Document and Contract Management

Is the signature of a witness in a digital contract still necessary?

In Brazil, there are still doubts about the need for witnesses in a digital contract to be valid.

In practice, in some cases it is believed that, as with physical contracts, witnesses are not required for a digital contract to be binding.

In other situations, it is argued that because it is a digital contract, that is, an electronic document, witnesses must be required for it to be considered legal.

In still other cases, it is held that the validity of a digital contract should depend on the jurisdiction in which it is made.

Let’s understand the whole context and clarify all these points.

What is a digital contract?

Digital contracts can be understood as business or agreement concluded by electronic means, that is, formed and signed by means of a mobile device or computer.

In Brazil, since 2006, it has been possible to make valid digital contracts under the law. Law 11.419/06 regulated the use of electronic signatures in the country and allowed contracts to be signed online – without the need for paper or pen.

Since then, digital contracts have been adopted in commercial and personal relationships, whether they be for buying and selling, renting, providing services, or contracting health insurance, among others.

The ease of contracting online is one of the main advantages of the digital contract. All you have to do is access the company’s website or application to do business, without the need to go to a physical store or face lines to contract a product or service.

Another positive point is that digital contracts are stored safely, preventing the loss of important documents. In addition, digital contracts can also be easily shared – just send an email to the contractor.

The role of witnesses when signing a contract

Witnesses are usually required for important contracts and documents, such as records of purchase and sale, rent, and even in the provision of services.

Its role is to make sure that the parties involved in signing the contract are aware of their rights and obligations.

In addition, the witnesses also guarantee that the contracting parties agree with the content of the contract and that there is no mistake or misunderstanding at the time of signing.

However, despite the common use of witnesses in business formalization, there is no mandatory requirement. According to article 104 of the Civil Code, the contract is valid as long as it meets three requirements:

  1. Be performed by a capable agent;
  2. It deals with an object that is lawful, possible, determined or determinable;
  3. Whether performed in a manner prescribed by law or not.

In other words, contracts are legally valid even if they have no witnesses. Even without their presence, the document represents a legal transaction.

However, one point of attention must be emphasized: the contract without witnesses cannot be transformed into an extrajudicial title. This, in practice, means that the parties involved will not be able to enforce the contract in court if one of the parties does not fulfill its duties.

Item III of article 784 of the Code of Civil Procedure states that “to be an extrajudicial enforcement instrument, the contract (in this context, called a private document) must be signed by the debtor and two witnesses”.

However, the requirement of witnesses for digital contracts is still a controversial subject and there is no consensus about this in Brazilian legislation. This is due to the fact that there is still no specific regulation on digital contracts in the country.


Conheça as vantagens da assinatura eletrônica para empresas brasileiras


Witnesses in digital contracts: is it necessary?

Is the signature of a witness in a digital contract still necessary? This is a very common doubt among people who want to contract products and services over the Internet.

Virtual contracts are, in fact, a reality in Brazil. The ease and practicality of contracting products and services online make this modality one of the most preferred by consumers.

The digital signature is a technological resource that guarantees the authenticity of the contract and the legal validity of the contractual clauses. However, for the contract to be valid, the parties involved in the negotiation must be identified and have a valid digital certificate.

In practical terms, just as witnesses are not required for physical contracts, they are not required for digital ones either. However, it is worth remembering that the electronic signature of a digital contract has the same legal value as the physical signature.

What does the law say about the role of witnesses when signing a digital contract?

According to the understanding adopted by the Third Panel of the
Superior Court of Justice (STJ)
, in the session of judgment of Special Appeal No. 1.495.920/DF, held on May 15, 2018, the “Electronic contract with digital signature, even without the presence of witnesses, is an enforceable title”.

For Justice Paulo de Tarso Sanseverino, the reporting justice on the appeal regarding the validity of the electronic contract, STJ case law holds that the list of extrajudicial enforcement instruments provided for in article 784 of the
Code of Civil Procedure
(CPC) is exhaustive.

“It is possible to enforce electronic contracts in which the signatures of two witnesses are absent, even though the hypothesis in question is not described by the legal provision”.

