The free eSign tier is probably fine — until you need to enforce an agreement
What most free-tier audit trails don't capture — and why it matters under the IT Act
Most free eSign tiers do exactly what they say. You upload a PDF, add a signature field, send a link, the other person clicks. Done. For low-stakes internal forms and one-off personal documents, that is perfectly adequate.
The problem surfaces later, specifically when someone decides not to honour what they signed. At that point, your signed PDF is the start of the conversation, not the end. What settles it is the audit trail behind it.
Free tiers are designed to convert users, not to support enforcement. The features that get paywalled first are precisely the ones a court or an arbitrator would want to see: authentication evidence, document hashes, and externally verifiable timestamps. This piece explains what those are, what Section 3A of the IT Act actually requires, and what to ask before you decide a free tier is good enough.
What you get with a free tier
Free eSign products exist on a spectrum. At the minimal end, a user can self-sign a document: no sending, no counter-signatures. A step up and you get a send-and-sign flow: you upload, set fields, send a link to a recipient, they click and sign.
What most free tiers do not give you: authentication beyond email-link control, document hashing, timestamps from a trusted time-stamping authority (TSA), or Aadhaar eSign. These are the features that sit at paid tier entry points.
Email-link signing is the default authentication on every free tier I have seen. The logic is: if the recipient can access the email and click the link, they must be who you sent it to. That is a reasonable assumption when you know the person. It is a weak one when the agreement needs to be enforceable against someone who may later claim they never signed, or that someone else accessed their inbox.
What a defensible audit trail actually records
A minimal audit trail records only that a document was signed at a given time by a person identified by an email address. That is enough to show a signing event occurred. It is not enough to demonstrate that the right person signed, that they signed a specific version of the document, or that the document has not been altered since.
A defensible audit trail records all of the following:
- The authentication method: email OTP, Aadhaar OTP, DSC. This establishes identity proof grade.
- The IP address and device fingerprint at the moment of signing.
- A cryptographic hash (SHA-256 or equivalent) of the document at the moment of signing.
- A hash of the post-signing document, proving no alteration after signature affixing.
- Timestamps from a trusted time-stamping authority, not the vendor's internal clock.
- For Aadhaar eSign: the masked Aadhaar number and the UIDAI authentication transaction ID.
Free tiers typically provide the first two items. The hash chain and TSA-anchored timestamps appear at paid tiers, because both require infrastructure investment — integrating with a TSA and running a cryptographic signing service on every document.
| Feature | Typical free tier | Typical paid tier |
|---|---|---|
| Authentication method logged | Email only | Email, OTP, Aadhaar, DSC |
| IP + device fingerprint | Sometimes | Yes |
| Document hash at signing | Rarely | Yes |
| Post-signing integrity hash | No | Yes |
| TSA-anchored timestamp | No | Yes |
| Aadhaar eSign available | No | Yes |
| Audit certificate export | In-platform only | Standalone PDF |
What Section 3A of the IT Act requires
Section 3A of the Information Technology Act, 2000 (as amended) sets the conditions under which an electronic signature is considered reliable. It is worth knowing these precisely, because vendors use "legally valid" loosely.
The Act states that an electronic signature is reliable if:
1. The signature creation data are linked to the signatory and to no other person.
2. The signature creation data were under the sole control of the signatory at the time of signing.
3. Any alteration to the electronic signature made after affixing is detectable.
4. Any alteration to the information made after its authentication is detectable.
Conditions 3 and 4 are the ones free tiers often cannot satisfy. Without a document hash captured at signing time, there is no cryptographic basis for demonstrating that the document presented in a dispute is the same document that was signed. The hash is not optional — it is what "any alteration is detectable" means in practice.
Condition 1 depends on authentication method. Email-link signing proves control of an inbox. Aadhaar OTP signing proves possession of a specific registered mobile number and knowledge of an Aadhaar-linked OTP — a materially stronger link to a specific person. The Act does not prescribe Aadhaar, but it does require that the signature be linkable to the signatory and no one else. How well your chosen authentication method supports that claim is the question.
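The following is an added example, not FlowVerify's code or anything from the original article. It serves both the list of audit-trail fields in the previous section and condition 4 above: it records the fields a defensible trail captures around one signing event (authentication method, IP and device, pre- and post-signing SHA-256 hashes, a TSA-sourced timestamp) and then shows that the recorded hash is what makes "any alteration is detectable" a concrete check. The document bytes, signer details, IP address and timestamp are constructed sample values; `affix_signature` is a placeholder for the platform's real signing step, and the TSA timestamp is kept only as a recorded field rather than a real signed token from a time-stamping authority.

```python
"""Added example, not FlowVerify's code: the audit-trail fields listed above,
recorded alongside a signing event, and the hash comparison that gives
Section 3A's "any alteration is detectable" a concrete meaning.

All values are constructed for the example. The TSA timestamp is kept only as a
recorded field; a real one is a signed token issued by the time-stamping
authority over the document hash, which this example does not produce."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of exactly the bytes presented, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class MinimalAuditRecord:
    """What a free tier typically logs: a signing event, an email, a vendor-clock time."""
    signer_email: str
    signed_at_vendor_clock: str


@dataclass(frozen=True)
class DefensibleAuditRecord:
    """The fields from the list above: auth grade, IP and device, both hashes, TSA time."""
    signer_email: str
    auth_method: str               # "email_link", "email_otp", "aadhaar_otp" or "dsc"
    ip_address: str
    device_fingerprint: str
    document_hash_before_signing: str
    document_hash_after_signing: str
    tsa_timestamp: str             # from the time-stamping authority, not the vendor clock
    tsa_name: str


def affix_signature(document: bytes, signer_email: str) -> bytes:
    """Stand-in for the platform's signature-affixing step (a placeholder, not a
    real PDF signature): the signed file differs from the upload, which is why
    pre- and post-signing hashes are recorded separately."""
    return document + b"%% signed-by: " + signer_email.encode() + b"\n"


def sign_with_defensible_trail(document: bytes, signer_email: str, auth_method: str,
                               ip_address: str, device_fingerprint: str,
                               tsa_timestamp: str, tsa_name: str):
    """Sign the document and return (signed_document, audit_record)."""
    hash_before = sha256_hex(document)
    signed = affix_signature(document, signer_email)
    hash_after = sha256_hex(signed)
    record = DefensibleAuditRecord(signer_email, auth_method, ip_address, device_fingerprint,
                                   hash_before, hash_after, tsa_timestamp, tsa_name)
    return signed, record


def verify_presented_document(presented: bytes, record: DefensibleAuditRecord) -> bool:
    """Condition 4 in practice: the document produced in a dispute must hash to the
    value recorded at signing. A single changed byte fails the comparison."""
    return sha256_hex(presented) == record.document_hash_after_signing


def verify_with_minimal_trail(presented: bytes, record: MinimalAuditRecord) -> Optional[bool]:
    """With no recorded hash there is nothing to compare against, so the question
    "is this the document that was signed?" cannot be answered from the trail."""
    return None


# Constructed sample: a supply agreement, signed, then presented with Clause 7 removed
ORIGINAL_CONTRACT = b"%PDF-1.7 Supply agreement\nClause 7: delivery within 30 days\n"

SIGNED_CONTRACT, RECORD = sign_with_defensible_trail(
    ORIGINAL_CONTRACT,
    signer_email="vendor@example.com",
    auth_method="aadhaar_otp",
    ip_address="203.0.113.42",              # documentation address, constructed
    device_fingerprint="fp-constructed-0001",
    tsa_timestamp="2024-03-01T09:15:22Z",   # constructed; would be read from the TSA token
    tsa_name="example-tsa (placeholder)",
)
ALTERED_CONTRACT = SIGNED_CONTRACT.replace(b"Clause 7: delivery within 30 days\n", b"")

if __name__ == "__main__":
    print(json.dumps(asdict(RECORD), indent=2))
    print("unaltered document verifies:", verify_presented_document(SIGNED_CONTRACT, RECORD))
    print("altered document verifies:  ", verify_presented_document(ALTERED_CONTRACT, RECORD))
```

The point of recording two hashes is that the uploaded file and the signed file are different byte strings: the pre-signing hash ties the signer to the exact version they saw, and the post-signing hash is what a later copy is checked against. Against a minimal record the same check simply has no input, which is the gap the scenarios in the next section describe.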
“A signature is only as good as the audit trail you can produce six months later.”
Three scenarios where a thin audit trail costs you
The contractor who claims they never signed
A freelance engagement, 8 months in. The contractor walks away from a mid-project payment clause and disputes the signed agreement. Your vendor's audit log shows: "Signed via email link on [date]." No authentication event. No document hash.
Their argument: the email may have been forwarded; anyone with inbox access could have clicked. You cannot disprove it with what you have. The document is signed; the signer is, technically, unverifiable.
The vendor who says the document they signed was different
A supply agreement, signed six months ago. A dispute on delivery terms. The vendor claims the version they signed did not include Clause 7. Your audit trail shows the document was signed but does not include a hash of the original.
You have no cryptographic evidence the document is unchanged. You can assert it. So can they. Without a hash, neither claim is independently verifiable.
The ex-employee and the NDA
An ex-employee joins a competitor. You want to enforce a non-solicitation clause from their offer letter. Counsel requests the full signing evidence. Your audit trail shows "signed on [date]" with no Aadhaar authentication record, no IP, and no device fingerprint.
Proving identity depends on the other party's voluntary acknowledgement — which, in this context, is not forthcoming. Your signed PDF is admissible. Its evidentiary weight is another matter.
Aadhaar eSign is the tier gate most Indian businesses miss
For Indian businesses, Aadhaar eSign is the strongest routine identity proof available. When a signer authenticates via Aadhaar OTP, two independent records are created: one at the eSign Service Provider and one at UIDAI's authentication infrastructure. The masked Aadhaar number and the UIDAI transaction reference are both logged.
That dual-log structure is materially harder to dispute than an email-link click. The signer would need to argue that their Aadhaar-linked mobile number was compromised and that the UIDAI authentication record is incorrect — a significantly heavier lift than claiming someone else accessed their email.
Aadhaar eSign is paywalled on every eSign platform, because it carries a real per-transaction cost: the licensed ESP pays UIDAI for each authentication, and that cost appears in the product's pricing structure. Free tiers absorb near-zero cost per signature; Aadhaar authentication cannot be absorbed at zero.
The implication: if you are sending employment contracts, vendor agreements, NDAs, or any document that involves money or IP to Indian signers, the identity-proof gap between a free tier and a paid Aadhaar-enabled tier is not a nice-to-have difference. It is the difference between a signature you can prove and one you can only assert.
Five questions to ask before you pick a tier
Before committing to any eSign tier, run through these. Ask for written or documented answers — not verbal assurances from a sales call.
1. What authentication method does this tier use? Email link, email OTP, Aadhaar OTP, and Class-3 DSC are different levels of identity proof. Know which one you are buying.
2. Does the audit trail include a document hash? Ask for a sample audit certificate from a completed document. If there is no SHA-256 or equivalent hash recorded at signing time, document integrity is unverifiable.
3. Are timestamps from a trusted time-stamping authority? Vendor-internal clocks can be adjusted retroactively. A timestamp from a CCA-accredited or globally recognised TSA is externally verifiable.
4. How long is audit data retained? Some free tiers purge audit data after 30–90 days. A 3-year service contract needs audit data that lasts at least 3 years — ideally longer.
5. Can the audit trail be exported as a standalone document? In a dispute, you will need to produce audit evidence to a court or counsel. If the audit trail only exists inside the vendor's platform, your access to it depends on your continued subscription.
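As an added example (not FlowVerify's code and not part of the original article), the five questions above can be turned into a checklist that is run over the sample audit certificate a vendor hands back. The JSON field names (`auth_method`, `document_hash_at_signing`, `timestamp`, `audit_retention_days`, `standalone_export_available`) are an assumed layout constructed for this example, as are the two sample certificates; a real vendor's certificate will use its own field names and needs mapping onto these first.

```python
"""Added example, not FlowVerify's code: the five questions above turned into a
checklist that can be run over a vendor's sample audit certificate.

The certificate layout (field names below) is an assumed JSON shape constructed
for this example; a real vendor's audit certificate will use its own field
names, so map them onto these before running the check."""
import hashlib
import re

# Identity-proof grades in the order question 1 lists them, weakest first.
AUTH_GRADES = {"email_link": 1, "email_otp": 2, "aadhaar_otp": 3, "class3_dsc": 4}
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def check_audit_certificate(cert: dict, contract_term_days: int, min_auth_grade: int = 2) -> list:
    """Return (question_number, finding) pairs for every question the certificate
    fails; an empty list means all five are answered acceptably."""
    findings = []

    # Q1: which authentication method was actually used, and is it strong enough?
    method = cert.get("auth_method", "")
    if AUTH_GRADES.get(method, 0) < min_auth_grade:
        findings.append((1, f"authentication method '{method}' is below the required grade"))

    # Q2: is a real SHA-256 (or equivalent) hash recorded at signing time?
    digest = cert.get("document_hash_at_signing")
    if not digest or not SHA256_HEX.match(digest.lower()):
        findings.append((2, "no SHA-256 document hash recorded at signing time"))

    # Q3: is the timestamp from a named time-stamping authority, not the vendor clock?
    ts = cert.get("timestamp") or {}
    if ts.get("source") != "tsa" or not ts.get("authority"):
        findings.append((3, "timestamp is vendor-internal or names no time-stamping authority"))

    # Q4: will the audit data still exist when the contract could be disputed?
    retention = cert.get("audit_retention_days", 0)
    if retention < contract_term_days:
        findings.append((4, f"audit data kept {retention} days, contract runs {contract_term_days}"))

    # Q5: can the trail be produced as a standalone document outside the platform?
    if not cert.get("standalone_export_available", False):
        findings.append((5, "audit trail exists only inside the vendor's platform"))

    return findings


# Constructed sample certificates, shaped like the two columns of the table above.
FREE_TIER_CERT = {
    "auth_method": "email_link",
    "document_hash_at_signing": None,
    "timestamp": {"source": "vendor_clock", "authority": None, "value": "2024-03-01T09:15:22Z"},
    "audit_retention_days": 90,
    "standalone_export_available": False,
}
PAID_TIER_CERT = {
    "auth_method": "aadhaar_otp",
    "document_hash_at_signing": hashlib.sha256(b"constructed sample document").hexdigest(),
    "timestamp": {"source": "tsa", "authority": "example-tsa (placeholder)", "value": "2024-03-01T09:15:22Z"},
    "audit_retention_days": 7 * 365,
    "standalone_export_available": True,
}
THREE_YEAR_CONTRACT = 3 * 365

if __name__ == "__main__":
    for name, cert in (("free tier", FREE_TIER_CERT), ("paid tier", PAID_TIER_CERT)):
        failed = check_audit_certificate(cert, THREE_YEAR_CONTRACT)
        print(name, "->", "passes all five" if not failed else failed)
```

`min_auth_grade` is the one knob worth thinking about per document type: email OTP is a reasonable floor for internal forms, while the Aadhaar grade (3) or a Class-3 DSC (4) is what the article argues for on contracts involving money or IP. Question 4 is evaluated against the contract term rather than a fixed number, because the retention you need follows from how long the agreement can be disputed.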
FlowVerify's paid tiers include Aadhaar eSign, document hashing at signing time, TSA-anchored timestamps, and audit certificates exportable as standalone PDFs. If you are sending documents that you might need to enforce, those features are not optional — they are what defensible signing looks like in practice.