SMS Validation Page for Tender Response

When a company responds to a public or private tender offer, the question of the legal value of the submitted file is central. A document signed electronically without a strong authentication mechanism can be challenged in court or rejected by the public buyer. This is precisely where the SMS validation page with code comes in: this authentication step via one-time password (OTP) strengthens proof of the bidder's consent, complies with eIDAS regulation requirements, and ensures complete traceability of the signature process. In this article, we detail why and how to implement this system in your tender response workflow, covering technical prerequisites, step-by-step configuration, and best practices to follow.

Why integrate SMS code validation in your tender response

Evidentiary value at the heart of public procurement

The French public procurement framework requires that offers submitted electronically meet the requirements set by Decree No. 2016-360 of March 25, 2016 on public procurement. Since October 1, 2018, any procurement with an estimated value exceeding €40,000 excluding VAT requires mandatory dematerialization via an approved submission platform (buyer profile). In this context, electronic signature combined with an SMS OTP mechanism constitutes an advanced electronic signature under the eIDAS regulation, meaning:

• linked to the signatory in a unique manner;
• enabling identification of the signatory;
• created using data that the signatory can use under their exclusive control;
• linked to the signed data in such a way as to enable detection of any subsequent modification.

Without this level of authentication, a simple signature (click or checkbox) may be insufficient to legally bind the bidder, particularly when the buyer requires an advanced or qualified signature for certain sensitive lots.

Reduce risks of challenge and irregularity

A tender response file may be declared irregular if the contracting authority determines that the signatory's identity is not sufficiently established. Adding an SMS validation page creates a second authentication factor (2FA) which, combined with previously verified identity, forms solid proof. In case of dispute before the administrative court or contract judge, the time-stamped audit log (timestamp, masked phone number, IP address, document hash) constitutes admissible evidence.

For more details on fundamentals, the complete guide to electronic signature explains the different signature levels and their legal implications under French and European law.

Technical components of an SMS validation page

OTP architecture and SMS channel

An SMS validation page relies on three interdependent components:

1. OTP Generator (One-Time Password): a TOTP (Time-based OTP, RFC 6238) or HOTP (HMAC-based OTP, RFC 4226) algorithm generates a 6-digit code, typically valid for 5 to 10 minutes.
2. SMS Gateway: a certified operator (e.g., Twilio, OVHcloud SMS, Brevo) routes the code to the bidder's phone number, registered during the invitation or sign-up phase.
3. Secure input interface: the web page displayed to the bidder must comply with WCAG 2.1 requirements (accessibility), clearly display code expiration, and offer a limited resend mechanism (anti-abuse, maximum 3 attempts).

From a security perspective, the phone number must be validated beforehand (verification during onboarding) and stored encrypted in the database, in compliance with GDPR requirements (art. 32 on processing security).

Integration into the Certyneo signature workflow

On the Certyneo platform, adding an SMS validation page is done directly from the signature process configuration interface. Here are the steps:

Step 1 — Create or import the response document Upload your technical memorandum, deed of commitment, or any other constitutive element of the offer. Certyneo's AI-powered contract generator also allows you to pre-fill certain standard documents.

Step 2 — Configure signatories Enter the name, first name, email address, and mobile phone number (E.164 format, e.g., +33 6 XX XX XX XX) of each person authorized to sign the offer. This field is mandatory to activate SMS validation.

Step 3 — Enable SMS OTP authentication In the "Process Security" menu, check the "SMS Code Validation" option. You can configure:

• code validity duration (recommended: 5 minutes);
• maximum number of attempts (recommended: 3);
• personalized message sent to the signatory (mention of the call for tenders, consultation reference).

Step 4 — Customize the validation page The Certyneo interface offers a "no-code" page editor allowing you to add your organization's logo, the consultation title, and clear instructions for the bidder. This customization builds confidence and reduces process abandonment.

Step 5 — Test the process in sandbox mode Before actual deployment, use Certyneo's test mode to simulate SMS receipt and code entry. Verify that the audit log captures: timestamp, SHA-256 hash of the document, masked phone number, and IP address of the user's terminal.

