esignatures Request for information - Signority # Legal Items Questions Responses

Transcription

1 Vendor Questions 1. Legal Compliance Questionnaire This section corresponds to legal requirements as outlined in the CSIO esignatures Advisory Report prepared by Fasken Martineau LLP. # Legal Items Questions Responses 1. Signing Ceremony 1.1 Describe your solution s signing Signority is the world s only e-signature solution offering public key ceremony (how does the signing process work, including authentication, signing the document, and delivery of the document). infrastructure (PKI) security in an easy-to-use SaaS format. Our technology was developed in collaboration with the University of Ottawa s Dr. Carlisle Adams, a recognized world expert in cryptography, and former senior cryptographer at Entrust. Signority offers a platform for electronic signature management and secure storage of digitally signed documents. Signority offers three different signing methods: 1. A registered sender can create a one-time use document for signing by entering recipients names and addresses, uploading the document, creating various tags (texts, radio buttons, check boxes, signatures, initials, and dates), which are assigned to different signers, and sending out for signatures; 2. A registered sender can create a regular template that can be used repeatedly. Whenever the template needs to be sent out for signature, the user needs to duplicate the template and make it a document; 3. A registered sender can create a template link for public distribution. An open link is generated after publishing. For each of the above signing method, a flexible signing sequence can be determined by senders. The signing sequence can be parallel, sequential, or a combination of both. Signers receive notifications in the order assigned by the senders.

2 Following any given signing sequence, there may be a request for digital signatures. If this request is in place, the document will be redistributed amongst all of its signers and/or viewers. Each will be prompted to digitally sign the document. In order to sign, signers will require a signing key pair. This requires extra steps of authentication, which include retrieving passcode tokens sent through multiple channels of communication. Once a signer s signing key is verified, they may then append their digital signature. Adding a digital signature using a public key infrastructure does not interfere in the signing flow, it adds to it. For document and regular template signing, signers will receive a notification sent by Signority with a link embedded to access the document. For template link signing, signers can access the document by clicking the link distributed by senders via and/or website post. For document and regular template signing, only signers/viewers authorized by senders have access to the document. Senders also have the options of activating and/or SMS passcode authentication to further enhance the document security. Signority offers optional and award winning Entrust IdentityGuard integration with our service to offer a wide range of single and multi-factor authentication methods. See: When the signing is completed, each party will receive a notification with the finalized document attached. A complete document certificate is included in the document with detailed information (name, address, IP address, time) and the actions of each signer/viewer. During the life cycle of the document, all the actions and modifications are logged. The document senders can also check the real-time status updates in Signority system. 2. Consent 2.1 How does the solution prove that People including signers and viewers who are granted access must

3 consent to use electronic means for both signatures and ongoing delivery of information was provided by the user? How does the user indicate acceptance (i.e., click a button, provide a signature, etc.) 3. In Writing 3.1 How does your solution provide access to documents? accept the legal terms by ticking off the check box for consent before proceeding to the next step. This is recorded in the service and can be audited if required. A sender must register an account with a proper address and a password. A confirmation is sent to an that the user specified. The user must confirm the registration by clicking on confirm the link before the account is activated; A signer or a viewer must accept the legal terms by ticking off the check box and click I accept button to proceed. In the case of with password protected signing, the signer or viewer must input a passcode as well. Signority is a web based e-signature solution that is accessible from computers and mobile devices through web browsers. Signority supports IE8, IE9 and above, Chrome, Firefox, and Safari. If this involves integration with a specific application, documents can be accessed through an API. 3.2 How will documents be stored? Signority offers various cloud solutions where the documents are stored: 1. Public cloud: data centre hosted in Canada; 2. Private cloud: customer specifies data centre; and 3. Customer on-premise private cloud: customer stores documents on its premise server. Documents and histories are posted back to the customer backend database. 3.3 In what form will documents be stored? Signority supports multiple formats, including PDF, various Microsoft Office formats, images, and more. The signed document is in PDF format. All tag fields (including data, signature, text) can be in defined data formats. 3.4 Are the servers located in Canada? Yes. Signority s public cloud solution uses a data centre located within Canada. We also offer private cloud solutions where customers can choose a data centre of their own. 3.5 How is access to a document A document signer/viewer receives an invitation sent from

