ESIGN & UETA Compliance



ZipZign e-signatures comply with the U.S. Electronic Signatures in Global and National Commerce Act (ESIGN) and the Uniform Electronic Transactions Act (UETA).


What ZipZign captures for each signing event


| Field | Description |
| --- | --- |
| Signature | Drawn, typed, or uploaded image |
| Full name | Signer's name as entered |
| Email | Signer's email address |
| IP address | IPv4/IPv6 of the signing device |
| User agent | Browser and OS string |
| Timestamp | UTC timestamp of signing |
| Consent version | Version of the consent language shown |
| consentGiven | Boolean — explicitly confirmed |


This data is embedded in the PDF and stored in the audit log.



When signing via the hosted page, signers must check an explicit consent checkbox before signing is enabled. When signing via API, you must pass "consentGiven": true.


Omitting consentGiven or passing false returns a 400 error:


{
  "error": "ConsentRequired",
  "message": "consentGiven must be true to proceed with signing"
}


Tamper evidence


After all parties sign, ZipZign computes a SHA-256 hash of the final PDF and stores it. This hash can be used to prove the document has not been altered since signing.


Public verification


Anyone can verify a document's integrity without an API key:


curl https://zipzign.com/api/documents/doc_abc123/verify


{
  "id": "doc_abc123",
  "verified": true,
  "hash": "e3b0c44298fc1c149afbf4c8996fb924...",
  "signedAt": "2026-04-15T16:00:00Z"
}


"verified": true means the current PDF hash matches the stored hash — the document is unaltered.
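The verify response describes the PDF that ZipZign holds, so a party relying on a downloaded copy can hash that file and compare it with the returned hash. The following is an added example, not ZipZign's own code; it assumes the hash field is the full lowercase-hex SHA-256 of the exact PDF bytes, and the function names and sample data are constructed for illustration.

```python
import hashlib
import hmac
import io
import re

# Assumption: the API returns the digest as 64 hex characters.
HEX_SHA256 = re.compile(r"[0-9a-f]{64}")


def sha256_stream(fh, chunk_size=1 << 16):
    """Hash a binary file object in chunks so large PDFs are not loaded whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def check_local_copy(fh, verify_response):
    """Compare a local PDF with the parsed JSON body of the verify endpoint.

    Returns "match", "mismatch", "server-unverified" or "unusable-hash".
    """
    # Only the JSON literal true counts; a missing or false flag is a failure.
    if verify_response.get("verified") is not True:
        return "server-unverified"
    reported = str(verify_response.get("hash", "")).strip().lower()
    # Reject truncated or malformed digests instead of prefix-matching them.
    if not HEX_SHA256.fullmatch(reported):
        return "unusable-hash"
    local = sha256_stream(fh)
    return "match" if hmac.compare_digest(local, reported) else "mismatch"


# Constructed sample data: a stand-in PDF and the response it would produce.
SIGNED_PDF = b"%PDF-1.7\n% constructed stand-in for a signed document\n%%EOF\n"
SAMPLE_RESPONSE = {
    "id": "doc_abc123",
    "verified": True,
    "hash": hashlib.sha256(SIGNED_PDF).hexdigest(),
    "signedAt": "2026-04-15T16:00:00Z",
}

if __name__ == "__main__":
    print(check_local_copy(io.BytesIO(SIGNED_PDF), SAMPLE_RESPONSE))
    # A single appended byte is enough to change the digest.
    print(check_local_copy(io.BytesIO(SIGNED_PDF + b" "), SAMPLE_RESPONSE))
```

For a file on disk, pass `open(path, "rb")` as the first argument.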


Full audit trail


Retrieve the complete signing event history (API key required):


curl https://zipzign.com/api/documents/doc_abc123/audit \
  -H "Authorization: Bearer YOUR_API_KEY"


{
  "events": [
    {
      "event": "document.created",
      "timestamp": "2026-04-15T12:00:00Z"
    },
    {
      "event": "document.viewed",
      "signerEmail": "alice@example.com",
      "ip": "203.0.113.5",
      "userAgent": "Mozilla/5.0...",
      "timestamp": "2026-04-15T14:30:00Z"
    },
    {
      "event": "document.signed",
      "signerEmail": "alice@example.com",
      "ip": "203.0.113.5",
      "consentVersion": "v2",
      "timestamp": "2026-04-15T14:35:00Z"
    }
  ]
}


Retention


Audit logs are retained indefinitely for completed documents. API request logs are purged after 90 days.

Updated on: 16/04/2026
