Can you build a trustworthy signing portal on an e-sign API and cloud storage?
The signature is the easy part — the proof is the product
Two years after a deal closes, an email arrives from the other side's lawyer: our client never agreed to these terms. The signed document is right there in your system — name typed, box ticked, dated. None of that is the question. The question is what you can prove: that this particular person saw these particular pages, agreed to them on that day, and that nothing in the file has moved a comma since. The product you are building is not the moment someone signs. It is the record that answers a challenge long after everyone has forgotten the deal — on a day no demo ever shows you.
The signature itself is the easy twenty percent. E-signature APIs — DocuSign, the open equivalents — turn collecting a signature into a call you can wire in an afternoon. They draw the signing ceremony, route the document to the right inboxes, and hand back a completed envelope. That part is solved, and it demos cleanly: send a document, watch it come back signed. The reason it is not yet a product is that the demo never includes the dispute, and the dispute is the whole reason this category has budgets behind it. People do not pay for the signature. They pay for what the signature lets them prove later.
What "trustworthy" actually has to mean
Strip the idea to what must be true, end to end, for the record to hold up when it is questioned:
The right person has to be the one who signed — not just someone with the link, but an identity you checked and recorded. They have to have seen the exact content that is now in the file — not a draft, not a version that was swapped afterward. The moment has to be fixed in time in a way you can stand behind. And from that moment on, the document and everything around it has to be sealed so that you can later show — not assert, show — that not a byte has changed.
That last property is the one the whole product turns on, and it has a name worth being plain about: tamper-evidence. It does not mean the file cannot be altered — anything on a disk can be altered. It means that if it were altered, the change would be detectable, because you kept a fingerprint of the original and an append-only log of everything that happened to it. A signed PDF with no way to prove it is the original is just a PDF. The proof is the product.
A limit worth stating plainly, because it is the part you have to get right: none of this guarantees a particular legal outcome. Enforceability is a question of law and courts, not of software, and a signing product that implies otherwise is promising something it does not control. What the record is built to do is make the facts checkable — who saw what, when, and whether anything changed — so that proof is available when it is needed. It supports the case; it does not decide it.
What it rides on
Named as the parts a real version needs:
- Accounts and identity — so a signer is a known party, and so the people who manage agreements on your side are who they say they are.
- Durable storage — the signed documents have to live somewhere addressable and backed up, with the metadata (who, what version, when, from where) kept alongside them. This is the same instinct as keeping the bytes somewhere you control while the index and access rules stay yours, aimed at files that happen to be legally load-bearing.
- An append-only audit log — the heart of tamper-evidence: a record of every event in a document's life that can be added to but never quietly edited.
- Background jobs — reminders to unsigned parties, sealing a document once the last signature lands, generating the certificate of completion.
- An admin — where an operator finds one agreement among thousands, sees its full history, and answers "what happened with this contract" without opening the database.
That list is the same foundation the rest of this site is about — accounts, storage, jobs, logging, an admin — and most of it already runs in production under CompanyGraph for unrelated reasons. This is an idea Smallbox has not built, so take the speed with appropriate caution: the foundation carries the plumbing, but signing adds a compliance bar the foundation has never had to clear, and that bar is real work no amount of existing scaffolding removes. What the foundation buys here is honest but bounded — the boring parts are done; the part that makes signing signing is still ahead of you.
What you own, and what you don't
The decision that keeps this product defensible is drawn early.
The signing ceremony stays external. The legal machinery of a recognised electronic signature — the consent flow, the regional compliance with e-signature law, the cryptographic signing itself — is a specialist's domain, and renting it from a provider whose entire business is keeping it lawful is the right call. You are not going to out-compliance DocuSign, and you should not try.
What must be yours is the record. The document bytes, in your storage. The audit trail, in your append-only log. The fingerprint that proves the file is the original. The mapping of which signer is which real party, and what they were shown. If the only durable account of a signed agreement lives in the provider's dashboard, you have not built a signing product — you have built a thin front on someone else's, and the day you leave them, or they change their retention policy, your customers' proof leaves with them. Keep the evidence at home and the provider becomes a part you could swap; keep it at the provider and the provider owns your customers' history.
The hard part
Two of them, and the second is the heavier.
The first is the tamper-evidence itself, and it is engineering rather than mystery: hash the document at the moment of signing, store that fingerprint somewhere it cannot be rewritten, append every event to a log that only ever grows, and generate a certificate that ties it all together. None of that is exotic, but all of it has to be right, because the one time it matters is the one time it is examined by someone trying to break it. It is the kind of work that is invisible until the dispute, and then it is the only thing in the room.
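The fingerprint and the grow-only log described above can be sketched as a hash chain, where each entry commits to the one before it. This is an added example, not code from the article or from any signing provider; the event names, field names and sample values are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor value for the first entry's "prev" field

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(body: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) makes the hash reproducible.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))

def append_event(log: list, event: str, actor: str, at: str, doc_sha256: str) -> dict:
    """Append one event; the entry commits to the hash of the previous entry."""
    body = {"seq": len(log), "event": event, "actor": actor, "at": at,
            "doc_sha256": doc_sha256,
            "prev": log[-1]["hash"] if log else GENESIS}
    entry = dict(body, hash=entry_hash(body))
    log.append(entry)
    return entry

def first_broken_entry(log: list):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (body.get("seq") != i or body.get("prev") != prev
                or entry_hash(body) != entry.get("hash")):
            return i
        prev = entry["hash"]
    return None

def document_matches_seal(log: list, document: bytes) -> bool:
    """True if the stored bytes match the fingerprint recorded at sealing."""
    sealed = [e for e in log if e["event"] == "sealed"]
    return bool(sealed) and sealed[-1]["doc_sha256"] == sha256_hex(document)

def build_sample_log(document: bytes) -> list:
    # Constructed sample events (hypothetical actors and timestamps).
    log, fp = [], sha256_hex(document)
    append_event(log, "viewed", "signer@example.com", "2024-01-05T10:00:00Z", fp)
    append_event(log, "signed", "signer@example.com", "2024-01-05T10:02:00Z", fp)
    append_event(log, "sealed", "system", "2024-01-05T10:02:01Z", fp)
    return log
```

The chain only detects edits if its newest hash is also kept somewhere the log's writer cannot rewrite, such as the certificate of completion; otherwise someone with write access could recompute every entry after a change.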
The second is trust, and it is the real wall. You are asking a customer to route their legally binding documents through software they have only just met. That is the slowest, most cautious purchase in business software — long sales cycles, security reviews, questions about where data lives and who can see it, often a compliance certification before anyone serious will sign up. The technology you can build; the credibility you have to earn, slowly, and it is earned by being demonstrably more careful than the customer would have been themselves. This is where an idea that looks like a weekend's work reveals itself as a multi-year commitment to a particular kind of seriousness.
The verdict
This is a real SaaS, and the budgets are real — agreements are where money and obligation meet, and businesses pay well for confidence there. But it is not won on the signing screen, which every competitor can build, and which the API builds for all of them equally. It is won on the record: the boring, defensible, tamper-evident trail that turns "they say they never signed" from a crisis into a query. The narrow versions are the ones that work — a signing product shaped to one industry's specific evidentiary needs, where the generalists are forever a little generic, beats a horizontal "sign anything" tool competing with the incumbents on price and polish.
The way to find out whether a particular version is your business is the same as ever: build the narrow one on a foundation that already carries the storage, the audit log, the jobs, and the admin, so the work goes into the proof that has to hold up rather than into rebuilding the parts that never were the point. Before you write a line of it, though, it is worth being precise about the seam — what the signing provider keeps versus what you must keep yourself — because getting that boundary wrong is the one mistake this product cannot survive.