Vendor Questions. esignatures Request for information AssureSign

Transcription

1 AssureSign Vendor Questions 1. Legal Compliance Questionnaire This section corresponds to legal requirements as outlined in the CSIO esignatures Advisory Report prepared by Fasken Martineau LLP. 1. Signing Ceremony 1.1 Describe your solution s signing ceremony (how does the signing process work, including authentication, signing the document, and delivery of the document). 2. Consent 2.1 How does the solution prove that consent to use electronic means for both signatures and ongoing delivery of information was provided by the user? 2.2 How does the user indicate acceptance (i.e., click a button, provide a signature, etc.) 3. In Writing 3.1 How does your solution provide access to documents? AssureSign has a 100% web browser-based signing interface that complies with esign Laws in over 150 countries (US and Canada included). Signers authenticate in a variety methods imposed by the sender, based on their level of requirements. Signers can type their signature or use a mouse, finger or stylus. Signers must agree to esign terms (presented uniquely based on the document and jurisdiction. Documents are delivered via or API to the sender s data store. AssureSign consent is enforced at the initiation of the signing process and can be unique for each document, if required. This information is stored in perpetuity by AssureSign in association with the document. Signers click-through consent at t basic level, however, consent can also enforce a signature or initials. Documents are accessed by the signers via a web link the document and stored documents are accessed by the senders either by link or API. 3.2 How will documents be stored? Documents processed in the AssureSign SaaS environment are stored in the AssureSign data centers. On-premise deployments have documents stored on local hardware and software. 3.3 In what form will documents be stored? All completed documents are locked and hashed PDFs.

2 3.4 Are the servers located in Canada? Today, North American data centers are in the US (Windows Azure data centers), however, when Microsoft completes its Canadian data center, it is AssureSign s intent to run an instance there. In an onpremise deployment, servers are obviously at the customer location. 3.5 How is access to a document determined/permitted? 3.6 When will access be granted to each contracting party and for how long? 3.7 Access to the documents if user wants to change providers/no longer uses provider? Access is provided by the customers own configuration of AssureSign and documents can be password protected. All documents can be downloaded by the customer and stored in their data environment. AssureSigns stores documents, by default for 2 years (we always maintain document esign data and history), but can store documents longer with optional storage fees. Customers always have the ability to download and store their documents, but can only access them through AssureSign for 90 days after their contract cancellation. This, of course, does not apply to those customers who download their documents via API or have an on-premise deployment. 3.8 Backup/disaster recovery plans? Absolutely! Backup and Disaster Recovery plans can be shared upon request. 4. Original Copy 4.1 Will each contracting party (including any assignee) be able to access, retain, use, print and store a copy of the documents? Absolutely! All documents are accessing to the customer via web interfaces and API integration at any time. 4.2 How is document integrity assured? All signed documents are locked and hashed PDFs and AssureSign tracks the hash for authentication of an original document How does your solution prevent changes to the document content that may occur on communication, storage and display? AssureSign can identify a document that has been tampered with as the hash will be broken. AssureSign has a validation tool to identify a legitimate AssureSign document.

3 4.2.2 Can the document (look/file type/content) be altered during its lifecycle? Who will have the ability to do so? What security measures prevent unauthorized modification? How are changes to the document tracked through its lifecycle? Will there exist a single authoritative copy of the electronic document that is unique, identifiable and unalterable? Can this authoritative copy identify assigned parties as the owner or secured party with a security interest therein? How can the authoritative copy be distinguished from other copies? No, the document cannot be modified (other than signature or data collected point) during its lifecycle. No one will be able to tamper with the document outside of the signing process. As mentioned, documents are locked and hashed for tamper identification. All signing elements and data collected points are tracked through our signing process with signer, date, time, IP address and geolocation identification. It is possible to work with AssureSign partners to create an authoritative version of the document, however, this is a costly endeavor and not generally used in the insurance space. AssureSign essentially keeps the authoritative version. AssureSign would work with a third party for this type of requirement. AssureSign would work with a third party for this type of requirement How does the authoritative copy mark changes as authorized or unauthorized? AssureSign would work with a third party for this type of requirement Who owns the final document? He customer always owns the final documents and has the right to store it in their data store or in AssureSign.