4 determined/permitted? 3.6 When will access be granted to each contracting party and for how long? 3.7 Access to the documents if user wants to change providers/no longer uses provider? Signority. A secure link is embedded, giving the signer/viewer the access to the document. Access to a document is determined/ permitted through web browser, with or without password, but also optionally with SMS, third-party authentication solution (using open standards), or Entrust IdentityGuard product. Yes. During the contract signing process, the access will be granted as soon as the document sender sends an invitation to each contracting party. The access remains in force until the document sender removes the document from the folder or the document expires. The expiration date is determined by the document sender before he/she sends out the document. If a signing sequence is used, the access to a signer will only be granted after the previous signers in the sequence have finished signing. After signing cycle completion, the document sender establishes the amount of time that is available for other signers to access the document. Yes. Signority offers a standard of 90 days for users to gain access to their documents after they terminate the service. See Signority Terms of Service ( These terms are negotiable. 3.8 Backup/disaster recovery plans? We have implemented a high availability (HA) cluster solution across two data centres, both located within Canada. The backup servers are mirrors of the master servers. In the event that a master server fails, the IP will be automatically switched to the redundant server with minimal loss of service. With each data centre, we have implemented backup servers to handle on-site, ongoing backup requirements. 4. Original Copy 4.1 Will each contracting party (including any assignee) be able to access, retain, use, print and store a copy of the documents? Yes. Each party is granted the access to the document for the period of time the document owner defines. Each access activity is recorded in the system log and is displayed in the signature certificate document for full traceability. 4.2 How is document integrity assured? The document is in PDF format during editing and signing process. The

5 document integrity is assured by document hashing as well as our private and public key technology How does your solution prevent changes to the document content that may occur on communication, storage and display? Can the document (look/file type/content) be altered during its lifecycle? Who will have the ability to do so? In the absence of the SaaS PKI solution, SHA (Secure Hash Algorithm) hashing technology is used, placing a tamper-evident seal onto documents to ensure their integrity. During communication, the solution utilizes web-based SSL/TLS encryption. The document is in PDF format. The document sender defines tag fields that signers will complete. When signers confirm their responsible fields and submit their inputs, Signority does not allow any further changes. When a SaaS PKI solution is selected, the document certificate will be generated with a cryptographic hash to maintain the integrity. In the absence of a PKI, document integrity is still ensured. Using hashing and encryption technology, tamper-evident seals are placed on all documents. If any tamper-evident seals are broken (they are no longer verifiable using SHA-1 technology), at any point during the document s transaction lifecycle, this change is automatically detected, the document becomes invalid and the transaction ends. The document sender must then decide whether to recreate the document and related transactions, or not. Wherever the document is displayed, it has to be identical to the authoritative copy stored within Signority's secure data centres. Signority encrypts all the documents, preventing changes to the document content. No, Signority includes various mechanisms to prevent this from happening. If there is authorized modification, Signority will track previous history and modification history. Signority doesn t permit any unauthorized parties to change the document once the document invitation has been sent out to contract parties. All document activities will be logged and are fully traceable.

6 What security measures prevent unauthorized modification? Signority is designed to maintain very high document integrity through every step of signing and post signing activity: During the signing process, Signority provides two (2) role options to recipients, signer and viewer. The signer has restricted privileges. Generally, the signer is only able to fill in document sender s required tag fields. The viewer doesn t have any ability to modify a document. As soon as document is finalized, high integrity Signority workflow will ensure that no modifications can be made to a document. Signority has full traceability covering to access activities from all parties are logged in to the solution. The traceability also covers every aspect of the signature certificates. When a SaaS PKI method is utilized, the document integrity is protected finalized document key pair hashing. This is also recorded within the certificate. The signed document can be uploaded to the Signority service for integrity validation. Signority PKI solutions comply with standard X.509 Certificate standard. Without a PKI, document integrity is still ensured through the use of hashing and encryption technology. Tamper proof seals are placed on the document using SHA-1 and thorough audit trails. If a seal on the document is ever broken, all parties will be notified and the document will no longer be valid. All Signority APIs are protected by strong authentication and authorization. The Signority solution deploys the latest secure 256 bits TLS 1.2 encryption (where a user's web browser will allow - otherwise the solution will automatically default to a user's level of web browser encryption) to prevent communication link cyber attacks. All documents are stored within secure, trusted Canadian data centres Signority subjects its software code to periodic third-party security

