SMS Validation Page for Responding to Tender Offers

When a company responds to a public or private tender offer, the question of the legal value of the transmitted file is central. A document signed electronically without strong authentication mechanism can be contested in court or rejected by the public buyer. This is precisely where the SMS validation page with code comes in: this authentication step using a one-time password (OTP) strengthens the proof of consent from the bidder, satisfies the requirements of the eIDAS regulation and guarantees full traceability of the signature journey. In this article, we detail why and how to implement this mechanism in your tender offer response workflow, covering technical prerequisites, step-by-step configuration and best practices to follow.

Why integrate SMS code validation in your tender offer response

Evidentiary value at the heart of public procurement

The framework of French public procurement requires that offers transmitted electronically satisfy the requirements set out in Decree No. 2016-360 of 25 March 2016 relating to public procurement. Since 1 October 2018, any call for competition with an estimated value exceeding 40,000 € excluding VAT requires mandatory dematerialisation via an approved procurement platform (buyer profile). In this context, electronic signature combined with an SMS OTP mechanism constitutes an advanced electronic signature within the meaning of the eIDAS regulation, that is:

• linked to the signatory in a unique manner;
• allowing the signatory to be identified;
• created using data which the signatory can use under their exclusive control;
• linked to the signed data in such a way as to allow detection of any subsequent modification.

Without this level of authentication, a simple signature (click or checkbox) may be insufficient to legally bind the bidder, particularly where the buyer requires an advanced or qualified signature for certain sensitive lots.

Reduce risks of challenge and irregularity

A tender offer response file may be declared irregular if the contracting authority considers that the identity of the signatory is not sufficiently established. The addition of an SMS validation page creates a second authentication factor (2FA) which, combined with previously verified identity, forms solid proof. In case of dispute before the administrative court or contract judge, the timestamped audit log (timestamp, masked telephone number, IP address, document hash) constitutes admissible evidence.

For further information on the fundamentals, the complete guide to electronic signature explains the different levels of signature and their legal implications under French and European law.

Technical components of an SMS validation page

OTP architecture and SMS channel

An SMS validation page is based on three interdependent components:

1. OTP (One-Time Password) generator: a TOTP (Time-based OTP, RFC 6238) or HOTP (HMAC-based OTP, RFC 4226) algorithm generates a 6-digit code, generally valid between 5 and 10 minutes.
2. SMS gateway: a certified operator (e.g. Twilio, OVHcloud SMS, Brevo) routes the code to the bidder's telephone number, registered during the invitation or registration phase.
3. Secure input interface: the web page displayed to the bidder must comply with WCAG 2.1 requirements (accessibility), clearly display code expiration and propose a limited resend mechanism (anti-abuse, maximum 3 attempts).

From a security perspective, the telephone number must be validated beforehand (verification during onboarding) and stored encrypted in the database, in compliance with GDPR requirements (Article 32 on processing security).

Integration into the Certyneo signature workflow

In the Certyneo platform, adding an SMS validation page is done directly from the signature journey configuration interface. Here are the steps:

Step 1 — Create or import the response document Upload your technical memorandum, your deed of engagement or any other constituent part of your offer. Certyneo's AI-powered contract generator also allows you to pre-fill certain standard documents.

Step 2 — Configure signatories Enter the name, first name, email address and mobile phone number (E.164 format, e.g. +33 6 XX XX XX XX) of each person authorised to sign the offer. This field is mandatory to enable SMS validation.

Step 3 — Enable SMS OTP authentication In the "Journey Security" menu, tick the "SMS code validation" option. You can configure:

• the code validity period (recommended: 5 minutes);
• the maximum number of attempts (recommended: 3);
• the personalised message sent to the signatory (mention of the tender, reference of the call for competition).

Step 4 — Customise the validation page The Certyneo interface offers a "no-code" page editor allowing you to add your organisation's logo, the title of the call for competition and clear instructions for the bidder. This customisation builds trust and reduces journey abandonment.

Step 5 — Test the journey in sandbox mode Before actual sending, use Certyneo's test mode to simulate SMS receipt and code entry. Verify that the audit log correctly captures: timestamp, SHA-256 hash of the document, masked telephone number and user terminal IP address.

