Status: Signed — legally binding, audit trail captured

What we capture at the moment of signing, in one atomic database transaction: (1) Identity assertion: client's typed name and email, matching the client record on file (signer_name, signer_email in the SignatureAudit row); (2) Possession proof: 4-digit PIN entry, proving access to the email inbox where it was sent — per the running code (HIGH-BE-002 hardening, audit 2026-04-28), 5 wrong PIN attempts within a sliding 1-hour window lock the proposal slug for 24 hours, with a separate 10/min per-IP rate limit on the same endpoint; (3) Technical context: ip_address (GenericIPAddressField), user_agent string, full request headers in raw_event JSONB, signed_at timestamp; (4) Consent record: the consent field captures the affirmative confirmation that the signer is authorised to bind the named party. This is the SES + audit trail stack defined in [A-007] (DECISIONS.md): "e-Signature: eIDAS SES (Simple Electronic Signature) — click-to-sign + email confirmation. Store IP + timestamp + email chain for 10 years."

The signing path does not compute a SHA-256 hash of the rendered PDF and does not cryptographically bind the signature to document content in the way Art. 26(d) requires for an Advanced Electronic Signature. RFC 3161 trusted timestamping is on the [D-111] roadmap (Phase 4) but is not part of the v1 signing path. What we have is integrity at the storage layer: the rendered PDF is written to Cloudflare R2 (EU region) with the legal_hold flag enabled, which prevents overwriting or deletion within the retention window — necessary but distinct from a cryptographic seal. For Qualified Electronic Signatures (QES) under Art. 3(12) you'd need a hardware token from a Trust Service Provider (e.g., Bundesdruckerei in Germany, FNMT in Spain). QES is required for some specific contract types (real-estate notarised acts, certain financial-services products, court submissions in some Member States, and public-sector contracts under eIDAS Art. 27 where the receiving body explicitly demands it); for the vast majority of freelancer work — design, development, consulting, photography, copywriting — SES backed by Clozo's 10-year SignatureAudit row is sufficient and enforceable.

The ten-year retention is enforced by GoBD §147 AO (Germany), Wet OB Art. 52 (Netherlands), CGI Art. L102 B (France), Codice Civile Art. 2220 (Italy), and parallel rules in other EU countries: tax-relevant documents must be available for inspection for a decade. Clozo stores the signed PDF on Cloudflare R2 with legal_hold so it cannot be deleted even by you or by an admin until the retention window expires. Right-to-erasure requests under GDPR Art. 17 are honoured within the bounds of Art. 17(3)(b), which allows retention where required by a legal obligation.