OneSpan Sign FAQ

Our developer community is the best place for developers to get up and running quickly with OneSpan Signs API and SDKs.

Yes. There are four ways to get started with OneSpan Sign:

• The provided UI
• The Java SDK
• The .NET SDK
• The REST API

Read our quick-start blog for an overview of how to get started with each.
 

To learn more about how to use document extraction to automatically bring form fields into OneSpan Sign, read this blog: 
OneSpan Sign How To: Document Extraction (.NET SDK)
 

OneSpan Sign Professional is a web-based e-signature service. You use a web browser to send and sign documents. It’s that simple. 

Here’s how it works:

1. Upload your documents
2. Add your recipients
3. Define where the recipients will sign by simply dragging a signature block to the correct location(s) in the document
4. Select the authentication method (username/password, secret question/answer, one time passcode (OTP), third-party authentication services)
5. Click “SEND”

An email will be sent to each signer, inviting them to e-sign the document(s). If you are face-to-face with the signer, you have the option of using your own computer or mobile device to capture their signature. Each signer is guided step-by-step through the signing process. Once the documents are signed, they can be downloaded. The e-signed documents can be stored in OneSpan Sign or downloaded for retention in your own system of record and deleted from OneSpan Sign.

The e-signed documents are standard PDF files that can be viewed in Adobe Reader and other PDF readers.

Adobe Reader is not required to prepare or sign documents. It is only necessary to open and view e-signed documents and to see all the e-signatures. When viewing a document using Adobe Reader, you can verify that a document and its signatures have not been tampered with.

Other PDF viewers will not necessarily display the signature seal. You will need Adobe Reader version 5 and up to view e-signed documents.

No. Signers don’t need anything more than a web browser. When asking customers to sign over the Internet, the best solution is to e-sign documents through a web browser – without asking the customer to download any software. This eliminates the risk that the customer might abandon the process because of frustration and delays caused by software incompatibilities.

Signing with OneSpan Sign is easy. In fact, signers do not even need to create an account. They simply receive an email with a link to a secure site, enter their username and password, and gain access to the e-sign process through the browser.

What’s more, the Mobile Signature Capture feature in OneSpan Sign transforms any web-enabled touchscreen device into a signature capture pad – eliminating the need for hardware for signing. This feature is ideal for remote account opening and customer onboarding processes, if there is a need for a hand-scripted signature and the document review process take place on a desktop/laptop.

• Internet Explorer 11
• Edge
• Safari
• Firefox
• Google Chrome
• Opera

OneSpan Sign offers you the ability to e-sign documents anywhere, anytime from any web-enabled device, including a smartphone, tablet, and laptop.

OneSpan Sign can be deployed:

• On a public cloud anywhere in the world (the most popular option because of speed-to-market and low cost)
• On a private cloud anywhere in the world (often selected because of increased security requirements and for greater control over where and how data is stored)
• On-premises behind your company’s firewall (selected by organizations that require total control over the servers and data)

Regardless of how you deploy, we offer the exact same product, the same code base, and the same user experience without compromising on security or functionality.

Our single SaaS platform means that you can start developing using a common REST API and SDKs and deploy however and wherever you want. If your needs change over time, you have the flexibility to migrate from one deployment to another, as well as implement OneSpan Sign as a shared service to deliver e-signatures company-wide.

For more information about pricing, visit our pricing page.

Yes. Security is always top-of-mind when organizations begin signing online with customers, partners, and suppliers. OneSpan Sign provides three levels of security:

• User authentication: OneSpan Sign offers multiple ways to verify the signers identity, including traditional login/password, secret question/answer, one time passcode (OTP), third-party authentication services (e.g., Equifax), support for CAC/PIV smartcards, and more. To learn more, read the user authentication white paper.
• Document authentication: Once a document is signed with OneSpan Sign, it is locked down with a digital signature (essentially a tamper-proof seal). Unlike paper-based contracts and signatures that require careful attention to detail and that rely on the human eye for verification, e-signed contracts based on digital signatures can automatically flag any errors or alterations. So any attempt to alter the document’s contents will render it invalid. Plus, it is not possible to copy and paste a signature since OneSpan Sign also secures the signature blocks with a digital signature. Even with all this security, we make it easy for you to verify the authenticity of the document and signatures – in just one click.
• Audit trails: OneSpan Sign captures all the digital fingerprints that people leave as they go through a signing process. These are captured in two types of audit trails: a static audit trail (what the signer signed) and a patented visual audit trail (how the signer signed). OneSpan Sign resonates with legal and compliance teams, because these audit trails provide visibility into when and how the transaction took place – something that simply isn’t possible in the paper world.
   

Strong security requires the right mix of people, processes, and technology. Taking a multi-pronged approach to e-signature security in the cloud will ensure your records (and the records of your customers) are handled and managed appropriately. It will also foster customer confidence and protect your organization’s reputation. That is why we recommend taking a broad view of e-signature security that includes:

• The ability to choose the appropriate level of authentication for each of your processes (internal processes require less authentication, while external processes with customers typically require stronger authentication).
• Protecting e-signatures and documents from tampering.
• Making it easy to verify e-signed records – independently of the vendor – to ensure that no changes have been made to the document since it was signed.
• Ensuring the long term reliability of your e-records, independent of your vendor.
• Choosing a vendor with a consistent track record for protecting customer data.

