Home » Security

Identity-as-a-Service (IDaaS) is a relatively new—and somewhat nebulous—concept in today’s market.  Gartner, a global research and advisory firm, has a category defined as “identity management as a service” but most Software-as-a-Service (SaaS) companies providing identity and identity management functionality tend to define IDaaS to their own strengths and capabilities, so it is hard to find a consistent definition.


Yet the world of digital data we engage today requires digital identities for access and operations. Using digital identities we can trust is at the heart of modern cybersecurity—and hacking, phishing, or stealing identity credentials is one of the most common attack vectors for cybercriminals seeking to penetrate digital systems. As such, IDaaS has a very well-defined need, if not yet a well-defined category.


Atos, a French multinational IT service and consulting company, summarizes the space as such: “Digital identities are essential for continued digital growth. If digital services were insecure or data were inaccurate or irrelevant we couldn’t trust them. At the center of digital transformation, the international mobility and e-business issues are becoming more and more essential for today’s organizations to remain competitive.”


What is IDaaS?

At a basic level, all IDaaS platforms are created to enhance online user experiences, secure access to critical enterprise applications, and reduce IT resource-related expenses with efficient identity and access management (IAM) and privileged access management (PAM).


“There’s no way around it: sound identity management is essential,” writes Mark Diodati at Gartner. “Without good IAM, you are at real risk for data breaches and denial of service attacks. And IAM is hard to get right.”


The overarching goal of IDaaS solutions is to ensure users are who they claim to be—and to give users access to applications, data, systems, or other digital resources as authorized by their organizations.


Why Organizations Need IDaaS?

Foremost, IDaaS solutions can improve data security and cybersecurity. Knowing with confidence who your digital users are can elevate privacy and security across all digital systems. With an estimated 81% of hacking-related breaches leveraging either stolen and/or weak passwords, effective IDaaS solutions can eliminate one of the most glaring gaps in cybersecurity.


For government agencies and public-sector organizations, IDaaS is quickly becoming a critical need. “Cyber attackers always target government agencies to gain access to confidential government data,” explains Markets and Markets™, the world’s largest revenue impact company, headquartered in Pune, India.


Another key advantage of IDaaS is operational cost savings. Provisioning IAM with onsite solutions can be expensive:  IT teams have to manage servers and software—purchasing, installing, upgrading, and managing backup data. Plus, onsite teams must shoulder the burden of monitoring network security and endpoint device management.


With IDaaS, however, costs can be minimized to subscription fees and administration. In one-ready example, secure single sign-on to applications can significantly reduce IT help desk costs related to password resets.


Besides security and savings, the ROI for IDaaS solutions can include improved user experiences with saved time via faster logins and fewer password resets. “Whether a user is signing in from open WiFi at an airport or from a desk in the office, the process is seamless and secure,” notes Fabrice Berté, director at Weborama.“The improved security can keep companies from facing a hack or breach that might topple their business.”


Today, Gartner defines key market drivers for IDaaS as access to SaaS applications, provisioning, managing, vertical communities, ensuring strong authentication, and gaining SaaS efficiency. And trends in IDaaS that Gartner reports include information breach concerns, the broader use of consumer authentication, and reverse-proxy WAMs.


“We’ve been talking about this for a very long time,” said Diodati in a CSO Magazine article. “But didn’t have the big data/analytics capabilities and the mobile platform architectures until recently.”


How ZorroSign Delivers IDaaS to Verify Users

While it used to be acceptable to grant access via username and password, the industry standard is two-factor authentication and rapidly evolving to MFA with password-less logins. Here are ways ZorroSign delivers IDaaS to verify users:

  • ZorroSign technology leverages the biometric capabilities of hardware endpoints to verify user identities.
  • ZorroSign is the first to adopt password-less login amongst our digital signature competitors.
  • ZorroSign MFA provides maximum security, as before a user can sign a document, our platform can validate multiple dimensions of authentication based on the transaction security needs: What you know (i.e., your ZorroSign login password), what you have (e.g., your laptop or mobile device), who you are (e.g., biometrics such as fingerprints or eye iris on the device securing who can access it), etc.


Additionally, ZorroSign users can optionally use our dynamic knowledge-based authentication (KBA) feature provided by LexisNexis. KBA requires the knowledge of private information of the individual to prove that the person providing identity information is the actual person.


These technologies secure the endpoints of our private, permissioned blockchain architecture where only approved nodes (endpoints) are allowed to access our Hyperledger Fabric distributed ledger. Hyperledger emerged as an open-source collaborative effort, hosted by the Linux Foundation, to advance cross-industry blockchain technologies and improve trust, transparency and accountability.


For governments, companies, and individuals that desire to securely transform paper-based workflows, ZorroSign’s digital signature and document management platform can decrease costs, reduce errors, and increase productivity. As a private blockchain, ZorroSign can ensure privacy is always maintained as only approved nodes (endpoint users) can write to ZorroSign’s blockchain. As a result, ZorroSign’s architecture has even tighter privacy and security measures than other blockchains.


Moving forward, ZorroSign will be adding further user verification capabilities, including integrations with U.S. driver licenses via state motor vehicle departments, verification via passports (with approximately 72 countries to start), other government-issued identities (with approximately 100 countries to start), and even tapping U.S. credit union databases for identity verifications.


