Aadhaar eSign alone isn't enough for B2B vendor contracts. Here's the gap most teams miss.
When Aadhaar eSign proves the person but not the authority to bind the company.
When someone signs a vendor agreement via Aadhaar eSign, the certificate embedded in the PDF makes one specific claim: a person with this Aadhaar UID, authenticated via OTP or biometric, applied their signature to this document at this timestamp. That claim is legally sound. It is also limited to what it says.
The authentication is individual. There is no company in the certificate. No designation. No reference to the organisation the signatory works for. For consumer-facing agreements, that limitation is irrelevant — the individual is the party. For corporate vendor contracts, the limitation matters.
What Aadhaar eSign actually proves
The technical standard for Aadhaar eSign is set by the IT (Electronic Signature or Electronic Authentication Technique and Procedure) Rules, 2015, read with Schedule 2 of the IT Act. Under this framework, a reliable electronic signature requires that the authentication mechanism uniquely identifies the signatory, that the data used to create the signature is under their sole control, and that any alteration to the signed document is detectable.
UIDAI's biometric and OTP infrastructure satisfies all three conditions for the individual. The signature is cryptographically linked to the Aadhaar identity: name, Aadhaar UID, and demographic data from UIDAI's database. The audit trail records the authentication reference number, timestamp, and the hash of the document at the moment of signing.
The authorization gap in corporate agreements
In Indian contract law, a company enters into agreements through authorised signatories. That authority typically flows from a board resolution — either naming specific individuals or setting a delegation-of-authority policy for agreement types and value thresholds. Without a valid authorization chain, the agreement may be challenged as executed by someone who lacked the authority to bind the company, regardless of how authentic the signature itself is.
When a procurement lead signs a vendor agreement via Aadhaar eSign, the audit trail proves one thing: that person signed. It does not prove that person had the authority to commit the company to those terms. The Aadhaar certificate is silent on that question.
For individuals acting in their own capacity — sole proprietors, GST-registered freelancers, consultants operating as individuals — this gap does not exist. The party and the signatory are the same person. Aadhaar eSign authenticates and binds simultaneously. For corporate entities, the gap is real.
Three situations where the gap causes actual problems
During fundraising or M&A due diligence
Acquirers and their legal teams audit vendor contracts and verify that each was executed by someone with documented authority. An Aadhaar-signed agreement without a corresponding delegation record creates a documentation gap. In a well-run due diligence process, this generates a finding: at minimum, extra work to locate the authorization evidence; at worst, a representation problem that requires remediation before closing.
For high-value contracts near board-resolution thresholds
Companies often set thresholds: directors only above a certain value, department heads up to a lower amount, managers lower still. If a manager signs something that a director should have signed, the agreement can be challenged as improperly authorized. The Aadhaar certificate shows who signed. It does not catch the threshold violation.
When a counterparty wants to exit
If the other party later wants out of the agreement, contesting the signatory's authority is one of the easier arguments to raise. Proving that authority is your burden. An Aadhaar eSign establishes the who and the when. Whether that person was permitted to sign on the company's behalf is your documentation problem, not theirs.
What to add alongside Aadhaar eSign for corporate vendor contracts
Aadhaar eSign remains the right mechanism for individual authentication in most Indian B2B workflows. The answer is not to replace it — it is to add the corporate-authorization layer alongside it.
Inside the document and the signing envelope
Include a one-line signatory authority declaration in the agreement body: the signatory confirms they have been duly authorised by the company to execute this agreement. This creates a contractual representation by the signatory that the authorization exists, and it appears in the signed PDF itself.
Capture the signer's corporate email address as part of the envelope metadata. A corporate email (not a personal Gmail account) is corroborating evidence that the person signed in their corporate capacity. FlowVerify captures the invitation email automatically in the audit log, so send signing invitations to the signer's work address.
Add a Designation field as a required custom field in your FlowVerify template. When the signer fills it in, the value is captured in the audit log alongside the Aadhaar authentication record. Adding this to an existing template takes about four minutes in the template editor.
Outside the document
Maintain a delegation-of-authority register: who is authorised to sign what, up to what value, and under which board resolution. This does not need to be attached to every agreement, but it must be retrievable. Store it in the same FlowVerify workspace folder as your vendor contracts.
For high-value agreements above your board-resolution threshold, upload the relevant board resolution or power of attorney into the signing folder alongside the executed agreement. Two documents, one folder, one retrievable audit.
At the certificate layer for higher-stakes contracts
A Class-3 DSC issued to a named director in their capacity as an authorised signatory of the company embeds the organisation name and designation in the certificate itself, closing the gap at the cryptographic layer. The trade-off is more signing friction. For contracts above a defined value threshold, that friction is proportionate.
“A signature proves the person signed. It does not prove the person was permitted to sign.”
When Aadhaar eSign alone is sufficient for B2B
For routine, low-value vendor agreements, the practical risk from the authorization gap is low. A monthly subscription signed by the ops manager is not going to be challenged on authority grounds in most organisations.
For agreements with sole proprietors and individual freelancers, Aadhaar eSign alone closes both authentication and authority in one step. The individual is the contracting party.
The risk from the authorization gap scales with three factors: the value of the agreement, the probability that the relationship becomes adversarial, and the depth of any due diligence the company may face. Low value, stable vendor, no upcoming fundraise: Aadhaar eSign alone is likely defensible. High value, new counterparty, Series A underway: add the authorization layer before the envelope goes out.
What the audit trail for a corporate vendor agreement should capture
A defensible audit trail for a corporate agreement should cover both the individual-authentication evidence and the corporate-capacity evidence. Here is what that looks like in practice:
| Audit trail item | Aadhaar eSign default | With recommended workflow additions |
|---|---|---|
| Signer name and Aadhaar UID | Captured automatically | Captured automatically |
| Corporate email of signer | Yes, if invited by corporate email | Yes — always invite by work address |
| Signer designation | Not captured | Add Designation field to template |
| Document hash at signing | Captured automatically | Captured automatically |
| Signing timestamp | Captured automatically | Captured automatically |
| IP address of signing session | Captured automatically | Captured automatically |
| Board resolution reference | Not captured | Upload BRS alongside agreement in folder |
FlowVerify's audit reports cover the automatically-captured items for every envelope. The designation field and board resolution reference require deliberate workflow design, but both can be added to an existing template and folder structure in under ten minutes.
A complete audit trail does not guarantee enforceability. It makes a challenge substantially harder and shifts the evidential burden toward the party contesting the agreement's validity.
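The corporate-capacity checks described above can be run as a pre-send or post-signing review. The following is an added example, not FlowVerify code or its API: the record fields, register entries, rupee thresholds and resolution references are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed delegation-of-authority register:
# designation -> (max agreement value in INR, board resolution reference).
# A limit of None means no ceiling for that designation.
DOA_REGISTER = {
    "Manager": (500_000, "BR-EXAMPLE-01"),
    "Department Head": (2_500_000, "BR-EXAMPLE-01"),
    "Director": (None, "BR-EXAMPLE-02"),
}
# Assumed threshold above which a board resolution or PoA must sit in the folder.
BOARD_RESOLUTION_THRESHOLD = 2_500_000
# Assumed list of personal mail domains; extend to suit your own policy.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

@dataclass
class Envelope:  # hypothetical record assembled from the audit log and folder
    signer_email: str
    designation: Optional[str]      # value of the Designation custom field
    agreement_value: int            # INR
    authority_clause_present: bool  # signatory authority declaration in body
    resolution_on_file: bool        # board resolution / PoA uploaded

def authorization_gaps(env: Envelope) -> list[str]:
    """Return the corporate-capacity evidence missing for this envelope."""
    gaps = []
    domain = env.signer_email.rsplit("@", 1)[-1].lower()
    if domain in PERSONAL_DOMAINS:
        gaps.append("personal-email")
    if not env.authority_clause_present:
        gaps.append("no-authority-declaration")
    if env.designation is None:
        gaps.append("designation-missing")
    elif env.designation not in DOA_REGISTER:
        gaps.append("designation-not-in-register")
    else:
        limit, _resolution_ref = DOA_REGISTER[env.designation]
        # The Aadhaar certificate shows who signed; this catches the
        # threshold violation it cannot.
        if limit is not None and env.agreement_value > limit:
            gaps.append("value-exceeds-delegation")
    if env.agreement_value > BOARD_RESOLUTION_THRESHOLD and not env.resolution_on_file:
        gaps.append("board-resolution-missing")
    return gaps
```

An empty list means the individual-authentication record is backed by the corporate-capacity evidence listed in the table; it says nothing about the Aadhaar signature itself, which is validated separately.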