Capture and store at minimum: the signer's full name and email, IP address at time of signing, a timestamp (UTC) of each signature event, the document hash (SHA-256 of the final signed document), and the signing platform/method used.
Present the signer with the complete document for review before signature and log that the document was displayed (e.g., record a 'viewed' event with timestamp before the 'signed' event).
Implement an explicit opt-in to electronic signing (a click-wrap or checkbox) and retain evidence of that consent action in the audit log.
For eIDAS advanced or qualified signatures, use a certified trust service provider (TSP) that issues qualified certificates; simple electronic signatures (SES) under eIDAS have a lower bar but less legal weight in EU courts.
Seal the entire audit log and the signed document together in a tamper-evident record, for example by hashing the concatenation of audit log entries and signing the result with your platform's private key or having it timestamped by a timestamping authority (RFC 3161).
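The steps above combined into one sealed record, as an added Python example (not code from this page or from any signing platform). It goes slightly beyond the text by hash-chaining canonical JSON entries instead of hashing a plain concatenation, so reordered or dropped entries are also detected. Assumptions: the field names, sample values and key are constructed, and an HMAC stands in for the platform's private-key signature or an RFC 3161 timestamp token.

```python
import hashlib, hmac, json

PLATFORM_KEY = b"constructed-demo-key"  # assumption: stand-in for the platform's signing key

def _canon(entry):
    # Canonical JSON so the same entry always hashes to the same bytes
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def chain_head(entries):
    # Each link covers the previous link plus the current entry, so editing,
    # reordering or dropping any entry changes the final head.
    head = b"\x00" * 32
    for e in entries:
        head = hashlib.sha256(head + _canon(e)).digest()
    return head

def _tag(key, entries, doc_hash):
    # The seal binds the audit log (chain head) to the document hash
    return hmac.new(key, chain_head(entries) + doc_hash.encode(), hashlib.sha256).hexdigest()

def seal(document, entries, key=PLATFORM_KEY):
    doc_hash = hashlib.sha256(document).hexdigest()
    return {"doc_sha256": doc_hash, "entries": entries, "seal": _tag(key, entries, doc_hash)}

def verify(document, record, key=PLATFORM_KEY):
    """Return a list of problems; an empty list means the record checks out."""
    problems = []
    if hashlib.sha256(document).hexdigest() != record["doc_sha256"]:
        problems.append("document hash mismatch")
    expected = _tag(key, record["entries"], record["doc_sha256"])
    if not hmac.compare_digest(expected, record["seal"]):
        problems.append("seal invalid")
    events = [e["event"] for e in record["entries"]]
    signed_at = events.index("signed") if "signed" in events else len(events)
    for needed in ("consent", "viewed"):  # both must be logged before 'signed'
        if needed not in events[:signed_at]:
            problems.append(f"missing '{needed}' before 'signed'")
    return problems

# Constructed sample data
DOC = b"%PDF-1.7 constructed sample contract"
SIGNER = {"name": "Alex Example", "email": "alex@example.com",
          "ip": "203.0.113.7", "method": "click-to-sign"}
LOG = [dict(SIGNER, event=ev, ts=ts) for ev, ts in [
    ("consent", "2024-01-15T10:00:00Z"),
    ("viewed", "2024-01-15T10:00:30Z"),
    ("signed", "2024-01-15T10:02:10Z")]]
RECORD = seal(DOC, LOG)
```

A record can carry a valid seal and still lack the evidence the steps call for, which is why `verify` reports the event-order problems separately from seal and hash failures.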
Known gotchas
ESIGN and UETA (US) require consent to electronic records and signatures; failing to capture affirmative consumer consent can invalidate the electronic signature for consumer contracts.
eIDAS distinguishes three signature levels (SES, AdES, QES) with different legal presumptions across EU member states; using a simple signature where a qualified one is legally required (e.g., certain notarial acts) renders the signature void.
Audit trail requirements vary by document type and jurisdiction; this guidance describes common practices and is not legal advice — consult an attorney to confirm compliance for your specific use case.