— 01 —The two laws that matter.
In the United States, two pieces of legislation make electronic signatures legally equivalent to wet ink. Both have been in force for over twenty years. Both have been tested repeatedly in court. Both apply to nearly every contract you'd ever want to sign.
The ESIGN Act (2000) — federal
The Electronic Signatures in Global and National Commerce Act, signed into law June 30, 2000. It establishes that a contract or signature cannot be denied legal effect solely because it is in electronic form. It applies to interstate and foreign commerce, which covers most business contracts you'll encounter.
For a signature to qualify under ESIGN, four conditions must be met:
- Intent to sign. The signer must intend to sign the document.
- Consent to do business electronically. The signer must affirmatively consent — and must be able to withdraw that consent.
- Association. The signature must be logically associated with the record being signed.
- Record retention. The signed record must be retained and reproducible.
Vouch satisfies all four for every signature it captures.
UETA (1999) — state
The Uniform Electronic Transactions Act has been adopted by 49 of 50 US states (every state except New York, which has its own substantively similar electronic signature law). It establishes the same equivalence at the state level and provides the framework most state courts use when evaluating electronic signatures.
UETA's core requirement is the same as ESIGN: the four conditions above must be met, and the parties must have agreed to do business electronically.
— UETA § 7(a), the core sentence
What about other countries?
The EU has eIDAS (Electronic IDentification, Authentication and trust Services), which recognizes three tiers: simple electronic signatures, advanced electronic signatures, and qualified electronic signatures. Vouch currently produces signatures equivalent to the simple and advanced tiers. We do not yet support qualified electronic signatures (QES), which require government-issued cryptographic certificates and are mostly used for transactions like real-estate purchases in some EU member states.
The UK's Electronic Communications Act 2000 and Common Law principles produce essentially the same equivalence as ESIGN/UETA. Most other Commonwealth jurisdictions follow similar frameworks.
— 02 —What we actually capture.
The legal usefulness of an electronic signature depends almost entirely on what evidence supports it. A signed PDF on its own is weak evidence. The same PDF accompanied by a detailed audit log is strong evidence. Vouch errs on the side of capturing more than is strictly required.
For every signature event, we record:
- Signer identity. Name, email, and the affirmative consent to ESIGN/UETA captured before signing.
- Network metadata. IP address (IPv4 or IPv6), reverse DNS where available, geolocation derived from IP.
- Device fingerprint. User agent string, operating system, browser engine and version, screen resolution, timezone offset.
- Behavioral metadata. Time spent on each page of the document, scroll depth, time elapsed between events.
- Signature artifact. Either the rendered text signature with chosen font style, or the raster-and-vector capture of a hand-drawn signature, including stroke timing.
- Timestamp. Captured server-side using NTP-synchronized clocks, expressed in UTC. Local browser time is also recorded for cross-checking.
- Document hash. SHA-256 of the document bytes at the moment of signing, before any subsequent modification.
This list is approximately 30% larger than what most major e-signature providers capture. The reason is simple: we'd rather have evidence we don't need than need evidence we don't have.
None of this captured data is biometric, and none of it requires the signer to install anything or grant any unusual permissions. It's all data your browser already provides to every website you visit — we just persist it deliberately, and link it to a specific signature event.
— 03 —The hash chain, and why it matters.
Most e-signature platforms produce an audit log. Few of them produce one that's tamper-evident. Vouch's differentiator is that every event in a document's lifecycle is hashed using SHA-256, and each hash includes the hash of the previous event.
The result is a cryptographic chain: if you alter any single event, every event after it has the wrong hash, and the chain is provably broken. Anyone can verify the chain — including parties who don't trust Vouch.
event_n.previous_hash = event_(n-1).this_hash
event_n.this_hash = SHA256(
event_n.previous_hash,
canonicalize_json(event_n.payload)
)Canonicalization uses RFC 8785 (JSON Canonicalization Scheme), which means the hash is deterministic across implementations. Anyone can re-implement the chain validation in any language and produce the same result.
The practical effect: if Vouch's databases were compromised tomorrow and someone tried to alter a signed document's history, the change would be mathematically detectable by anyone who has the previous hash. We could not silently change a record even if we wanted to.