Further, we will be implementing a blockchain-based audit trail for all user activities—including profile updates, signature changes, etc.—and will maintain a separate blockchain to maintain users’ signatures. With these immutable blockchain records, we can uniquely validate users in ways no competitive solution can.


Patented 4n6 Token

Finally, ZorroSign’s patented 4n6 (“forensics”) token is a kind of digital seal that captures the complete audit trail and the document’s DNA. The token is encrypted and contains information on all the details about the transaction including timestamps, user authentication, document, and attachments.


ZorroSign’s 4n6 token securely reads the information from the secure ZorroSign servers so it can be accessed by the document originator or third parties (with permission from the originator) when requested. Only the 4n6 token:

  • Allows ZorroSign to manage permissions as to who gets to see what level of information about the transaction and the document
  • Stores the ZorroSign security encryption certificates, which—unlike other digital security certificates—never expire
  • Can verify, validate and authenticate both digital and printed (paper) version of electronically signed documents


Together, this dynamic and integrated set of technologies allows ZorroSign to provide unmatched privacy and security for our users. Our IDaaS capabilities augment our blockchain architecture to ensure users/signers are who they say they are and deliver trusted connections in a zero-trust environment.


Contact us today to learn more.

ZorroSign’s primary focus is the security and privacy of our customers’ data.


Our technology platform was built for the highest levels of security and compliance—from our blockchain architecture to our patented 4n6 token, to our multi-factor authentication—all ensuring our platform is compliant with dozens of international privacy and security standards.



ZorroSign has implemented its own secure instance of Hyperledger Fabric—the world’s most trusted blockchain technology, created by the Linux Foundation—using proprietary technology. This blockchain architecture is permissions-based and requires users to authenticate themselves before making requests to read or write into the distributed ledger (i.e., the “blocks” on the “chain”) or taking any action that adds to the blocks on the ledger.


As a private blockchain, ZorroSign can ensure privacy is always maintained, as only approved nodes (endpoint users) can write to ZorroSign’s blockchain—as opposed to public blockchains (like Bitcoin and Ethereum) where anyone can be an endpoint and write to the blocks. As a result, ZorroSign’s architecture has even tighter privacy and security than other blockchains. If users make a change to the information recorded in one particular block of a blockchain, they cannot rewrite that block—instead, the change is stored or recorded in a new block along with the date and time of the change, permanently capturing the chronological changes to the document.


Further, ZorroSign’s platform was based on the Sherwood Applied Business Security Architecture (SABSA)—a proven methodology for developing business-driven, risk and opportunity-focused security architectures. We leverage Defense in Depth (DiD) mechanisms, such as AI-based Web Application Firewalls (WAFs), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and border routers. Plus ZorroSign brings personally identifiable information (PII) data security, 24/7 monitoring, business continuity/disaster recovery policies, security logging and incidence response via Elastic search Logstash and Kibana (ELK), and Microsoft Intune for unified endpoint management.



The ZorroSign patented 4n6 (“forensics”) token is a digital seal that captures the complete audit trail and the document’s DNA. The token is encrypted and contains information on all the details about the transaction including timestamps, user authentication, document, and attachments.


The key benefits of ZorroSign’s blockchain and 4n6 token technology include immutability of chronological records, permissions-based private blockchain security and privacy of the users’ information (i.e., PII or PHI), fraud prevention, and lifetime escrow (as ZorroSign issues its own certificates that never expire).



With the growing number of data breaches affecting user authentication, protecting one’s account credentials has become a top priority. Many solutions are now moving towards a Zero Trust model where the user must prove their identity. While it used to be acceptable to rely on a username and password, the current industry standard is two-factor authentication which is rapidly evolving to MFA with password-less logins.


ZorroSign is proud to be the first to adopt password-less login amongst our digital signature competitors—validating what you know (i.e., your ZorroSign login password ), what you have (e.g., your laptop or mobile device), and who you are (e.g., biometrics such as fingerprints or eye iris on the device, securing who can access it).



This unique combination of security architecture and data privacy functionality grants ZorroSign compliance across many international standards for privacy and security, including but not limited to:

  • Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Canada: The Uniform Electronic Commerce Act (UECA)
  • EU: Data Protection Regulation (GDPR) for data privacy and security
  • EU: The electronic IDentification, Authentication and trust Services (eIDAS) regulation
  • India: The Information Technology Act 2000 (IT Act of India)
  • International Standard on Assurance Engagements (ISAE) No. 3402, Type II audited
  • International Organization for Standardization (ISO) 27001 certified
  • PDF Advanced Electronic Signatures (PAdES) is a set of restrictions and extensions to PDF and ISO 32000-1
  • UAE: Federal Law No. 1 of 2006 regarding Electronic Transactions and E-Commerce granting electronic signatures legal force and effect
  • USA: American Institute of Certified Public Accountants (AICPA) SOC 2 Type I audit
  • USA: California Consumer Privacy Act (CCPA)
  • USA: Department of Commerce’s National Institute of Standards and Technology (NIST) encryption standards
  • USA: The Digital Millennium Copyright Act (DMCA)
  • USA: The Electronic Signatures in Global and National Commerce Act (E-Sign Act)
  • USA: FDA Title 21 of the Code of Federal Regulations; Electronic Records; Electronic Signatures
  • USA: The Health Insurance Portability and Accountability Act (HIPAA)
  • USA: The Uniform Electronic Transactions Act (UETA)


We invite you to request a copy of our ZorroSign Security Brief for details on our private blockchain architecture, document storage and protection, and platform security measures today!

