SMS Validation Page for Tender Response Procedures

When a company responds to a public or private tender, the question of the legal value of the submitted file is central. A document signed electronically without a strong authentication mechanism can be challenged in court or rejected by the public buyer. This is precisely where the SMS code validation page comes in: this one-time password (OTP) authentication step strengthens the proof of the bidder's consent, meets the requirements of the eIDAS regulation and guarantees complete traceability of the signature journey. In this article, we detail why and how to implement this mechanism in your tender response workflow, covering technical prerequisites, step-by-step configuration and best practices to follow.

Why integrate SMS code validation into your tender response

Probative value at the heart of public procurement

The framework of French public procurement requires that offers transmitted by electronic means meet the requirements set out in Decree No. 2016-360 of 25 March 2016 on public procurement. Since 1 October 2018, any procurement with an estimated value exceeding €40,000 (excluding VAT) requires mandatory dematerialisation via an approved deposit platform (buyer profile). In this context, electronic signature combined with an OTP mechanism via SMS constitutes an advanced electronic signature within the meaning of the eIDAS regulation, namely:

• linked to the signatory in a unique manner;
• enabling the signatory to be identified;
• created from data that the signatory can use under their exclusive control;
• linked to the signed data in such a way as to allow the detection of any subsequent modification.

Without this level of authentication, a simple signature (click or tick box) may be insufficient to legally bind the bidder, particularly when the buyer requires an advanced or qualified signature for certain sensitive lots.

Reduce risks of challenge and irregularity

A tender response file may be declared irregular if the contracting authority believes that the identity of the signatory is not sufficiently established. Adding an SMS validation page creates a second authentication factor (2FA) which, combined with the previously verified identity, forms solid evidence. In the event of dispute before the administrative court or contract judge, the time-stamped audit log (timestamp, masked telephone number, IP address, document hash) constitutes admissible evidence.

For further information on the fundamentals, the complete guide to electronic signature explains the different levels of signature and their legal implications under French and European law.

The technical components of an SMS validation page

OTP architecture and SMS channel

An SMS code validation page is based on three interdependent components:

1. OTP Generator (One-Time Password): a TOTP algorithm (Time-based OTP, RFC 6238) or HOTP (HMAC-based OTP, RFC 4226) generates a 6-digit code, typically valid for between 5 and 10 minutes.
2. SMS Gateway: a certified operator (e.g. Twilio, OVHcloud SMS, Brevo) routes the code to the bidder's telephone number, registered during the invitation or registration phase.
3. Secure input interface: the web page displayed to the bidder must comply with WCAG 2.1 requirements (accessibility), clearly display code expiration and offer a limited resend mechanism (anti-abuse, maximum 3 attempts).

From a security standpoint, the telephone number must be validated upstream (verification during onboarding) and stored in encrypted form in the database, in accordance with GDPR requirements (Article 32 on processing security).

Integration into the Certyneo signature workflow

On the Certyneo platform, adding an SMS validation page is done directly from the configuration interface of a signature journey. Here are the steps:

Step 1 — Create or import the response document Upload your technical memorandum, deed of commitment or any other component part of the offer. Certyneo's AI-powered contract generator also allows you to pre-fill certain standard documents.

Step 2 — Configure signatories Enter the name, forename, email address and mobile telephone number (E.164 format, e.g. +33 6 XX XX XX XX) of each person authorised to sign the offer. This field is mandatory to activate SMS validation.

Step 3 — Activate OTP SMS authentication In the "Journey Security" menu, check the option "SMS code validation". You can configure:

• the validity period of the code (recommended: 5 minutes);
• the maximum number of attempts (recommended: 3);
• the personalised message sent to the signatory (mention of the tender, reference to the procurement).

Step 4 — Customise the validation page The Certyneo interface offers a "no-code" page editor allowing you to add your organisation's logo, the procurement title and clear instructions for the bidder. This customisation builds trust and reduces journey abandonment.

Step 5 — Test the journey in sandbox mode Before actual sending, use Certyneo's test mode to simulate SMS receipt and code entry. Verify that the audit log captures: timestamp, SHA-256 hash of the document, masked telephone number and IP address of the user's terminal.

