What are digital signatures?
Digital signatures are the most advanced and secure type of electronic signature. You can use them to comply with the most demanding legal and regulatory requirements because they provide the highest levels of assurance about each signer's identity and the authenticity of the documents they sign.
Digital signatures use a certificate-based digital ID issued by an accredited Certificate Authority (CA) or Trust Service Provider (TSP) so when you digitally sign a document, your identity is uniquely linked to you, the signature is bound to the document with encryption, and everything can be verified using underlying technology known as Public Key Infrastructure (PKI).
What makes your digital signature so secure?
A digital signature is built to prevent tampering. It’s created, protected, and surrounded by the highest levels of security — from the time your digital certificate is issued to the time your signed documents are archived and beyond. Here are the main reasons your digital signature is so secure.
Your digital ID is trusted.
Compliant, certificate-based digital IDs come from accredited providers. You need to prove your identity before you can get one.
It all gets encrypted.
Your digital signature and the document you sign are encrypted together and bound with a tamper-evident seal.
It’s unique to you.
Every time you sign a document, you use your own unique digital certificate and PIN to validate your credentials and prove you’re who you say you are.
It’s easy to validate.
Both the signed document and your digital signature can be re-validated by a CA or TSP for up to 10 years after the signing event.
We invented the first digital signatures in PDF.
In 1999, we introduced the first digital signatures in Adobe Acrobat and Adobe Acrobat Reader. Then, we worked with experts and certificate providers across the industry to turn it into an open standard. Adopted by ETSI, the international standard known as PAdES (PDF Advanced Electronic Signatures) is now the basis for billions of signature transactions every year.
Today, Adobe is leading the way as the first global vendor to deliver open, standards-based digital signatures for web and mobile. Together with industry experts in the Cloud Signature Consortium, Adobe is setting new global standards — and delivering real-world solutions — so you can work with high-assurance digital IDs that are easy to use, easy to deploy, and internationally compliant.
Understanding Trust Service Providers
TSPs and CAs issue certificate-based digital IDs and timestamps that assure maximum integrity and compliance. Since regulations vary from region to region and industry to industry, trust lists, such as the Adobe Approved Trust List (AATL) and the European Union Trusted Lists (EUTL), are published listing the authorities that meet defined requirements. Currently, there are over 200 providers on these lists. We’re the only e-signature solution that works with all of them. We also offer an Adobe timestamp solution that meets EU eIDAS Qualified requirements and supports long-term document retention for up to 10 years.
How do digital signatures help with compliance?
Signer authentication is a compliance essential. But different countries and regions hold signatures to different standards. Adobe Sign digital signatures meet the highest level U.S. FDA CFR 21 Part 11 requirements. As the first global vendor to support European Union (EU) Trusted Lists, we’ve made it possible for organizations everywhere to comply with the EU's eIDAS electronic signature regulation. That’s what makes us the global digital signature leader.
Adobe Sign — Digital Signature FAQ
Is Adobe Sign secure?
Yes. Adobe takes the security of your digital experiences very seriously. In addition to the high assurance methods described above, Adobe Sign is certified compliant with the world’s most rigorous security standards, ISO 27001, SOC 2 Type 2, and PCI DSS used in the Payment Card Industry. It complies with a wide range of privacy regulations, including HIPAA, GLBA, and FERPA in the U.S.
Adobe Sign also employs Adobe Secure Product Lifecycle (SPLC) practices, a demanding set of over 1,000 specific security activities spanning software development practices, processes and tools, integrated into multiple stages of the product lifecycle. Whether related to identity management, data confidentiality, or document integrity, Adobe Sign protects your documents, data, and personal information. To learn more, please visit the Adobe Trust Center.
What problems do cloud signatures solve?
With over 7B mobile devices on the planet, cloud applications gaining broad adoption, and cyber-threats at an all-time high, there is increasing market demand for secure digital solutions that also provide great user experiences. New electronic signature regulations — like the European Union's Regulation on Identification and Trust Services (eIDAS) — are putting a spotlight on the need for high assurance methods of authenticating the identity of people signing documents. The highest levels of compliance require certificate-based IDs stored on USB tokens or smart cards, but they're complicated to enable and install, work with desktop computers only, and don't support today's modern web applications or mobile devices.
To solve this problem, Adobe and other industry-leading organizations formed the Cloud Signature Consortium (CSC). Now, thanks to Adobe Document Cloud and the newly released open standard API specification developed by CSC, organizations can deliver the highest level of compliance and great customer experiences on any device. If you’re a member of the Adobe Approved Trust List (AATL), or your certificates are qualified on the European Union Trusted Lists (EUTL), you can apply to become a cloud signature partner.
Why are cloud signatures significant?
Standards-based digital signatures in the cloud remove the barriers that have hampered adoption of electronic signatures in Europe and around the world. They accomplish the following:
- Bring the highest levels of compliance to web apps and mobile devices.
- Meet market demand for simple-to-use, simple-to-deploy solutions.
- Enable compliance with the most rigorous legal and regulatory requirements (e.g., Advanced Electronic Signatures (AES), and Qualified Electronic Signatures (QES) in the EU eIDAS regulation).
- Eliminate the hassle of installing desktop software, downloading documents, and plugging in USB tokens or smart cards.
- Provide a consistent, interoperable framework for working with digital IDs and signing solutions, so companies can invest in technology confidently, knowing they won't be limited to working with just a few proprietary applications.
What are Trust Service Providers (TSPs)?
Trust Service Providers are companies that offer a wide range of secure identity and transaction services, including certificate authority services. For example, the EU eIDAS regulation defines a class of TSPs that are accredited to issue digital IDs in each of the EU member states. Documents signed with these IDs meet the highest-level standard, called “Qualified Electronic Signature,” which has the same legal value as a handwritten signature and is assured mutual recognition across all member states. Adobe Sign lets you work with your choice of TSPs to sign and timestamp documents, so you can comply with laws or regulations governing your specific country or industry. During the validation process, Adobe also confirms that the authorities being used in the document are trusted providers, approved through global, regional, or industry-specific accreditation. Trust lists, such as the Adobe Approved Trust List (AATL) and the European Union Trusted List (EUTL), are fully supported in Adobe solutions.
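The two checks a validator performs, shown as an added example that is not Adobe's code: the signer's certificate must chain to a CA on a trust list, and the signature must match the document bytes. All names and the sample document are constructed, a local certificate pool stands in for a trust list such as AATL or EUTL, and Ed25519 is an assumption made to keep the example short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// issue builds a constructed demo certificate; ca == nil yields a self-signed CA.
func issue(cn string, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // error ignored in this demo
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if ca == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		ca, caKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, ca, pub, caKey))
	return must(x509.ParseCertificate(der)), key
}

// validate checks the signer's chain against the trust list, then the signature.
func validate(doc, sig []byte, signer *x509.Certificate, trustList *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: trustList, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("signer not trusted: %w", err)
	}
	if !ed25519.Verify(signer.PublicKey.(ed25519.PublicKey), doc, sig) {
		return fmt.Errorf("document does not match signature")
	}
	return nil
}

// demo validates an intact document, an altered copy, and a self-signed signer.
func demo() (intact, altered, unlisted error) {
	listedCA, listedKey := issue("Listed Example CA", nil, nil)
	alice, aliceKey := issue("Alice", listedCA, listedKey)
	selfSigned, selfKey := issue("Self-signed signer", nil, nil)
	trustList := x509.NewCertPool()
	trustList.AddCert(listedCA)
	doc := []byte("Approved: loan of 10,000 EUR") // constructed sample document
	return validate(doc, ed25519.Sign(aliceKey, doc), alice, trustList),
		validate([]byte("Approved: loan of 90,000 EUR"), ed25519.Sign(aliceKey, doc), alice, trustList),
		validate(doc, ed25519.Sign(selfKey, doc), selfSigned, trustList)
}
func main() { fmt.Println(demo()) }
```

The third case carries a mathematically valid signature and is still rejected, because the signer's certificate does not chain to a listed authority.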
What is EUTL?
European Union Trusted Lists (EUTL) is a public list of over 170 active (and 40 legacy) Trust Service Providers (TSPs), including Adobe, that are specifically accredited to provide the highest level of compliance with the EU eIDAS regulation. These providers offer certificate-based digital IDs for individuals, digital seals for businesses, and timestamping services that can be used to create Qualified Electronic Signatures (QES). In eIDAS, only qualified signatures are legally and automatically equivalent to handwritten signatures, and they are the only type of signature automatically recognized in cross-border transactions among EU member states. Of note: Each EU member state supervises providers in its own country, but once a TSP has been approved in one country, its services can be sold in other countries with the same level of compliance.
What are timestamps?
Timestamps accurately record the time of a signing event. When used in combination with digital signature technology and in compliance with strict legal and regulatory guidelines, they provide strong legal evidence that a transaction took place at a specific point in time. They can also be configured to enable long-term validation (LTV) for up to 10 years to meet extended document retention requirements. Adobe Sign gives you an option to configure your signature solution with a built-in, Adobe timestamp service with LTV that complies with rigorous regulations such as the EU eIDAS Qualified requirements. Your solution can also be configured to work with other third-party timestamp services by request. Learn more about Adobe Trust Services.
What is the difference between digital signatures and electronic signatures?
Electronic signatures, or e-signatures, refer broadly to any electronic process that indicates acceptance of an agreement or a record. The term digital signature is frequently used to refer to one specific type of electronic signature.
- Typical e-signature solutions use common electronic authentication methods to verify signer identity, such as email, corporate IDs, or a phone PIN. Multifactor authentication is used when increased security is needed. The best e-signature solutions demonstrate proof of signing using a secure process that includes an audit trail along with the final document.
- Digital signatures are a specific type of electronic signature. They use a certificate-based digital ID to authenticate signer identity and demonstrate proof of signing by binding each signature to the document with encryption. Validation is done through trusted Certificate Authorities (CAs) or Trust Service Providers (TSPs).
Signature types are linked with signature laws and regulatory requirements. Learn how they're used to help create legally-binding electronic signature processes.
Can you provide specific use case examples where digital signatures are used today?
Digital signatures are most commonly associated with higher value, higher risk, or regulated business processes. Use cases include the following:
- A mortgage specialist at a bank who approves large value loans.
- A bank, which issues digital IDs to all of their customers to enable easy digital signing for all-important transactions that require signatures.
- An HR manager in a highly regulated country or industry, responsible for onboarding and off-boarding employees.
- A doctor signing a document that contains medical information or prescriptions for a patient under his or her care.
- A government employee approving a citizen's application for benefits.
- A vendor responding to a bid with assertions of quality and safety of products bid.
Why is an open standard required for cloud-based digital signatures?
Digital signatures use Public Key cryptography, which relies on three types of providers to deliver the required technologies and services: solution, technology, and service providers. Solution providers deliver signature platforms and document solutions. Technology providers deliver essential components like authentication technologies, mobile apps, and hardware security modules (HSMs). Service providers act as certificate, registration, or timestamp authorities and assist with compliance validation. Without a standard, providers are required to build their own proprietary interfaces and protocols. Doing so creates a dizzying array of compatibility questions and deployment limitations. A cloud-based digital signature standard ensures that providers across the industry can create consistent, interoperable experiences across the full range of user applications and devices.
What is a Certificate Authority (CA)?
Certificate Authorities issue and maintain digital identities. CAs confirm a signer’s identity in advance, and then issue the certificate-based digital ID, private PIN, and/or hardware security device (such as a USB token or smart card) used to create digital signatures. The CA assures that the person with the digital ID is who they claim to be. A CA is sometimes a part of a portfolio of trust services offered by a commercial vendor. At other times, a CA is built and maintained internally by IT-provided services in a company or government organization.
What is AATL?
The Adobe Approved Trust List (AATL) is an Adobe-sponsored program that enables millions of people around the world to digitally sign documents in Adobe Document Cloud solutions — including Adobe Acrobat Reader, Adobe Acrobat, and Adobe Sign — using the world's most trusted digital IDs and timestamping services. Members of AATL are Trust Service Providers (TSPs) and Certificate Authorities (CAs) that provide certificate-based IDs and timestamping services to consumers and/or enterprises. In turn, those customers are enabled to sign, certify, timestamp, and validate documents using Adobe Document Cloud software solutions. Each of these providers has met strict criteria before being accepted into the program.