It is worth noting that in order for electronic contracts to have the same validity as contracts entered into physically, they must be validated by means of a digital certificate according to the standard required by the
Brazilian Public Key Infrastructure (ICP-Brazil)

The STJ also recognizes the inconvenience of requiring the signatures of two witnesses in the context of electronic contracts, whose greatest virtue “is to enable parties that are distant from each other to maintain contractual relations quickly and inexpensively.

So that the imposition of the requirements that are normally demanded by article 784, CPC, could lead to the invalidation of digital contracts, especially in the scope of commercial transactions.

Although there is no specific legislation regarding the requirement of witnesses when signing a digital contract, the position adopted by the STJ has been used as a basis to ensure the debureaucratization of contractual relations.

evalSign: an important tool in digital contract signing and validation

If you are looking for a fast, easy and secure way to sign documents and adopt an efficient digital workflow, evalSign is the perfect solution for you. The evalSign solution is more than just an electronic signature – it is a digital experience that makes signing documents simple and fast.

Offered by EVAL Technology, to optimize the process of electronically signing or collecting signatures from customers in different industries and company sizes, the evalSign solution is a complete solution for document approval workflows, advanced digital signatures, and document status tracking.

It allows you to electronically sign documents, anywhere and anytime, in a practical, secure, and dynamic way. Designed to quickly optimize the way companies deliver, review, approve, and sign their business documents. And since evalSign is a digital signature, you can be sure that your documents are safe and secure.

evalSign provides a fast and easy digital signature platform for sending, viewing, signing, and returning your electronic documents.

evalSign is the perfect solution for companies of all sizes

Whether you are a small business or a large corporation, evalSign can help you save time and money. In practice, there is no need to print out documents or make copies for each person.

And since evalSign is a digital signature, you can be sure that your documents are safe and secure.

In practice, the evalSign solution presents as practical benefits the management of large numbers of contracts and other documents:

1. improves document organization

By using the evalSign solution, you can organize your documents simply and quickly. You and your company have access to all your documents in one place – just log in to your account and you can access all your signed documents.

evalSign also offers the option of sharing signed documents with others, which makes document management even easier and faster.

2. Increases security in information exchange

With evalSign, you can be sure that your information is secure. This is because all documents are encrypted and stored on secure servers.

The solution offers the option of user authentication, which makes sharing documents even more secure and legally valid.

3. Optimizes processes

By using the evalSign solution, you can optimize your internal processes, and you can sign documents anywhere in the world, at any time – all you need is an Internet-enabled device.

You can create PDF documents and send them for signature with just a few clicks. This means that you no longer have to worry about sending paper documents for signature.

4. It is even more sustainable

By using the evalSign solution, you also contribute to a better world. This is because evalSign is a sustainable solution, which does not use paper or other materials to function.

In addition, the solution is fully digital, meaning no energy is wasted on printing and other paper-related activities.

5. Facilitates process management

By using evalSign, you also make it easier to manage your processes. With the solution you can monitor all signed documents in one place – just log in to your account to track the status of each document.

In addition, you can set up alerts so that you are notified as soon as a document is signed. This means that you don’t have to monitor processes manually.

6. It is a legally valid solution

By using the evalSign solution, you can also be sure that your signature is legally valid. This is because evalSign is ICP-Brasil certified, which means that its signature has the same legal validity as a conventional signature.

In practice, all documents are encrypted and stored on secure servers. This means that your subscription is protected against fraud and invasions of privacy.

For all these reasons, it is clear that evalSign is the ideal solution for companies of all sizes. With the solution, you can save time and money, and contribute to a better world. Try evalSign right now and see how your company can benefit!

If you are looking for a fast, easy and secure way to sign documents, evalSign is the perfect solution for you.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Data Protection

Cryptographic Key Management in Healthcare: A Real Challenge

The use of cryptography and cryptographic key management in healthcare to protect data at rest or media is a reality for medical institutions and users of services such as cloud storage, messaging and many others.

However, those responsible for these services are presented with many options for cryptographic mechanisms and consequently there are many choices to be made.

Poor choices in cryptographic key management in healthcare can result in little or no gain, even loss, creating a false sense of security in a healthcare organization’s data.

For example: encrypt a database and keep the cryptographic key in a file on the server.

In this article we intend to address some relevant aspects for the information security of data in the health area that are related to cryptographic keys.

With this we will show the importance of their correct management for the programming of cryptographic services.

