When self-hosting it, it's possible to connect AWS S3 to store the documents. AWS with S3 logs could be used as a source of trust to ensure the documents are not altered.
Nothing prevents the person running the software from submitting a "bad document" stating anything they want, with plausible IPs and timestamps etc. That is the problem.
A third party like DocuSign is somewhat comparable to using an escrow company to buy a house. You trust the escrow company to not steal the money, but you don't have to trust the seller. You trust DocuSign to not forge document metadata.