U.S. law enforcement agencies such as police departments, sheriffs, probation offices, prisons, prosecutors, and district attorneys are relying more and more on digital records.  In serving the public, LE agencies need to ensure data privacy and security no matter if their records are paper or digital.


ZorroSign offers a technology platform built on blockchain to support law enforcement, including digital signatures, documents, workflows and archives to enhance the privacy, security, and efficiency of any LE administrative process.


“Law enforcement increasingly needs to have access to data residing in remote data centers, and investigators frequently face multiple barriers in this process.  As more data routinely collected by investigators have come to reside in remote locations, these barriers have become a growing challenge for stakeholders.”


~Michael J. D. Vermeer, Dulani Woods, Brian A. Jackson
Identifying Law Enforcement Needs for Access to Digital Evidence in
Remote Data Centers
(Rand Corporation white paper)


ZorroSign can help LE agencies with:

  • Digital signatures across personnel records, payroll, budgeting, contracts, and finances
  • Digital documents related to court commitments, jurisdictional and warrant transfers, and supporting depositions
  • Expediting the collection of Uniform Crime Reporting (UCR) statistics—providing officers in the field with an easy-to-use tool to scan licenses and automatically populate a digital ledger with all required UCR data
  • An immutable audit trail for all LE, administrative, and legal documents in digital formats


Chain of Custody

Perhaps ZorroSign’s greatest value to law enforcement is protecting the chain-of-custody.


According to a 2020 white paper issued by the National Center for Biotechnology Information (NCBI), “Maintaining the chain of custody should be considered a professional and ethical responsibility by those in charge of the evidence. It is imperative to create appropriate awareness regarding the importance and correct procedures of maintaining the chain of custody of evidence among the people dealing with such cases… it must remain in mind that it is the most critical procedure which ultimately decides the admissibility of evidence in the court of law.”


ZorroSign’s platform can place all aspects of evidence documentation—audit trail, chain of custody, documents and attachments, user authentication information, and digital signatures) on a private permissions-based blockchain to create an immutable and legally-binding record.  This ensures the highest levels of security are observed, all evidence is legally defensible, and gives LE agencies a high level of confidence in every step of the evidence documentation process.


Further, ZorroSign’s technology can easily be integrated into a law enforcement organization’s existing document management system—augmenting their ability to protect and secure all sensitive data, while delivering operational efficiencies that can lower costs and raise administrative productivity.


The Security of Blockchain Plus the Privacy of Hyperledger Fabric

Blockchains are a distributed ledger technology (DLT) using digital cryptography to secure information records (blocks) distributed across users (nodes) on peer-to-peer (P2P) networks.  They can be run publicly (open to anyone becoming a node, used for cryptocurrencies like Bitcoin) or privately (permissioned to limit who can become a node, used for business applications like Hyperledger Fabric).


ZorroSign’s platform is built entirely on a private, permissioned Hyperledger Fabric to protect identities and data—uniquely authenticating users, encrypting communications, and securing digital data immutably through that data’s lifetime.


For LE agencies that desire to securely transform paper-based workflows, ZorroSign’s digital signature and document management platform can decrease costs, reduce errors, and increase productivity. As a private blockchain, ZorroSign can ensure privacy is always maintained as only approved nodes (users) can write to ZorroSign’s blockchain.


Uniquely, ZorroSign also uses a patented 4n6 (“forensics”) token—a kind of digital seal that captures the complete audit trail and the document’s DNA. The token is digitally encrypted and contains all the details about the transaction including timestamps, user authentication, document, and attachments. As a result, ZorroSign’s architecture has even tighter privacy and security measures than other blockchains.


Committed to the Men & Women in Blue

ZorroSign strongly supports the men and women in law enforcement who put their lives on the line every day to defend our communities and protect our freedoms.  ZorroSign has partnered with the National Law Enforcement Officers Memorial Fund (NLEOMF) and committed to 10% of ZorroSign’s sales to law enforcement be donated to the Memorial Fund.



We believe our digital signatures and document management solutions to be the most private, most secure available and we are eager to prove it for law enforcement.  Contact us today to learn more!

ZorroSign’s digital signature and document management platform not only brings the privacy and security of a private, permissioned blockchain technology, but our software-as-a-service (SaaS) model can be deployed in various configurations to meet your organization’s data security requirements.


Public Cloud SaaS


Our standard deployment is on Amazon Web Services (AWS) public cloud computing network.  This configuration benefits from AWS data centers and a network architected to protect your information, identities, applications, and devices.Built with the highest standards for privacy and data security, AWS is designed to help ZorroSign deliver secure, high-performing, resilient, and efficient infrastructure for our applications.



Two big advantages of ZorroSign’s public SaaS configuration are our simple pricing model and the ability for new customers to quickly sign-up, login, and start uploading and sending documents for signatures.  Pairing superior security with user-friendly operations, ZorroSign’s public cloud configuration is our most popular deployment.


Private Cloud SaaS


In ZorroSign’s private cloud configuration, all your data and the ZorroSign application run in a private and secure cloud network dedicated to your organization.  This fully managed service is ideal for financial services institutions or any organization requiring that your data resides only in servers where you have full control.



