Trust & Security
Every document. Every signature. Cryptographically proven.
Verify a Document
Enter a document ID to check its integrity and view signing details.
How Document Signing Works
Five steps from upload to sealed document
Upload
Upload your PDF document to the platform.
Place Fields
Drag and drop signature fields onto the document.
Send Invitations
Add signers and send secure email invitations.
Signers Sign
Signers receive links and apply their signatures.
Document Sealed
Hashes are recorded and the document is sealed.
Tamper Detection
SHA-3-256 cryptographic hashing creates a unique fingerprint of your document at every stage. Any modification — even a single byte — produces a completely different hash.
Upload
When a document is uploaded, a SHA-3-256 hash of the PDF is computed and stored in the audit trail.
Sign
Each time a signature is embedded, a new hash of the updated PDF is computed and recorded.
Verify
During verification, the current PDF hash is compared against the stored hash. Any mismatch means tampering.
Quantum Resistance: SHA-3-256 (Keccak) uses a sponge construction fundamentally different from SHA-2, providing defense-in-depth against both classical and quantum computing attacks on document integrity.
Digital Signatures
Industry-standard cryptographic signatures embedded directly into your PDF documents.
CMS/PKCS#7 Standard
Signatures follow the Cryptographic Message Syntax (CMS/PKCS#7) standard, the same format used by Adobe Acrobat and other major PDF applications. Signed documents can be independently verified.
Incremental PDF Updates
Signatures are applied using PDF incremental updates, meaning the original document content is never modified. Each signature appends new data, preserving all previous signatures and content.
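The hash-at-every-stage check from Tamper Detection and the append-only property of incremental updates can be tested together, as in this added example (not Behest Sign's code). It goes beyond the single comparison described above by also checking each earlier stage as a byte prefix of the current file; the stored `length` field, the event names, the "Verified" label and the sample bytes are assumptions made for illustration.

```python
import hashlib

def sha3_hex(data: bytes) -> str:
    return hashlib.sha3_256(data).hexdigest()

def record(trail: list, event: str, pdf: bytes) -> None:
    # One audit entry per stage: hash of the whole file as it exists at that stage.
    # Storing the byte length next to the hash is an assumption of this sketch.
    trail.append({"event": event, "sha3_256": sha3_hex(pdf), "length": len(pdf)})

def verify(trail: list, current: bytes) -> dict:
    """Compare the current file with every recorded stage.

    The last entry must match the whole file. Each earlier entry must match
    the file's first `length` bytes, which holds only if later signatures
    were appended as incremental updates and nothing before them changed.
    """
    stages = []
    for i, entry in enumerate(trail):
        prefix = current[: entry["length"]]
        ok = len(prefix) == entry["length"] and sha3_hex(prefix) == entry["sha3_256"]
        if i == len(trail) - 1:
            ok = ok and len(current) == entry["length"]  # no trailing bytes allowed
        stages.append((entry["event"], ok))
    status = "Verified" if stages and all(ok for _, ok in stages) else "Tampered"
    return {"status": status, "stages": stages}

# Constructed sample data: PDF-like byte strings, not real signed PDFs.
ORIGINAL = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SIGNED_V1 = ORIGINAL + b"2 0 obj\n<< /Type /Sig /Name (Signer A) >>\nendobj\n%%EOF\n"
SIGNED_V2 = SIGNED_V1 + b"3 0 obj\n<< /Type /Sig /Name (Signer B) >>\nendobj\n%%EOF\n"

def sample_trail() -> list:
    trail = []
    record(trail, "upload", ORIGINAL)
    record(trail, "sign:1", SIGNED_V1)
    record(trail, "sign:2", SIGNED_V2)
    return trail

def flip_byte(data: bytes, offset: int) -> bytes:
    # Simulate a single-bit modification at the given offset.
    return data[:offset] + bytes([data[offset] ^ 0x01]) + data[offset + 1:]

if __name__ == "__main__":
    trail = sample_trail()
    print(verify(trail, SIGNED_V2))                                   # intact
    print(verify(trail, flip_byte(SIGNED_V2, 10)))                    # original bytes changed
    print(verify(trail, flip_byte(SIGNED_V2, len(SIGNED_V2) - 10)))   # last signature changed
```

A change inside the original bytes fails every stage, while a change confined to the last appended signature fails only the final stage, which shows where in the document history the modification sits.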
Cryptographic Timestamps
RFC 3161 timestamps provide independently verifiable proof of when a document was signed.
Proof of Time
A trusted Time Stamping Authority (TSA) cryptographically signs a hash of the document together with the precise time, creating tamper-proof evidence of when the document existed.
Anti-Backdating
Because the timestamp comes from an independent third-party authority, no party can claim the document was signed at any time other than when it actually was.
Independent Verification
RFC 3161 timestamps can be verified by anyone using the TSA's public certificate, without requiring access to our platform or any special software.
Legal Compliance
Electronic signatures on Behest Sign are legally binding under U.S. federal and state law.
ESIGN Act (2000)
The Electronic Signatures in Global and National Commerce Act gives electronic signatures the same legal standing as handwritten signatures for most transactions in the United States.
UETA (49 States)
The Uniform Electronic Transactions Act, adopted by 49 states, provides a consistent legal framework recognizing electronic records and signatures.
What makes an e-signature legally binding
Intent to sign — Signers explicitly choose to sign via the signing workflow.
Consent — E-consent is captured before any signature is applied.
Association — Signatures are cryptographically bound to the specific document.
Retention — Signed documents are stored immutably with full audit trails.
Platform Security
Defense in depth across every layer of the platform.
Authentication
Passwordless magic links and 6-digit OTP codes via email. Optional Google OAuth. No passwords to leak or phish.
Session Security
JWT-based sessions with 24-hour expiration. Tokens are signed server-side and validated on every request.
Rate Limiting & Lockout
IP-based and email-based rate limiting on all authentication endpoints. Progressive lockout after repeated failures.
Token-based Signer Access
Signers receive unique, single-use tokens via email. No account required. Tokens are cryptographically bound to the document and signer.
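One way to bind a single-use token to a document and signer, shown as an added example and not as Behest Sign's implementation. The HMAC-SHA-256 construction, the token layout, the in-memory redeemed set and all names here are assumptions.

```python
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)   # hypothetical server-side secret
_redeemed = set()                      # stand-in for a persistent store of used nonces

def _tag(document_id: str, signer_email: str, nonce: str) -> str:
    # JSON-encode the fields so that ("ab", "c") and ("a", "bc") cannot collide.
    msg = json.dumps([document_id, signer_email.lower(), nonce]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(document_id: str, signer_email: str) -> str:
    """Create a token that is only valid for this document and this signer."""
    nonce = secrets.token_urlsafe(16)  # unpredictable and unique per invitation
    return f"{nonce}.{_tag(document_id, signer_email, nonce)}"

def redeem_token(token: str, document_id: str, signer_email: str) -> bool:
    """Accept the token once, and only for the document and signer it was issued for."""
    nonce, sep, tag = token.partition(".")
    if not sep or not nonce:
        return False
    expected = _tag(document_id, signer_email, nonce)
    # Constant-time comparison on bytes; a mismatch does not consume the nonce.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    if nonce in _redeemed:
        return False                   # single use: a replayed token is rejected
    _redeemed.add(nonce)
    return True

if __name__ == "__main__":
    # Constructed sample identifiers.
    t = issue_token("doc-123", "alice@example.com")
    print(redeem_token(t, "doc-456", "alice@example.com"))  # wrong document
    print(redeem_token(t, "doc-123", "alice@example.com"))  # first use
    print(redeem_token(t, "doc-123", "alice@example.com"))  # replay
```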
Immutable Storage
Original PDFs are never modified. Signed versions are saved as new objects with versioning, preserving the complete document history.
Audit Logging
Every action — upload, view, sign, embed — is recorded with timestamps and SHA-3-256 hashes. The audit trail is tamper-evident and publicly verifiable.
Frequently Asked Questions
Common questions about security, compliance, and how it all works.
Are electronic signatures legally binding?
Yes. Electronic signatures are legally binding in the United States under the ESIGN Act (2000) and UETA (adopted by 49 states). For an electronic signature to be enforceable, it must demonstrate intent to sign, consent to do business electronically, association of the signature with the record, and retention of the signed record. Behest Sign satisfies all four requirements through its signing workflow, e-consent capture, cryptographic binding, and immutable storage.
How do you prevent document tampering?
Every time a document is uploaded, signed, or modified, we compute a SHA-3-256 cryptographic hash of the PDF file. This hash is stored in the audit trail. When you verify a document, we recompute the hash and compare it against the stored value. Any modification — even a single byte — produces a completely different hash, instantly revealing tampering.
What is quantum-resistant security?
SHA-3-256 (Keccak) is a cryptographic hash function standardized by NIST that is designed to resist attacks from both classical and quantum computers. Unlike SHA-2, SHA-3 uses a fundamentally different internal structure (sponge construction) that provides defense-in-depth against future quantum computing threats to document integrity.
Can I verify a document's authenticity?
Yes. Use the verification widget on this page or navigate to /verify/[document-id] to see the full verification report. The report shows the document's integrity status, signer details, cryptographic hash, and complete audit trail — all without needing an account.
Do signers need an account to sign?
No. Signers receive a secure, token-based email invitation with a unique link. They can view the document and apply their signature without creating an account. Each token is single-use and tied to a specific signer and document.
How are documents stored?
Documents are stored in Google Cloud Storage with encryption at rest. Original uploaded PDFs are immutable — they are never modified. Each signing event creates a new versioned copy (e.g., signed_v1.pdf, signed_v2.pdf), preserving a complete history of the document throughout its lifecycle.
What happens if someone modifies a signed PDF?
The verification system will immediately detect the modification. When a document is verified, the current PDF hash is compared against the hash recorded at signing time. Any discrepancy — no matter how small — results in a "Tampered" status, alerting all parties that the document has been altered.
What are RFC 3161 timestamps?
RFC 3161 defines a protocol for cryptographic timestamping. A trusted Time Stamping Authority (TSA) signs a hash of the document along with the current time, creating independently verifiable proof that the document existed in its exact form at that specific moment. This prevents backdating and provides non-repudiation.