The Certificate of Completion (CoC) is a 2-page PDF generated automatically when every required signer completes a document. It travels alongside the signed document as a separate attachment in the completion email and is downloadable from the document detail page at any time.
What's in it
Page 1 — Summary
- Document details: title (English + Arabic), Envelope ID (the industry-standard term for the document's unique identifier), creation + completion timestamps
- QR code linking to the public verify URL
- Audit trail: rich timeline of every meaningful event — invitation sent, email link clicked, document viewed, OTP sent, OTP verified, document signed, completion. Each row carries the actor name + email, IP address, user agent (for the initiating step), and authentication method
- Signers summary: compact list of who signed when, with signature level (SES)
- Document integrity: SHA-256 hashes (original and signed), audit chain validity, total event count, RFC 3161 timestamp from a trusted TSA, PKCS#7 seal confirmation
- Certified seal (green, bottom-right): rendered when audit chain validates; suppressed entirely when chain is invalid
Page 2 — Per-signer forensic detail
For each signer:
- Email verification status (Verified via OTP)
- Signature level
- IP address used at signing
- Time zone reported by the signer's browser
- Internal session ID (truncated for readability)
- Signed-at timestamp
- Full user agent string
- Every captured field value (inline signature image, full name, date, checkbox state, etc.)
- Typed signatures render in the same script font the signing UI uses, so the cert visually matches what the signer saw
Why it matters
The CoC is the document you produce when someone challenges a signature. It's designed to answer every forensic question a court / arbitrator / regulator asks:
- "Did the signer agree to use electronic signatures?" — Audit trail shows disclosure_agreed event with the disclosure version they accepted
- "Did they receive the email?" — Audit trail shows document_sent
- "Did they click the link in the email?" — email_link_clicked event with timestamp + IP
- "Did they read the document?" — document_viewed event
- "Did they verify their identity?" — otp_sent and otp_verified events with the method used
- "What did they actually sign?" — Captured field values + signed PDF hash that the verify URL can re-validate
Verifying after the fact
Every CoC carries the verify URL at the bottom — both human-readable and as a QR code. Anyone with the URL can open /verify/{document-id} on SahlSign and see the document's current state + audit chain validity. The verify page is public (no auth required) so external counsel or auditors can independently confirm the chain.
What if the cert is invalid?
If the audit chain ever returns INVALID, the Certified seal is suppressed from the CoC entirely. We don't slap "Certified" on a tampered document — the absence of the seal IS the signal. The verify page also surfaces the invalidity loudly.
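The following is an added illustration, not SahlSign's code, of how an audit chain check can drive the seal decision described above. It assumes a SHA-256 hash chain in which each entry hashes the previous entry's hash plus the event, and a head hash recorded at completion; the page does not describe the actual construction, and every function and field name here is hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry

def entry_hash(prev_hash, event):
    # Canonical JSON so the same event always hashes to the same value.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def build_chain(events):
    chain, prev = [], GENESIS
    for event in events:
        prev = entry_hash(prev, event)
        chain.append({"event": dict(event), "hash": prev})
    return chain

def verify_chain(chain, expected_head):
    """Return (valid, index of the first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry_hash(prev, entry["event"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    # Dropped trailing events, or a fully recomputed chain, keep every link
    # intact, so also compare against the head recorded at completion
    # (assumed to be stored outside the trail itself).
    if prev != expected_head:
        return False, len(chain)
    return True, None

def certificate_summary(chain, expected_head):
    valid, bad = verify_chain(chain, expected_head)
    return {
        "audit_chain": "VALID" if valid else "INVALID",
        "total_events": len(chain),
        "first_bad_entry": bad,
        "render_certified_seal": valid,  # seal is suppressed when invalid
    }

# Constructed sample trail using the event names listed on this page.
SAMPLE_EVENTS = [
    {"type": t, "actor": "signer@example.com", "ip": "203.0.113.7", "seq": n}
    for n, t in enumerate(["disclosure_agreed", "document_sent",
        "email_link_clicked", "document_viewed", "otp_sent", "otp_verified"])
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]
    print(certificate_summary(chain, head))
    chain[5]["event"]["ip"] = "198.51.100.9"  # edit the otp_verified row
    print(certificate_summary(chain, head))
```

Editing any stored event breaks the link at that row, while truncating the trail or recomputing every hash after an edit is caught only by the comparison against the recorded head.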