4 5. Contract Formation / Electronic Form 6. Timing and Receipt of Electronic Document 7. Electronic Signature Is it possible for the electronic vendor to sell, provide or otherwise use such electronic document without the owner s consent? 5.1 What opportunities will the contracting parties be given to review the contract before submitting? 5.2 If a mistake is found, how can it be fixed prior to submitting? 5.3 Does the solution have notification procedures that allow contracting parties to contact each other and/or your company so that an error can be fixed? 5.4 Does the solution allow the publisher to impose an expiration date on the document, after which it will no longer allow recipients to sign? 6.1 How does the any contracting party or assignee become aware when documents have been sent / viewed / signed / finalized? When it is not delivered? 7.1 How will the digital signatures applied by parties to the contract meet the definition of an electronic signature? How does your solution generate electronic signatures? (i.e., what standards are used as part of the Absolutely not! AssureSign document originators can allow a signer to modify limited content in any document. A signer can only modify data that has been pre-configured to allow such modification. Documents cannot be edited or modified once they are sent for signature unless that data has been flagged as part of the signing process. Yes, signers have the ability to provide feedback to the document originator to clarify items in the document or signing process. Yes, AssureSign allows for document lifecycle and expiration. It is possible to send reminders throughout the process with unique notifications based on urgency, etc. Yes, AssureSign provides the signer as well as sender the progress of the document(s). This is accomplished in the AssureSign web portal and also via API integration. AssureSign meets all esign laws for an Advanced Electronic Signature as defined in UNCITRAL for international electronic signatures. As stated above, AssureSign provides an Advanced Electronic Signature which adheres to the UNCITRAL standard. This is the standard by which 150 countries unique laws are established,

5 process?) How is the electronic signature linked with the document? 7.2 Is your solution flexible with regards to technological advances and future legal requirements concerning electronic signatures as they arise? 7.3 How may a contracting party provide a signature (e.g., scribe, click, etc.) 7.4 Does your solution support multiple signatures within the same document from multiple parties? 8. Authentication 8.1 How can it be proven that the documents are contracts entered into by the contracting parties (e.g., , SMS, etc.)? How and where is the proof thereof stored? specifically for this requirement US and Canadial esign laws. These standards are essentially a process, not necessarily the signature itself. AssureSign authenticates, gains consent, captures date, time, IP address and geolocation and then places either a type-written or mouse/finger/stylus hand written signature in the document. It is more the process than the signature that is important. The process is associated with the document and the image of the signature is placed in the final locked and hashed PDF. Absolutely, while AssureSign has always led the market (first to offer mouse/finger/stylus-based signing) and now responsive design. AssureSign will continue to lead the market. As stated above, signers can sign by typing their name/initials or by using their mouse/finger/stylus depending upon the device. Yes, AssureSign offers the ability to collect multiple signatures and data from a virtually unlimited number of signers either in series or parallel. AssureSign provides the ability for a variety of authentication options that are used based on customer requirements. Types of authentication can include any combination of: , password, multi-factor password ( , SMS text or phone), presence of x.509 digital certificate or Knowledge-based Authentication (KBA). AssureSign captures and stores authentication, regardless of the level, in the evidentiary data associated with each document. AssureSign also produces a Document Completion Report containing all this data.

6 9. Electronic Evidence How can it be accessed and by whom (e.g., contracting parties, assignees, etc.)? 8.2 What safeguards are in place to verify the identity of the contracting parties? 8.3 Can recipients of an electronic document forward signature requests to others? How is authentication maintained? 8.4 What is the workflow for maintaining authentication when signing in person? 9.1 How will the integrity of your solution be provable? What mechanisms are in place to track system operations and downtime? What are the system maintenance practices? This data is accessible only by authorized users of the document originator AssureSign account or system. These safeguards would be established by the AssureSign customer using standard AssureSign security controls. Yes, AssureSign documents can be forwarded. All authentication methods can be transferred to signers assignees. The same authentication methods (2-factor or KBA) can exist in an inperson signing process. It is also possible to request an attachment to the document as proof (i.e. photo of the signer from the local device or driver s license, etc. AssureSign is a highly scalable and reliable solution in both SaaS and on-premise. AssureSign security procedures and certifications such as SSAE-16 and PCI force our systems integrity to be maintained at the highest levels. In an on-premise deployment, integrity is established by the customer. AssureSign has a 12 year history of running at uptime in SaaS and the same can be configured with on-premise. AssureSign customers, at any time, can view the status of AssureSign systems via our dashboard seen here: AssureSign runs in the Microsoft Windows Azure data centers which allows for highly reliable, scalable and stable environments. There are no maintenance windows or downtime. AssureSign runs on an Agile development methodology and releases are pushed, with no downtime every two- to three-weeks.

