Skip to main content

PDF Archive

After a visitor signs a document at the kiosk, Atrium generates an archival PDF that serves as the permanent legal record. This happens automatically in the background — no manual step required.

How PDFs are generated

PDF generation is asynchronous. It doesn't happen during the check-in flow (which would slow down the kiosk experience). Instead:

  1. The kiosk submits the rendered HTML snapshot and signature data to the server during check-in.
  2. A visitor.documents_signed event is emitted.
  3. A background process picks up the event and sends the HTML to the WeasyPrint PDF generation service.
  4. WeasyPrint converts the HTML to PDF, embedding the visitor's signature.
  5. The PDF is stored as an immutable artifact linked to the visit record.

The PDF is typically available within seconds of check-in, but it's not guaranteed to be instant. If the PDF generation service is temporarily unavailable, the event is retried automatically.

What's in the PDF

Each archival PDF contains:

  • The full document content — The rendered template with all variables filled in (visitor name, date, host, etc.). This is the exact content the visitor saw on the kiosk.
  • The visitor's signature — Embedded as an image in the signature area.
  • Metadata footer — Visitor name, date/time of signing, template ID, template version, device ID (which kiosk), and document hash.
  • Document hash — A SHA-256 hash of the HTML snapshot + signature data, printed in the footer and stored in the PDF metadata.

Tamper evidence

The document hash provides tamper evidence:

  • The hash is computed from the original HTML snapshot and signature data at the time of signing.
  • The same hash is stored independently in the database (not just in the PDF).
  • To verify integrity: recompute the hash from the stored HTML snapshot and signature data, and compare it to the hash in the PDF footer and the database.

If the PDF, the HTML snapshot, or the signature data is modified after signing, the hashes won't match. This makes tampering detectable.

This is integrity verification, not a cryptographic signature. It proves the document wasn't altered after signing. It does not, by itself, prove who signed it (that's established by the visitor record, the kiosk device ID, and the timestamp).

Accessing archived PDFs

Archived PDFs are accessible from the visit detail view in the admin dashboard. Each signed document is listed with:

  • Template name and version.
  • Date and time of signing.
  • A download link for the PDF.

Only users with access to the visit's site can view and download the archived PDFs.

Retention

Archived PDFs are subject to your tenant's data retention policy. When a visitor record is deleted (manually or via automatic retention), all associated PDFs, HTML snapshots, and signature data are deleted with it.

The default retention periods described in the GDPR Data Processing Notice template are: 12 months for visitor records, 36 months for signed documents. These are configurable per tenant. See Data Retention.

PDF generation engine

Atrium uses WeasyPrint for PDF generation — a purpose-built HTML-to-PDF renderer. It runs as a lightweight sidecar container in the Atrium stack. WeasyPrint produces high-fidelity PDF output from standard HTML/CSS without requiring a headless browser.

In self-hosted deployments, the WeasyPrint sidecar is included in the Docker Compose stack. It's stateless: it receives HTML, returns PDF, stores nothing.