Trust & verification
Should I trust FreeSign?
The honest answer: you should not have to take our word for it. A FreeSign signature is built so anyone can verify it independently, without an account and without contacting us. This page lays out what it does and does not claim, how to check everything yourself, and who operates the service.
Do I have to trust FreeSign for the signature to be valid?
No — and that is the whole point of the design. A FreeSign signature is a standard PAdES-B-T signed PDF. Nothing about checking it depends on FreeSign staying online, staying in business, or being trusted by you:
- Verify with tools you already trust. Adobe Reader,
openssl cms -verify, andpyHanko sign validateall parse and check the file with no call to free-sign.com. The browser verifier at /verify runs the same checks locally, with no upload. - The CA certificate is public. FreeSign’s signing CA is published at
/.well-known/free-sign-signing-ca.pem, with its SHA-256 fingerprint alongside it — so you can pin exactly what signed your certificate. - Time is anchored by independent parties. Every signature carries a DigiCert RFC 3161 timestamp and an OpenTimestamps proof that settles against public Bitcoin block headers. Neither depends on FreeSign to confirm when you signed.
- We re-verify before you ever see a receipt. After the PDF is sealed, your browser re-checks the CMS signature and the certificate chain; if either fails, the ceremony aborts and nothing is offered for download.
If FreeSign disappeared tomorrow, every PDF already signed would still verify. That is what “no vendor lock-in” actually means here. Step-by-step: Verify a signed PDF with openssl.
Why does Adobe Reader show a yellow warning?
Adobe Reader colour-codes signatures against the Adobe Approved Trust List (AATL), a commercial allow-list of certificate authorities. FreeSign runs its own HSM-backed signing CA, which is not on AATL — so Adobe shows a yellow signature has problems
banner by default.
That banner is about trust-list membership, not tampering. Open Adobe’s Signature Panel and it still confirms the document has not been modified, shows your typed name, and shows the signing time from the embedded timestamp. A recipient who sees FreeSign PDFs often can add the FreeSign CA to local Adobe trust once — see FreeSign Adobe Trust Setup and the FAQ. An AATL-trusted CA is on the public roadmap.
Is it legally valid? Is it a qualified signature?
A FreeSign signature is an electronic signature valid under the US ESIGN Act and UETA, and is built to the EU eIDAS advanced electronic signature (AES) evidence model. For the vast majority of business and personal contracts — NDAs, employment, vendor agreements, consents — that is the standard people use.
FreeSign is not a Qualified Electronic Signature (QES) and 2Dynamic Games is not a Qualified Trust Service Provider. For the narrow set of documents that legally require QES or notarisation, FreeSign is not the right tool, and we say so rather than blur it. Detailed legal framing is in the FAQ. None of this is legal advice — for a high-stakes document, confirm the required form for your jurisdiction.
Is FreeSign open source? Has it been audited?
The hosted signing service is proprietary and closed-source, offered best-effort with no warranty, and has no third-party SOC or ISO audit published yet. We state that plainly rather than imply otherwise.
But the part that matters most for trust — the verifier — is open source. The exact client-side code served at /verify is published under the MIT licence at github.com/free-sign/verifier. You do not have to trust our word that a signature checks out — you can read, audit and run the code that checks it.
Everything a FreeSign signature is built from is an open standard or a public file, not a FreeSign secret: the PAdES-B-T / CMS PKCS#7 format, the X.509 certificate chain, the published CA certificate, the RFC 3161 and OpenTimestamps proofs, and the documented evidence-JSON schema. Independent tools — openssl, pyHanko, the ots CLI — verify the same file with FreeSign nowhere in the loop.
What does FreeSign store about me?
Never the PDF. The document bytes never reach the server — the browser hashes the file locally and sends only a 32-byte SHA-256. There is no upload route in the API, and the MCP contract advertises documentUpload: false.
What FreeSign does keep is the standard signing-act audit trail: the OTP-verified email (stored as an HMAC, not plaintext), the typed legal name, the consent payload, a hash-chained audit log, and the cryptographic seal evidence. That evidence is retained for about 10 years and then purged. It is the same audit surface DocuSign and Adobe Sign keep for a signing event — the privacy invariant is no document bytes server-side, not no metadata. Full detail: privacy policy.
When should I not use FreeSign?
We would rather lose a signer than have a signature fail later. Do not use FreeSign when:
- A law or counterparty requires a Qualified Electronic Signature or notarisation.
- Procurement mandates an AATL-listed vendor.
- You need multi-party routing, reminders, templates, dashboards, or enterprise SSO.
- The other side simply insists on DocuSign, Adobe Sign, Autenti, or Docuten.
FreeSign is a focused single-signer tool, not an enterprise platform. The honest side-by-side is on the comparison page.
Who is behind FreeSign?
FreeSign is operated by 2Dynamic Games sp. z o.o., a limited company based in Kraków, Poland — in the European Union, entered in the national Register of Entrepreneurs on 5 December 2013 (over a decade of corporate history). Registration: KRS 0000489269, NIP 5272716666, REGON 147232452; registered office at ul. Wadowicka 7, 30-347 Kraków. The service runs under the Coder AI brand.
About the company name. “2Dynamic Games” is the operator’s long-standing registered legal name, carried over from the company’s earlier activity — it does not describe this product. FreeSign is a serious cryptographic electronic-signature service, with no connection to games or entertainment software. Judge it on the standards it implements and the verification you can run yourself, both set out above.
Be precise about what is new. The free-sign.com service is recent — it is young, focused software, and we say so plainly. The company operating it is not new. When you weigh a service, the age and accountability of the legal entity behind it matters as much as the launch date of the product. Full operator and GDPR-controller details are on the imprint page.
The bottom line
Trust a signing service in proportion to how little you have to. FreeSign is deliberately built so that the proof outlives the provider: open formats, a published CA, independent timestamps, and a verifier you can run yourself. Check it, do not assume it — verify a PDF now, read the full FAQ, or see the machine-readable summary at llms.txt.