SMS Validation Page for Tender Response

When a company submits a response to a public or private tender, the question of the legal value of the file transmitted is central. A document signed electronically without a strong authentication mechanism can be contested in court or rejected by the public buyer. This is precisely where the SMS validation page with code comes in: this authentication step using a one-time password (OTP) strengthens the proof of consent from the bidder, meets the requirements of the eIDAS regulation and guarantees complete traceability of the entire signature process. In this article, we detail why and how to implement this mechanism in your tender response workflow, covering technical prerequisites, step-by-step configuration and best practices to follow.

Why integrate SMS code validation into your tender response

Probative value at the heart of public procurement

The French public procurement framework requires that bids submitted electronically meet the requirements set by decree no. 2016-360 of 25 March 2016 relating to public procurement. Since 1 October 2018, any tender with an estimated value exceeding €40,000 (excluding VAT) requires mandatory dematerialisation via an approved deposit platform (buyer profile). In this context, electronic signature combined with SMS OTP represents an advanced electronic signature within the meaning of the eIDAS regulation, that is:

• linked to the signatory in a unique manner;
• enabling the signatory to be identified;
• created using data that the signatory can use under their exclusive control;
• linked to the signed data in such a way as to enable detection of any subsequent modification.

Without this level of authentication, a simple signature (click or checkbox) may be insufficient to legally bind the bidder, particularly when the buyer requires an advanced or qualified signature for certain sensitive lots.

Reduce the risks of challenge and irregularity

A tender response file may be declared irregular if the contracting authority considers that the identity of the signatory is not sufficiently established. Adding an SMS validation page creates a second authentication factor (2FA) which, combined with the previously verified identity, forms solid proof. In case of dispute before the administrative court or contract judge, the timestamped audit log (timestamp, masked telephone number, IP address, document hash) constitutes admissible evidence.

For more information on the fundamentals, the complete guide to electronic signature explains the different levels of signature and their legal implications under French and European law.

Technical components of an SMS validation page

OTP architecture and SMS channel

An SMS validation page is based on three interdependent components:

1. OTP Generator (One-Time Password): a TOTP (Time-based OTP, RFC 6238) or HOTP (HMAC-based OTP, RFC 4226) algorithm generates a 6-digit code, usually valid for 5 to 10 minutes.
2. SMS Gateway: a certified operator (e.g. Twilio, OVHcloud SMS, Brevo) routes the code to the bidder's telephone number, registered during the invitation or registration phase.
3. Secure input interface: the web page displayed to the bidder must comply with WCAG 2.1 requirements (accessibility), clearly display the code expiration and offer a limited resend mechanism (anti-abuse, maximum 3 attempts).

From a security perspective, the telephone number must be validated beforehand (verification during onboarding) and stored in encrypted form in the database, in accordance with GDPR requirements (article 32 on the security of processing).

Integration into the Certyneo signature workflow

In the Certyneo platform, adding an SMS validation page is done directly from the signature workflow configuration interface. Here are the steps:

Step 1 — Create or import the response document Upload your technical memorandum, deed of commitment or any other document constituting the offer. Certyneo's AI-powered contract generator can also pre-fill certain standard documents.

Step 2 — Configure signatories Enter the name, first name, email address and mobile phone number (E.164 format, e.g. +33 6 XX XX XX XX) of each person authorised to sign the bid. This field is mandatory to activate SMS validation.

Step 3 — Enable SMS OTP authentication In the "Workflow Security" menu, tick the "SMS code validation" option. You can configure:

• the code validity period (recommended: 5 minutes);
• the maximum number of attempts (recommended: 3);
• the personalised message sent to the signatory (mention of the tender, reference of the consultation).

Step 4 — Customise the validation page The Certyneo interface offers a "no-code" page editor allowing you to add your organisation's logo, the consultation title and clear instructions for the bidder. This customisation builds confidence and reduces process abandonment.

Step 5 — Test the workflow in sandbox mode Before actual deployment, use Certyneo's test mode to simulate SMS receipt and code entry. Verify that the audit log captures: timestamp, SHA-256 hash of the document, masked telephone number and IP address of the user's terminal.