Best practices for optimal configuration

Anticipate operational constraints of the bidder

In the context of a tender, the bidder may be an individual or the legal representative of an SME, a temporary business grouping (TBG), or a large corporation. Several operational constraints must be anticipated:

• Phone number unavailability: if the designated signatory is traveling internationally, the SMS may not arrive in time. Provide a signature delegation option with advance notification.
• Staff rotation: in large organizations, the signatory CEO may change between the invitation and the submission deadline. The "phone number" field must be modifiable by the account administrator up to 24 hours before the deadline.
• Accessibility: some users with disabilities may encounter difficulties entering a temporary code. Offer a voice alternative (automatic call reading the code) if your infrastructure permits.

Archiving and compliant audit trail

The SMS validation page is only one link in the proof mechanism. For the entire file to be enforceable, archiving must comply with ETSI EN 319 132 (XAdES) or ETSI EN 319 122 (CAdES) standard depending on the signature format chosen. Certyneo automatically generates a signature report in PDF/A including:

• list of signatories with their authentication level;
• certified timestamps (RFC 3161);
• complete journal of SMS events (sending, confirmed receipt, correct or incorrect entry).

This report must be preserved throughout the market's validity period, or longer in case of dispute. For public procurement, the French Public Procurement Code (art. L. 2194-1 et seq.) provides retention periods that can extend up to 10 years. Pricing and long-term archiving options are detailed on the Certyneo pricing page.

Integration with dematerialization platforms (buyer profiles)

When the tender response goes through a third-party platform (AWS Marchés, e-Attestations, Achat Public, Klekoon, etc.), Certyneo can be used beforehand to have the offer's constitutive documents signed and validated internally before submission to the buyer profile. The signed file (in XAdES or PAdES format) is then uploaded to the platform, accompanied by the Certyneo signature report as proof of authentication.

If your organization already uses a competing solution, the migration to Certyneo page explains how to transfer your existing processes without data loss or service interruption.

Security, GDPR, and telephony data management

Processing personal data of the phone number

A mobile phone number is personal data within the meaning of Article 4 of the GDPR. Its use in OTP validation requires:

• a clearly identified legal basis: contract performance (art. 6.1.b GDPR) or legitimate interest (art. 6.1.f GDPR) depending on the relationship between the tender issuer and the bidder;
• prior information to the bidder on use of their number (mention in the terms and conditions or invitation email);
• limited retention duration: the number must not be kept beyond the end of the signature process, except for justified legal archiving.

Legal and DPO teams will find additional resources in our electronic signature glossary, which references key definitions from GDPR applied to signature workflows.

Resistance to attacks and fraud prevention

SMS validation is vulnerable to certain attack vectors (SIM swapping, SS7 interception). For high-stakes markets (amounts > €500,000 excluding VAT), Certyneo recommends combining SMS OTP with:

• upstream identity verification (documentary KYC or IDnow);
• qualified timestamp provided by an eIDAS-accredited Trust Service Provider (TSP);
• real-time alert in case of phone number change within 48 hours preceding signature.

These additional measures elevate the signature to the qualified eIDAS level, the highest recognized by European regulation, and provide maximum assurance for sensitive or classified public markets.

Legal framework applicable to SMS validation in tenders

eIDAS Regulation No. 910/2014 and its signature levels

Regulation (EU) No. 910/2014 of the European Parliament and of the Council (eIDAS) forms the regulatory foundation for electronic signature in Europe. It distinguishes three levels:

• Simple electronic signature (art. 3.10): data in electronic form attached to or associated with other data, used by the signatory to sign. Limited legal value for public tenders.
• Advanced electronic signature (art. 3.11): meets the requirements of art. 26 eIDAS, including unique link with signatory and detectability of any alteration. SMS OTP validation combined with prior identification allows this level to be achieved.
• Qualified electronic signature (art. 3.12): created using a qualified signature creation device, based on a qualified certificate issued by an accredited TSP. Only level having legal effect equivalent to handwritten signature in all Member States (art. 25.2 eIDAS).

French Civil Code — Articles 1366 and 1367

Article 1366 of the Civil Code states that "electronic writing has the same evidentiary force as writing on paper, provided that the person from whom it comes can be duly identified and that it is established and kept under conditions that guarantee its integrity." Article 1367 specifies that "electronic signature consists of the use of a reliable identification process guaranteeing its link with the act to which it attaches."

SMS OTP directly contributes to satisfying the reliable identification condition set by Article 1367, by creating a link between the registered phone number and the signed act.

