May 17, 2026 · Compliance
E-Signature API Compliance Checklist: ESIGN, eIDAS, HIPAA, SOC 2
Your e-signatures are only as defensible as your compliance posture. This is the developer's checklist — covering ESIGN Act, eIDAS, HIPAA, and SOC 2 — with code-level verification for each requirement.
Founder, Signbee
TL;DR
Electronic signatures are legally binding — but only if your implementation meets compliance requirements. This checklist covers the four frameworks developers encounter most: the US ESIGN Act, the EU eIDAS Regulation, HIPAA for healthcare, and SOC 2 for SaaS. Each item has a concrete verification step you can check in your code or your provider's documentation.
Are electronic signatures legally binding?
Yes. This question comes up in every compliance review, and the answer hasn't changed since the ESIGN Act was signed in 2000: electronic signatures have the same legal standing as handwritten signatures in the United States, the European Union, the United Kingdom, Canada, Australia, and most other jurisdictions.
But "legally binding" doesn't mean "automatically compliant." The signature is valid only if your implementation satisfies three universal requirements:
If your e-signature API captures these three elements — with an audit trail to prove it — the signature is enforceable. For a deeper dive into the legal frameworks, see our complete guide to e-signature law.
Checklist 1: ESIGN Act & UETA (United States)
The ESIGN Act (Electronic Signatures in Global and National Commerce Act) and UETA (Uniform Electronic Transactions Act) govern e-signatures in the US. Here's your developer checklist:
| Requirement | What to verify |
|---|---|
| Intent to sign | Signer clicks an explicit "Sign" button |
| Consent disclosure | Signer is informed they're signing electronically |
| Opt-out ability | Signer can decline / request paper |
| Record retention | Signed document is accessible and reproducible |
| Signature attribution | Audit trail links signature to signer |
| Document integrity | Hash proves document wasn't altered after signing |
Signbee handles all of these automatically. The signing page displays a consent disclosure. The signer can decline. The signed PDF includes a certificate of completion with a SHA-256 hash. See our signing certificate deep-dive for how the hash verification works.
Checklist 2: eIDAS (European Union)
The eIDAS Regulation defines three levels of electronic signatures. Understanding which level you need is the first step:
| Level | Definition |
|---|---|
| SES (Simple) | Any electronic data used to sign |
| AES (Advanced) | Uniquely linked to signer, under sole control |
| QES (Qualified) | AES + qualified certificate + creation device |
Most API-based e-signatures are SES or AES. SES is sufficient for the vast majority of business transactions. QES is only required for specific regulated transactions in certain EU member states (e.g., real estate transfers in Italy, public procurement in France). For a complete breakdown, see our AES vs QES guide.
Your eIDAS checklist for SES/AES:
Checklist 3: HIPAA (Healthcare)
If your application handles protected health information (PHI), HIPAA compliance applies to your e-signature workflow. This is the checklist most developers get wrong — not because the requirements are complex, but because they forget that the e-signature provider is a Business Associate.
| Requirement | What to verify |
|---|---|
| Business Associate Agreement (BAA) | Signed BAA with your e-signature provider |
| Encryption at rest | AES-256 encryption for stored documents |
| Encryption in transit | TLS 1.2 or higher for all API calls |
| Access controls | API key scoping, role-based access |
| Audit logging | All access to PHI is logged with timestamps |
| Retention period | 6-year minimum for records containing PHI |
| Breach notification | Provider has incident response process |
Critical: Not all e-signature providers offer BAAs. DocuSign offers them on enterprise plans. HelloSign offers them on premium plans. Check with your provider before sending any documents that contain PHI. For healthcare-specific guidance, see our HIPAA e-signature guide.
Checklist 4: SOC 2 (SaaS & enterprise)
If your company is SOC 2 audited (or your customers require it), your e-signature provider needs to be part of your trust boundary. SOC 2 isn't a law — it's a framework for demonstrating security controls. But for SaaS companies, it's table stakes.