Best practices for optimal configuration

Anticipate operational constraints of the bidder

In the context of a tender, the bidder can be a natural person or the legal representative of an SME, a temporary grouping of enterprises (GME) or a large group. Several operational constraints must be anticipated:

• Telephone number unavailability: if the designated signatory is travelling internationally, the SMS may not arrive on time. Provide a signature delegation option with prior notification.
• Rotation of managers: in large organisations, the signatory chief executive may change between sending the invitation and the bid submission deadline. The "telephone number" field should be modifiable by the account administrator up to 24 hours before the deadline.
• Accessibility: some users with disabilities may encounter difficulties with temporary code entry. Offer a voice alternative (automatic call with code reading) if your infrastructure permits.

Archiving and compliant audit trail

The SMS validation page is just one part of the proof mechanism. For the entire file to be enforceable, archiving must comply with ETSI EN 319 132 (XAdES) or ETSI EN 319 122 (CAdES) standards depending on the signature format chosen. Certyneo automatically generates a signature report in PDF/A format including:

• the list of signatories with their authentication level;
• certified timestamps (RFC 3161);
• the complete log of SMS events (sending, receipt confirmed, correct or incorrect entry).

This report must be kept for the entire duration of the contract's validity, and even longer in case of dispute. For public procurement, the Public Procurement Code (articles L. 2194-1 et seq.) sets retention periods of up to 10 years. Pricing and long-term archiving options are detailed on the Certyneo pricing page.

Integration with dematerialisation platforms (buyer profiles)

When the tender response goes through a third-party platform (AWS Marchés, e-Attestations, Achat Public, Klekoon, etc.), Certyneo can be used beforehand to sign and validate internally the documents making up the bid before depositing them on the buyer profile. The signed file (in XAdES or PAdES format) is then uploaded to the platform, accompanied by the Certyneo signature report as proof of authentication.

If your organisation already uses a competing solution, the migration to Certyneo page explains how to transfer your existing workflows without data loss or service interruption.

Security, GDPR and telephone data management

Processing of personal data from telephone numbers

The mobile telephone number is personal data within the meaning of article 4 of the GDPR. Its use in the context of OTP validation requires:

• a legal basis clearly identified: performance of the contract (article 6.1.b GDPR) or legitimate interest (article 6.1.f GDPR) depending on the relationship between the tender issuer and the bidder;
• prior information of the bidder on the use of their number (mention in the terms and conditions or in the invitation email);
• a limited retention period: the number should not be kept beyond the end of the signature process, except where justified by legal archiving requirements.

Legal teams and data protection officers will find additional resources in our electronic signature glossary, which references key definitions from the GDPR applied to signature workflows.

Resistance to attacks and fraud prevention

SMS validation is vulnerable to certain attack vectors (SIM swapping, SS7 interception). For high-stakes tenders (amounts > €500,000 excluding VAT), Certyneo recommends combining SMS OTP with:

• upstream identity verification (documentary KYC or IDnow);
• a qualified timestamp provided by an eIDAS-accredited Trust Service Provider (TSP);
• real-time alerting in case of telephone number change within 48 hours prior to signing.

These additional measures elevate the signature to the qualified eIDAS level, the highest recognised by the European regulation, and provide maximum assurance for sensitive or classified public procurement.

Legal framework applicable to SMS validation in tenders

eIDAS Regulation No. 910/2014 and its signature levels

Regulation (EU) No. 910/2014 of the European Parliament and the Council (eIDAS) forms the regulatory basis for electronic signature in Europe. It distinguishes three levels:

• Simple electronic signature (article 3.10): data in electronic form attached to or associated with other data, used by the signatory to sign. Limited legal value for public tenders.
• Advanced electronic signature (article 3.11): meets the requirements of article 26 eIDAS, including the unique link with the signatory and detectability of any alteration. SMS OTP validation, combined with prior identification, allows this level to be achieved.
• Qualified electronic signature (article 3.12): created using a qualified signature creation device, based on a qualified certificate issued by an accredited TSP. The only level with legal effect equivalent to handwritten signature in all member states (article 25.2 eIDAS).

French Civil Code — Articles 1366 and 1367

Article 1366 of the Civil Code states that "electronic writing has the same probative force as writing on paper, provided that the person from whom it emanates can be duly identified and that it is established and maintained in conditions such as to guarantee its integrity". Article 1367 specifies that "electronic signature consists of the use of a reliable identification process guaranteeing its link with the act to which it is attached".

SMS OTP directly contributes to satisfying the reliable identification condition set by article 1367, by creating a link between the registered telephone number and the signed document.

