[alexopensource]

In the hosted version, we sign the document on behalf of the user using our own private key. Our roadmap also has the feature to bring your own cert(not relevant here). As soon as a user signs a document, a copy of the signed document is instantly sent to all the parties involved. This ensures that the signer cannot revoke the documents already signed. If the receiving party tries to modify the document, the signature becomes invalid. This is how we make sure that the docs are "tamper-proof" after signing.

[petertodd]

That's a reasonable, and pragmatic, way to implement this. But I'd still call it "tamper-resistant". One reason why is in situations where senders or recipients have modified something, proving that the _keys_ used to sign the documents were the correct ones can itself be a difficult problem.

[johnfonesca]

>This ensures that the signer cannot revoke the documents already signed. If the receiving party tries to modify the document, the signature becomes invalid

This,fortunately, is a feature of the PDF digital signatures standard.