7 How are changes to the document tracked through its lifecycle? Will there exist a single authoritative copy of the electronic document that is unique, identifiable and unalterable? Can this authoritative copy identify assigned parties as the owner or secured party with a security interest therein? How can the authoritative copy be distinguished from other copies? How does the authoritative copy mark changes as authorized or unauthorized? testing to ensure the highest level of coding integrity. Signority has strict internal security operational policies, standards and procedures. All of Signority s system admins undergo mandatory Canadian government security screening to minimally enhanced reliability status. Signority is ready for Canadian government PKI cross-certification should a customer require it. Signority offers a document certificate with full document history. All the changes are tracked and recorded through the document s life cycle. Yes. A single authoritative copy will exist which is identified by its own unique GUID (Globally Unique Identifier). Each document checksum and hash value to the document is unique and is unalterable without detection due to full traceability and document integrity protocols including the use of standards based, strong PKI based digital signatures. Yes. The document can have several parties assigned to the document, such as a sender, a group of viewers and a group of signers. The privileges of the members of the various parties are dependent on the attributes set by the document owner. The authoritative copy will have a tamper proof seal placed on it after each authorized change within the signing workflow. The authoritative copy is uniquely identified through its GUID. Any changes made to the document must be requested by the document sender. If the changes are approved, they will be marked as authorized. If any changes are made to the document after the owner has approved all of the changes with a digital signature, all further changes will be noted as unauthorized Who owns the final document? A digitally signed document can be distributed to any party as required. The document with a digital signature belonging to the original document owner will be the final document. The final document may

8 5. Contract Formation / Electronic Form 6. Timing and Receipt of Electronic Document Is it possible for the electronic vendor to sell, provide or otherwise use such electronic document without the owner s consent? 5.1 What opportunities will the contracting parties be given to review the contract before submitting? 5.2 If a mistake is found, how can it be fixed prior to submitting? 5.3 Does the solution have notification procedures that allow contracting parties to contact each other and/or your company so that an error can be fixed? 5.4 Does the solution allow the publisher to impose an expiration date on the document, after which it will no longer allow recipients to sign? 6.1 How does the any contracting party or assignee become aware when documents have been sent / viewed / signed / finalized? When it is not delivered? be shared with any party without risk of undetected alteration. No. Signority s Terms of Service does not allow sell, trade or rent your personal information to any third party. See detailed information: Before submitting, the contracting parties can retrieve the document, review it, and partially complete it. Prior to submitting, the contracting parties can fix the mistake and reenter the revised information. After submission, the input cannot be further modified. Yes. When the sender sends out the document for signature, signers and/or viewers will receive a notification , sent from Signority. The sender s name and address are included in the . The signers and/or viewers can contact the sender directly if an error is found. Yes. On the Document Design page, the sender can specify the expiration date of the document. This information is included in the notification received by the signers/viewers. Before the expiration date, the recipients will receive reminder s notifying them the expiration date is approaching. Signority has real-time status updates for each document. Whenever the document is sent, opened, viewed, signed, and finalized, the actions will be recorded with name, address, IP address, and time associated with each action. If any contracting party fails to receive notification s, the document is not delivered.