You can verify any document's chain at vouch.ink/verify. Paste an audit ID, get the full chain, run the math. No login required.
— 04 —What happens in court.
The honest answer to "will an electronic signature hold up in court" is: almost certainly yes, but the audit trail does the heavy lifting.
Federal courts and all 50 state courts have admitted electronic signatures as evidence routinely since the early 2000s. The relevant case law is voluminous and consistent. The disputes that arise almost never concern whether electronic signatures are valid in principle — they concern whether a particular signature was made by a particular person.
That's where the audit log becomes the entire ballgame. A judge or jury asked "did Sarah sign this?" doesn't care that the signature is electronic. They care that:
- The signature came from an IP address consistent with Sarah's location
- It was made on a device consistent with Sarah's typical device
- Sarah affirmatively confirmed her email and consented to electronic signing
- The document content at the time of signing matches what Sarah claims she saw
- No subsequent tampering has occurred
Vouch's audit log answers all five of those questions, and the hash chain answers the fifth one in a way that is mathematically rather than legally provable.
What about authentication challenges?
If a counterparty claims "that wasn't me, my account was compromised," the audit log gets adversarial. Most e-signature challenges fail because the metadata patterns (IP, device, timing) are inconsistent with the alleged compromise. A small number succeed when the metadata genuinely supports the claim. This is a feature, not a bug — the system is designed to surface those cases.
Knowledge-based authentication (KBA) and government-issued ID verification provide an additional layer for high-stakes documents. Vouch supports SMS-based identity verification today; KBA and ID-document verification are on the roadmap for high-value transactions.
— 05 —What Vouch does not do.
Compliance pages tend to oversell. We try to be specific about what we don't cover.
- We are not a notary. Vouch signatures do not satisfy notarial requirements. If your transaction requires a notary (most real estate closings, some powers of attorney, certain wills), use a remote online notary service or an in-person notary. Vouch can be used for the underlying agreement, not the notarial seal.
- We do not yet support qualified electronic signatures (QES) under eIDAS. If you're transacting in the EU and need QES specifically (some real estate, some financial transactions), Vouch is not sufficient on its own. We support advanced electronic signatures, which cover the great majority of EU business contracts.
- We are not a legal advisor. If you're not sure whether your specific document type requires wet ink, a notary, or QES, ask a lawyer in your jurisdiction. Vouch can satisfy ESIGN/UETA requirements, but those laws explicitly carve out certain transaction types (wills, certain family-law matters, court orders).
- We are not 24/7 court-ready evidence. The hash chain is mathematically robust, but in adversarial proceedings you may need additional supporting evidence (witness testimony, business records). Vouch's audit log is admissible as a business record, but a complex dispute may benefit from expert witness testimony.
If your transaction falls into any of the gaps above, the right move is usually a hybrid approach: use Vouch for the agreement itself, and use the appropriate additional service (notary, QES provider, etc.) for the parts that require it.
— 06 —References and reading.
The text of the actual laws is publicly available, generally not as terrible as you'd expect, and often clarifies questions faster than third-party articles can.
- ESIGN Act (Public Law 106-229) — the full text, federal
- UETA (1999) — Uniform Law Commission, including state-by-state adoption
- eIDAS Regulation (EU 910/2014) — the EU framework
- RFC 8785 — JSON Canonicalization Scheme — what Vouch uses for hash determinism
- NIST FIPS 180-4 — the SHA-256 specification
State-by-state UETA adoption notes (the few exceptions worth knowing about):
- New York — has not adopted UETA but has its own Electronic Signatures and Records Act (ESRA), which is substantively equivalent.
- Illinois — repealed UETA in 2021 and replaced it with the Uniform Real Property Electronic Recording Act, which expanded electronic signature recognition. Practical effect: stronger, not weaker.
- Washington — adopted a modified version of UETA. The differences don't materially affect Vouch's compliance.
Ready to verify your own document?
Every Vouch document gets an audit ID and a final hash. Paste either into the public verifier and confirm the chain yourself. No login required.
This page describes Vouch's compliance posture and the legal framework around it.
It is not legal advice. For specific questions about your transaction, consult a lawyer in your jurisdiction.