How DocuSign uses iText in their eSignature electronic signature solution
Learn how iText helps DocuSign, a pioneering and market-leading developer of electronic signature technology, ensure a secure and reliable service for their customers.
DocuSign is one of the pioneers in the development of e-signature technology. Since 2003 DocuSign has enabled organizations to revolutionize the way they prepare, sign, act on, and manage agreements. Described as the world's #1 way to sign electronically on practically any device, from almost anywhere, at any time, the eSignature service forms a major part of their DocuSign Agreement Cloud solution.
The recent global pandemic has seen a sharp increase in the need to replace traditional handwritten (or wet-ink) signatures with secure electronic equivalents, which are widely accepted throughout the world as a replacement. Since some businesses, regions and specific use cases require a higher level of assurance, DocuSign’s robust multiple award-winning eSignature platform also offers digital signatures based on the Public Key Infrastructure (PKI) standard, meaning they are well-placed to meet this demand.
The iText PDF library plays an essential part in the backend of DocuSign's eSignature service, a platform that allows you to meet the most stringent security, privacy, and data residency requirements, with robust audit trails automatically generated for every agreement. As such, DocuSign eSignatures comply with the U.S. ESIGN Act and UETA, as well as the EU eIDAS Regulation.
The goal was to ensure the eSignature platform would provide a comprehensive and reliable service for customers who require secure digital signatures for their PDF document workflows. Since these customers may have documents from multiple sources, the platform had to be designed to account for possible irregularities in PDF structure.
The primary challenge to overcome was the wide variety of PDF documents that may require digital signatures using the eSignature platform. Since there are many ways a PDF document can be created, there can be considerable variation in the internal structure of such PDFs. To be a comprehensive and reliable signing platform, DocuSign’s solution had to be resilient enough to handle PDF documents that display correctly in a PDF viewer, even though the actual file structure itself may not be compliant with the ISO PDF specification.
Not every PDF creator has the same level of ISO-compliance for which the iText PDF library has become renowned. Certain badly-behaved applications will output malformed PDFs which can result in errors when opened by another application which expects documents to have the correct structure. In addition, the risk of such errors increases when documents have been converted into PDF from a different file format, a common occurrence in modern document workflows.
This potential for variability in the quality of a document’s structure is something that applications such as PDF viewers must allow for. It is common for such applications to have a certain degree of leniency to open and display documents which do not comply with the PDF specification. You might have noticed this yourself when viewing certain PDFs that fail to display correctly in one application but appear to work perfectly in another.
Some PDF documents do not just have issues with specification compliance, though; they may actually be broken or corrupted in some way. To avoid problems when processing such documents, DocuSign designed their eSignature service to utilize the PDF capabilities of a number of different libraries. Rather than rely on a single PDF toolkit to process documents and generate a signature package, for certain documents the service can automatically fall back and use a different library. This process happens in the background and completely transparently to the user, ensuring a simple, yet high-quality customer experience.
PDF documents can be broken in other ways though. A PDF may be maliciously created in order to crash a PDF parser and cause a Denial of Service (DoS), or worse. Since secure online digital signature services are a prime target, the DocuSign development team has battle-hardened the eSignature platform to protect against such attacks.
Naturally, DocuSign prefers to keep the technical details about their security measures and how the eSignature signing platform works private. However, it is safe to say that iText performs an essential role in the eSignature platform as part of the built-in multiple levels of redundancy which ensure high availability and reliable service for its customers. Indeed, DocuSign first began using iText in 2015 to carry out a range of general-purpose PDF functions within their services, including text extraction and the application of watermarks to documents.
“To provide high availability and a reliable service to our customers we employ multiple levels of redundancy within DocuSign’s eSignature service. The iText PDF library is one of the toolkits we use to resolve issues presented by certain documents.”
Nipun Dureja, Vice President of Engineering, DocuSign
Digital signatures, like handwritten signatures, are unique to each signer. Digital signature solution providers, such as DocuSign, follow a specific protocol called PKI. This protocol requires its providers to use a mathematical algorithm that generates two keys, one public, and one private. To protect the signature's integrity, PKI requires these keys to be created and stored securely by a Certificate Authority (CA). Since DocuSign is a CA as well as a digital signature provider, they can meet the PKI requirements for safe digital signing.
The eSignature platform supports PDF digital signatures using the PAdES (PDF Advanced Electronic Signatures) standard, which ensures integrity, authenticity, non-repudiation, and assurance of when the document was signed. In addition, PAdES enables the long-term validation of signed documents, with digital timestamps to provide an indisputable record of the document at the time of signing.
DocuSign built the eSignature platform as a .NET solution, and so they primarily use the C# flavor of iText (or as it used to be called, “iTextSharp”) internally, though they also utilize a number of production server licenses for Java. However, since they also offer an eSignature REST API, developers can use the SDKs DocuSign provides to combine it with objects, properties, and methods across a range of other programming languages and platforms. Using the REST API, developers using Node.js, PHP, Python, Ruby, iOS, and Android can easily integrate eSignatures into their own applications in a matter of minutes.
As a commercial license-holder, DocuSign benefited from iText's world-class customer support to help with their implementation and usage of our PDF library. With access to the iText Support Portal, DocuSign's development team can easily share and discuss issues with our own developers, who are always willing to go the extra mile to answer technical questions or offer solutions. Over the years, we’ve been on-hand to provide expert advice and assistance, such as helping to resolve problems encountered with specific documents.
That’s not all though, as DocuSign’s development team have actually made their own contributions to the iText codebase. A particularly nice addition allowed users more control over document structure tagging for specific circumstances. This contribution arose from a support ticket and the discussions with our development team which followed. Examples such as this are a great demonstration of the advantages of open-source software, where everyone can benefit from a single person’s bright idea.
The open-source community thrives on enthusiasts who love working together to help build the next big thing. Indeed, DocuSign themselves recognize this as they supply a wealth of open-source tools to help get projects started. Launched in June 2020, their Open Source Catalog features SDKs, sample apps, and code examples for a wealth of languages. This initiative is just one part of their continuing commitment to being a developer-first company, like iText.
For almost 20 years, DocuSign has been on a mission to accelerate business and simplify life for companies and people around the world.
With a platform that offers over 350 prebuilt integrations with popular business apps, they have already done much of the hard work for you. In addition, their API enables embedding and connecting DocuSign with customers’ websites, mobile apps, and custom workflows. Today, more than 1,000,000 customers and hundreds of millions of users in over 180 countries use DocuSign to accelerate the process of doing business and to simplify people's lives.