PDF Security: How to Protect Your Signed Documents
Learn how to secure your signed PDF documents with encryption, access controls, audit trails, and tamper detection to prevent fraud and unauthorized access.
Why PDF Security Matters for Signed Documents
A signed document is only as trustworthy as the security protecting it. When you sign a contract, the signing itself is just one element of document integrity. You also need to ensure that the document hasn't been altered after signing, that only authorized people can access it, and that there's a verifiable record of who signed what and when.
Document fraud costs businesses an estimated $300 billion annually worldwide. Even if outright fraud isn't your primary concern, regulatory compliance, client trust, and legal defensibility all depend on proper document security.
Understanding PDF Security Layers
PDF security isn't a single feature — it's a combination of layers that work together:
Layer 1: Encryption
Encryption scrambles the document's contents so that only authorized parties can read it. PDFs support two levels of encryption:
- 128-bit AES encryption — Standard protection suitable for most business documents
- 256-bit AES encryption — Military-grade protection for highly sensitive documents (financial records, medical data, legal filings)
When a document is encrypted, anyone who intercepts the file without the decryption key sees only unreadable data. DottiSign applies 256-bit AES encryption to all documents, both in transit and at rest.
Layer 2: Password Protection
PDFs support two types of passwords:
- Open password (user password) — Required to open and view the document. Without it, the document is inaccessible.
- Permissions password (owner password) — Controls what actions can be performed on the document (printing, copying, editing). The document can be viewed but not modified.
Best practices for PDF passwords:
- Use unique passwords for each document — don't reuse a single password across all your contracts
- Share passwords through a different channel than the document itself (e.g., send the PDF by email and the password by SMS)
- Use a password manager to track document passwords
- Avoid easily guessable passwords — "password123" provides no real protection
Layer 3: Digital Signatures and Certificates
A digital signature (not to be confused with an electronic signature) uses cryptographic technology to create a tamper-evident seal on the document. Here's how it works:
- When the document is signed, a mathematical hash of the document's contents is created
- This hash is encrypted with the signer's private key, creating the digital signature
- The signature is embedded in the PDF along with the signer's public key certificate
- When anyone opens the document, the PDF reader verifies the hash against the current document contents
- If even a single character has been changed since signing, the verification fails and the reader displays a warning
This means you can prove, mathematically, whether a document has been altered after signing.
Layer 4: Audit Trails
An audit trail is a chronological record of every action taken on a document. A comprehensive audit trail captures:
| Event | Data Captured |
|---|---|
| Document created | Timestamp, creator identity |
| Document sent for signature | Timestamp, sender identity, recipient email addresses |
| Document viewed | Timestamp, viewer identity, IP address, device type |
| Fields completed | Timestamp, field name, signer identity |
| Signature applied | Timestamp, signer identity, IP address, signature method |
| Document completed | Timestamp, completion status, all signer confirmations |
| Document downloaded | Timestamp, downloader identity |
DottiSign generates a detailed audit trail for every document, which is attached as a certificate of completion. This certificate is admissible in court and provides the evidence needed to prove a document's authenticity.
Layer 5: Access Controls
Control who can access your documents and what they can do with them:
- Role-based access — Only team members with the appropriate role can view, edit, or manage specific documents
- Expiring access links — Signing links that become inactive after a set date prevent unauthorized late access
- View-only sharing — Share completed documents for viewing without granting download or print permissions
- IP restrictions — Limit document access to specific IP ranges (useful for enterprise environments)
Common Security Threats to Signed Documents
1. Document Tampering
The most direct threat: someone modifies a signed document after signatures are collected. Without tamper detection, a malicious party could change prices, dates, or terms after the contract is executed.
Protection: Digital signatures with hash verification. Any change invalidates the signature, making tampering immediately detectable.
2. Signature Forgery
Someone creates a fake signature on a document that was never actually signed by the claimed party.
Protection: Audit trails with IP addresses, email verification, and multi-factor authentication. These elements create a chain of evidence that ties the signature to a specific person, device, and time.
3. Unauthorized Access
Sensitive documents accessed by people who shouldn't have them — whether through poor access controls, shared credentials, or data breaches.
Protection: Encryption, strong access controls, and the principle of least privilege (only grant access to people who need it).
4. Man-in-the-Middle Attacks
An attacker intercepts the document during transmission and modifies it before it reaches the intended recipient.
Protection: TLS/SSL encryption for all document transmissions. DottiSign uses TLS 1.3 to encrypt all data in transit, preventing interception.
5. Phishing and Social Engineering
Attackers send fake signing requests that mimic legitimate e-signature platforms to steal credentials or trick users into signing fraudulent documents.
Protection: Educate your team to verify signing requests. Check the sender's email address, look for HTTPS in the signing URL, and contact the sender through a known channel if anything seems suspicious.
Security Checklist for Your Document Workflow
- Use a reputable e-signature platform — Platforms like DottiSign are built with security as a core feature, not an afterthought.
- Enable all available security features — Don't skip audit trails, encryption, or access controls just because they add a step.
- Verify signer identity — Use email verification at minimum. For high-value documents, add access codes or knowledge-based authentication.
- Store documents securely — Don't download signed contracts to an unsecured local folder. Keep them in the platform's secure storage or a properly encrypted cloud drive.
- Control access rigorously — Review who has access to your document library regularly. Remove access for departed employees immediately.
- Back up critical documents — Maintain backups in a separate, secure location. Cloud platforms can experience outages; don't rely on a single storage point.
- Train your team — Security is only as strong as the humans using the system. Regular training on phishing recognition and secure document handling is essential.
- Audit regularly — Review your audit trails periodically to detect any unusual access patterns or activities.
Regulatory Compliance
Depending on your industry, specific regulations may dictate document security requirements:
- HIPAA (Healthcare): Requires encryption of protected health information (PHI) both in transit and at rest, access controls, and audit logging
- SOX (Financial): Requires document retention, access controls, and audit trails for financial records
- GDPR (EU Data): Requires data encryption, consent management, and the ability to delete personal data on request
- SOC 2: Not a legal requirement but a widely recognized security framework that demonstrates your organization's commitment to data protection
DottiSign's security infrastructure is designed to support compliance with these frameworks, giving you a solid foundation regardless of your regulatory requirements.