An audit trail for an electronic signature is digital evidence of who signed, when, and how. It is a critical part of the signature's validity and dispute resolution. In this article, we will go through what an audit trail includes, how GDPR affects data storage, and how a small business can organize its archive.
What is an audit trail?
An audit trail (also known as a log path) is an automatically collected record of a signature event. It records every step from start to finish. An audit trail is an essential part of the evidentiary value of an electronic signature. Without it, an electronic signature is practically just pixels on a screen – the audit trail makes it legally significant.
What information does an audit trail include?
A comprehensive audit trail includes the following information:
- Signer's name and email address
- Authentication method used (bank IDs, mobile certificate, email confirmation)
- Timestamp (date and time, timezone)
- IP address from which the signature was made
- Device and browser information
- Cryptographic hash of the document – proves that the document has not been altered
- Signature request sent time and opening time
- Signature completion time
What this means in practice: if a client disputes having signed a contract, the audit trail shows that a specific person opened the document from a specific IP address, authenticated with bank IDs, and signed the document at a specific time.
GDPR and retention of electronic signatures
An audit trail contains personal data, so GDPR (EU General Data Protection Regulation) defines how it may be processed and stored. Key GDPR principles for audit trails:
- Purpose limitation: data may only be collected for a specific purpose (verifying the signature)
- Data minimization: only necessary data is collected
- Storage limitation: data is stored only as long as necessary
- Integrity and confidentiality: data must be technically protected
In practice, the retention period for signatures and related audit trail data depends on the nature of the contract:
| Document Type | Recommended Retention Period | Justification |
|---|---|---|
| Commercial contract | 6–10 years from the end of the contract | Expiration period (typically 3 years, Sales Act 5 years) |
| Employment contract | 10 years from the end of the employment relationship | Expiration of employment receivables |
| Accounting materials | 6 years from the end of the financial period | Accounting Act 2:10 |
| Real estate transaction | Permanently or at least 10 years | Requirements under the Land Code |
Small business archive model
A small business can organize its electronic signature archive simply:
- Use a signature service (such as EpicSign) that automatically archives signed documents and audit trails
- Define retention periods by document type (see table above)
- Export the most important agreements to your own backup system as well
- Check once a year for outdated documents that can be deleted according to GDPR
- Document your retention practices in the privacy policy
Practical example: accounting firm and client contracts
An accounting firm in Tampere switched from paper agreements to EpicSign. Previously, agreements were kept in folders – some at the office, some with clients. No one was sure where the latest version was. After switching to electronic signatures, the situation changed:
- All contracts can be found in the electronic archive with a search function
- The audit trail proves who signed and when
- The GDPR privacy policy was updated to include the retention of signature data
- Old agreements are automatically deleted after their retention period expires
Frequently asked questions
How long should the audit trail be retained?
The retention period depends on the type of contract. For commercial contracts, typically 6–10 years; for employment contracts, 10 years from the end of employment.
Does the audit trail contain personal data?
Yes. The signer's name, email, and IP address are personal data according to GDPR. They must be processed in accordance with data protection regulations.
Can the audit trail be edited afterwards?
No. A cryptographic hash ensures that the data cannot be altered unnoticed. This is a fundamental requirement of the audit trail.
How does GDPR affect the retention of signature data?
GDPR requires that data be stored only for as long as necessary. When the retention period expires, the data must be deleted or anonymized.
Does EpicSign automatically save the audit trail?
Yes. EpicSign automatically creates a comprehensive audit trail for every signature event.
Sources
This article is general in nature and does not constitute legal advice.
Try EpicSign
Start a free trial and send your first signature request in under 20 seconds.
See pricing