Captures the signer's pressure, speed and acceleration on a signature tablet or mobile device.
Advanced electronic signature (AES) under art. 26 of EU Regulation 910/2014, with encrypted graphometric evidence and judicial handwriting expert review available.
Deployed in banking, healthcare, HR and automotive, with full GDPR art. 9 compliance for biometric data as a special category.
Banking · Healthcare · HR · Automotive
Updated: 14 May 2026 · Reviewed by the Dokuflex Legal Team
Informational content based on the eIDAS Regulation and GDPR. For specific cases, consult your legal counsel.
A biometric signature (also called grafometric signature) is a type of electronic signature in which the signer draws their handwritten mark on a touch-sensitive surface (a signature tablet, a tablet or a mobile device with a high-resolution capacitive screen) while the system captures, alongside the visible stroke, several dynamic data points that are unique to the signer: pressure, speed, acceleration, pen tilt angle and rhythm. These data points form a behavioural fingerprint that is extremely difficult to reproduce, a digital equivalent of the handwritten signature on paper.
Under article 26 of the eIDAS Regulation (EU) 910/2014, an electronic signature qualifies as advanced (AES) when: (i) it is uniquely linked to the signer, (ii) it allows the signer to be identified, (iii) it is created using data under their sole control and (iv) it is linked to the signed data in such a way that any subsequent change is detectable. Grafometric biometric signature meets all four criteria: the dynamic data identifies the signer, remains under the signer's physical control during the act of signing and is cryptographically sealed to the document.
This is what sets it apart from a simple electronic signature (SES) such as a click on "I accept" or a standalone SMS OTP, which carry weak evidentiary weight. The biometric layer adds something forensically analysable: if the signature is challenged in court, a digital handwriting expert can compare the graphometric pattern against undisputed signatures of the signer, exactly the way handwriting experts work with paper signatures.
Graphometry is not limited to the visible stroke: it records five dynamic dimensions of the act of signing, sampled tens or hundreds of times per second. Every signer has a unique pattern shaped by years of motor habit, virtually impossible to imitate even when the visible signature image is known.
Force exerted on the touch surface at every point. Reveals start zones, pauses and inflection points that are characteristic of each signer.
Instantaneous pointer velocity at each segment. Distinguishes fast, automated strokes from slow imitated movements.
Changes in speed: the acceleration pattern exposes the naturalness of the motor gesture, almost impossible to forge convincingly.
When the stylus supports it, the pen's tilt angle and rotation add another biometric dimension to the captured profile.
Inter-stroke timings, pen lifts and the sequential order of signature components. The full temporal fingerprint completes what the visible image alone cannot convey.
Compared to an SMS OTP (which only proves possession of a phone number) or a digital certificate (which only proves possession of a private key), biometric signature proves something stronger: who signed, not only which credential was used. That is the reason litigation-heavy sectors (banking, healthcare, HR) prefer it.
The eIDAS Regulation (EU) 910/2014 defines three levels of electronic signature with different legal effects across the European Union:
In Spain, Law 6/2020 on electronic trust services implements eIDAS into national law. In civil procedure, art. 326.3 of the Spanish Civil Procedure Act (LEC) governs the challenge of electronically signed documents: if a party denies authorship, verification proceeds under art. 3 of Law 6/2020.
This is where the decisive advantage of biometric signature appears: when challenged, the graphometric data is analysable forensic evidence. A digital handwriting expert compares the dynamic pattern against undisputed signatures of the defendant, exactly as in traditional handwriting expert review on paper. A pure click-through signature or a standalone OTP do not allow that kind of expert review: only server logs and technical traces are available, and they are far easier to attack on cross-examination.
This is why Spanish case law and notarial doctrine assign grafometric biometric signature a reinforced evidentiary value within the AES level of eIDAS, close to that of a handwritten signature.
When a biometrically signed contract ends up in court (a mortgage challenge, an unfair dismissal claim, a consumer dispute), the practical procedure is:
This chain is the decisive difference compared to a simple signature. A click-through acceptance or an SMS OTP provide nothing forensically analysable: only logs and server records, which are easy to attack by claiming device or SIM impersonation. Biometric data, by contrast, is tied to the physical signer: the motor pattern is personal and very hard to reproduce, even when the visible image of the signature is known.
That is why banks and healthcare providers use biometric signature for high-value operations: the marginal cost compared to a simple signature is more than compensated if a single operation ends up in litigation.
The GDPR (Regulation EU 2016/679) classifies biometric data as a special category under art. 9 when used for the unique identification of a natural person. This triggers a reinforced lawful basis and specific technical and organisational measures.
The most common lawful bases for grafometric biometric signature are:
The Spanish Data Protection Agency (AEPD) has sanctioned organisations for biometric processing without a valid lawful basis or without proportionality. To minimise risk:
These measures align processing with the principle of data protection by design (art. 25 GDPR) and reduce the risk of AEPD sanctions or EU supervisory action.
Grafometric biometric signature shines in sectors with high volumes of in-person signing, reinforced evidentiary requirements and recurring litigation. These four account for the bulk of real-world use across Europe.
Mortgage origination, customer onboarding with reinforced KYC, investment fund subscription and MiFID II suitability assessments. Biometric signature strengthens evidence in high-value transactions and reduces the risk of consumer-driven challenges.
Surgical and procedural informed consents, treatment authorisations, electronic health records and hospital admission. Preserves forensic data against claims of inadequate information (Spain's Law 41/2002 on patient autonomy and equivalent EU patient rights legislation).