Public Procurement Code

Articles R. 2132-7 et seq. of the Public Procurement Code require that bids transmitted electronically be signed with at least an advanced electronic signature based on a qualified certificate. SMS validation is part of the mechanism allowing this level to be achieved, provided that the entire signature workflow is documented and archived.

GDPR No. 2016/679 — Protection of telephone data

Article 32 of the GDPR requires appropriate technical and organisational measures to ensure the security of data processed, including encryption and pseudonymisation. The telephone number used for SMS OTP must be encrypted at rest and in transit (TLS 1.3 minimum). Article 5.1.e requires retention limitation: the number can only be kept for as long as strictly necessary for the purpose of processing.

Applicable ETSI standards

• ETSI EN 319 132 (XAdES): advanced XML signature format, recommended for public procurement documents in XML format.
• ETSI EN 319 122 (CAdES): advanced CMS signature format, suitable for binary files (PDF, ZIP).
• ETSI EN 319 102-1: procedures for creation and validation of electronic signatures, integrating qualified timestamping RFC 3161.

Non-compliance with these standards exposes the issuer or bidder to a risk of bid rejection for formal irregularity, or to signature unenforceability in case of contractual dispute.

Real-world usage scenarios

Scenario 1 — An engineering firm responding to a design and supervision contract

An engineering firm specialising in infrastructure, with around thirty engineers and managing an average of 15 to 20 tender responses per year, must sign several documents making up a bid: deed of commitment, technical memorandum, tax and social compliance certificates. Before implementing SMS validation, the procedure relied on an exchange of manually signed PDFs, scanned and retransmitted by email, which generated average delays of 48 to 72 hours per file.

By configuring a Certyneo workflow with SMS OTP validation for each internal signatory (technical director, manager), the firm reduced this delay to less than 2 hours. The automatically generated signature report is attached to the file deposited on the buyer profile, meeting advanced signature requirements. Sectoral studies on B2B dematerialisation estimate 60-70% reduction in administrative processing time when transitioning to electronic signature with strong authentication.

Scenario 2 — A temporary grouping of enterprises (GME) on a works contract

As part of a public works contract (earthworks lot + structural works lot), two companies form a joint GME. Each lead contractor must sign the deed of commitment on behalf of their company. The two companies are located in different towns, and the bid submission deadline is 12:00.

Thanks to Certyneo's parallel signature functionality, both signatories simultaneously receive an invitation link by email. Each accesses their validation page, enters their OTP code received by SMS in less than a minute, and affixes their advanced electronic signature. The GME coordinator receives immediate notification of completion and can upload the finalised file before the deadline. This scenario illustrates how SMS validation eliminates the risk of delay due to multi-site coordination, a problem that according to some studies accounts for approximately 30% of late submissions in grouping responses.

Scenario 3 — A local authority issuing the tender

An intermediate-sized local authority (between 50,000 and 200,000 inhabitants) wishing not to respond to a tender but to issue one can also rely on SMS validation to secure internal signature of procurement documents (general technical specifications, specific technical conditions, quality assurance). Before uploading the consultation to the buyer profile, the director of technical services and the elected official responsible for procurement must co-sign the constitutive documents.

By deploying a Certyneo internal workflow with SMS OTP validation for each institutional signatory, the authority creates a traceable record of prior administrative validation. This traceability is particularly useful during legality checks exercised by the prefecture or in case of audit by the regional audit office. The risk reduction associated with unauthenticated signature represents a major compliance issue for public buyers, in view of the requirements of ordinance no. 2015-899 codified in the Public Procurement Code.

Conclusion

Integrating an SMS code validation page into your tender response is not merely a technical formality: it is a legal guarantee, documented proof of consent and a regulatory compliance tool under the eIDAS regulation and the Public Procurement Code. By authenticating each signatory via a timestamped SMS OTP, you achieve the advanced electronic signature level required by the vast majority of public buyers, whilst drastically reducing internal delays and risks of rejection for formal irregularity.

Certyneo allows you to configure this workflow in minutes, without IT development, with an audit log compliant with ETSI standards and archived according to legal obligations. Whether you are a sole bidder, member of a GME or public buyer, the solution adapts to your context.

Ready to secure your next tender responses? Create your Certyneo account for free and configure your first SMS validation workflow today.