Best practices for optimal configuration

Anticipate operational constraints of the bidder

In a tender offer context, the bidder may be an individual or the legal representative of a SME, a temporary joint venture (TJV) or a large group. Several operational constraints must be anticipated:

• Telephone number unavailability: if the designated signatory is travelling internationally, the SMS may not arrive in time. Provide a signature delegation option with prior notification.
• Staff rotation: in large organisations, the CEO signatory may change between sending the invitation and the submission deadline. The "telephone number" field must be modifiable by the account administrator up to 24 hours before the deadline.
• Accessibility: some users with disabilities may encounter difficulties entering a temporary code. Propose a voice alternative (automatic call to read the code) if your infrastructure allows.

Archiving and compliant audit trail

The SMS validation page is only one part of the evidence mechanism. For the entire file to be enforceable, archiving must comply with standard ETSI EN 319 132 (XAdES) or ETSI EN 319 122 (CAdES) depending on the signature format chosen. Certyneo automatically generates a signature report in PDF/A format including:

• the list of signatories with their authentication level;
• certified timestamps (RFC 3161);
• the complete SMS event log (sending, receipt confirmed, correct or incorrect entry).

This report must be kept for the entire validity period of the contract, or beyond in case of dispute. For public procurement, the Public Procurement Code (Articles L. 2194-1 onwards) provides for retention periods of up to 10 years. Pricing and long-term archiving options are detailed on the Certyneo pricing page.

Integration with dematerialisation platforms (buyer profiles)

When the tender offer response goes through a third-party platform (AWS Marchés, e-Attestations, Achat Public, Klekoon, etc.), Certyneo can be used upstream to have the constituent documents of the offer signed and validated internally before their submission to the buyer profile. The signed file (in XAdES or PAdES format) is then uploaded to the platform, accompanied by the Certyneo signature report as proof of authentication.

If your organisation already uses a competing solution, the migration to Certyneo page explains how to transfer your existing journeys without data loss or service interruption.

Security, GDPR and telephone data management

Processing personal data of the telephone number

The mobile telephone number is personal data within the meaning of Article 4 of the GDPR. Its use in the context of OTP validation requires:

• a clearly identified legal basis: contract performance (Article 6.1.b GDPR) or legitimate interest (Article 6.1.f GDPR) depending on the relationship between the call for competition issuer and the bidder;
• prior notification to the bidder on the use of their number (mention in the T&Cs or invitation email);
• limited retention period: the number must not be retained beyond the end of the signature journey, unless justified by legal archiving.

Legal and DPO teams will find additional resources in our glossary of electronic signature, which references key definitions of the GDPR as applied to signature workflows.

Resistance to attacks and anti-fraud

SMS validation is vulnerable to certain attack vectors (SIM swapping, SS7 interception). For high-value markets (amounts > 500,000 € excluding VAT), Certyneo recommends combining SMS OTP with:

• upstream identity verification (documentary KYC or IDnow);
• qualified timestamp provided by an eIDAS-accredited trust service provider (TSP);
• real-time alert in case of telephone number change in the 48 hours preceding signature.

These additional measures shift the signature to the qualified eIDAS level, the highest recognised by the European regulation, and provide maximum assurance for sensitive or classified public procurement.

Legal framework applicable to SMS validation in tender offers

eIDAS Regulation No. 910/2014 and its signature levels

Regulation (EU) No. 910/2014 of the European Parliament and of the Council (eIDAS) forms the regulatory basis for electronic signature in Europe. It distinguishes three levels:

• Simple electronic signature (Article 3.10): data in electronic form attached to or associated with other data, used by the signatory to sign. Limited legal value for public tender offers.
• Advanced electronic signature (Article 3.11): satisfies the requirements of Article 26 eIDAS, including the uniqueness of the link with the signatory and the detectability of any alteration. SMS OTP validation, combined with prior identification, allows this level to be achieved.
• Qualified electronic signature (Article 3.12): created using a qualified signature creation device, based on a qualified certificate issued by an accredited TSP. Only level having legal effect equivalent to handwritten signature in all Member States (Article 25.2 eIDAS).

French Civil Code — Articles 1366 and 1367

Article 1366 of the Civil Code states that "electronic writing has the same probative force as writing on paper, provided that the person from whom it emanates can be duly identified and that it is established and kept in conditions such as to guarantee its integrity". Article 1367 clarifies that "electronic signature consists in the use of a reliable identification process guaranteeing its link with the document to which it is attached".

