Why “No-Sign Lists” Should Be a Thing of the Past for eSignatures

December 15, 2021

There is no doubt that eSignatures provide huge benefits over traditional wet signatures: They can vastly improve the workflow of document handling and, especially in times of remote work, enable seamless cooperation not only between internal teams but also between companies and their customers. 

Unfortunately, legitimate concerns over privacy force many companies to take drastic measures when signing documents online, often eradicating most of the benefits of using eSignatures in the first place. 

So-called “no-sign lists” are implemented to prevent sensitive documents from being signed online. Their mere existence speaks to the lack of trust in the eSignature provider – an issue that can only be solved by using a provider which offers full, end-to-end encryption for all documents.  

But why would companies go through the hassle of creating no-sign lists in the first place?

Why Do “No-Sign Lists” Exist for eSignatures?

Cybersecurity is a topic that’s front and center for many companies, especially as more and more of their operations move online. As much as there are many benefits to working online, the change of environment comes with risks that have to be addressed in order to maintain the privacy of sensitive information. 

For example, a company might be ok with their employees using the average eSignature provider to sign an order for a new printer in the office – there are few concerns for privacy. However, any document containing personal or business-critical information that would allow a reader to directly identify either employees or customers and build, say, a digital marketing profile on them is off-limits – not to be sent digitally for signature, ever. 

Therefore, employees are forced to check the no-sign list for every document they want to send and decide which category it falls into. This presents an inherent dichotomy: On one hand, efficiency is a priority for most companies, steering employees to use eSignatures more often. On the other hand, cybercrime is on the rise, steadily increasing the types of documents that could be abused if a breach of privacy were to occur. 

Being aware of the hassle of such lists, some companies try to circumvent the issue by only sending the signature pages online and having the countersigning party sign a waiver for the rest. While it certainly solves the privacy issue, using this method creates another set of problems: If you’re signing a page without the corresponding content, what are you really signing for? 

Whether it’s an active no-sign list or a resourceful way to circumvent creating one – the process is prone to human error and creates an unnecessary privacy risk. 

Here’s Why “No-Sign Lists” Should Be a Thing of the Past for eSignatures

If you’re forced to use a no-sign list, there’s a fundamental flaw in the process. Trust is of the essence when it comes to eSignatures, and it should not have to be subject to any manual procedure or workaround at all. No-sign lists shouldn’t exist at all – and here is why: 

| Why no-sign lists should not exist | How that issue affects you |
| --- | --- |
| They prove there is a lack of trust | You should trust in your provider |
| They show your provider does not prioritize privacy | Your privacy should be of the utmost importance to your provider |
| No marketing like the “rule of least privilege” can overcome the underlying issue | You don’t have any say over the “privilege” |
| They prove there are serious privacy concerns in the process | Your privacy should not be threatened at any stage using eSignatures |
| They create more work and are prone to human error | You want to increase efficiency and decrease human error, not the other way around |
| They cannot be circumvented without creating even more issues | You’re forced to circumvent an issue that should not exist in the first place… |

How many of these issues sound familiar? Let’s take a deep dive into why they all point towards only one possible solution: Opting for proper end-to-end encryption. 

No-sign lists prove there is a lack of trust

If there is a lack of trust in someone handling your signature documents, you have a serious issue. By definition, documents that require signatures are legally binding and often contain sensitive information. If the party handling those documents cannot be trusted 100%, there is a fundamental issue that should be addressed. 

Just like you express trust with your signature, you should be able to express trust in the party handling the signature process. Out of all the suppliers you work with, your eSignature provider potentially handles the most sensitive information – and therefore, absolute trust should be a no-brainer. 

No-sign lists speak to a lack of privacy awareness of eSignature providers

By failing to implement the only trustworthy solution – full end-to-end encryption – many eSignature providers display a lack of respect for the privacy of their customers. And while many would argue that their elaborate systems and processes provide so much benefit that a little less trust should not be an issue, it’s a fact that privacy is a binary issue: It’s either preserved – or not. 

Would you use a bank that’s known to be quick and fancy but somewhat careless with your money? No matter the number of fancy benefits promised, every business serves a fundamental purpose first, and the purpose of eSignature providers just happens to be to provide a trustworthy, or – even better – a trustless platform for their customers. 

Not even the “rule of least privilege” helps eliminate no-sign lists

Frequently, the ominous “rule of least privilege” is meant to instill a sense of trust and eliminate no-sign lists. It is certainly a noble approach, and one that should be the default anyway, but at the end of the day it does nothing to guarantee your privacy, and therefore it does not remove the need for no-sign lists. 

You don’t define “privilege” – your provider does. Job descriptions change, and so do the people behind those descriptions. You’ll never know who exactly has access to your documents under the “rule of least privilege,” and therefore you have to assume your privacy has been compromised from the start. 

Most eSignature providers justify the existence of no-sign lists

No-sign lists exist because there are several real, highly likely threats to your privacy with most eSignature providers. Whether that’s legitimate access by someone with a high enough job title, the government asking for your unencrypted documents as part of an agreement like the CLOUD Act, a fancy tool like “document life-cycle management and analytics” requiring access to your data, or illegitimate access as the result of a security breach – a privacy breach is not a question of “if,” but rather “when.”

If there is a way to access your data unencrypted, somebody will make use of it. Murphy’s law dictates as much, and even the slightest chance of a privacy breach is more than you should have to accept. Access to your documents should be limited to you and your recipient – nobody else. 

No-sign lists create issues in themselves

There is no universal rule which documents belong to a no-sign list. Someone needs to make that decision, which means it’s prone to human error. Document types constantly change, which means a no-sign list must be updated regularly. And even if the rules are clear – honest mistakes can still be made by the employee actually sending the document. 

No-sign lists create a lot of unnecessary work and are prone to human error. In essence, they add a complex step to a process that should be streamlined and flawless, with no risk of human error at all. 

Circumventing no-sign lists creates even more issues

Any attempt to circumvent the issue of no-sign lists usually creates an even bigger problem. The popular solution of only sending the signature page in order to maintain the privacy of the actual content of the document seems smart – but contains a fundamental flaw: You’re essentially asking someone to sign an empty page, entering into a legal agreement. But a legal agreement about what, if the content is not in the same document? 

The lack of trust cannot be overcome, no matter how cunning the idea is to circumvent the issue. You’re either stuck with cumbersome no-sign lists or forced to adopt an even worse solution to even use your eSignature provider at all. You should never be forced to choose between bad and worse, especially when it comes to maintaining your privacy. 

The Bottom Line

Thankfully, the issue at hand is binary: If a no-sign list (or a workaround like sending only the signature page) exists at all, there is an issue. It’s a very black-or-white scenario, with no shades of grey at all. A no-sign list means a lack of trust, and lack of trust is the last thing you want to deal with when it comes to the party handling all your signature documents. 

There might not be any malintent involved at all. In fact, they might sell it as a benefit, such as the “rule of least privilege” or any number of fancy tools with names like “proposal management software.” But at the end of the day, they all spell the same thing: 

There is access to the content of your documents. 

When, where, who, how – none of it matters, because there is access to be had. Therefore, the only way to prevent the entire issue and eliminate no-sign lists once and for all is to eliminate access altogether. 

Luckily, modern technology like asymmetric, end-to-end encryption limits access to you and your recipient, with no way for anyone along the way to read your documents. Your data is encrypted locally, on your device, and decrypted locally, on your recipient’s device, with a private key. 

It’s the “rule of no privilege,” often also called a “trustless” or “zero-trust” environment: If there is no possible way to access your data, there is no issue with trust, and therefore any document can be sent digitally. And that’s how eSignatures should work in the first place.
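The two paragraphs above describe the mechanism in words; the following is an added example in Go that shows it in working code. It is not code from the original post or from any eSignature product, and every concrete choice in it is an assumption made for the illustration: RSA-OAEP to wrap a one-time AES-256-GCM key for the recipient, ECDSA P-256 for the sender's signature, the Envelope type and the Seal, Open and Scenario functions, and the sample contract text. The point it demonstrates is the one the article makes twice: the relaying provider only ever holds an envelope it cannot open, and the signature is computed over the complete document, so a signature cannot be detached from its content the way a "signature page only" workaround does.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is everything the relaying provider stores; nothing in it lets the provider read the document.
type Envelope struct {
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM over the complete document, body included
	Signature  []byte // sender's ECDSA signature over SHA-256(complete document)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the sender's device: sign the whole document, then encrypt it
// so that only the holder of the recipient's private key can open it.
func Seal(doc []byte, signer *ecdsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, signer, digest[:])
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 32+12) // fresh AES-256 key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, doc, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open runs on the recipient's device: unwrap the key, decrypt, and verify that
// the signature covers exactly the document that was received.
func Open(env *Envelope, recipient *rsa.PrivateKey, signer *ecdsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	doc, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext was altered in transit")
	}
	digest := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(signer, digest[:], env.Signature) {
		return nil, errors.New("signature does not cover this document")
	}
	return doc, nil
}

// must keeps the demo scenario short; production code would return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Scenario runs the flow with throwaway keys and a constructed sample contract. It reports
// whether the recipient recovered the document and whether the signature, moved onto a
// different body (the "signature page only" problem), is rejected.
func Scenario() (recovered, swapRejected bool) {
	signer := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	recipient := must(rsa.GenerateKey(rand.Reader, 2048))
	doc := []byte("Employment contract\nBody: salary 85000, home address 12 Example St\nSignature page")
	env := must(Seal(doc, signer, &recipient.PublicKey))
	got := must(Open(env, recipient, &signer.PublicKey))
	recovered = string(got) == string(doc)
	// A signature over the full document does not verify against other content.
	other := sha256.Sum256([]byte("Employment contract\nBody: salary 25000\nSignature page"))
	swapRejected = !ecdsa.VerifyASN1(&signer.PublicKey, other[:], env.Signature)
	return
}
```

The provider in this model only ever sees an Envelope: the document key is wrapped to the recipient's public key, so no role, job title, analytics tool or breach on the provider's side yields plaintext, which is exactly the condition under which a no-sign list has nothing left to protect. Because the signature is over the SHA-256 of the whole document rather than of a detached page, the recipient's check in Open fails the moment the body differs from what was signed.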

Your way forward

Join leading organizations

Contact us now to see how we can help your business to upgrade and future-proof your signing, certifying, and verifying processes with the next generation of eSignatures.
