Compliance just emailed asking you to verify the audit trail on a signed contract from last quarter. You open the certificate of completion and see a wall of fields. Here's what each one means and which ones matter when a signature is questioned.
Document section
Document hash / fingerprint — a long hex string (usually SHA-256). This is the cryptographic identity of the document at the moment of signing. If you re-compute the hash of the signed PDF and it matches, the document hasn't been altered.
Document ID — a unique identifier for the signing transaction. Useful for cross-referencing with the platform's records.
Signer section
Signer name and email — what the signer entered or what the platform pulled from the signer's authenticated session.
Authentication method — how the signer was verified: email click-through, SMS code, ID document upload, knowledge-based authentication.
Consent to electronic transaction — yes/no, with timestamp. Required for some consumer transactions under ESIGN.
Event log
Each event is timestamped with the signer's IP and user agent (browser and device):
- Sent: when the platform delivered the email. - Delivered: when the email reached the recipient's server. - Viewed: when the link was opened. - Signed: when the signature was applied. - Completed: when all signers finished.
Gaps and patterns matter. A document viewed at 3am from an unfamiliar IP raises questions — your contract may have been forwarded.
Verifying the chain
Reputable platforms cryptographically sign the audit trail itself, so the certificate can't be silently altered. Verify the certificate's own signature using the platform's public key (often documented in their trust centre).
For Flint, the certificate of completion is signed and verifiable. Detailed verification steps are in the trust documentation; for most disputes, the document hash match is enough.
FAQ
What if the document hash doesn't match?
The document has been altered since signing. The signature is invalidated. Investigate before relying on the file.
What does 'authentication method' tell me?
How confidently the platform identified the signer. Email click-through is the weakest; ID document verification is stronger. Heavier methods are used for higher-stakes signing.
Are IP addresses always reliable?
They're reasonable evidence but not conclusive. VPNs and corporate networks can mask location. Combined with other signals, they help build a picture.
Can I re-issue an audit trail from a platform?
Yes, usually. Reputable platforms keep audit trails for the contract's lifetime and can re-issue on request.
Reading an audit trail is a five-minute skill that saves disputes. Pull yours from Flint and check before any reliance.