7 9.1.3 What information is backed up and what is the disaster recovery plan? What system security measures are in place? Who will have control over the documents? Is there any reason to doubt the integrity of the system? 9.2 Will the electronic signatures of your solution meet the federal legislative requirements for a secure electronic signature? Will the prescribed process be followed? If not, detail any variations How will signature certificates be validated? How is it known if the certificate has expired or been revoked? Will signature certificates be supported by other signature certificates? AssureSign s Windows Azure environment backs up all data instantaneously in blob storage. There are multiple data and disaster recovery programs in place. A detailed Disaster Recovery plan can be provided upon NDA. AssureSign s Microsoft Azure data centers utilize the utmost in security and are highly certified in security and data storage. The customer has ultimate control over all their documents in an Azure or on-premise deployment. There is no reason to doubt the integrity of the AssureSign systems as they have been providing SaaS services for over 12 years with zero document or data loss. AssureSign has processed over 300 million transactions. Yes, AssureSign meets all UNCITRAL (United Nations International Standards) for esign law. Yes all prescribed processes are followed and AssureSign has an independent audit explain such. There are no variations. AssureSign can point to any certificate authority for authentication. Certificate validation is done at the certificate holder level and AssureSign only validates against the prescribed certificate authority. It is possible, but there would need to be collaboration on this item.

8 9.2.5 Who is the certification authority? Have they passed the vetting process of the Treasury Board? How does an individual receive public and private keys? What controls are there on receiving public and private keys? What controls are there on issuing public and private keys? Do you use a hash algorithm to create a message digest? If so, describe. 9.3 What support do you provide to clients in the event of a legal dispute? AssureSign can point to any certificate authority as we do not act as such, therefore it is up to the customer to identify the certificate authority and establish their vetting. This is up to the certificate authority. This is up to the certificate authority. This is up to the customer and certificate authority. AssureSign documents are hashed, however, to provide details requires a special NDA. Yes, AssureSign would provide legal support if document or process was challenged in court. 10. Audit Trail 10.1 What is included in the audit trail? AssureSign captures date, time, IP address, geolocation and then authenticates based on customer requirements. Each signing location can have its own instructions. All this data for each signing location, along with consent, is capture in the evidentiary trail and the document completion report that is attached to this response Where is the audit trail for the document stored, and how may it be accessed by contracting parties? 10.3 Does your solution have the ability to reproduce the transaction from start to finish? The audit trail is accessible by the document originator (customer) but can be shared with the signer if allowed. Yes, the AssureSign solution tracks the entire signing process.

9 10.4 How is electronic evidence provided to a third party (e.g., courts) in the event of a dispute? 10.5 Does your solution conform to legislated evidentiary requirements (e.g., Canadian General Standards Board s Electronic Records as Documentary Evidence CAN/CGSB )? 11. Privacy 11.1 How will the privacy of contractors and their personal information be assured? (e.g., PIPEDA compliance, etc.) What information is stored by the system? The Document Completion report is the detailed evidentiary data required for dispute resolution. Yes, absolutely! AssureSign adheres to the most stringent security and privacy standards. All documents and data are encrypted at rest and in motion. The keys are controlled by AssureSign in SaaS and by customer when on-premise. Documents and associated signer information is stored in the AssureSign system. Sensitive data can be masked for presentation on the physical PDF Where is it stored? All related data is stored in AssureSign data centers (North America and Western Europe) Who has access to the information? What security procedures exist? What is the information used for and by whom is it used? Only the customer has access to their data in both SaaS and onpremise deployments. There are a variety of AssureSign and Microsoft security practices in place that can be shared after mutual NDA. No data is ever used by AssureSign or anyone else for any purpose other than getting a document signed.

10 How long is the information stored? In what form is the information stored? Only signer and signing data is stored as it relates to the signed document for whatever the contract term might be. All data in AssureSign is encrypted in motion and at rest. 2. End-User Functionality Questionnaire This section corresponds to the operational aspects of your esignature solution. # Functionality Items Questions Responses 1. Field Overlay 1.1 Can a signature field be overlaid on top of a form? 1.2 Does your solution support multiple signatures within the same document from multiple parties? Yes, this is typical practice. Yes, AssureSign provides for unlimited signing/data collection locations and unlimited signers, either in series or parallel.