Best practices for optimal configuration

Anticipating operational constraints on the bidder

In the context of a tender, the bidder may be an individual or the legal representative of an SME, a temporary grouping of enterprises (TGE) or a large group. Several operational constraints must be anticipated:

• Telephone number unavailability: if the designated signatory is travelling internationally, the SMS may not arrive in time. Plan for a signature delegation option with prior notification.
• Rotation of responsibilities: in large organisations, the chief executive signatory may change between sending the invitation and the submission deadline. The "telephone number" field must be modifiable by the account administrator up to 24 hours before the deadline.
• Accessibility: some users with disabilities may experience difficulties entering a temporary code. Offer a voice alternative (automated call reading the code) if your infrastructure permits.

Archiving and compliant audit trail

The SMS validation page is only one link in the chain of evidence. For the entire file to be enforceable, archiving must comply with ETSI EN 319 132 (XAdES) or ETSI EN 319 122 (CAdES) standard depending on the signature format selected. Certyneo automatically generates a signature report in PDF/A format including:

• the list of signatories with their authentication level;
• certified timestamps (RFC 3161);
• the complete SMS event log (sending, receipt confirmed, correct or incorrect entry).

This report must be kept for the entire validity period of the contract, and even beyond in case of litigation. For public procurement, the Code of Public Procurement (Articles L. 2194-1 et seq.) provides for retention periods of up to 10 years. Pricing and long-term archiving options are detailed on the Certyneo pricing page.

Integration with dematerialisation platforms (buyer profiles)

When the tender response goes through a third-party platform (AWS Marchés, e-Attestations, Achat Public, Klekoon, etc.), Certyneo can be used upstream to sign and validate internally the documents constituting the offer before submission to the buyer profile. The signed file (in XAdES or PAdES format) is then uploaded to the platform, accompanied by the Certyneo signature report as authentication justification.

If your organisation is already using a competing solution, the migration to Certyneo page explains how to transfer your existing journeys without loss of data or service interruption.

Security, GDPR and telephone data management

Processing personal data of the telephone number

The mobile telephone number is personal data within the meaning of Article 4 of the GDPR. Its use in the context of OTP validation requires:

• a clearly identified legal basis: performance of a contract (Article 6.1.b GDPR) or legitimate interest (Article 6.1.f GDPR) depending on the relationship between the tender issuer and the bidder;
• prior information to the bidder on the use of their number (mention in the terms and conditions or in the invitation email);
• a limited retention period: the number must not be retained beyond the end of the signature journey, except where justified by legal archiving requirements.

Legal teams and data protection officers will find additional resources in our electronic signature glossary, which references key GDPR definitions applied to signature workflows.

Attack resistance and anti-fraud

SMS validation is vulnerable to certain attack vectors (SIM swapping, SS7 interception). For high-stakes markets (amounts > €500,000 excluding VAT), Certyneo recommends combining SMS OTP with:

• upstream identity verification (KYC documentary or IDnow);
• a qualified timestamp provided by an eIDAS-accredited trust service provider (TSP);
• real-time alerting in case of telephone number change within 48 hours before signing.

These additional measures elevate the signature to the qualified eIDAS level, the highest recognised by the European regulation, and provide maximum assurance for sensitive or classified public markets.

Legal framework applicable to SMS validation in tender procedures

eIDAS Regulation No. 910/2014 and its signature levels

Regulation (EU) No. 910/2014 of the European Parliament and of the Council (eIDAS) forms the regulatory foundation for electronic signature in Europe. It distinguishes three levels:

• Simple electronic signature (Article 3.10): data in electronic form attached to or associated with other data, used by the signatory to sign. Limited legal value for public tenders.
• Advanced electronic signature (Article 3.11): meets the requirements of Article 26 eIDAS, including the uniqueness of the link with the signatory and the detectability of any alteration. SMS OTP validation, combined with prior identification, enables this level to be achieved.
• Qualified electronic signature (Article 3.12): created using a qualified signature creation device, based on a qualified certificate issued by an accredited TSP. Only level having legal effect equivalent to handwritten signature in all Member States (Article 25.2 eIDAS).

French Civil Code — Articles 1366 and 1367

Article 1366 of the Civil Code states that "electronic writing has the same probative force as writing on paper, provided that the person from whom it emanates can be duly identified and that it is established and kept in conditions designed to guarantee its integrity". Article 1367 specifies that "electronic signature consists of the use of a reliable identification procedure guaranteeing its link with the act to which it attaches".

SMS OTP directly contributes to satisfying the reliable identification condition set out in Article 1367, by creating a link between the registered telephone number and the signed deed.

