Skip to main content

Electronic signatures

This page explains how Better Comply captures an electronic signature that an auditor will accept: a signed manifestation, the signer's identity, and the time and IP recorded server-side, written so the record can never be altered afterwards.

Who this is for

Quality and compliance owners and auditors. The signing experience itself is documented in the learner and document-approval task pages.

Where signatures are used

Better Comply captures an electronic signature in two places:

  1. Training evidence - when a training requires a signature, the learner signs at the moment of completion.
  2. Controlled-document approvals - the approver signs to move a document into its approved state.

Both flows reuse the same signature capture and the same server-side guarantees described below.

What a signature records

Every signature event captures, against the evidence or approval record:

  • The manifestation text - the verbatim statement the signer is signing, rendered with their name, the item being signed, the version, and the timestamp. This is what 21 CFR Part 11 §11.50 calls the "meaning of the signature".
  • The signature method - re-authentication, a drawn signature, or click-to-confirm.
  • The IP address - captured server-side (see below).
  • The user agent - recorded for completeness; it is not used as an attestation.
  • The time - server-generated.

Server-side IP capture

The signer's IP is read on the server, never from the client

The signed IP address is read inside the server function that records the signature, from the database connection itself. The browser never sends it and cannot assert it. An earlier design that fetched the IP from a third-party service in the browser was removed: a client-asserted IP is not trustworthy evidence, and a regulator would reject it.

The practical consequence: if you see an IP on a signature record, it is the address the server observed at signing time, not a value the user supplied. The same function writes the signature row and its audit entry atomically, so a signature and its audit trail are created together or not at all.

Identity re-verification

Per 21 CFR Part 11 §11.200, signing should re-verify the signer's identity. The signature dialog supports two strong modes plus a confirmation mode:

ModeHow identity is confirmed
Re-authenticationThe signer re-enters their password, which the server verifies before the signature is accepted.
Drawn signatureThe signer draws on a canvas; the image is stored privately and referenced from the record.
Click to confirmA confirmed manifestation without a second factor, used where a drawn or re-authenticated signature is not required.

In every mode the signer must tick the manifestation confirmation before the signature is accepted. A signature event always emits a sign_evidence (or, for documents, approve_document) audit entry in addition to the completion or lifecycle event.

Signatures cannot be changed

A recorded signature is immutable

Once a signature is written, its fields - the IP, the signature data, the manifestation text, the decision, and the signer - are frozen by a database trigger. They cannot be edited, and the record cannot be deleted. This is enforced at the database level, not by hiding an edit button.

This protects the meaning of the signature over time. The thing the signer attested to is exactly what an auditor will see years later.

Size guards

The server rejects abnormally large signature payloads and manifestation text. These guards prevent a malformed or abusive client from writing oversized data into a regulated record. They are part of the validated behaviour: a payload over the limit is refused, not silently truncated.

What to tell an auditor

  • The signer's IP is captured server-side and cannot be asserted by the client.
  • The manifestation text records the meaning of the signature, signed verbatim.
  • Re-authentication or a drawn signature re-verifies identity at signing time.
  • Signature fields are frozen after they are written and the row cannot be deleted.