To learn more, check out the Ultimate E-Signature Security Checklist.
 

It really depends on the type of transaction and the risk associated with it. For example, an online mortgage renewal with an existing customer is a transaction with someone who likely already has online banking credentials. In that case, the customer could log in to the banking portal using their existing credentials, access the renewal document, and e-sign it directly inside the online banking portal.

However, if the participant is an “unknown customer,” the bank must have a method of verifying the customers identity documents. This can include a proof of residence, passport, driver’s license, state-issued ID, or other uniquely identifying documents.

There are two methods of ID Verification:

• In-person Verification: This requires the customer to show a bank associate a physical copy of their government-issued photo ID. The associate must then confirm that the ID is genuine and approve the transaction.
   
• Digital ID Verification: With new technology and regulations, such as the U.S. MOBILE Act, organizations can now digitize the ID verification process. Harnessing the power of mobile devices, banks can accept a scanned copy of the customer's photo ID to verify its authenticity, and ask the customer to upload a selfie to match against the scanned ID.

To learn more, read the user authentication white paper.
 

Yes. Data residency is top of mind for organizations today. In addition to existing deployments in the US and Canada, we offer customers around the world access to both public and private cloud instances of OneSpan Sign in Australia, the UK, Germany, Japan, Singapore, and Brazil. For example, many of our Canadian customers are already processing their e-signed documents through data centers in Toronto and Montreal.

The same applies to our connectors. For example, our e-signature app for Salesforce provides organizations with the flexibility to connect to any global instance of OneSpan Sign – whether that’s in the US, Canada, or any of the six countries listed above. So contracts, NDAs, and documents that are delivered to your customers and partners for signature via Salesforce reside wherever your internal IT policies dictate. OneSpan Sign is the only e-signature solution in the market to provide this level of global flexibility. To learn more, read this data residency blog.
 

Security-conscious organizations are looking for assurance that the vendors they work with meet the necessary security requirements. While there are a number of compliance programs in place at the data center level (e.g., HIPAA, SOC 1/SSAE 16, SOC 2, SOC 3, PCI DSS Level 1, ISO 27001, etc.), as well as military-grade physical controls, we wanted to go above and beyond for our customers. OneSpan Sign meets additional security control and compliance requirements, including:

• ISO/IEC 27001:2013: ISO/IEC 27001 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO/IEC 27002 best practice guidance. The basis of this certification is the development and implementation of a rigorous security program, which includes the development and implementation of an Information Security Management System (ISMS) which defines how OneSpan Sign continuously manages security in a holistic, comprehensive manner.

  Learn more

• ISO/IEC 27017:2015: OneSpan takes a structured approach to cloud security by implementing a series of best practices to comply with the ISO/IEC 27017 standard for specific requirements for cloud security services and cloud security controls. ISO/IEC 27017 is designed to assist in the recommendation and implementation of controls for cloud-based organizations. This is not only relevant to organizations which store information in the cloud, but also for providers which offer cloud-based services to other companies who may have sensitive information.

  Learn more

• ISO/IEC 27018:2019: OneSpan meets the standard for protecting customer data in the cloud as an ISO/IEC 27018 certified organization. ISO/IEC 27018 is a code of practice that focuses on protection of personal data in the cloud. ISO/IEC 27018 is a code of practice that focuses on protection and privacy of personal data in the cloud. It is based on ISO/IEC information security standard 27002 and provides implementation guidance applicable to storing of Personally Identifiable Information (PII) in a public cloud. It also provides a set of additional controls and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO/IEC 27002 control set.

  Learn more

• SOC 2 Type II: In a security audit by KPMG, OneSpan Sign’s data protection technologies and processes were verified as SOC 2 compliant. 
• FedRAMP: OneSpan Sign allows government agencies to securely leverage e-signatures in the cloud and take advantage of cost-savings and drive employee and citizen engagement.

  Learn more

• Skyhigh: Skyhigh Enterprise-Ready cloud services fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.

  Learn more

• Health Insurance Portability and Accountability Act of 1996 (HIPAA): For the U.S. healthcare industry, OneSpan Sign is compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA outlines the requirements for the management, storage, and transmission of protected health information in both physical and digital form.

  Learn more

We also meet the government security certification standards issued by:

• The National Institute of Standards and Technology (NIST).
   
• The Joint Interoperability Test Command (JITC). OneSpan Sign has 13 JITC certifications, more than any electronic signature solution provider.
   
• The National Security Agencys National Information Assurance Partnership (NIAP), through our support for FIPS PUB 140-2, a computer security standard used to accredit cryptographic modules.
   
• OneSpan Sign also supports the latest SHA encryption standards.

For more information, see our Trust Center.