Skip to main content

Digital signatures

Phase 2 — Not yet available

Digital signatures are planned for a future release. This page describes how the feature will work when it becomes available. The Digital Signatures section does not currently appear in the Company Portal.

The feature is pending the eIDAS 2.0 Qualified Trust Service Provider (QTSP) technical specifications for Qualified Electronic Seals, expected Q4 2026 – Q1 2027. Traceable's internal SHA-256 document integrity records (a platform-level signature without QTSP backing) are planned for an earlier release. This page will be updated when the first tier becomes available.

For tamper-evidence of documents right now, use the Audit Trail, which records all document upload and version events.

Digital signatures in Traceable certify the contents of a document at a specific point in time, linked to the identity of the person who signed it. A signature creates a verifiable, tamper-evident record that a named individual in your organisation reviewed and attested to a document on a given date.

This is particularly important for Declarations of Conformity, where EU Battery Regulation 2023/1542 requires the responsible operator to formally certify the declaration, and for internally produced compliance documents that need to carry authoritative sign-off.

What a Digital Signature Does in Traceable

A Traceable digital signature:

  • Records the signer's identity (name, email address, and job title from their user account profile)
  • Records the exact timestamp of the signature (UTC, to the second)
  • Records a cryptographic hash (SHA-256) of the document content at the moment of signing

The combination of signer identity, timestamp, and document hash means that the signature can be used to verify, at any future point, that the document has not been altered since it was signed. If the document is modified after signing, the hash will no longer match and the signature will show as invalid.

Traceable digital signatures are not qualified electronic signatures under eIDAS Regulation (EU) 910/2014. They are advanced-level signatures tied to platform identity. For regulated contexts that specifically require a qualified electronic signature (QES), consult your legal team on whether a QES from an accredited trust service provider is additionally required.

How to Sign a Document

  1. Navigate to Compliance > Documents.
  2. Open the document you want to sign.
  3. Confirm the document is in its final state — once signed, any modification to the document will invalidate the signature.
  4. Click Sign Document.
  5. A pre-signing confirmation panel appears showing:
    • Your name and job title as they will be recorded on the signature
    • The document name and version
    • The current UTC timestamp
    • The statement: "By proceeding, I confirm that I have reviewed this document and attest to its accuracy."
  6. Click Confirm Signature. The signature is applied immediately.

After signing, the document record shows a signature badge with the signer name and timestamp. The document detail page has a Signatures section listing all signatures applied to this document.

What a Signature Record Contains

Each signature record stores:

FieldDescription
Signer nameFull name from the signer's Traceable user profile
Signer emailEmail address of the signing user account
Job titleJob title from the signer's profile at the time of signing
TimestampUTC date and time to the second (e.g., 2026-04-07T14:32:05Z)
Document hashSHA-256 hash of the document file content at the moment of signing
Document versionThe version number of the document that was signed
Signature IDA unique identifier for this specific signature event

The signature record is stored separately from the document file. If the document file is updated (creating a new version), the signature on the previous version remains intact and still valid for that version.

Verifying a Signature

To check whether a signature is still valid — i.e., that the signed document has not been altered since signing:

  1. Open the document in the document library.
  2. Go to the Signatures section.
  3. Click Verify next to the signature you want to check.
  4. Traceable recomputes the SHA-256 hash of the current document file and compares it to the hash stored in the signature record.

Result: Valid — The hash matches. The document content is identical to what was signed. The signature record is intact.

Result: Invalid — The hash does not match. The document file has been modified since it was signed. This indicates either that the document was edited after signing (which should not happen — documents should not be edited after signing) or that a document integrity issue has occurred. If you see an invalid result, do not use this signature for compliance purposes. Investigate the document history in the Audit Trail and contact Traceable support if the cause is unclear.

Revoking a Signature

A signature can be revoked if it was applied in error (for example, if the wrong document version was signed, or if you later discovered an error in the document after signing).

Important: Revoking a signature does not delete the signature record. The revocation is recorded in the signature history with a timestamp and the reason provided. This preserves the audit trail while marking the signature as no longer operative.

To revoke a signature:

  1. Open the document.
  2. In the Signatures section, click Revoke next to the signature.
  3. Enter a reason for revocation (required for audit purposes).
  4. Click Confirm Revocation.

Only the user who applied the signature, or an account administrator, can revoke it. Revoked signatures are shown in the signature list with a "Revoked" badge and the revocation reason.

Declaration of Conformity Signing Workflow

The Declaration of Conformity (DoC) has a specific signing workflow in Traceable, reflecting its regulatory significance:

  1. Draft the Declaration — upload the DoC PDF to the document library with category set to "Declaration of Conformity".
  2. Associate with product(s) — link the DoC to the relevant product(s). A single DoC can cover multiple product models if the manufacturer's DoC is structured that way.
  3. Set access control to DPP-visible — the DoC must be publicly accessible on the DPP, per EU Battery Regulation requirements.
  4. Sign the document — the signing user should be the person within the organisation who holds the legal authority to sign the DoC (typically the compliance manager or legal representative).
  5. Publish the DPP — the signed DoC is now linked to the published DPP and visible on the public DPP viewer.

If the DoC needs to be updated after signing (for example, to cover additional product models or to correct an error), upload the updated version using Upload New Version, then sign the new version. The previous signed version is retained in version history.

Multi-Party Signing

Some compliance documents — particularly internally produced audit reports and certain supplier attestations — require signatures from multiple parties. Traceable supports multi-party signing with a defined signing order.

Setting Up Multi-Party Signing

  1. Open the document.
  2. Click Request Signatures.
  3. Add the required signers in order:
    • Enter each signer's email address.
    • Set the signing sequence (Signer 1 must sign before Signer 2 is notified, and so on).
    • Optionally add a note to each signer explaining what they are signing and why.
  4. Click Send Signature Requests.

How Signers Are Notified

Each signer receives an email notification when it is their turn to sign. The email contains:

  • The document name and a description of what they are being asked to sign
  • A direct link to the document in Traceable (signers who are not already Traceable users receive a time-limited guest access link)
  • Any note you added during setup

After signing, the next signer in the sequence is automatically notified.

Tracking Multi-Party Signing Progress

From the document's Signatures section, you can see the full signing sequence and the current status of each signer:

  • Pending — awaiting the previous signer to sign before this signer can proceed
  • Notified — the signer has been notified and it is their turn to sign
  • Signed — this signer has completed their signature
  • Declined — this signer declined to sign (see below)

If any signer in the sequence declines to sign, the signing process is paused. The document creator is notified, and the pending signers in the sequence are placed back into "Pending" state. You can then address the signer's concerns and re-request their signature, or modify the signing sequence if the situation requires it.