9 7. Electronic Signature 7.1 How will the digital signatures applied by parties to the contract meet the definition of an electronic signature? Within Canada, PIPEDA Part 2 describes the characteristics of secure electronic signatures : The electronic signature must be unique to the person using it; The person whose electronic signature is on the document must have control of the use of the technology to attach the signature; The technology must be used to identify the person using the electronic signature; and The electronic signature must be linked to an electronic document to determine if the document has been changed after the electronic signature was attached to it. The Signority solution has carefully implemented all four (4) components. Each Signority account is unique to the individual using it. Utilizing Entrust IdentityGuard together with one of Signority s PKI solutions, user identification, strong authentication and non-repudiation is ensured. Any user applying a digital signature will have an account, which is strongly linked to their identity through IdentityGuard How does your solution generate electronic signatures? (i.e., what standards are used as part of the process?) Electronic signatures in the physical form are stamped onto the physical copy of the PDF and are visible to any person that can access the document. Our system generates electronic signatures based on signers input. We convert the signers' action into an image which is merged into the PDF document. It is then made 'read-only'.

10 7.1.2 How is the electronic signature linked with the document? 7.2 Is your solution flexible with regards to technological advances and future legal requirements concerning electronic signatures as they arise? 7.3 How may a contracting party provide a signature (e.g., scribe, click, etc.) 7.4 Does your solution support multiple signatures within the same document from multiple parties? 8. Authentication 8.1 How can it be proven that the documents are contracts entered into by the contracting parties (e.g., , SMS, etc.)? Electronic signatures are merged into the final PDF document. Yes. From its inception, Signority has recognized the need to maintain a flexible, standards-based design - not only to provide a leading solution today, but also to adapt to the ever-changing needs of tomorrow. To this end, Signority purposefully architected its solution on a nimble, modular, highly scalable, and easy to adjust Java Sprint/Hibernate framework. This allows us to add future features to meet future evolving customer advanced requirements, and to evolve with changing legislation and regulations that control electronic signatures. Signority has two U.S. patents pending: real-time sign with audio and video serving as electronic evidence; and Signority SaaS PKI integration, a ground breaking approach to bring PKI to cloud signing services without the need for a customer to deploy traditional PKI technology. The real-time sign workflow meets e-evidence law requirements. The unique Signority SaaS PKI solution meets the most stringent global legal requirements. A contracting party has three methods available to provide a signature. 1. The signer can draw (hand-write) his/her signature using a mouse or a fingertip, 2. The signer can type in his/her name, 3. The signer can upload a signature image from his/her device. Optionally, a signer can provide his/her voice signature. Yes. Document owners can enter multiple parties in the recipient list and assign different tags to different parties. The signing/viewing sequence can also be designed based on specific requirements. It can be proven by password, mobile phone SMS password, IDs using the optional Entrust IdentityGuard solution, photo upload, IP address tracking, and digital signature certificate How and where is the proof Depending on the specific cloud solution customers selected, the proof

11 9. Electronic Evidence thereof stored? How can it be accessed and by whom (e.g., contracting parties, assignees, etc.)? 8.2 What safeguards are in place to verify the identity of the contracting parties? 8.3 Can recipients of an electronic document forward signature requests to others? How is authentication maintained? 8.4 What is the workflow for maintaining authentication when signing in person? 9.1 How will the integrity of your solution be provable? What mechanisms are in place to track system operations and downtime? can be stored within the Canadian date centre or within the Signority solution stored on the customer's on-premise server. Documents whose recipients are specified can be accessed by the secure link embedded in the notification sent to recipients and the required identity. Only the document sender and the contracting parties (signers and viewers) have access to the documents. Open links whose recipients are not specified can be accessed by anyone as long as this person has the open link. The link sender, the link signers, and the subsequent signers specified (if applicable) have the access to the documents. If the enterprise customer chooses to have the document encrypted, the contracting parties must be granted with the decryption key. Signority offers and or SMS passcode ID authentication, or ID authentication from the Entrust IdentityGuard solution. Yes. The recipient can select change signer option if he/she wishes to forward to an additional signer. To maintain the authentication, the owner of the document will be notified. The change signer action will also be logged within the Signority system. The signing host will use signing in person feature for the contracting parties with desired ID authentication methods. When the process starts, it will pop up a screen for one of contracting parties that has an approved ID who will then sign on the computer provided by the signing host. Signority offers several methods: document hash, encryption and PKI digital certificate to maintain document integrity. In addition to our own monitoring controls, and for additional assurance, we utilize a third-party monitoring service to carefully and independently keep track of our system operations. Our system administrators will receive immediate notifications via various duplicated methods, should the system ever go down, for whatever