To facilitate understanding, we will divide the article into three parts. Starting with the basics about cryptography, cryptographic services and finally cryptographic key management.

Cryptographic Key Management in Health and Data Encryption

Cryptography is a set of principles used to ensure the security of information in a healthcare institution.

To this end, cryptographic key management in healthcare employs techniques to transform one piece of information (cipher) into another (cryptogram) that is readable only to those who know the secret (secret key).

By keeping this secret safe, we prevent unauthorized persons from gaining access to the original information (decrypt).

  • Secrecy

The security of cryptographic services is based on the secrecy of the cryptographic key, which allows encryption and decryption, and not on the method of transforming the information, i.e. the algorithm used, which must be public.

  • Symmetric and asymmetric keys

In cryptography there are two basic types of algorithms: symmetric and asymmetric key. The former use a single key to encrypt and decrypt the data, while the latter adopt a pair of keys, one for encryption and the other for decryption.

Cryptographic services

There is really no 100% method, not for health or any other area, but some guidelines can help reduce or prevent attacks.

One of the first steps to be taken into consideration is the confidentiality of each patient’s data. Use a network where only authorized persons have access.

Looking for special storage for your data is also one of the ways to prevent data leakage. There are storages that can help digital health security in this regard.

As mentioned above, it is clear that encryption and cryptographic key management in healthcare are the most efficient ways to prevent data theft in healthcare.

Whether it is to protect data at rest, i.e. that is stored, or even to protect data in transit, i.e. that travels on the network, coupled with strict access control are essential to help the hospital keep data protected.

It is worth remembering that it is super important to protect the perimeter with a firewall on your network and also to protect the desktop / servers with antivirus, among many other tools.

  • Confidentiality

According to studies
email attacks grew by 473%
2017-2019 for health alone. The maintenance of outdated legacy systems is one of the reasons for this high volume of attacks.

Another study estimates that spending on advertising alone, due to image risk,
increases by 64%
in hospitals that suffer data leaks.

Confidentiality has to start with the adoption of an Electronic Patient Record (EPP), which in addition to centralizing the medical data of each care (complete history), facilitates the achievement of prestigious accreditations in the sector, such as HIMSS (Health Information and Management Systems Society), linked to good health IT practices.

You need to train your staff constantly to avoid improper access and use of the applications provided within the institution.

Confidentiality of data through encryption, management of cryptographic keys in health and with proper access control, also ensures that information cannot be viewed by third parties and that only authorized persons have access to it.

  • Integrity

The technique for ensuring integrity is in short, when a given piece of information is not modified in an unauthorized way after its creation, during transmission or storage.

Whether the change is accidental or intentional, the insertion, removal or replacement of data must be detected. Cryptographic mechanisms such as cryptographic digest, also known as hash, and digital signature provide the support for this service.

  • Authentication

The authentication service verifies the identity of a user in order to have some assurance that the person is who they say they really are. There are several authentication mechanisms, user and password is a well-known model, but so is authentication using a digital certificate.

In the digital certificate model, one can use the SSL protocol, or even login digital signatures as an authentication model. The digital certificate is interesting to use the ICP-Brazil model or another that the organization trusts, such as Internal Certificate Authority.

In the ICP-Brasil Certifying Authorities, it is in the process of issuing the digital certificate that the person needs to attend a face-to-face validation, now there is also the remote modality, with original documents that prove the identity of the applicant.

Hybrid Infographic HSM

  • Irretractability

The non-retractability service provides the means to ensure that whoever created information cannot deny its authenticity, or at least that it is difficult to deny.

In this sense, it is linked to the digital signature, in which the owner of the private key cannot deny that he has held it for a particular purpose.

  • Authorization

Additionally, after authentication, it is possible to use the information of the authenticated user in the system to define the authorization of the information. The authorization service provides approval or permission for the execution of an activity.

As an example, the authorization service can be employed to define the permissions to use a cryptographic key that would consequently allow access to a certain piece of information.

Cryptographic key management in health

Cryptographic keys are the foundation of cryptography and the security of encrypted data lies in them. Breaches can lead to the compromise of keys and, consequently, the leakage of sensitive information such as patient records.

The increase in the use of encryption for data protection in healthcare institutions, mainly due to government regulation, means that they have to deal with multiple solutions to encrypt data, see LGPD.

