How to Integrate eSign into Your Application (ASP Guide)

The process to integrate eSign into your application starts with understanding how the eSign online Electronic Signature Service works. It allows anyone who can be authenticated through acceptable e-KYC services to sign a document electronically.

eSign Electronic Signature Service can be integrated with various service delivery applications so that an eSign user who has been authenticated through e-KYC (AADHAAR based e-KYC) can digitally sign a document. It is designed to apply a Digital Signature based on the authenticated response received from the e-KYC service pertaining to the eSign user's demographics.

The stakeholders involved in the process include the Application Service Provider (ASP), eSign Service Provider (ESP), the Certifying Authority (CA) and e-KYC Providers. All these players are instrumental in the signing of a document through eSign. This blog post details the entire process for eSign integration, from the ASP initiating the process by submitting its application up to the ESP granting production access to the ASP for performing eSign.

How to Integrate eSign into Your Application (Quick Answer)

To integrate eSign into your application, you need to:

  • Apply to an ESP (RISL CA eSign project)
  • Submit required documents – Application form signed by Authorized Signatory, and KYC documents of the Authorized Signatories (AADHAAR Card, PAN, etc.).
  • Sign agreement with ESP (On Non-Judicial Stamp Paper of Rs 500).
  • Submit Digital Signature Certificate (DSC).
  • Integrate eSign API in UAT environment.
  • Complete audit (Submit Security Audit Report by a Cert-In Empanelled Auditor).
  • Submit go-live checklist.
  • Get production access.

After this, your application can offer legally valid digital signatures.

ASP On Boarding Process

Application Service Providers (ASP) are the entities that offer end users various online services through an application they own or operate. However, in the case of Central or State Government, its IT department can facilitate eSign service for other departmental applications.

ASP needs to complete the on-boarding procedure with the desired eSign Service Provider. On successful completion of the on-boarding procedure, ESP shall grant the ASP access to the production environment of eSign.

ASP Eligibility Criteria

The agency which desires to integrate eSign service should either be:

  • A Central/ State Government Ministry / Department or an undertaking owned and managed by Central / State Government, or
  • An Authority constituted under the Central / State Act, or
  • A Not-for-profit company / Special Purpose organization of national importance, or
  • A bank / financial institution / telecom company, or
  • A legal entity registered in India

Any legal entity registered in India shall be eligible subject to fulfillment of the criteria given below:

  1. Should be an organization incorporated under Companies Act, 1956, Registrar of Firms, LLP Registered; OR An association of persons or a body of individuals, in India, whether incorporated or not
  2. Should not have been blacklisted by any State Government, Central Government, Statutory, Autonomous, or Regulatory body.

Overview of on-boarding process

Below is the overview of the process, to be carried out by ASP in order to integrate eSign.

  • Application form submission by ASP.
  • Submission of supporting documents by ASP.
  • Acceptance / agreement to terms of eSign service by ASP.
  • Submission of Digital Signature Certificate (public key) by ASP.
  • Integration of API in ASP application in testing / preproduction environment of ESP.
  • Conducting audit and submission of Audit report by ASP.
  • Grant of production access by ESP.

Application Form Submission

  • Application form should be made specific to a particular ESP. For this purpose, each ESP may share a format of application form, or ASP may use this, addressing it to the specific ESP.
  • Application form should be submitted in original, and bear the signature / attestation of Authorized signatory of the organization.
  • In case of application form being submitted through paperless mode (email, etc), it shall be digitally / electronically signed by authorized signatory of the organization.
  • ESP shall grant the access to eSign only after receiving completed application form from ASP.
  • ESP may seek additional information over and above that already included in the application form.

Supporting Documents Submission

ASP shall submit supporting documents towards KYC verification and other requirements of on-boarding. These documents should be duly attested and forwarded by the authorized signatory of the organization.

Acceptance/Agreement to terms of eSign Service

The ASP should enter / agree to the terms of service with the eSign Service Provider (ESP) to enable eSign in their application / software. The scope of this process is:

  • To define the terms of service between ASP and ESP.
  • To define scope and obligation of ASP.
  • The terms and conditions for integration and termination of eSign service.
  • To define various inputs that are critical for success of process / activities.

Note: The sample agreement is available on CCA website for reference only. The eSign requirements in respect of security, consent, audit and communication shall be enforced through undertaking by ASP or an agreement between ESP and ASP.

At this stage, an ASP is expected to understand the ESP services and agree to fulfill the requirements as per specifications including setting up infrastructure and aligning business process applications to the eSign services.

ASP is also expected to understand that eSign service is a regulated service under the provisions of Information Technology Act.

Integration of API in ASP application in UAT/Production environment of ESP

ASP builds the required infrastructure for adopting eSign service. ESP provides access to the pre-production environment and enables the ASP to establish end-to-end connectivity to carry out eSign services testing and integration.

Audit for Integrating eSign into Your Application

ESP shall ensure that the ASP application is compliant with the requirements mentioned in the e-authentication guidelines and all other applicable regulations. For this purpose:

  • ASP should submit the report/ certificate to ESP prior to gaining production access. The audit report shall be examined prior to completion of on-boarding.
  • ASP shall appoint eligible auditor and perform the audit.
  • ASP shall submit the audit report in original to the ESP. Such audit report should not be older than 3 months. In case ASP is taking service from multiple ESPs, a common audit report can be submitted.
  • Audit report should comply positively to all Audit requirements. No open comments / objections should be reported by the auditor. A complete detailed checklist for Audit has been provided here.
  • ASP audit should be carried out by an Auditor empanelled by Cert-In / IS Auditor.
  • ASP should carry out the audit prior to the completion of one year from the date of completion of last audit. Audit report shall also be examined on a yearly basis by ESP by requesting a fresh audit report. ASP should submit annual compliance report with the same audit requirements and procedures provided here, upon request by ESP, within 30 days.
  • In special circumstances, ESP can initiate audit or seek audit report from ASP.
  • In respect of e-KYC compliance requirements, ESP shall carry out necessary auditing of ASP as applicable separately.

Confirmation on readiness to Go Live by ASP

ASP shall notify ESP about its readiness for migration to the production environment. Subsequently, ASP completes the Go Live checklist and submits the Go Live request. ESP shall scrutinize the ASP Go Live request as per the Go Live checklist and supporting documentation, before moving forward to production access.

Production Access to Integrate eSign into your Application

ESP shall ensure successful scrutiny of the following before granting production access:

  • Application form.
  • Supporting documents.
  • Acceptance of terms of service.
  • Digital Signature Certificate submission.
  • Integration / testing completion in preproduction / testing environment.
  • Audit report.
  • Go Live checklist.
  • Internal approvals and clearance within ESP organization.

On successful completion, ESP grants the access to production environment in the form of necessary URLs and ASP code. ESP shall ensure that such information is securely shared with the relevant person in ASP organization.