12 reason What are the system maintenance practices? What information is backed up and what is the disaster recovery plan? What system security measures are in place? Our internal security procedures ensure that we keep track of operational anomalies and should any occur, invoke a standardized root cause analysis (RCA) process, as part of our continuous improvement approach and commitment. We follow our own documented operations process and procedures and keep track of any system changes. Routine maintenance is performed during off-hours or early Sunday mornings. Before any maintenance is undertaken, we ensure that fresh data backups are undertaken. All the documents, audit trail and other related data are backed up. We have high availability cluster solution across two data centres in Canada. Redundant server is a mirror of the master server. In case that master server fails, the IP will be switched to the redundant server to continue the service. We also have another backup server for daily data backup. See Section 3.8. All Signority staff are minimally cleared to Federal Government ERC. We have SSL/TLS in place to protect the communications between client and server, and between the main server and backups. We also encrypt all documents and other sensitive system information. We follow our own internal Security Operations policies, standards and practices, as we strive to meet eventual ISO 27001:2013 certification. Out security philosophy includes the drive to adopt the SANS Top 20 Critical Security Controls as well as the CSEC Top 35 Critical Security Controls, understanding that by adhering to these the Signority Service will provide a high standard of security.

13 9.1.5 Who will have control over the documents? Is there any reason to doubt the integrity of the system? 9.2 Will the electronic signatures of your solution meet the federal legislative requirements for a secure electronic signature? Will the prescribed process be followed? If not, detail any variations How will signature certificates be validated? How is it known if the certificate has expired or been revoked? Will signature certificates be supported by other signature certificates? Who is the certification authority? Have they passed the vetting process of the Treasury Board? How does an individual receive public and private keys? See Section Only end user clients can change/control the documents. No. The integrity of the system is paramount to our business model, and is always fully maintained. Yes. The PIPEDA requirements relative to secure electronic signature are supported by PKI based technology. Signority patent pending SaaS PKI meets all PKI standards. One of primary investors, Dr. Carlisle Adams, is a world-renowned PKI expert, co-developer of the CAST cryptographic algorithm, and is the author of PKI RFC standard. Yes. We follow US, Canadian and EU directives of electronic signature acts. Signature certificates will be validated using the RSA digital signature scheme. The certificate will be signed, and later validated using the public key of the signer. A certificate revocation list will be used. It can be used within a public key infrastructure to verify the validity of any public key certificates issued from Signority. Yes, our signature certificates can be supported by any other signature certificates, which are fully compliant with X.509 standards. When using the Signority certificate, CA is Signority. CSIO needs to request government of Canada to do a cross-certificate. In the event Signority partners with Entrust, the certification authority would be Entrust. There are two (2) authorized CAs listed under the Treasury Board: CRA and Public Works and Government Service of Canada. A user will never be sent his/her private key. It will only exist on his/her client during the instance of certification creation or signature requests.

14 9.2.7 What controls are there on receiving public and private keys? What controls are there on issuing public and private keys? Do you use a hash algorithm to create a message digest? If so, describe. 9.3 What support do you provide to clients in the event of a legal dispute? 10. Audit Trail 10.1 What is included in the audit trail? 10.2 Where is the audit trail for the document stored, and how may it be accessed by contracting parties? 10.3 Does your solution have the ability to reproduce the transaction from Private keys are never sent and/or received. Public keys are only sent wholly when they have been placed inside of a signed certificate. An RSA cryptographic public/private key pair is issued using an algorithm patented by Signority only to users within an enterprise account. Yes. RSA cryptography is used to sign a SHA-256 message digest which is created using the document data. We maintain full traceability of the document activity history and can provide this to clients as required. In the standard audit trail, the time stamp (based on trusted time sources), address, passcodes (either through or SMS), SMS phone numbers, and IP address are included. If third-party authentication methods are used, relevant and related data will be incorporated to the signature certificate and back end as well. For SaaS PKI when a document is digitally signed, any of its digital signatures will be stored and accessible to users that might wish to view the document signature s validity. The audit trail is accessible to users through a readily accessible document history. Each document will have a document history appended in its PDF form. The first way the audit trail, or document history can be accessed by contracting parties is simply by downloading the document and viewing it on the final page of the document PDF. The second way would be to visit the Signority website and request the document status via the web-based interface. The third way would be to simply request the document status from the Signority API, which will return a JSON object containing the audit trail information. Every transaction is unique. Therefore the transaction could not be reproduced from start to finish. However, every step on the transaction