Verify compliance in your code
Here's a practical pattern I use to verify that every document sent through the Signbee API meets compliance requirements before it reaches the signer:
interface ComplianceCheck {
hasConsent: boolean;
recipientVerified: boolean;
contentNotEmpty: boolean;
auditMetadata: Record<string, string>;
}
function verifyCompliance(params: {
markdown: string;
recipientEmail: string;
consentGiven: boolean;
}): ComplianceCheck {
return {
hasConsent: params.consentGiven,
recipientVerified: params.recipientEmail.includes("@"),
contentNotEmpty: params.markdown.trim().length > 0,
auditMetadata: {
initiatedAt: new Date().toISOString(),
initiatedBy: "system",
complianceVersion: "2026-05",
},
};
}
async function sendCompliantDocument(params: {
markdown: string;
recipientName: string;
recipientEmail: string;
consentGiven: boolean;
}) {
const checks = verifyCompliance(params);
if (!checks.hasConsent) {
throw new Error("ESIGN: Consent not captured");
}
if (!checks.contentNotEmpty) {
throw new Error("Document content cannot be empty");
}
const response = await fetch("https://signb.ee/api/v1/send", {
method: "POST",
headers: {
"Content-Type": "application/json",
"Authorization": "Bearer sk_live_your_api_key",
},
body: JSON.stringify({
markdown: params.markdown,
recipient_name: params.recipientName,
recipient_email: params.recipientEmail,
metadata: checks.auditMetadata,
}),
});
const result = await response.json();
// Log for your own audit trail
await auditLog.create({
action: "document.sent",
documentId: result.id,
recipient: params.recipientEmail,
complianceChecks: checks,
timestamp: new Date(),
});
return result;
}This wrapper ensures consent is captured before sending, logs every request to your own audit trail, and attaches compliance metadata to the document. Even though Signbee generates its own audit trail, maintaining your own gives you defense-in-depth for compliance audits.
Provider compliance comparison
| Feature | Signbee | DocuSign |
|---|---|---|
| ESIGN / UETA | ✓ | ✓ |
| eIDAS SES | ✓ | ✓ |
| SHA-256 audit trail | ✓ | ✓ |
| TLS 1.2+ enforced | ✓ | ✓ |
| Webhook signatures | ✓ | ✓ |
| BAA available | On request | Enterprise only |
| SOC 2 Type II | In progress | ✓ |
Common compliance mistakes developers make
| Mistake | Risk |
|---|---|
| No consent capture | Signature may be unenforceable |
| Missing audit trail | Can't prove who signed or when |
| No webhook verification | Spoofed "signed" events |
| PHI in document, no BAA | HIPAA violation, fines up to $1.5M |
| No document retention | Can't produce signed copy in dispute |
The security layer
Compliance is closely tied to security. Make sure your integration follows these security practices on top of the compliance checklist:
API key management. Never embed API keys in client-side code. Use server-side environment variables. Rotate keys quarterly. Use scoped keys when available.
Webhook verification. Always verify the x-signbee-signature header on incoming webhooks. This prevents attackers from spoofing "document.signed" events and tricking your system into thinking a contract was signed when it wasn't. See our webhooks guide for verification code.
Transport security. All Signbee API calls use TLS 1.2+. Verify that your HTTP client doesn't downgrade to older protocols. For a comprehensive security overview, see our security architecture guide.
Frequently Asked Questions
Are electronic signatures legally binding?
Yes. Under the ESIGN Act (US), UETA, and eIDAS (EU), electronic signatures carry the same legal weight as wet-ink signatures. Three conditions must be met: intent to sign, consent to electronic process, and association of the signature with the record.
Do I need HIPAA compliance for e-signatures?
Only if your documents contain protected health information (PHI). If they do, you need a BAA with your e-signature provider, AES-256 encryption at rest, TLS 1.2+ in transit, and 6-year audit log retention.
What's the difference between SES, AES, and QES?
SES (Simple) is any electronic signature data. AES (Advanced) adds unique linkage and signer control. QES (Qualified) requires a certified device and trust service provider. Most business use cases need only SES. See our AES vs QES guide.
What audit trail data should I capture?
At minimum: signer email, IP address, ISO 8601 timestamp, SHA-256 document hash, signing method, and user agent. Signbee captures all of this automatically and includes it in the certificate of completion.
Compliant e-signatures from day one — 5 free docs/month.
Last updated: May 17, 2026 · Michael Beckett is the founder of Signbee and B2bee Ltd. This is a developer compliance guide, not legal advice — consult a qualified attorney for your specific requirements.