The benefits of private cloud deployments include unlimited API usage, complete control over privacy and security measures, a system configuration much easier to manage and maintain than on-premise deployments, plus the ability to implement custom ZorroSign features and functionality.  Private cloud deployments require that customers have IT and security staff trained to manage cloud networks, but ZorroSign works closely with such customers to ensure successful and secure configurations.


Hybrid (Public/Private) Cloud SaaS


Sitting between fully-public and fully-private cloud deployments is the option for a hybrid cloud configuration.  Here, storing your data on our private, permissioned blockchain can occur on either ZorroSign data centers or in the private cloud, while the ZorroSign platform and applications run on their standard public cloud configurations.  We collaborate with your organization to configure the right mix of public self-service, scalability, and elasticity with private control and customization available with dedicated hardware.



Like a private cloud, hybrid cloud benefits include unlimited API usage and a system configuration much easier to manage and maintain than on-premise deployments.  Hybrid cloud deployments can be a strong option for financial services institutions, and ideal for healthcare organizations, law firms, legal departments, real estate firms, and other industries where data security is highly regulated.


On-Premise Configurations


Finally, for those customers who require both the ZorroSign platformand their data reside behind their own firewall or demilitarized zone (DMZ)—where a physical or logical sub network contains and exposes your organization’s external-facing services such as ZorroSign digital signatures, workflow management, and identity-as-a-service applications—we support on-premise deployments.



On-premise deployments require your organization to manage and maintain your own data centers, but gain the benefits of unlimited API calls and total control over identity access management (IAM), data privacy and security, and data integrity processes.  On-premise deployments of the ZorroSign blockchain platform can be ideal for government agencies and departments, critical infrastructure organizations, large financial institutions, and other organizations that prefer to fully manage their own IT infrastructure.


Whichever configuration your organization requires, ZorroSign has the staff, the architecture, and the deployment experience to ensure your data privacy and security needs are met.  To learn more about ZorroSign’s cloud configurations for various SaaS deployments, and how we deliver greater privacy and security for digital signatures and documents, contact us today!

Is your organization effectively protecting its information?


Happy Data Privacy Day! Or perhaps a more appropriate greeting: Is your organization employing information privacy best practices today . . . and everyday?


Data Privacy Day focuses on raising awareness among businesses, consumers, and families on the importance of protecting the privacy of their personal information online.


At ZorroSign, our corporate mission is to leverage blockchain technology to deliver a lifetime of security and privacy for your digital signatures and documents that is easy-to-use and legally compliant. Data privacy is one of our core values as we strive to provide the most trusted and secure paperless experience.


A Short History of Data Privacy in the United States


“In recent years, information privacy has emerged as one of the central issues of our times,” notes Daniel J. Solove in a George Washington University Law School publication on information privacy laws. “Today, we have hundreds of laws pertaining to privacy: the common law torts, criminal law, evidentiary privileges, constitutional law, at least twenty federal statutes, and numerous statutes in each of the fifty states.”


Solove traces privacy protections from early American census and government records, through post mail and telegraph communications, to personal papers and information. Then “the development of the computer in 1946 revolutionized information collection. Throughout the second half of the twentieth century, the computer revolutionized the way records and data were collected, disseminated, and used,” writes Solove and “the increasing use of computers in the 1960s raised a considerable public concern about privacy.”


Congress passed the Privacy Act of 1974 to regulate the “collection and use of records by federal agencies, and affords individuals right to access and correct their personal information,” then passed the Electronic Communications Privacy Act (ECPA) of 1986 which “protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. The Act applies to email, telephone conversations, and data stored electronically.”


The 1990’s saw the rise of the Internet which changed the game for data collection, storage, and dissemination. Initially, the U.S. passed the Children’s Online Privacy Protection Act (COPPA) of 1998—which “prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet”—then the Gramm-Leach-Bliley Act (GLBA) of 1999 defining personal identifying information privacy for financial institutions which expanded privacy policies across many industries.


The September 11, 2001 attacks on the United States initially brought challenges to data privacy as the USA PATRIOT Act of 2001 granted federal agencies greater power to collect personal information and expanded the investigative powers of law enforcement based on the Foreign Intelligence Surveillance Act (FISA).


At this time, “the U.S. doesn’t (yet) have a federal-level general consumer data privacy law, let alone a data security law,” notes Varonis, a cybersecurity company.


But individual states are taking up the cause for data privacy and—often emulating policies and practices set by the European Union’s General Data Protection Regulation (GDPR)—defining stronger privacy protections. For example, the California Consumer Privacy Act (CCPA) of 2018 (and copycat laws in other states such as Hawaii, Maryland, Massachusetts, New York, and North Dakota) gives “consumers more control over the personal information that businesses collect about them, including: The right to know about the personal information a business collects about them and how it is used and shared; the right to delete personal information collected from them (with some exceptions); the right to opt-out of the sale of their personal information;  and the right to non-discrimination for exercising their CCPA rights.”


Information Privacy Today


2020 was not a great year for world health or for data privacy. The news was filled with stories of data breaches, and the Great Supply Chain Hack of 2020 may haunt government data systems for years—“This is looking like it’s the worst hacking case in the history of America,” says one U.S. official. “They got into everything.”


