A signed PDF lands in court three years later. The other side claims they didn't sign it. The judge asks for evidence. What you produce is the audit trail.
What an audit trail contains
A typical e-signature audit trail records:
- Document hash — a cryptographic fingerprint of the PDF at signing. - Signer identity — name, email, sometimes phone or other identifier. - Signing events — sent, viewed, signed, declined, with timestamps. - IP address of each event. - User agent (browser, device). - Authentication method — how the signer was identified. - Consent record — explicit agreement to transact electronically, where required.
Why each piece matters
The document hash proves the file hasn't been altered since signing — change one byte and the hash no longer matches.
The timestamps and IP establish when and from where the signature was applied. Useful for proving the signer wasn't, say, in a different country at the time.
The consent record matters for consumer transactions under ESIGN, which requires affirmative consent to electronic delivery.
Where the audit trail lives
Best practice: bundle the audit trail with the signed PDF as an attached certificate or separate document. Flint's signing flow produces a certificate of completion that travels with the signed file.
Store both together. If they separate, the signature is still legally valid but harder to defend in dispute.
Reading an audit trail
Open the certificate. Match the document hash on the certificate to the hash of the signed PDF (any cryptographic tool can compute this). Check the signer's identity matches who you expected. Check the IP and timestamp are consistent with the signer being in a plausible place and time.
If any of these don't match, raise it before the deal closes — not after.
FAQ
Is an audit trail legally required?
Not by name. But ESIGN, UETA and eIDAS all require attribution — evidence linking the signature to the signer. An audit trail is the standard way to provide it.
Can audit trails be forged?
Reputable platforms cryptographically sign their audit trails — tampering is detectable. Self-produced audit logs are weaker evidence.
How long should I keep an audit trail?
For the limitation period of the contract — usually 6 years in England and Wales for ordinary contracts, 12 for deeds. Longer for regulated documents (tax: 6 years; some medical: lifetime+).
Does Flint produce a downloadable audit trail?
Yes — the certificate of completion is a PDF you can download, archive and attach to the signed contract.
The audit trail is the legal evidence. Use a signing tool that produces one and store it with the signed file.