Employment contracts (permanent and temporary), substantial changes in working conditions (art. 41 of Spain's Workers' Statute), severance agreements and payslips. Enables clear proof of the employee's signature in claims before labour courts.
Consumer finance origination, vehicle leasing and renting, dealership commercial contracts and instalment sales. Removes paper at the point of sale while preserving expert-grade evidence for consumer claims.
All three methods can reach the AES level (advanced signature) under art. 26 eIDAS, but they differ sharply in identification, non-repudiation and expert review. This table helps you pick the right method per use case.
| Criterion | Biometric signature | SMS OTP | Digital certificate |
|---|---|---|---|
| eIDAS legal validity | AES (art. 26) | AES if combined with strong authentication | AES or QES if the certificate is qualified |
| Signer identification | Unique motor pattern (pressure, speed, acceleration) | Possession of the phone number | Possession of the private key and PIN |
| Non-repudiation | High: signature tied to a physical gesture | Medium: depends on SIM control | High: tied to a private key under user control |
| Document integrity | XAdES sealing + document hash | Document hash signed with OTP | Cryptographic signature of the document |
| Judicial expert review | Yes: graphometric analysis equivalent to handwritten signature | Limited: logs and traces only | Limited: cryptographic validation, not of the physical signer |
| eIDAS legal base | Art. 26 (AES) | Art. 26 (AES) if the four requirements are met | Art. 26 / art. 25.2 (QES if qualified) |
Trademarks are property of their respective owners. Public information consulted in May 2026.
Four steps to embed grafometric biometric eIDAS signature in an existing workflow, without rewriting the core system.
Call the signature creation endpoint from your ERP, CRM or customer portal, or embed the JavaScript widget in your website. No client install required.
The signer traces their signature on a professional signature tablet (Wacom, Topaz) or a tablet/phone with active stylus. The SDK samples pressure, speed and acceleration.
The pattern is encrypted at source with the trust service provider's asymmetric key. Decryption requires a court order. Fully aligned with GDPR art. 9.
PDF/A with XAdES signature, embedded graphometric evidence and TSA time-stamp. Automatically filed in the case record, ready for audit.
Grafometric biometric signature is an advanced electronic signature (AES) under art. 26 of EU Regulation 910/2014 (eIDAS): it uniquely identifies the signer, is linked to them, is created using means under their sole control and detects any later modification of the document. It is not a qualified signature (QES) on its own, but it can be combined with a qualified certificate issued by a qualified trust service provider to reach QES level.
Yes. Spain's Law 6/2020 on electronic trust services and art. 3.10 of the eIDAS Regulation recognise legal effect for electronic signatures across the EU. Under art. 326 of the Spanish Civil Procedure Act (LEC), if the counterparty challenges the electronic signature, verification follows art. 3 of Law 6/2020: graphometric data (pressure, speed, acceleration) allows digital handwriting expert review, providing reinforced evidentiary weight compared to a simple click-through signature.
Graphometric data is a special category under art. 9 GDPR. Dokuflex encrypts it at source with the trust service provider's asymmetric key, embeds it in the signed PDF/A in XAdES format, and it is never accessible to the data controller or to Dokuflex. Only an authorised judicial expert, under court order, can decrypt it. Typical lawful bases: contract performance (art. 6.1.b GDPR) or explicit consent (art. 9.2.a GDPR).
Graphometric data travels encrypted from the tablet or mobile device to the final PDF/A document; nothing is stored locally. If the device is lost or stolen, there is no risk of biometric data leakage because nothing remains in device memory after the signature. MDM and remote wipe are still recommended for fleet management.
Banking (customer onboarding, mortgages, investment funds, MiFID II suitability tests), healthcare (informed consents, electronic health records), HR (employment contracts, severance agreements, substantial changes under art. 41 of the Spanish Workers' Statute) and automotive/retail (consumer finance, leasing, dealership contracts). These sectors combine high volumes of in-person signing with heightened evidentiary requirements.
For graphometric capture useful in expert review, an active stylus (pen with pressure sensor) on a signature tablet or high-resolution capacitive tablet is recommended. Finger signing is functionally valid but loses graphometric discrimination (limited pressure, coarser stroke), which weakens the evidentiary strength in court. It remains AES under eIDAS if combined with other identification mechanisms.
Yes, any advanced electronic signature can be challenged. Under art. 326.3 LEC and art. 3 of Law 6/2020, when the signature is contested, verification proceeds. The key difference of biometric signature versus an OTP or a click: there is forensically analysable data (the graphometry) that a digital handwriting expert can compare against undisputed signatures of the signer, equivalent to expert review of handwritten signatures.
A qualified signature (QES, art. 25.2 eIDAS) is created with a qualified signature creation device and a certificate issued by a qualified trust service provider: by law it is equivalent to a handwritten signature. Grafometric biometric signature is AES (art. 26 eIDAS), has full validity but requires the signature to be proven if challenged. For mortgages, notarial deeds and certain public administration procedures QES is usually required; for employment contracts, commercial contracts and consents, biometric AES is sufficient and operationally smoother.
Informational content. For specific cases, consult your legal counsel.
Dokuflex's general digital signature page: SES/AES/QES levels, available methods (biometric, OTP, certificate, qualified) and end-to-end use cases.
See how Dokuflex stacks up against other BPM and digital signature platforms in the market.
We show you how to embed grafometric eIDAS signature in banking, healthcare, HR or automotive workflows. 20-minute demo, no commitment.