Signature Audit Trail: What Is It For?

What is an audit trail

The audit trail (or proof log) is the timestamped record of all actions performed on an electronic signature document: sending, opening, OTP entry, signing, refusal, expiration.

It is the equivalent of a digital "logbook", which constitutes the main evidence that can be relied upon in case of dispute.

Typical content

Each recorded event includes:

• precise date and time (generally qualified timestamping)

• action (sending, opening, OTP sent, OTP entered, signing, refusal)

• actor (signatory, system)

• IP address of the signatory

• user-agent (browser and OS used)

• metadata (document size, hash, etc.)

The audit trail before the court

French courts recognise the audit trail as a determining factor in case of dispute, provided that it is:

• produced by an eIDAS-compliant platform

• complete and consistent

• timestamped by a trusted third party

• retained according to legal periods

The combination of audit trail + PDF signed with cryptographic hash makes good faith contestation extremely difficult.

Where to find the audit trail

Two typical locations:

• Embedded in the PDF: often on the last page, summary visible

• Accessible via the platform: detailed audit trail that can be exported

Some platforms provide a public verification link allowing anyone to view the audit trail without an account.

Practical use

In internal audit

• verify signature compliance

• check date consistency

• identify anomalies (unusual IP, suspicious times)

In disputes

• produce the audit trail as evidence before the court

• refute a signature contestation

• establish a precise chronology

In regulatory inspection

• URSSAF, labour inspectorate, CNIL

• export of audit trail for relevant contracts

Best practices

• Retain the audit trail for the entire legal duration of the document

• Export regularly to avoid platform dependency

• Never modify the audit trail manually (invalidates the evidence)

• Train your legal teams in the use of the audit trail

Common mistakes

• Keeping only the PDF, not the audit trail

• Storing the audit trail in a non-exportable proprietary format

• Forgetting to include qualified timestamping

• Failing to anonymise audit trails when transmitting them to third parties

Concrete case: signature contestation

A dismissed employee contests having signed their non-compete agreement. The employer produces the audit trail:

• precise date: 15 March 2024, 14:32

• IP: consistent with home address

• OTP SMS entered on the employee's phone (number in their file)

• PDF hash unchanged since

The employment tribunal rejects the contestation — audit trail decisive.

How Certyneo helps you

Certyneo automatically generates a complete audit trail for each signed envelope. Exportable in PDF or JSON, integrated into the final PDF, retained for 10 years, and available via public verification link for third parties.

Discover the Certyneo electronic signature solution

FAQ

Is the audit trail admissible in court?

Yes, provided it is produced by an eIDAS-compliant platform.

Can I modify the audit trail?

No, any modification makes it invalid.

How long should I retain it?

At least as long as the signed document (10 years for commercial contracts).

Does the audit trail reveal personal data?

Yes (IP, user-agent, times). Protect its access according to GDPR.

Can it be shared with a third party?

Yes, via a verification link or PDF export.

Conclusion

The audit trail is the legal key to electronic signature. Keep it carefully, and you will have a strong position against any contestation.

Try Certyneo to send, sign and track your documents online simply, quickly and securely.