Because of the diversity of vendors, organizations also need to define various procedures for managing cryptographic keys, and these are not always adequate.

Cryptographic key management consists of storing, protecting, organizing and ensuring the proper use of cryptographic keys, managing their lifecycle and maintaining backup copies in a secure and consistent manner.

  • Secure storage of keys

The keys should be stored securely, i.e. encrypted and with access control.

Encryption should preferably be performed by means of keys (
) protected on a cryptographic hardware, preferably.

  • Identification of keys

It should be possible to identify a key, its type, its purpose, who is authorized to use it and the period of use.

Life cycle of cryptographic keys

The lifecycle of cryptographic keys must be controlled so that they are used properly during their validity period – i.e. only authorized persons or systems can use them during a predefined time and with secure mechanisms so that they are not compromised.

We will describe the life cycle of the keys, according to NIST recommendation.

The life cycle of a key starts with generation and ends with destruction, passing through one or more of the states described below:

  • generation: moment of creation of the key, which is not yet ready for use;
  • pre-activation: the key has been generated but is not yet ready for use because it is waiting for the period of use or the issuance of a certificate;
  • activated: the key is available for use;
  • suspended: the use of the key is temporarily suspended. In this state, it can no longer perform ciphering or signing operations, but can be used for data recovery or verification of signatures previously performed.
  • inactivated: the key can no longer be used for ciphering or digital signing, but is kept for processing data ciphered or signed before inactivation.
  • compromised: indicates that the key has its security affected and can no longer be used in cryptographic operations. In some cases, as in symmetric keys, it can be used to recover the encrypted data for later encryption with another key.
  • destroyed: this status indicates that a key is no longer required. The destruction of the key is the final stage and can be achieved due to the end of the key’s usage cycle or the compromise of its security.

Generally speaking, both healthcare institutions and all organizations should focus on continuous improvement while managing their risks at a price that is compatible with their reality.

Companies should critically evaluate how to protect their systems. They should also consider the “root causes” of security incidents in their environments as part of a risk assessment.

As systems become more secure and institutions adopt effective measures to manage their processes, key management becomes increasingly essential. Protecting a healthcare organization’s data is critical to the security of its patients’ information.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.

Digital Signature

What is the legal value of an electronic signature?

In the past, many people were reluctant to use electronic documents or signatures, questioning their legal validity and ability to use them as evidence in court cases or other legal contexts.

Here in this text the idea is to approach a little of what we have seen in these years, since the MP2200 that gave legal validity to electronic signatures. The idea in this article is a look at a technology company, so we will cover some signature models to help you in the process of defining a type of e-signature that fits well for every business in your institution.

Consulte o departamento jurídico

It is worth remembering that you should always consult with the legal department to find out what type of electronic signature should be used for each business in your organization.

Having made these initial considerations, let’s get to it. In most Western countries this reluctance to use electronic signatures is already unnecessary, as legislation has been updated to recognize electronic documents and signatures. In other words, it cannot be denied legal effect, enforceability, or admissibility as evidence in legal proceedings just because they are in electronic format.

To get an idea of the impact of electronic signatureIn the US the Electronic Signatures in Global and National Commerce Act, the Uniform Electronic Transactions Act, and other (state) laws also regulate in this regard.

Here in Brazil it could be no different. Through Provisional Measure No. 2200 of August 24, 2001, almost 19 years ago, which established the Brazilian Public Key Infrastructure, the ICP-Brasil, the authenticity, integrity, and legal validity of documents in electronic form, support applications, and enabled applications that use digital certificates, as well as secure electronic transactions were guaranteed.

Additionally, he also talks about other forms of electronic signatures without the need for digital certificates, which add value to the business, so it is important that the legal area of the institution validates which electronic signature model should be used in each case.

In addition, we have the Civil Code and the National Tax Code that also serve as the legal basis for the use of the electronic signature in electronic transactions.

E-signatures represent one of the biggest opportunities to start doing digital business

What is an electronic signature? This is a signature made electronically using information systems, in which there are several types, among the best known:

  • Digital Signature ICP-Brasil;
  • Digital Signature;
  • Electronic signature with third-party seal;
  • Behavioral e-signature;
  • Authenticated electronic signature;
  • Basic electronic signature;

Most of them seek to identify the author of the action, others furthermore seek the integrity of the data, and finally, the most secure one also seeks a mechanism that guarantees non-repudiation.