In this climate of fear and risk, ZorroSign’s CEO and co-founder, Shamsh Hadi, has built a company culture where “trust is everything.” Private businesses, government organizations, educational institutions, legal departments, real estate companies, and many other industries trust ZorroSign technologies to protect their data and secure their information privacy.


Our private, permissioned blockchain platform is compliant with dozens of international privacy and security standards, including United States eSign Act, Uniform Electronic Transactions Act (UETA), Health Insurance Portability and Accountability Act (HIPAA), Americans with Disabilities Act (ADA) and Web Content Accessibility Guidelines (WCAG 2.1), the Federal Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), Canadian Provincial Uniform Electronic Commerce Act (UECA), the Information Technology Act 2000 (IT Act of India), and GDPR in Europe, and many more.


Request a copy of our ZorroSign Security Brief for details on our unique blockchain architecture, document storage and protection, and platform security measures or contact us today to learn how ZorroSign’s digital business platform can protect your data privacy!

“Modern digital technology that supports information sharing,

communication, collaboration, and learning are

central to daily living and to the function of government.”

~Teri Takai, Executive Director at the Center for Digital Government


Local governments in the United States such as counties, municipalities, and school districts serve the public with codified processes for business, education, health and safety, law enforcement, property development, transportation, utilities, and more. The sheer volume of legal agreements, licenses, permits, records, and reports are daunting to manage, and digital solutions are becoming more and more necessary to effectively administrate public services.


Further, local governments know the value of operating more efficiently both in cost-savings (by reducing administrative costs in paper, printing, reproduction, storage, etc.) and in resource allocation (by being able to serve more constituents with the same resources). Technology solutions that speed clerical work, reduce errors, and lower administrative costs can readily generate a return on investment for the public.


As local governments strive to move paper administration to digital environments, privacy and security become top priorities. Beyond simply digitizing forms, processes, and records, these government organizations must:


  • Validate end users as constituents engage digital public services
  • Authenticate digital data as it is moved between users and offices
  • Secure digital documents for storage, archiving, and retrieval—ensuring immutability with non-repudiation audit trails and post-execution fraud/tamper protection


Digital Benefits for Local Governments

The COVID-19 pandemic has accelerated local governments’ need to move to digital services.


“When offices were forced to close, many local governments were unable
to conduct business without physical access to legacy systems,
holding up everything from building permits to license renewals
and access to land records.”
~Doug Harvey, VMware Head of U.S. State & Local Governments & Education


As local governments add remote administration capabilities, the promise of digital transformation is tremendous. Large municipalities to the smallest administrative districts can leverage digital signature and document management software to protect the chain of custody (CoC) for documents and securely review, approve, archive, and retrieve:


  • Across-agency or inter-department agreements
  • Architecture and engineering drawings/schematics for construction permits
  • Benefits administration programs and processes
  • Certificates of occupancy
  • Court decrees and orders
  • Facilities management forms
  • Housing programs and building permitting management
  • Human resources processes (e.g., employment agreements, expense forms, payroll sign-off sheets, etc.)
  • Licenses for alcohol, auctions, business, construction, farming, plumbing, restaurants, retail, valet services, etc.
  • Logistics and procurement processes
  • Permits for building, carnivals and fairs, exhibit and trade shows, explosives, fireworks, gas, hazardous waste, hospitals, lumber, medical facilities, nursing homes, public assemblies, waste handling, etc.
  • Public health programs administration
  • Purchase agreements for public assets, products, or services


ZorroSign blockchain digital signature, a secure, encrypted platform provides a means for local governments to digitize records—eliminating duplication errors, streamlining clerical work, decreasing costs and time spent, and ensuring public record immutability for legal enforceability and transparency.

In today’s digital world, data privacy and security are critical. At ZorroSign, we are proud to put privacy and security at the heart of everything we do—including how we’ve built our digital transaction management (DTM) platform. With our private, permissioned blockchain foundation, our commitment to security and privacy meets important regulations and standards upheld by countries around the world. Here are some quick examples…




In the United States, there have been many laws and regulations enacted around data privacy and digital security, including:


  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) set national standards for electronic health care transactions and codes, unique health identifiers, and security—ZorroSign DTM helps organizations meet HIPAA compliance.
  • The Digital Millennium Copyright Act (DMCA) of 1998 is an anti-piracy statute protecting digital rights management—ZorroSign’s digital signatures support DMCA.
  • In 1999, the Uniform Electronic Transactions Act (UETA) established the legal equivalence of electronic records and signatures, with paper documents and manually-signed (wet) signatures—ZorroSign digital signatures meet UETA compliance.
  • In 2000, the Electronic Signatures in Global and National Commerce Act (E-Sign Act) validated electronic records and signatures for commerce across states and countries—ZorroSign digital signatures fulfill ESIGN compliance.
  • The Sarbanes–Oxley Act of 2002 (SOX) set regulations for the financial practice and corporate governance of U.S. public company boards, management, and public accounting firms—ZorroSign DTM helps organizations fulfill SOX requirements.


In Canada, similar laws such as the Personal Information Protection and Electronic Documents Act (PIPEDA) defined how organizations can collect, use or disclose personal information; and the Uniform Electronic Commerce Act of 1999 (ULCC) regulated the provision and retention of electronic information, and the communication of electronic documents. Again, ZorroSign digital signatures meet both Canadian standards for privacy and security.