French Public Procurement Code

Articles R. 2132-7 et seq. of the Public Procurement Code require that offers submitted electronically be signed with at least an advanced electronic signature based on a qualified certificate. SMS validation is part of the mechanism enabling this level to be achieved, provided that the entire signature process is documented and archived.

GDPR No. 2016/679 — Protection of telephony data

Article 32 of the GDPR requires appropriate technical and organizational measures to ensure data security, including encryption and pseudonymization. The phone number used for SMS OTP must be encrypted at rest and in transit (TLS 1.3 minimum). Article 5.1.e imposes retention limitation: the number can only be kept for as long as strictly necessary for the processing purpose.

Applicable ETSI standards

• ETSI EN 319 132 (XAdES): advanced XML signature format, recommended for public procurement documents in XML format.
• ETSI EN 319 122 (CAdES): advanced CMS signature format, suitable for binary files (PDF, ZIP).
• ETSI EN 319 102-1: procedures for creation and validation of electronic signatures, integrating qualified timestamp RFC 3161.

Non-compliance with these standards exposes the issuer or bidder to a risk of offer rejection for formal irregularity, or signature unenforceability in case of contractual dispute.

Concrete use scenarios

Scenario 1 — An engineering firm responding to a design services market

An engineering firm specializing in infrastructure, with approximately thirty engineers and managing an average of 15 to 20 tender responses per year, must sign several constitutive documents of an offer: deed of commitment, technical memorandum, tax and social regularization certificates. Before implementing SMS validation, the procedure relied on exchanging manually signed PDFs, scanned and resent by email, which generated average delays of 48 to 72 hours per file.

By configuring a Certyneo process with SMS OTP validation for each internal signatory (technical director, manager), the firm reduced this delay to less than 2 hours. The automatically generated signature report is attached to the file submitted on the buyer profile, satisfying advanced signature requirements. Sectoral studies on B2B dematerialization estimate 60-70% reduction in administrative processing time when transitioning to electronic signature with strong authentication.

Scenario 2 — A temporary business grouping (TBG) on a works market

In a public procurement works market (earthworks lot + structural work lot), two companies form a joint TBG. Each principal must sign the deed of commitment on behalf of its company. The two companies are located in different cities, and the tender deadline is 12:00 noon.

Thanks to Certyneo's parallel signatures functionality, both signatories simultaneously receive an invitation link by email. Each accesses their validation page, enters their OTP code received by SMS in less than a minute, and affixes their advanced electronic signature. The TBG coordinator immediately receives a completion notification and can upload the finalized file before the deadline. This scenario illustrates how SMS validation eliminates the risk of delay related to multi-site coordination, a problem that according to certain studies accounts for approximately 30% of late submissions in grouping responses.

Scenario 3 — A local authority issuing the tender

An intermediate-sized local authority (between 50,000 and 200,000 inhabitants) wishing not to respond to a tender but to issue one can also rely on SMS validation to secure internal signature of market documents (special conditions, technical specifications, financial reference). Before the consultation goes live on the buyer profile, the director of technical services and the elected official responsible for procurement must co-sign the constitutive documents.

By deploying an internal Certyneo process with SMS OTP validation for each institutional signatory, the authority creates a traceable record of prior administrative validation. This traceability is particularly useful during lawfulness controls exercised by the regional prefect or in case of audit by the regional audit chamber. Reducing legal risk associated with non-authenticated signature represents a major compliance issue for public buyers, regarding the requirements of Ordinance No. 2015-899 codified in the Public Procurement Code.

Conclusion

Integrating an SMS code validation page into your tender response is not merely a technical formality: it is a legal guarantee, documented proof of consent, and a regulatory compliance tool under the eIDAS regulation and the Public Procurement Code. By authenticating each signatory via a time-stamped SMS OTP, you achieve the advanced electronic signature level required by the vast majority of public buyers, while drastically reducing internal delays and risks of rejection for formal irregularity.

Certyneo allows you to configure this process in minutes, without IT development, with an audit log compliant with ETSI standards and archived according to legal obligations. Whether you are a sole bidder, member of a TBG, or public buyer, the solution adapts to your context.

Ready to secure your next tender responses? Create your Certyneo account for free and configure your first SMS validation process today.