15 start to finish? 10.4 How is electronic evidence provided to a third party (e.g., courts) in the event of a dispute? 10.5 Does your solution conform to legislated evidentiary requirements (e.g., Canadian General Standards Board s Electronic Records as Documentary Evidence CAN/CGSB )? 11. Privacy 11.1 How will the privacy of contractors and their personal information be assured? (e.g., PIPEDA compliance, etc.) What information is stored by the system? is reviewable from start to finish. We maintain full traceability of the document activity history, backup log file from SAE16 compliance data centre, digital signature certificate with asymmetric cryptography (RSA). We can provide this to clients as required. Yes. Signority customizes our solution to meet enterprise customers' legislated evidentiary requirements. We encrypt all the documents within our servers. Even if an unauthorized person gains the access to the server, they will not be able to access the information and personally identifiable information (PII). On the Signority side, only system administrators who have security clearances can access our servers, helping ensure that the privacy of customers and their personal information will not be compromised. All the contract documents, audit trail history, account information, keys, digital certificates and other sensitive information are stored within the system Where is it stored? All the documents are stored in our redundancy disk arrays. Therefore, no data will be lost in case of any disk failure Who has access to the Only Signority system administrators that hold Canadian Government information? security clearances can access our servers What security procedures exist? Our data centre is highly secure. No one is allowed to access the physical server without permission. We only allow one computer to access the server. System admin will be monitored when accessing this computer. See Section What is the information used The information can be accessed and used by the authorized users only. for and by whom is it used? How long is the information The information is permanently stored for subsequent reference, unless

16 stored? In what form is the information stored? the users delete it. Sensitive information is always encrypted. 2. End-User Functionality Questionnaire This section corresponds to the operational aspects of your esignature solution. # Functionality Items Questions 1. Field Overlay 1.1 Can a signature field be overlaid on top of a form? 1.2 Does your solution support multiple signatures within the same document from multiple parties? 1.3 Can additional fields be overlaid on top of a form? 2. Document 2.1 How are the documents organized Management from a broker's point of view? 2.2 Does your solution support multiple signed documents as a single transaction? Responses Yes. The signature field is overlaid on top of a form. Yes. Within a document, the document editors can insert multiple signatures and assign them to different parties. Only fields assigned to a particular party can be filled by this party. Yes. Apart from signature fields, Signority also supports text fields, checkboxes, radio buttons, dates, and initial fields. A broker can organize the documents into different folders based on clients, geographic locations, and the like. Yes. The document sender can upload multiple documents and merge them into a single one for design. 2.3 What is the size limit per document? Theoretically, there is no size limit per document. However, since Signority uses secure https link, if the size of the document is too big and it takes a longer-than-usual time to upload the document, the system may terminate the uploading process. 2.4 What document formats are supported? 2.5 Can customers attach supplemental documents with the document to be signed? Signority supports various document formats, including PDF, doc, docx, xls, jpeg, png, gif, and txt. This feature is in the development phase and will be available soon. 3. Broker 3.1 Are there APIs available to provide the Yes. The Signority platform has a powerful enterprise grade scalable