The European Union has enacted two major regulations for data privacy and security in the General Data Protection Regulation (GDPR) and Electronic Identification and Trust Services Regulation (eIDAS) of 2018. This elaborate set of rules and requirements are also met by ZorroSign’s digital signatures and DTM platform.




In the Middle East region there are two major laws that govern electronic signatures in the United Arab Emirates (UAE) and Saudi Arabia. ZorroSign meets the United Arab Emirates’ Federal Law No. 1 of 2006 regarding Electronic Transactions and E-Commerce granting electronic signatures legal force and effect. ZorroSign also meets the KSA laws in Saudi Arabia as governed by the Electronic Transactions Law, Royal Decree No. (M/8) 8 Rabi’ I- 1428H from 2007.




In 2000, India passed a sweeping Information Technology Act, with further amendments in 2008, providing legal recognition for transactions performed by electronic data interchange, eCommerce, and digital signatures, plus rules for electronic records and certifying authorities. Again, ZorroSign DTM meets the security and privacy requirements of India’s IT Act.




While ZorroSign’s platform ensures compliance with these (and other) regulations around the world, we separate ourselves from our competition by going even further to protect our customers’ data and privacy. ZorroSign’s patent-pending blockchain architecture uniquely ensures:


  • Immutability—maintaining a chronological record of transactions in multiple copies on a ledger to avoid doubt or ambiguity.
  • Legal Enforceability—ZorroSign uses patented and legally-binding electronic signature with real digital information versus competitors who simply superimpose a flat image of a signature on a document… legally distinguishing intent to sign a document vs actually signing a document.
  • Signature Attribution—signatures are protected and validated using ZorroSign’s private permissioned blockchain, plus high-level security provisions and multifactor authentication (including biometrics) to ensure signatory attribution.
  • Fraud Prevention—our proprietary 4n6 token detects document fraud, document tampering and signature forgery (as a tamper seal that runs on the blockchain).
  • Lifetime Escrow—while competitors often use third-party digital security certificates that expire every two years, ZorroSign issues its own certificates that never expire for lifetime document escrow.


We are proud to be the digital signature solution of choice for organizations around the world committed to privacy and security.

If your office becomes inaccessible for any period of time, are you prepared to ensure business continues as normal? Having a Business Continuity Plan (BCP) in place is a great start when preparing for the worst. When COVID-19 started to spread throughout the globe, many companies were not prepared to shift their workforce to a primarily work from home team.


Early on, ZorroSign executives made the decision that all employees across the globe would work from home until further notice. This decision was easy to make, as the organization had a solid BCP in place, so invocation was seamless.


Develop a Business Continuity Plan


A Business Continuity Plan (BCP) is when a company develops a plan for preventing and recovering from any potential harm to the company; knowingly or unknowingly. These could include fire, flood, natural disaster, cyber attack, criminal mischief, global pandemic, etc. The goal of the BCP is to prevent unnecessary damage to organizations assets or personnel and to ensure company assets are recovered and personnel can quickly get back to work after a disaster or crisis.


Wondering if your company is on par with companies around the globe when it comes to disaster preparedness? A recent survey conducted by AvidXchange determined that only 37% of 500 companies surveyed had the appropriate technology in place to abruptly shift employees to telecommute, also known as working from home, in the event of an emergency. This survey was eye-opening and demonstrated a large gap in BCP. Below are a few of those gaps:

  • Only 61.8% of businesses have a BCP in place.
  • 48% of businesses that have a BCP in place can only operate two to three weeks with their current plan.
  • 19% of businesses reported none of their employees have the right company provided technology to work from home.

Based on the survey results above, it’s easy to see that most companies are not prepared for the current global pandemic. Below are some key elements that all companies should include in their BCP.


Business Continuity Plan Elements


Each company’s BCP will be different and unique to the individual business. However, there are four main elements every BCP should include, this will ensure that all business operations have a prevention and recovery plan. The four elements are:

  1. Identify purpose and scope – Clearly identify and state the purpose and scope of the BCP. Include all business operations and detail any exclusions.
  2. Determine responsibilities – Clearly identify who has permission to invocate BCP, along with what employees have authority before, during and after an incident. These identified employees should be given clear roles on the Business Continuity Response Team (BCRT).
    1. Documentation – identify a document owner that will be tasked with keeping track of BCP approvals and change history for company records. The document owner should be responsible for ensuring BCP procedures are reviewed and tested regularly.
    2. Change management – BCRT leaders should control the message and get employee buy-in for the BCP. The BCP document owner should publish it where it is easily accessible to all stakeholders in both digital and hard formats.
  3. Develop Business Continuity Plan – Information in the plan must be understood by and accessible to everyone in the organization, and details of how and when the BCP will be invoked should be included. In order to create a thorough BCP a few items should be addressed:
    • Define potential risks to the company and conduct a business impact analysis.
    • Identify how potential risks will affect company operations.
    • Identify and implement safeguards to mitigate identified risks. Be sure to identify how to recover critical business operations.
    • Practice and test out safeguards to ensure they accomplish the desired outcome.
    • Continually review and update the BCP so it is always up to date.
  4. Communicate and Train – Clearly determine how, and under which circumstances, the pre-identified BCRT will communicate with employees, stakeholders and emergency contacts. The last step is to thoroughly train the BCRT, as well as employees.


