In an age of global connectivity and sheer endless computing power, privacy becomes increasingly important. Encryption is a significant step to improve privacy of any data transmitted – but not all encryption is created equal. And if (or when) that dreaded data breach occurs, you need to make sure you’re on the safe side no matter what.
Without full end-to-end encryption, your documents are at risk, no matter the provider. Unencrypted documents are easy targets, but partially encrypted data and even encrypted data with shared keys are an open book for anyone with malicious intent and/or the means to crack basic protection.
Sometimes, opting for a provider that offers proper encryption seems like a lot of effort. Oftentimes, just going with a simple password seems enough. But with ever-increasing computing power, cracking anything but full end-to-end encryption has become too easy a task to ignore.
Why the Level of Your Encryption Matters
Maybe you haven’t considered the level of encryption as an important factor for your electronically signed documents (sensitive or not) yet. And maybe the level of encryption and therefore security has only played a minimal role in the choice of your eSignature provider. But that decision might just make the difference between complete privacy and a total data breach.
Let’s look at the typical levels of encryption of eSignature providers, and how they each affect the privacy of your documents in case your provider gets hacked.
| Levels of encryption | What happens to your contracts |
| --- | --- |
| No encryption | Your contracts are a free-for-all, no skills or tools required. |
| Partial encryption | You feel safe – but it’s a deception: Your privacy is still severely limited. |
| End-to-end encryption, but with shared keys | Your data is not publicly exposed, but still at risk of breach. |
| Proper end-to-end encryption | Your privacy is 100% guaranteed, no matter what. |
Four choices – but three of them can have fatal consequences for your privacy. Let’s dive into what they mean in detail.
The Four Levels of Encryption
Going from worst to best (and, frankly, the only option you should consider), these are the four levels of encryption of most eSignature providers.
Worst: No encryption
Not technically part of any encryption level, this option still deserves a spot on the list because it’s still the default for some providers.
Not using any encryption at all means simply storing all documents in their plain format, without any measures implemented to prevent access by anyone. This is the digital equivalent of leaving your personal diary on the table when you leave the coffee shop – opened up to the most intimate entry.
Just because files are unencrypted does not mean they’ll be accessed. But when that hack occurs, unencrypted data is exactly the kind of thing the intruding party is after. Depending on the type of eSignature document you store, having that data fall into the wrong hands unencrypted could have devastating consequences for your business.
Easily compromised: Partial encryption
A (small) step up from no encryption at all, this is a popular option for deceptive marketing. “Your data is encrypted” is a typically vague way this type of encryption is advertised.
Encrypted data sounds good – but it’s where the encryption occurs that makes all the difference. If you upload your documents in plain format and then wait for your eSignature provider to encrypt them once they’re fully transferred to their infrastructure, you’re exposed until that step actually takes place.
If your documents travel anywhere unencrypted, they can be intercepted and read in plain format. If you write a contract on your local computer and then upload it to your eSignature provider waiting for them to encrypt, not only does your document travel across your internet provider (with countless possible stations in between) unencrypted, it’s also fair game for any hacking attack between the time of upload and when the actual encryption happens.
Possibly compromised: End-to-end encryption with a shared key
Also known as symmetric encryption, this method provides good basic protection – but still falls short when it comes to fully ensuring the privacy of your documents.
Symmetric encryption does encrypt any data right at the start of the journey, but it uses one single shared key to encrypt and decrypt. To make matters worse, that key is sometimes sent along with the documents themselves, essentially rendering the encryption useless.
While this encryption method may fence off the innocent bystander, it’s unlikely to resist any coordinated, advanced hack on your eSignature provider. You have to share your encryption key with the receiving party somehow – and how can you guarantee this process will not be intercepted? And worse, if you depend on your eSignature provider to pass the key along to the recipient, you’re literally sending the encrypted documents holding your personal information and the key to decrypt them in the same process, rendering the encryption pointless in the first place.
The holy grail: Full end-to-end encryption with public/private keys
This type of encryption is known as public key or asymmetric encryption, and it’s the only fool-proof way to protect your privacy in case of a data breach with your eSignature provider.
Proper end-to-end encryption is only possible with public and private keys, which prevent any interception of data along the way your documents travel. In this method, a public key is used to encrypt the message – this key can be shared, seen, or copied by anyone without consequence. It only serves to encrypt. Decryption, on the other hand, can only happen with the private key the recipient holds. This private key never leaves the recipient’s possession and therefore cannot be intercepted.
With asymmetric encryption, nobody along the journey can decipher your documents. If your ISP is listening – no problem. If your eSignature provider gets hacked and all data gets leaked – no problem. All the attackers would see are heavily encrypted documents, with no way to possibly decrypt their content and use it against you.
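The public/private key flow described above, as an added example that is not code from any eSignature provider. It assumes Node.js and its built-in `crypto` module, and it goes one step beyond the text by using the common hybrid form: the document is encrypted with a one-time AES-256-GCM key, and only that key is encrypted with the recipient's RSA public key. All function names and the sample contract are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Recipient: generate the pair locally. Only publicKey is ever handed out.
function newKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender: encrypt on the device, before anything is uploaded.
function sealDocument(publicKey, plaintext) {
  const dataKey = crypto.randomBytes(32);   // fresh AES-256 key per document
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey),
    iv, ciphertext, tag: cipher.getAuthTag(),
  };
}

// Holder of a private key: unwrap the data key, then decrypt and authenticate.
// Returns null if the key is the wrong one or the envelope was modified.
function openDocument(privateKey, envelope) {
  try {
    const dataKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, envelope.wrappedKey);
    const decipher = crypto.createDecipheriv('aes-256-gcm', dataKey, envelope.iv);
    decipher.setAuthTag(envelope.tag);
    return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
  } catch {
    return null;
  }
}

// Constructed sample data.
const recipient = newKeyPair();
const outsider = newKeyPair();   // anyone who lacks the recipient's private key
const contract = Buffer.from('Constructed sample: offer letter, salary 100000');
const stored = sealDocument(recipient.publicKey, contract);   // all a provider would hold

console.log('recipient reads:', openDocument(recipient.privateKey, stored).toString());
console.log('outsider reads: ', openDocument(outsider.privateKey, stored));
```

The `stored` envelope is everything that crosses the network or sits on a server in this model; the private key stays with the recipient.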
A Hacked eSignature Provider is Your Biggest Risk – But Not the Only One
Anyone storing a lot of data is a potential target for hackers. The more information is stored, the more interesting the target becomes and the more lucrative a successful hack turns out to be. And while popular eSignature providers also have the means and resources to secure their systems as much as possible, the sheer treasure trove of potentially confidential data such as contracts and legal agreements of any kind on such servers makes them highly sought-after targets of increasingly complex hacks. And no provider is safe – the news is full of even multi-billion dollar companies with entire security departments falling victim to hacks.
Your exposure goes beyond the infrastructure of the eSignature provider, though: If you sign a contract on your computer and then upload it to your provider, you pass across potentially dozens of stations without ever knowing it: Your home internet connection (or, even worse, a public Wifi), your ISP, their different servers or CDNs, and then the final connection to the recipient, assuming they download the document at some stage. Your documents can be intercepted at any of these stages, and you would never know until it’s too late.
Last but not least, your exposure even goes beyond any hack at all: With agreements like the CLOUD Act, participating governments force eSignature providers in their jurisdiction to share their users’ data with other governments, should a valid request be submitted. That means you can use the most secure eSignature provider in the world – when Uncle Sam (or any other uncle) comes knocking, your documents will be handed over. And if nothing else, that’s when you really want proper encryption to be in place to ensure what privacy you have left.
The Bottom Line
Your signature is legally binding and sits on any document from an offer letter to a new member of management to a final contract for the next big acquisition. And more often than not, exposing that kind of document to the public or any outside party can have devastating consequences for your business.
Cybercrime is on the rise globally, and nobody is safe. Not the tiny ISP in your town, not the biggest tech companies, and not even your government. As more and more data is stored online, hackers get better and better at penetrating even the most advanced security measures. At this stage, it’s much more a question of “when” than a question of “if”. Whatever eSignature provider you use, they could get hacked.
But not only hacks happen: Mistakes happen. Bugs happen. New laws happen – time and again chipping away at your privacy. When any of that happens, your only chance to maintain your privacy is full, asymmetric, end-to-end encryption.