17 Management System (BMS) Integration ability for your solution to integrate with third-party applications such as Broker Management Systems (BMS)? 3.2 How are finalized documents transferred to a BMS (e.g., manual, FTP, etc.) 4. Compatibility 4.1 What web browsers does your solution support? 4.2 What operating systems does your solution support? 4.3 Will users have to install software to sign documents? 4.4 Is your solution compatible with the Citrix environment? 5. Mobile 5.1 Are customers able to sign using mobile devices (tablets / smartphones)? If so, what does it look like from an end-user perspective? 6. User-Friendly 6.1 Are contracting parties able to partially complete the signing process and finish at a later time? How is security/authentication maintained? API architecture that can be integrated with BMS, BPM (business process management), CRM, ERP, etc. Signority has already successfully integrated within and been deployed for an Ontario grant organization through APIs. Finalized documents, histories, and the like will be posted back to BMS through an API post-back link or we can customize to upload through ftp. Signority supports various mainstream browsers, including Internet Explorer 8+, Chrome, FireFox, Safari, and more. Since Signority is a web-based cloud application, there are no restrictions on the type of operating systems. No. There is no download required by Signority electronic signature workflow and the patent pending SaaS PKI. Signority SaaS PKI eliminates traditional installation required by PKI. It meets the stringent global legal requirements and also has ease of use as esignature workflow. This is a breakthrough technology. Yes. Signority was developed using Java technology and can be deployed on various operating systems on physical, virtual, and cloud environments, including Citrix. Yes. Signority workflow is a web browser based solution. It also works on mobile devices as long as they support browsers and have access to the Internet. Tablets are ideal for document signing, as the display size is 7 and above. With smartphones, the display area is very limited which may cause some usability issues for complex and high-density text fields fills. Yes. Contracting parties can save the partially finished document whenever they want and retrieve the saved document later via the link embedded in the notification sent by Signority. Since the link and credential associated with the document are unique, only the parties that are authorized have the access to the partially finished document.

18 7. Admin Account 7.1 Is there an admin account that has the ability to monitor/control other user privileges? Yes. Signority has an administration account available for group users. The privileged account can add, modify, delete, and organize group members. 8. Reporting Tools 8.1 Are there any reporting features? Yes. The Signority Dashboard shows the usage, document status, numbers of draft documents, working in progress documents, and finalized documents, amongst other features. There are folders to monitor documents expiring soon, documents for review, and documents waiting for signer s signature. On the last page of the finalized document, as well as on the Status and History page of Signority website, there is a signature certificate reporting the detailed information of the creation, modification, and finalization of the document. 8.2 Are the reports out of the box? Can they be customized? 9. Branding 9.1 How can customers customize and brand the documents they wish to have signed? 9.2 Can users customize s sent by your solution? 10. Reliability 10.1 Has your solution been involved in any security or legal disputes within the past five years? If so, describe. Yes. The reports can also be customized to suit customers' requirements. Signority offers customized branding option for customers through our APIs. Yes. Prior to sending, senders can input the message they want to include in the notification s. No. We have customers from universities, provincial governments, law firms and online professionals. Our clients have signed millions of dollars worth of contracts and haven t yet had any disputes. 3. Services and Pricing Questionnaire This section corresponds to the customer support and pricing models of your solution. # Services and Pricing Items 1. Technical Support Questions 1.1 Is there a help line for customer issues/questions with Responses Yes. Signority has online support, phone support and dedicated support for enterprise customers who purchase the professional service package.

19 2. Versions / Pricing Model the solution? 2.1 What different versions does the software include? 2.2 What deployment options (i.e., cloud, behind firewall, etc.) are available? Signority offers different plans: Free, Starter, Plus, Unlimited, Group of 5, 10, 15 and 20 and Enterprise. Advanced features and customization options are included in paid plans. Details see Signority offers its standard pubic cloud solution for online users. For enterprise customers, Signority offers optional private cloud solutions including on-premise. 2.3 What is the pricing model? Signority charges monthly or annual subscription fees. There are two (2) pricing models: per user based and per API request based: Per user based: based on the numbers of senders, Number of API request: based on number of API requests. One documentsigning request counts as one API request. Signority charges enterprise customers NRE (non-recurring engineering) fee for customization work, professional services, and enhanced, dedicated support.