Quick List – 5 Actions to Take Today to Prepare for Tomorrow


ZorroSign takes business continuity very seriously. Having 100% of the workforce fully functional independent of location is the standard for the company’s BCP. Here are a few things we recommend any company without a robust BCP implement immediately, in order to prepare employees for an emergency that could result in an extended time away from a physical office:


  • Company Issued Equipment – Issue all employees company laptop at start of employment. Desktop computers are not useful in emergency situations, as work location may abruptly change, not allowing transition of equipment that is not easily portable.
  • Collaboration Software – Implement use of team collaboration software; this allows employees to effectively and efficiently communicate, before, during and after a disaster. Microsoft Teams is an example of a great tool. During a crisis where employees change their work location abruptly, having a communication collaboration tool is essential.
  • Mobile Device Management (MDM) – A MDM tool is software used by IT departments that allows them to identify what company issued mobile devices are accessing, their location, remotely lock a device, and even wipe a device clean if lost or stolen. MDM capabilities are very important with an increase in remote workers, as this can protect company intellectual property, as well as physical assets. An example of an MDM tool is Microsoft Intune.
  • Virtual Private Network (VPN) – Ensure all employees are using a VPN when accessing office network and resources. A VPN is the easiest way to protect company data and be cyber aware, while protecting data security.
  • Employee Internet Connectivity Audit – Make sure all team members have good internet connectivity. This can be accomplished through a simple employee survey. Work to help employee’s with unreliable internet connectivity to either use a secure mobile hot spot or identify solutions for increasing their stability of a reliable internet connection.
  • Cloud Hosting – Host all critical environments in the Cloud. This will allow full continuation of ongoing projects independent of employee location. Cloud hosting should include disaster recovery options.


Communication & Training


Having a BCP in place is a great start to having a business being able to function during a disaster. However, without proper communication with all stakeholders and employees, and without proper training, a company’s BCP will not be effective. It is important to communicate the plan with all employees, not just those on the Business Continuity Response Team. Training employees on what to do in the event of an emergency and when to execute the BCP is a key part of a successful plan.


A tip for maintaining a usual level of communication and efficiency when working remotely is to have team leads prepare daily task lists that include all project dependent variables and ensure they are assigned to appropriate employees. Conducting quick stand-up meetings at the start and end of each day via a collaboration software tool like Microsoft Teams can also identify employees that need a little extra help to achieve their targets. Restricting all communication to trusted tools like Microsoft O365, Outlook and Microsoft Teams can help protect the company’s intellectual property.




Having a Business Continuity Plan is kind of like purchasing insurance, you invest in it hoping to never have to use it. The unprecedented impact that the COVID-19 pandemic has had on the business world is reassurance that a BCP should be a part of all business’ operations plan.  Having a strong BCP in place could mean the difference between being in business once the crisis ends and continuing business operations as usual and not experiencing negative business fallout do to a disaster. It’s not too late, if your business doesn’t have a BCP in place start the process of creating one today. If you have a half-baked BCP in place, take the time and build your plan out completely. Meanwhile, the COVID-19 epidemic is impacting every part of business and society, so we encourage you to stay safe, work smart, stay home.

For most organizations, apps, programs and systems, using a username and password is how they authenticate users, identity and access management (IAM). This protocol often leads people to use passwords that are simple. When passwords get complicated users forget them. As a result, people use the same password or copy and paste passwords.  This leads to cybersecurity vulnerabilities. Passwordless environments provide total security without users having to remember complex passwords.


Multi-factor authentication (MFA) used to be a premier option only offered by organizations highly focused on cybersecurity. Recently this has changed, and more organizations are utilizing MFA within their login protocols. MFA is increasingly becoming a requirement for small, midsize and large organizations, regardless of the industry.


A new methodology incorporating MFA being implemented by IT Leaders is called Passwordless login and authentication, which eliminates potential cybersecurity vulnerabilities. By using this new methodology to login to applications and systems, users can be validated and authenticated in a more secure manner. With software solutions like electronic and digital signature programs, passwordless login allows users not only to sign electronic documents more efficiently and securely while maintaining complete privacy but also have the highest level of confidence that the intended party is the actual party that is executing the document.


According to Verizon’s 2019 Data Breach report, 80% of data breaches are the direct result of compromised or reused passwords. What’s even more astonishing is Lastpass reports in its 3rd Annual Global Password Security Report that 59% of seasoned IT professionals agree that strengthening user authentication is necessary in order to identify their identity capabilities.


Often when password complexity increases, users are more likely to reuse a password. When passwords are reused security risks increase. Ever wonder just how easy it is for someone with ill intent to crack your password using a computer program? The following table demonstrates the correlation between password strength and the potential time it can take to crack using a specialized computer program.



What is Passwordless login?


Passwordless login incorporating multi-factor authentication is a process in which two or more factors are used to verify a user. A passwordless login is an authentication system that uses alternatives to a password to permit the right users’ access to their account. Popular web-based email systems like Gmail use passwordless logins and users can confirm intent to login via a message on their mobile device, thus controlling access to the account.


For those wondering if multi-factor authentication and two-factor authentication are the same thing, they are not. While they are related, two-factor authentication often secures a user’s account using two separate factors like a password and a separate device pin. While two-factor authentication seems like you are using two separate means to authenticate an account, in actuality a single factor is being used, thus making two-factor authentication and multi-factor authentication different. One-Time Password (OTP) functionality is an example of two-factor authentication. Physical security key, Knowledge Based Authentication and biometrics are examples of MFA.