SMS OTP directly contributes to meeting the reliable identification condition set out in Article 1367, by creating a link between the registered telephone number and the signed document.

Public Procurement Code

Articles R. 2132-7 et seq. of the Public Procurement Code require that offers transmitted electronically be signed with an electronic signature at least advanced based on a qualified certificate. SMS validation is part of the mechanism for achieving this level, provided that the entire signature journey is documented and archived.

GDPR No. 2016/679 — Protection of telephone data

Article 32 of the GDPR requires appropriate technical and organisational measures to ensure the security of processed data, including encryption and pseudonymisation. The telephone number used for SMS OTP must be encrypted at rest and in transit (TLS 1.3 minimum). Article 5.1.e requires retention limitation: the number may only be retained for as long as strictly necessary for the processing purpose.

Applicable ETSI standards

• ETSI EN 319 132 (XAdES): advanced XML signature format, recommended for public procurement documents in XML format.
• ETSI EN 319 122 (CAdES): advanced CMS signature format, suitable for binary files (PDF, ZIP).
• ETSI EN 319 102-1: procedures for creating and validating electronic signatures, integrating qualified timestamping RFC 3161.

Non-compliance with these standards exposes the issuer or bidder to a risk of offer rejection for formal irregularity, or to the unenforceability of the signature in case of contractual dispute.

Concrete use scenarios

Scenario 1 — An engineering firm responding to a design contract

An engineering firm specialising in infrastructure, with some thirty engineers and managing on average 15 to 20 tender responses per year, must sign several constituent parts of an offer: deed of engagement, technical memorandum, tax and social compliance certificates. Before implementing SMS validation, the procedure relied on an exchange of manually signed PDFs, scanned and retransmitted by email, which generated average delays of 48 to 72 hours per file.

By configuring a Certyneo journey with SMS OTP validation for each internal signatory (technical director, manager), the firm reduced this delay to less than 2 hours. The automatically generated signature report is attached to the file submitted to the buyer profile, satisfying advanced signature requirements. Sector studies on B2B dematerialisation estimate a 60-70% reduction in administrative processing time when switching to electronic signature with strong authentication.

Scenario 2 — A temporary joint venture (TJV) on a works contract

In the context of a public procurement works contract (excavation lot + structural works lot), two companies form a joint venture. Each partner must sign the deed of engagement on behalf of its company. The two companies are located in different cities, and the offer submission deadline is 12:00.

Thanks to Certyneo's parallel signatures feature, both signatories simultaneously receive an invitation link by email. Each accesses their validation page, enters their OTP code received by SMS in less than a minute, and affixes their advanced electronic signature. The TJV coordinator receives an immediate completion notification and can upload the finalised file before the deadline. This scenario illustrates how SMS validation eliminates the risk of delay related to multi-site coordination, a problem that accounts for approximately 30% of late submissions in joint venture responses according to some studies.

Scenario 3 — A local authority issuing the tender

A medium-sized local authority (between 50,000 and 200,000 inhabitants) wishing not to respond to a tender but to issue one can also rely on SMS validation to secure the internal signature of procurement documents (CCAP, CCTP, RC). Before publishing the call on the buyer profile, the director of technical services and the elected official responsible for procurement must co-sign the constituent documents.

By deploying an internal Certyneo journey with SMS OTP validation for each institutional signatory, the authority creates a verifiable trace of prior administrative validation. This traceability is particularly useful during legality controls exercised by the prefecture or in case of audit by the regional court of accounts. Reducing the legal risk associated with non-authenticated signature represents a major compliance issue for public buyers, given the requirements of Ordinance No. 2015-899 codified in the Public Procurement Code.

Conclusion

Integrating an SMS validation page with code into your tender offer response is not merely a technical formality: it is a legal guarantee, documented proof of consent and a regulatory compliance tool within the meaning of the eIDAS regulation and the Public Procurement Code. By authenticating each signatory via a timestamped SMS OTP, you achieve the level of advanced electronic signature required by the vast majority of public buyers, while drastically reducing internal delays and the risk of rejection for formal irregularity.

Certyneo allows you to configure this journey in just a few minutes, with no IT development required, with an audit log compliant with ETSI standards and archived according to legal obligations. Whether you are a sole bidder, member of a TJV or public buyer, the solution adapts to your context.

Ready to secure your next tender offer responses? Create your Certyneo account for free and configure your first SMS validation journey today.