Code of Public Procurement

Articles R. 2132-7 et seq. of the Code of Public Procurement require that offers transmitted electronically be signed by an electronic signature at least advanced, based on a qualified certificate. SMS validation forms part of the mechanism enabling this level to be achieved, provided that the entire signature journey is documented and archived.

GDPR No. 2016/679 — Protection of telephone data

Article 32 of the GDPR requires appropriate technical and organisational measures to ensure the security of processed data, including encryption and pseudonymisation. The telephone number used for SMS OTP must be encrypted at rest and in transit (TLS 1.3 minimum). Article 5.1.e requires retention limitation: the number may only be retained for the time strictly necessary for the processing purpose.

Applicable ETSI standards

• ETSI EN 319 132 (XAdES): advanced XML signature format, recommended for public procurement documents in XML format.
• ETSI EN 319 122 (CAdES): advanced CMS signature format, suitable for binary files (PDF, ZIP).
• ETSI EN 319 102-1: procedures for creation and validation of electronic signatures, incorporating qualified timestamping RFC 3161.

Non-compliance with these standards exposes the issuer or bidder to the risk of offer rejection for formal irregularity, or to unenforceability of the signature in case of contractual dispute.

Concrete use scenarios

Scenario 1 — An engineering firm responding to a project management market

An engineering firm specialising in infrastructure, with about thirty engineers and managing on average 15 to 20 tender responses per year, must sign several constituent parts of an offer: deed of commitment, technical memorandum, certificates of tax and social compliance. Before implementing SMS validation, the procedure was based on an exchange of manually signed PDFs, scanned and retransmitted by email, which generated average delays of 48 to 72 hours per file.

By configuring a Certyneo journey with OTP SMS validation for each internal signatory (technical director, manager), the firm reduced this delay to less than 2 hours. The automatically generated signature report is attached to the file deposited on the buyer profile, meeting the requirements for advanced signature. Sector studies on B2B dematerialisation estimate 60-70% reduction in administrative processing time when moving to electronic signature with strong authentication.

Scenario 2 — A temporary grouping of enterprises (TGE) on a works market

As part of a public works procurement (earth works lot + structural works lot), two companies form a joint TGE. Each partner must sign the deed of commitment on behalf of its company. The two companies are located in different towns, and the tender submission deadline is at 12:00 noon.

Thanks to Certyneo's parallel signatures functionality, both signatories simultaneously receive an invitation link by email. Each accesses their validation page, enters their OTP code received by SMS in less than a minute, and apposes their advanced electronic signature. The TGE coordinator receives immediate notification of completion and can upload the finalised file before the deadline. This scenario illustrates how SMS validation eliminates the risk of delays due to multi-site coordination, a problem that accounts for approximately 30% of late submissions in joint tender responses according to some studies.

Scenario 3 — A local authority issuing the tender

A medium-sized local authority (between 50,000 and 200,000 inhabitants) wishing not to respond to a tender but to issue one can also rely on SMS validation to secure internal signature of procurement documents (Special Conditions, Technical Specifications, General Conditions). Before publishing the procurement on the buyer profile, the director of technical services and the elected official responsible for procurement must co-sign the constituent documents.

By deploying an internal Certyneo journey with OTP SMS validation for each institutional signatory, the authority creates a traceable record of prior administrative validation. This traceability is particularly useful during legality checks exercised by the prefecture or in the event of an audit by the regional chamber of accounts. Reducing the legal risk associated with non-authenticated signature represents a major compliance issue for public buyers, in regard to the requirements of Ordinance No. 2015-899 codified in the Code of Public Procurement.

Conclusion

Integrating an SMS code validation page into your tender response is not merely a technical formality: it is a legal guarantee, documented proof of consent and a regulatory compliance tool within the meaning of eIDAS regulation and the Code of Public Procurement. By authenticating each signatory via a time-stamped SMS OTP, you achieve the level of advanced electronic signature required by the vast majority of public buyers, whilst drastically reducing internal delays and risks of rejection for formal irregularity.

Certyneo allows you to configure this journey in just a few minutes, with no IT development required, with an audit log compliant with ETSI standards and archived according to legal obligations. Whether you are a single bidder, member of a TGE or public buyer, the solution adapts to your context.

Ready to secure your next tender responses? Create your Certyneo account for free and configure your first SMS validation journey today.