Signature Audit Trail: What Is It For?

What is an audit trail

The audit trail (or proof log) is the timestamped record of all actions performed on an electronic signature document: sending, opening, OTP entry, signing, refusal, expiration.

It is the equivalent of a digital "logbook", which constitutes the main evidence that can be relied upon in case of dispute.

Typical content

Each recorded event includes:

• precise date and time (generally qualified timestamping)

• action (sending, opening, OTP sent, OTP entered, signing, refusal)

• actor (signatory, system)

• IP address of the signatory

• user-agent (browser and OS used)

• metadata (document size, hash, etc.)

The audit trail before the judge

French courts recognise the audit trail as a determining factor in case of dispute, provided that it is:

• produced by an eIDAS-compliant platform

• complete and consistent

• timestamped by a trusted third party

• retained according to legal periods

The combination of audit trail + PDF signed with cryptographic hash makes good faith contestation extremely difficult.

Where to find the audit trail

Two typical locations:

• Embedded in the PDF: often on the last page, summary visible

• Accessible via the platform: detailed audit trail exportable

Some platforms provide a public verification link allowing anyone to view the audit trail without an account.

Practical use

In internal audit

• verify signature compliance

• check date consistency

• identify anomalies (unusual IP, suspicious times)

In dispute

• produce the audit trail as evidence before the court

• refute a signature contestation

• establish a precise chronology

In regulatory control

• URSSAF, labour inspectorate, CNIL

• export of the audit trail for affected contracts

Best practices

• Preserve the audit trail for the entire legal duration of the document

• Export periodically to avoid platform dependency

• Never modify the audit trail manually (invalidates the proof)

• Train your legal teams in audit trail use

Common mistakes

• Keep only the PDF, not the audit trail

• Store the audit trail in a non-exportable proprietary format

• Forget to include qualified timestamping

• Fail to anonymise audit trails when transmitting to third parties

Concrete case: signature contestation

A dismissed employee contests having signed their non-compete amendment. The employer produces the audit trail:

• precise date: 15 March 2024, 14:32

• IP: consistent with home address

• OTP SMS entered on the employee's phone (number in their file)

• PDF hash unchanged since

The labour tribunal rejects the contestation — audit trail is decisive.

How Certyneo helps you

Certyneo automatically generates a complete audit trail for each signed envelope. Exportable in PDF or JSON, embedded in the final PDF, retained for 10 years, and available via public verification link for third parties.

Discover the Certyneo electronic signature solution

FAQ

Is the audit trail admissible in court?

Yes, provided it is produced by an eIDAS-compliant platform.

Can I modify the audit trail?

No, any modification makes it invalid.

How long should I keep it?

At least as long as the signed document (10 years for commercial contracts).

Does the audit trail reveal personal data?

Yes (IP, user-agent, times). Protect its access according to GDPR.

Can you share it with a third party?

Yes, via a verification link or PDF export.

Conclusion

The audit trail is the legal key to electronic signature. Keep it carefully, and you will have a strong position against any contestation.

Try Certyneo to send, sign and track your documents online simply, quickly and securely.