A physical security key is another way passwordless login can be achieved. To complete login with a physical USB security key a user would plug in the token device into their computer. The service would then authenticate the user and validate account access. Knowledge Based Authentication authenticates users by asking secret questions that only the intended user would have the correct answers. Biometric login is when a system uses biometric login procedures to authenticate a user and provide appropriate access using a device with biometric capabilities. Examples of biometrics is using Apple’s Face ID or the fingerprint scanner on an Android or Apple mobile device.


One MFA method gaining popularity is the use of QR codes. Once the QR code is scanned the mobile device prompts the user for biometric verification. If the device doesn’t have biometric capability the user would receive a pin code via email or text. When authenticated the user would be logged in automatically, achieving a passwordless environment for increased cybersecurity.


Why Governments should adopt Passwordless login as the gold standard


Governments should go passwordless and MFA should be the minimum standard because it is more secure. While many agencies currently use Common Access Cards (CAC) or Personal Identity Verification (PIV) cards to authenticate users, these login protocols are useless on mobile devices and sometimes even cloud based applications. With more applications utilizing the cloud and an increase in users relying on their mobile devices it’s easy to see why CAC and PIV cards need a refresh. Another issue with legacy passwordless protocols in many government agencies is the use of dated Public Key Infrastructure (PKI). Technology drastically changes on average about every six months, this is problematic when you think that the average agency PKI stack is at least 15 years old.


Identity as a Service (IDaaS)


Identity as a Service (IDaaS) is an additional security protocol that corporations and governments can adopt to further secure their systems. An example of IDaaS is the use of Knowledge Based Authentication (KBA) in order to validate a user.


Identity as a Service (IDaaS) will have a major impact on how governments and companies verify users in the future. Advancements in technology, specifically in the space of Artificial Intelligence (AI) and Machine Learning (ML) show promise in the ability to use ML in areas like identification, facial recognition and to recognize a true signature on a digitally signed document.


Launch your organization’s passwordless future


The bottom line is that government agencies and the private sector will have to start adopting new technologies to not just keep up with technological advances, but to ensure cybersecurity of their systems and data. It’s important to the public sector and private sector alike to be cyber savvy and have a plan in place to adopt the latest cutting-edge MFA technologies and protocols. For anyone looking for clear benefits of being ahead of the passwordless future, remember that using a passwordless protocol allows an organization to eliminate passwords, which can be a vulnerable access point, while maintaining total control of an organizations access points. Passwordless protocols also increase efficiency by eliminating time spent remembering and recovering lost passwords.


Click here to get in touch with us. You can also email us at [email protected]

The increased popularity of, demand for, and mainstream use of electronic signature is the result of the global “go digital” movement, significant enhancements in the technology, and  governments passing laws to go completely digital in the near future. It does not suffice to use an image of your signature as an “intent to sign” or use incomplete electronic signature solutions that do not include an audit trail. Security, privacy, legal acceptability, signatory attribution, and authenticity of electronic signatures, electronic records, and document transactions have become key decision factors for users in legal, financial services, real estate, insurance, banks, healthcare industries and more.


In this article we outline the clear competitive advantage that ZorroSign has over its competitors, their products and why we believe we have developed the most advanced electronic signature and digital transaction management platform, that was created to meet the past, current and future needs of both the private and public business sector.


ZorroSign Competitive Advantages


ZorroSign is an advanced Digital Transaction Management (DTM) platform. There are less than a handful of competitors who may qualify as DTM providers, but studies show that those solutions do not meet basic DTM requirements of many customers. ZorroSign, on the other hand, is considered an Advanced DTM due to its enterprise-grade workflow automation, workflow builder, content automation, bank-grade security, built-in Document Management System, and intelligent forms.


  1. ZorroSign uses (patented) true legally-binding electronic signature with real digital information vs our competitors who simply superimpose a flat image of a signature on a document. It’s about capturing intent to sign a document vs actually signing a document.
  2. We use high level security provisions and multi-factor authentication (including biometrics) to ensure signatory attribution. This is increasingly becoming a problem when it comes to legal matters.
  3. Our proprietary technology, the Document 4n6 (forensics) Token, detects document fraud tampering and signature forgery. It is  a tamper seal that runs on the Blockchain.
  4. Our competitors use 3rd party digital security certificates that expire every two years. ZorroSign is authorized to issue its own certificates and they never expire. We call it Lifetime Document Escrow.
  5. ZorroSign is a true Advance DTM platform complete with workflow automation and exception handling.
  6. ZorroSign is built on permissions-based private Blockchain technology. We take advantage of its security, privacy and trust features to manage all our customer’s document signature transactions.
  7. For ZorroSign, privacy and security are at the core of everything with do. We think security and privacy first for every product design, policy, and business practice decision. We use bank-grade security protocols, AES Encryption, biometrics, MFA, and other heuristics for handling our customer’s document signature transactions.


For a complete competitive analysis including analysis of a particular ZorroSign competitor, please contact our customer advisors.


Disclaimer: All competitive information is based on publicly available information.  When reviewing competitive information including pricing, please consider that products are continuously enhanced and modified by vendors and pricing published on the website is MSRP. ZorroSign does not disclose product roadmap and features that are in development and not yet released to the general public. ZorroSign also does not disclose feature-by-feature comparison for the same reason.