained. Understanding these requirements — and which ones actually apply to your business — prevents both legal exposure and unnecessary spending on compliance features you do not need.
Document compliance means ensuring that your documents and signing processes meet the legal, regulatory, and industry requirements that apply to your business. This covers:
Different jurisdictions have different rules, but the core principles are surprisingly consistent:
United States: ESIGN Act and UETA. Electronic signatures cannot be denied legal effect solely because they are electronic. Both federal (ESIGN Act, 2000) and state-level (UETA, adopted in 47 states) laws establish this principle. Exceptions exist for wills, certain family law documents, and specific court orders.
European Union: eIDAS Regulation. Establishes three tiers of electronic signatures (simple, advanced, qualified) and mandates that no electronic signature can be denied legal effect. Qualified electronic signatures (QES) are automatically equivalent to handwritten signatures. Simple and advanced signatures are legally valid but may require additional evidence in court.
United Kingdom: Electronic Communications Act 2000. Electronic signatures are admissible as evidence and can satisfy requirements for a signature. The UK approach is technology-neutral — it does not mandate specific methods.
Australia: Electronic Transactions Act 1999. Electronic signatures are valid where a signature is required by law, provided the method identifies the person and indicates their approval, and the method is as reliable as appropriate for the circumstances.
Canada: PIPEDA and provincial legislation. Electronic signatures are generally valid, with specific requirements varying by province.
The practical takeaway: for standard business documents in any of these jurisdictions, electronic signatures are legally valid. The question is not whether you can sign electronically, but how much evidence you need to support the signature.
General e-signature law establishes the baseline. Industry regulations add specific requirements:
Healthcare (HIPAA — US). Documents containing protected health information (PHI) must be signed and stored with appropriate safeguards: encryption, access controls, and audit trails. Consent forms, authorisations, and treatment agreements all fall under HIPAA when they contain PHI. Retention: minimum 6 years.
Financial services (SOX, SEC, FINRA — US; FCA — UK). Financial documents must be retained with integrity protections and clear audit trails. The Sarbanes-Oxley Act requires that financial records be preserved for 7 years. E-signatures on financial documents must include strong identity verification.
Real estate (varies by jurisdiction). Some jurisdictions require specific signing formalities for property transactions — witnessing, notarisation, or qualified electronic signatures. Check local requirements before signing property documents electronically.
Employment (varies by jurisdiction). Employment contracts are generally valid with electronic signatures, but termination notices, non-compete agreements, and union-related documents may have specific requirements. Retention periods vary: typically 3-7 years after the employment relationship ends.
Government procurement. Government contracts may have specific requirements for electronic signatures, including the use of qualified signatures or specific identity verification methods. These vary by country and level of government.
For most business documents, compliance comes down to four elements:
1. Signer identification. You must be able to prove who signed the document. At minimum, this means the signer received the document at their verified email address and signed from a trackable connection. For higher-compliance needs, add SMS verification or biometric authentication.
2. Document integrity. The document must not change after signing. E-signing platforms handle this by flattening signed PDFs and creating hash values that detect any modification.
3. Audit trail. A detailed record of the signing process: who was invited, when they received the document, when they opened it, when they signed, what device and IP they used, and how their identity was verified. This trail is your primary evidence in any compliance audit or legal dispute.
4. Retention. Signed documents must be stored for the required period in a format that preserves their integrity and accessibility. The retention period depends on the document type and applicable regulations.
GoodSign provides the compliance foundation that most businesses need for their standard document workflows.
Legal validity. GoodSign-signed documents comply with the ESIGN Act, UETA, eIDAS (for simple electronic signatures), the UK Electronic Communications Act, and the Australian Electronic Transactions Act. The signing process creates intent (the signer actively places their signature), identification (email delivery, SMS verification, or biometric passkeys), and consent to the electronic process.
Signer verification options. Choose the level of identification appropriate for the document: email delivery for standard business documents, SMS one-time passwords for higher-value agreements, or biometric passkeys for maximum identity assurance. Different signers on the same document can have different verification requirements.
Comprehensive audit trails. Every document includes a permanent record of the entire signing process. This trail meets the audit requirements for most business and regulatory contexts.
Document integrity. Signed documents are flattened — all signatures, form data, and timestamps are permanently embedded in the PDF. Any post-signing modification would be detectable.
Lifetime storage. Signed documents are stored indefinitely in ISO 27001 and SOC 2 compliant data centres. No storage limits, no expiry dates, and no extra charges. Your documents remain accessible and intact for as long as you need them — whether that is 6 months or 20 years.
Data centre options. Choose storage in San Francisco (US) or Sydney (Australia) based on your data residency requirements. This helps with GDPR and other data sovereignty regulations.
Encryption. Documents are encrypted in transit (TLS) and at rest. Access is controlled through authenticated sessions, and signed documents cannot be modified.
All compliance features are included at $1.50 per envelope sent. There are no additional charges for audit trails, SMS verification, or extended storage.
Compliance requirements exist on a spectrum, and no single platform covers everything:
Qualified electronic signatures (QES). If your documents require eIDAS qualified signatures — certain EU real estate transactions, specific government submissions — you will need a platform that integrates with qualified trust service providers and certificate authorities. GoodSign provides simple electronic signatures, which are legally valid but are not automatically equivalent to handwritten signatures under eIDAS.
Notarisation. If your document requires notarisation, that is a separate process from electronic signing. Some jurisdictions now allow remote online notarisation (RON), but this requires specialised platforms.
Industry-specific certifications. GoodSign's infrastructure is ISO 27001 and SOC 2 compliant, but the platform itself does not hold industry-specific certifications like HIPAA BAA or FedRAMP. If your regulatory framework requires these certifications from your e-signing vendor specifically, verify the requirements.
For the majority of business documents — contracts, agreements, employment paperwork, client onboarding, internal approvals — GoodSign provides the compliance infrastructure you need without the complexity and cost of enterprise compliance solutions.
All rights reserved © GoodSign Limited 2026
2 Stuart St, Ponsonby, Auckland 1011, New Zealand..