The digital identification form shall be authenticated by all relevant actors required to sign the identification form by a reliable, legally valid digital signature that ensures the linkage to the digital identification form. Unless otherwise demonstrated, a method of digital signature shall be deemed reliable if the digital signature:
- is uniquely linked to the signer;
- provides the ability to identify the signatory;
- is created by means under the exclusive control of the signer;
More about electronic signature
OVAM definition of electronic signatures:
Signatures
The digital identification form must be signed via ubiDOCS in 2 places:
- the COLLECTOR before the transport activity can start
- the waste processor (or the driver if there is no employee at the waste processor site) when unloading the waste.
The means of signature are different in these 2 steps:
Signature of the COLLECTOR
- Physical person: See further – ‘Digital KYC / Verified users’.
- Automated system: See further ‘Contractual KYC method’. Ubidata contractually asks its customers to link automated processes to a physical person who is legally responsible for the daily activities. For example, a TMS system that sends new contracts to Ubidata servers in an automated manner will in parallel create an electronic signature linked to the specified person (see attachment).
The STATUS can be set to ‘SIGNED’ only if all required fields have been completed and the COLLECTOR has provided a valid signature.
SOMEONE IS AVAILABLE AT THE WASTE PROCESSOR
The person is known in the Ubidata system (existing user_id):
Signature = QR code or SIGN ON GLASS
The link to the company is done automatically from the signature screen.
The person is unknown in the Ubidata system:
Signature = SIGN ON GLASS with insertion of first name + last name.
The link to the company is done automatically from the signature screen.
NO ONE IS AVAILABLE AT THE WASTE PROCESSOR:
- Driver signs instead of the waste processor
- The driver is known in the system and is registered in the application.
- The signature is associated with his user_id.
- The driver can enter a comment and/or take a picture to illustrate the delivery or a possible anomaly.
Audit of signatures: Audit Trail
An audit trail is a process by which supervisors can easily obtain confirmation from the system that person x or y signed the document at some point.
In our solution, we attach a clickable QR code to the PDF identification form.
Scanning this QR code, or clicking on it, queries the servers and opens a URL (web page) that shows the record of the signature in the database, with information about the registered electronic signature:
- Name + first name of signer
- Company and role
- Time and date of signature
- Type of signature
User authentication - general
Users and their login credentials are handled according to OWASP best practices:
- Identification data is salted and hashed.
- Password reset is only possible through a one-time link sent by email.
- Password reset requests are time limited.
- Minimum password length is maintained according to NIST guidance.
- User changes are logged for auditing.
Users authenticate to our API using a JWT (JSON Web Token).
- This token contains the user roles and an expiration date.
- The API provides a logout endpoint to invalidate a token before it expires naturally.
- That endpoint will add the token to a replay cache that is checked for each API response.
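The token lifecycle described above (roles and expiration inside the token, logout adding the token to a cache that is consulted on every call) can be sketched as follows. This is an added example, not Ubidata's code: it assumes HS256 tokens built with the Python standard library, a constructed demo key, and hypothetical function names (`issue`, `authenticate`, `logout`).

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"   # constructed key, for this example only
REVOKED = {}                       # sha256(token) -> exp; plays the role of the replay cache

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(user_id, roles, ttl, now=None):
    """Issue an HS256 token carrying the user's roles and an expiration date."""
    now = time.time() if now is None else now
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps({"sub": user_id, "roles": roles, "exp": int(now) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64(sig)}"

def verify(token):
    """Check structure, pinned algorithm and signature; return the claims."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if json.loads(unb64(header)).get("alg") != "HS256":
            raise ValueError("unexpected algorithm")
        if not hmac.compare_digest(expected, unb64(sig)):
            raise ValueError("bad signature")
        return json.loads(unb64(body))
    except (ValueError, TypeError, AttributeError) as exc:
        raise PermissionError(f"invalid token: {exc}") from None

def authenticate(token, now=None):
    """Per-call check: signature, then expiry, then the revocation cache."""
    now = time.time() if now is None else now
    claims = verify(token)
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    for digest in [d for d, exp in REVOKED.items() if exp <= now]:
        del REVOKED[digest]        # expired tokens are rejected anyway, so prune them
    if hashlib.sha256(token.encode()).hexdigest() in REVOKED:
        raise PermissionError("token revoked")
    return claims

def logout(token, now=None):
    """Invalidate a still-valid token; the cache entry only has to live until exp."""
    claims = authenticate(token, now)
    REVOKED[hashlib.sha256(token.encode()).hexdigest()] = claims["exp"]
```

Storing a hash of the token with its expiry keeps the cache bounded, because an entry can be dropped as soon as the token would have expired on its own.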
The method of digital signing
ubiDOCS identifies all users based on login and password credentials.
ubiDOCS users are thoroughly verified through a KYC – Know Your Customer – process:
(a) Contractual KYC.
A contract is signed between the end user and Ubidata, making official the link between a login credential and a physical person working for the customer’s company. This person has the legal rights to sign as an IHM or AZRT.
Once the contract is signed, the username is deemed to be linked to the physical person and any document signed with this username is deemed to be signed by the physical person.
This process is especially necessary for automated processes, e.g. receiving data from third-party software such as a TMS (Transport Management System).
(b) Digital KYC / Verified Users.
Users that are not created through a contractual KYC must be a “verified user.” This means that a contractual relationship exists between the company and its employee who uses the system and signs a digital document.
The company must grant this particular user access to the system to access the application. The end user is asked to choose a password and can change it at any time.
An authenticated user can fully interact with ubiDOCS depending on their role in the company. Any change made by an authenticated user is thus tracked in the change log.