11 # Functionality Items Questions Responses 2. Document Management 3. Broker Management System (BMS) Integration 4. Compatibility 1.3 Can additional fields be overlaid on top of a form? 2.1 How are the documents organized from a broker's point of view? 2.2 Does your solution support multiple signed documents as a single transaction? 2.3 What is the size limit per document? 2.4 What document formats are supported? 2.5 Can customers attach supplemental documents with the document to be signed? 3.1 Are there APIs available to provide the ability for your solution to integrate with third-party applications such as Broker Management Systems (BMS)? 3.2 How are finalized documents transferred to a BMS (e.g., manual, FTP, etc.) 4.1 What web browsers does your solution support? Yes, a variety of data collection locations can be provisioned such as freeform data collection, drop-down menus, radio buttons and multiple choice options. Documents can be managed in an Agency System, Policy System or in the AssureSign application. AssureSign provides a variety of tools and integration methods to handle single or multiple documents. Yes, AssureSign has two options for multiple documents by either envelopes (one signing process with multiple documents) or via our desktop application that can concatenate multiple documents. No, there is no size limit to a document. AssureSign supports standards like Word, PDF, TIFF, etc., but with desktop print driver tools can support ANY document. Yes, AssureSign allows for the sender to include attachments as well as the signer to attach documents/images during the signing process. Absolutely! AssureSign as the strongest set of APIs in the industry and has integrated with more Insurance applications than another other solution with over 20 standard integrations to Agency and Policy systems and document data storage and ECM applications. AssureSign APIs can transmit documents in an automated way via FTP or by creating web services. AssureSign supports all browsers and is 100% responsive designed for use on ANY desktop or mobile device.

12 # Functionality Items Questions Responses 4.2 What operating systems does your solution support? 4.3 Will users have to install software to sign documents? 4.4 Is your solution compatible with the Citrix environment? From a signer s perspective any operating system is supported. If onpremise deployment, AssureSign sits on the Microsoft stack. No, signers never have to install anything to sign a document. User s/senders do not have to install anything unless they want to use the AssureSign SendToAssureSign application that is print-driver centric and is a Windows desktop application. Yes, AssureSign has many customers working through a Citrix environment. 5. Mobile 5.1 Are customers able to sign using mobile devices (tablets / smartphones)? If so, what does it look like from an enduser perspective? 6. User-Friendly 6.1 Are contracting parties able to partially complete the signing process and finish at a later time? How is security/authentication maintained? 7. Admin Account 7.1 Is there an admin account that has the ability to monitor/control other user privileges? Yes, AssureSign is the most mobile friendly solution with a responsive design, we provide the same signing interface regardless of the device. Yes, AssureSign allows signers to pause/leave the signing process and return. Signers do need to re-authenticate with they return to the document. All the entries and signing attempts are capture in the document evidentiary trail. Yes, AssureSign has many layers of users and roles to allow and disallow feature access for users. Additionally, all AssureSign accounts can create hierarchy of user accounts to support segregation of user communities for security purposes. 8. Reporting Tools 8.1 Are there any reporting features? Yes, please see the reporting collateral attached. 8.2 Are the reports out of the box? Can they be customized? Yes, reports are out of the box and can be configured and stored for future use as needed.

13 # Functionality Items Questions Responses 9. Branding 9.1 How can customers customize and brand the documents they wish to have signed? 9.2 Can users customize s sent by your solution? 10. Reliability 10.1 Has your solution been involved in any security or legal disputes within the past five years? If so, describe. Yes, AssureSign provides the most sophisticated branding available to extend a customer s brand. All s and signing interface pages are completely customizable for verbiage, colors and logos. Yes, s can contain 100% customized content, signature lines and include graphics such as logos, etc. No, AssureSign document have never been challenged in court in the 12 years of providing signature solutions. 3. Services and Pricing Questionnaire This section corresponds to the customer support and pricing models of your solution. # Services and Pricing Items Questions Responses 1. Technical Support 1.1 Is there a help line for customer issues/questions with the solution? Yes, AssureSign has an extensive Knowledgebase for customer support questions, etc. Our Support Line is manned from 7:00 AM EST to 9:00 PM PST time 24/7.

14 # Services and Pricing Items Questions Responses 2. Versions / Pricing Model 2.1 What different versions does the software include? AssureSign only provides one all-inclusive level of services licensing. There are no options and no surprises. 2.2 What deployment options (i.e., cloud, behind firewall, etc.) are available? AssureSign can be deployed in one of three ways. 1) Public SaaS cloud via Microsoft Windows Azure, 2) Private Cloud by installing AssureSign in a private Windows Azure environment, or 3) On-premise installed on the Microsoft Stack (Windows and Sequel) 2.2 What is the pricing model? AssureSign prices, in SaaS either based on a monthly user subscription fee (pay by user). Alternatively, SaaS can have unlimited users and pay per transaction (document or envelope). These models provide the most flexibility for our customers and offers the most cost-effective options in the market. If course, on-premise is licensed with a onetime software fee, installation and support. Years 2 and beyond would only require the annual maintenance.