So we are sharing with you different types of existing subscriptions for you to learn about, helping you with the choice of the best alternative – be it your institution. Our goal is to explain and help, not to set absolute rules. Because there may be specific legislation, rules and/or standards for different specializations, performances, and documents to be signed.

Thus, this guide does not assume that it is necessary to choose only one type of signature in the institution; several types of signature can coexist in the same infrastructure, responding to different types of needs and documents, providing a secure and scalable way of digital transformation of the institution.

Conheça as vantagens da assinatura eletrônica para empresas brasileiras

Main Features

In order to reflect the same legal value as a handwritten signature, an online electronic signature must meet the following conditions:

  • The signer must have an associated identity;
  • The intention to sign is also another important question;
  • Integrity is important, so the document to be signed must be original, unalterable and uneditable;
  • Another important point is whether the signature system is auditable, whether it provides important information for future verification;

Anyway, there are other features that can be added and provide even more security, but this should be the basics.

Are electronic signatures legal everywhere?

The answer is that it depends on where you are doing business.

In 27 countries – including Brazil, China, the United States, Russia, Australia, Canada, and European Union countries – the electronic signature is legally binding. Besides believing in the security of electronic signatures, it is essential that you research the laws and the weight of digital or electronic signatures in the country you are in.

If you live in a country that has not yet passed legislation, you can of course fall into a gray area of the law and your electronic signature will be accepted in many if not most contracts, however, it may not be legally binding in court.

So, which electronic documents are really valid?

In short, any electronic version should be considered equal to its equivalent version, ensuring that it meets the functional characteristics of the formal requirements of the applicable law.

Only in specific situations should an explicit paper document be used, for example to buy real estate in most countries you will need to go to a notary or legal representative for an action.

Fortunately, in most personal or business situations, the format of the document is the individual’s choice, even to the extent of a contract written on a napkin, if desired!

Examples of electronic signatures:

Basically there are different types of documents to be signed electronically:

  • Internal Authorizations,
  • E-mails,
  • Commercial contracts,
  • Contracts with suppliers,
  • NDA;
  • Internal memos,
  • HR Processes,
  • Purchase orders.

In short, all processes, forms, contracts that need a signature can use the electronic signature, as long as they do not have legislation mandating the use of handwritten signatures. Finally, it is necessary to pay attention to whether the type of document to be signed has specific legislation for the case. So always consult the legal department.

In addition, there are different file formats for signed documents, including:

  • Word format,
  • PDF,
  • XML,
  • Image formats, like JPG or PNG for example.

The most common file format is PDF, because it is easy to view and there is already a culture of it being a format that does not change. So you can have a prior negotiation of what is going to be signed, and then when everyone is in agreement, the PDF is generated with the content to be signed.

The electronic signature is already a reality

In a survey done by EVAL at CIAB 2019, 92% of decision makers said they use electronic signatures. No wonder that most of today’s transactions can already be signed electronically.

Think of the plethora of online documents formed with the click of an “I Accept” button, or with a name typed at the end of a reply e-mail, or authenticating the user, as well as obtaining a behavioral electronic signature, or even a digital signature.

The latter, the ICP-Brasil digital signature, is always compared to the notary-authenticated handwritten signature, so if you have documents that require notary authentication this may be the recommended electronic signature model. But remember, always consult the legal department to know the best electronic signature model to be used for each business of your institution.

About Eval

A EVAL está a mais de 18 anos desenvolvendo projetos nos segmentos financeiro, saúde, educação e indústria, Desde 2004, oferecemos soluções de Autenticação, Assinatura Eletrônica e Digital e Proteção de Dados. Atualmente, estamos presente nos principais bancos brasileiros, instituições de saúde, escolas e universidades, além de diferentes indústrias.

Com valor reconhecido pelo mercado, as soluções e serviços da EVAL atendem aos mais altos padrões regulatórios das organizações públicas e privadas, tais como o SBIS, ITI, PCI DSS, e a LGPD. Na prática, promovemos a segurança da informação e o compliance, o aumento da eficiência operacional das empresas, além da redução de custos.

Inove agora, lidere sempre: conheça as soluções e serviços da Eval e leve sua empresa para o próximo nível.

Eval, segurança é valor.