Zum Hauptinhalt springen

Signatures

Atrium captures digital signatures on the kiosk tablet when visitors acknowledge documents. This page explains what's captured, how it's stored, and what it means legally.

What's captured

When a visitor signs a document on the kiosk, the system captures:

  • Signature image — A PNG image of the signature with a transparent background. This is what gets embedded in the archival PDF.
  • Stroke data — The raw coordinate data of every pen/finger stroke, with timestamps. This is a higher-fidelity record than the rasterized image — it can be replayed to verify the signature was drawn naturally (not pasted or forged).
  • Capture timestamp — When the signature was captured.
  • Device ID — Which kiosk tablet captured the signature.

How signing works on the kiosk

  1. After the visitor reads a document and taps "Read & Proceed to Sign," a signature pad appears on screen.
  2. The visitor draws their signature using their finger or a stylus.
  3. The pad shows the drawn signature in real time.
  4. If unsatisfied, the visitor can clear and redraw.
  5. Once a signature is drawn, the "Sign & Continue" button activates.
  6. Tapping "Sign & Continue" captures the signature and moves to the next document (or completes check-in).

The signature pad uses the full width of the tablet screen to give enough space for a natural signature.

Storage and retention

Signature data is PII and is subject to the same retention policies as visitor data:

  • Stored as a binary artifact linked to both the visitor record and the specific document version that was signed.
  • When a visitor record is deleted (manually or via automatic GDPR retention), all associated signature data is deleted with it.
  • Signature data is not accessible to other tenants — standard tenant isolation (RLS) applies.

Atrium captures digital signatures as evidence of acknowledgment — the visitor saw the document and signed it. This is the common legal standard for NDAs, safety policies, and data processing notices in most jurisdictions.

What Atrium provides:

  • Tamper-evident archival: the SHA-256 hash of the HTML snapshot + signature data is embedded in the PDF and stored separately. Modifications to either artifact are detectable.
  • Timestamp evidence: when the signature was captured, on which device.
  • Version tracking: exactly which version of the document was signed.

What Atrium does not provide:

  • Qualified electronic signatures (per eIDAS or equivalent regulations). These require integration with a qualified trust service provider and are only legally required for specific document types in specific jurisdictions. If your use case requires qualified signatures, this can be added as a post-processing step.
  • Non-repudiation in the cryptographic sense. The current hash-based approach provides integrity verification (the document wasn't tampered with), not non-repudiation (the signer can't deny they signed it). For the typical visitor management use case — acknowledging an NDA or safety policy — this level of evidence is sufficient.
Not a digital signature in the PKI sense

The term "digital signature" in Atrium refers to a handwritten signature captured electronically. It is not a cryptographic digital signature (PKI-based). If PKI digital signatures become a requirement for your documents, contact us about qualified electronic signature integration.