Why Hedera, not RFC 3161, OpenTimestamps, or DocuSign?
First, the honest part: the chain is the backstop, not the reason to buy Pactbound. You buy it for sealed handoffs and identity-verified sign-offs. The independent timestamp underneath is what stops anyone (us included) from quietly backdating or altering a record later. This page is just for whoever wants to know which timestamp we chose for that job, and why.
It’s the technical sibling to /why-trust-this. If you just want to know whether the receipt holds up in court and chargebacks, start there. If you want the primitive that sits underneath, keep reading.
Up front: each of these tools solves a real problem. None of them solve the sealed handoff and sign-off problem on their own, and most firms already have one of them in production today.
TL;DR
The five properties that actually matter for a handoff or sign-off record, and which option gives you each.
| Approach | Signature | Audit log | Cryptographic | Survives vendor | Structured events |
|---|---|---|---|---|---|
Email + Slack screenshots Default fallback. Easy to fabricate. Worthless in a dispute. | |||||
DocuSign / OpenSign Workflow + signature. The audit log is theirs. Survives them? No. | |||||
RFC 3161 TSA (FreeTSA, DigiCert) Cryptographic. Survives the TSA's company? Tied to the cert chain. | |||||
OpenTimestamps (Bitcoin) Trustless. ~10 min – several hours to confirm. No structured events. | |||||
Pactbound (Hedera HCS) Trustless, public ledger, sub-second consensus, structured events. |
vs DocuSign and OpenSign: “why not just sign a PDF?”
DocuSign and OpenSign are signature workflows. They’re great at collecting signatures and producing a completion certificate. They produce an audit log of who signed when, attached as a PDF.
That audit log lives on DocuSign’s servers (or your self-hosted OpenSign instance). For most use cases that’s fine. For consulting sign-off disputes it’s the wrong trust model:
- If DocuSign goes bankrupt, your audit logs may be inaccessible. A signed PDF in your hands is still a PDF: its provenance now rests on whatever you can recover.
- If you self-host OpenSign and you’re the one being audited, the log is the issuer’s own server. A motivated opposing counsel will argue you could have edited it.
- Signature flows assume a single document. A real consulting milestone is a SOW plus design doc plus deliverable plus a list of in-scope and out-of-scope disclosures: not one PDF to sign, but a bundle to seal.
When DocuSign is right: single agreement, single signer, low-stakes. When Pactbound is right: multi-file milestone bundle, evidence model that has to survive the consultant being the party under scrutiny.
vs RFC 3161 trusted timestamps: “FreeTSA is free, why pay?”
RFC 3161 is the X.509 timestamp protocol. A Time Stamp Authority hashes your document, signs the hash with its private key, and returns a token. Courts in some jurisdictions recognize it, and FreeTSA offers it free.
Two real limitations for our use case:
- A TSA timestamp is only valid as long as the TSA’s certificate chain is trusted. Cert expiry, key compromise, or TSA shutdown all undermine old timestamps unless you re-timestamp on a schedule. Hedera-anchored proofs don’t inherit any single cert’s lifecycle.
- A TSA token is one signed object. Pactbound’s on-chain record is a stream of typed events (
bundle_created,bundle_sent,disclosure_acked,bundle_acknowledged) on a public topic. The chain-of-custody is itself queryable.
When RFC 3161 is right: a single document that needs court-recognized notarization in a jurisdiction that specifically requires it. When Pactbound is right: structured multi-event handoff workflows where you want the chain-of-custody itself anchored.
vs OpenTimestamps (Bitcoin): “but Bitcoin is the most secure ledger”
OpenTimestamps is the closest comparison to Pactbound conceptually. It hashes your document, aggregates many hashes into a Merkle tree, and anchors the Merkle root in a Bitcoin transaction. The proof is a small .ots file. Verification is trustless and free.
For our use case, three differences matter:
- Confirmation latency. A Bitcoin anchor needs at least one block confirmation: typically 10 minutes, sometimes hours. Hedera Consensus Service finality is sub-second. When a consultant clicks “send sign-off” at 4:55 PM and the client’s legal team challenges it at 5:01 PM, you want the event on the ledger already.
- Event structure. OpenTimestamps anchors arbitrary hashes. Pactbound submits structured event messages with typed fields (event type, manifest hash, Merkle root, ISO timestamp, event-specific data), so the on-chain record is a coherent chain-of-custody, not opaque bytes.
- Operational profile. Hedera HCS is run by a council of enterprises with a published service roadmap. Bitcoin is the most-secure-by-hashrate option, but its fee market is unpredictable for high-volume anchoring.
When OpenTimestamps is right: personal-use archival, one-off document timestamps, archival-grade cryptographic guarantee with no SLA needs. When Pactbound is right: high-volume handoff and sign-off workflows with sub-second event capture and structured chain-of-custody.
The trust model: what you actually need to believe
When a Pactbound bundle is challenged in a dispute, the chain of things the opposing party would have to argue against is:
- SHA-256 is collision-resistant. Industry consensus, used by every major government and bank.
- The Hedera public ledger’s consensus timestamps reflect when a supermajority of nodes saw a transaction. Independently auditable via any Hedera mirror node.
- The hash submitted to Hedera matches the hash of the manifest you produced. Our open-source verifier recomputes this from your bundle.
Notice what’s not in that list: trust in Pactbound, in our servers, in our company existing tomorrow, or in our employees. We can’t alter your evidence after the fact because we never could.
Try the open-source verifier
Don’t trust us. Verify a bundle yourself.
Clone the repo. Run the verifier against any sample bundle. Confirm the math from scratch. If our claims hold, sign up. If they don’t, tell us where we went wrong.