Feature Specification: DocuSign eSignature API Integration

Overview

Feature Name: DocuSign eSignature Integration for Document Management & Approvals
Category: AP Excellence (Phase 1) + Compliance & Strategic Finance (Phase 4)
Priority: High
Target Users: CFOs, Controllers, Approvers, Vendors, Steuerberater
Dependencies: AI Approval Intelligence, Document & Contract Management V1, GoBD-Compliant Storage

Executive Summary

DocuSign is the world's leading electronic signature platform, offering a comprehensive REST API with 400+ endpoints for programmatic document signing, routing, and tracking. By integrating DocuSign into Orcha, we transform our approval workflow from a digital process to a legally binding, audit-compliant signature system that meets German legal standards (eIDAS, BGB §126a) while dramatically accelerating approval cycles.

Key Value Proposition:

Replace email-based "approvals" with legally binding electronic signatures
Enable vendor contract execution directly within Orcha
Create tamper-proof audit trails for Betriebsprüfung compliance
Support complex approval workflows (sequential, parallel, conditional routing)
Maintain GoBD compliance with integrated document archiving

Business Problem

The Challenge: Approvals ≠ Signatures

Current State in Orcha: Our AI Approval Intelligence (Phase 1.1) provides:

4-way matching with full context
AI explainability and decision consequences
70% auto-approval rate
2-4 hour approval times (vs 3-5 days)

What's Missing:

Legal Enforceability: A click in our UI isn't a legally binding signature
External Parties: Vendors and external approvers need secure access
Contract Execution: Purchase orders, master service agreements, amendments
Audit Requirements: Some transactions require qualified electronic signatures (QES)
Non-Repudiation: Proof that a specific person approved at a specific time

The Gap:

Invoice approvals → Currently internal workflow (sufficient for most cases)
Contracts, POs, amendments → Require legally binding signatures (DocuSign needed)
Vendor acknowledgments → Require external party signatures (DocuSign needed)
High-value transactions → May require qualified signatures for audit defense

Real-World Use Cases

1. Purchase Order Approval (Internal)

Department head approves PO in Orcha → Needs legal signature
Vendor receives signed PO → Acknowledges terms (counter-signature)
Both parties have legally binding contract

2. Master Service Agreement Execution (External)

CFO negotiates vendor contract terms
Contract stored in Orcha Document Management
Both parties sign electronically → Legally binding MSA
Contract terms feed into invoice matching rules

3. Invoice Approval with Signature (Compliance-Heavy)

High-value invoices (€50K+) require CFO signature
External auditor needs proof of authorized approval
Electronic signature provides non-repudiation

4. Steuerberater Handoff (Monthly Close)

Controller finalizes month-end close in Orcha
Festschreibung (period lock) requires signature
Steuerberater receives signed package with audit trail

Solution: DocuSign eSignature API Integration

What We Build

A bidirectional integration between Orcha and DocuSign that enables:

Outbound: Send documents from Orcha to DocuSign for signature
Inbound: Receive signed documents back into Orcha storage
Status Tracking: Real-time updates on signature status
Template Management: Reusable templates for common documents
Audit Trail: Complete record of all signature events

DocuSign API Architecture

Core Concepts

1. Envelopes

An envelope is a container for documents requiring signatures.

Envelope
├── Documents (1-n): PDFs, Word docs, etc.
├── Recipients (1-n): Signers, approvers, carbon copies
├── Tabs (fields): Signature boxes, date fields, text fields
├── Routing Order: Sequential or parallel signing
└── Status: Created → Sent → Delivered → Completed

Example:

{
  "envelopeId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "status": "sent",
  "emailSubject": "Please sign: Purchase Order PO-2024-1234",
  "documents": [
    {
      "documentId": "1",
      "name": "PO-2024-1234.pdf",
      "order": 1
    }
  ],
  "recipients": {
    "signers": [
      {
        "recipientId": "1",
        "email": "vendor@acmesupplies.de",
        "name": "Johann Schmidt",
        "routingOrder": 1
      }
    ]
  },
  "status": "sent",
  "sentDateTime": "2026-01-05T10:30:00Z"
}

2. Recipients & Routing

Control who signs and in what order.

Recipient Types:

Signers: Required signatures (can't proceed without them)
Approvers: Approve/reject decisions
Carbon Copies (CC): Receive copy, no action required
Certified Delivery: Must open document (proof of delivery)
Intermediaries: Forward to next recipient (routing agents)

Routing Options:

Sequential: Recipient 1 → Recipient 2 → Recipient 3
Parallel: All recipients sign simultaneously
Conditional: Routing based on previous decisions (e.g., if approved, send to CFO)

Orcha Use Case:

Purchase Order Approval Flow:
1. Department Head (Signer) → Approves PO
2. CFO (Signer, if > €10K) → Additional approval
3. Vendor (Signer) → Acknowledges terms
4. AP Team (CC) → Receives final signed copy

3. Templates

Reusable document templates with predefined fields.

Benefits:

Consistency across similar documents
Faster envelope creation
Pre-positioned signature fields
Merge fields for dynamic data (invoice #, amount, vendor name)

Orcha Templates:

Purchase Order Template
Master Service Agreement Template
Invoice Approval Template (high-value)
Period Close Sign-off Template
Contract Amendment Template

Example:

{
  "templateId": "t1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "name": "Purchase Order Approval",
  "documents": [
    {
      "name": "Standard PO",
      "fileExtension": "pdf",
      "order": 1
    }
  ],
  "recipients": {
    "signers": [
      {
        "roleName": "Department Head",
        "routingOrder": 1,
        "tabs": {
          "signHereTabs": [
            {
              "anchorString": "/dept_sig/",
              "anchorXOffset": "0",
              "anchorYOffset": "0"
            }
          ]
        }
      },
      {
        "roleName": "Vendor",
        "routingOrder": 2,
        "tabs": {
          "signHereTabs": [
            {
              "anchorString": "/vendor_sig/",
              "anchorXOffset": "0",
              "anchorYOffset": "0"
            }
          ]
        }
      }
    ]
  }
}

4. Tabs (Fields)

Interactive elements placed on documents.

Common Tab Types:

Sign Here: Signature field
Initial Here: Initial field
Date Signed: Auto-fills signature date
Text: Free-form text entry
Checkbox: Agreement checkboxes
Radio Button: Multiple choice
Dropdown: Predefined options
Formula: Calculate values (e.g., totals)

Anchor-Based Positioning: Instead of pixel coordinates, use text anchors:

{
  "signHereTabs": [
    {
      "anchorString": "Authorized Signature:",
      "anchorXOffset": "100",
      "anchorYOffset": "-5"
    }
  ]
}

5. Webhooks (DocuSign Connect)

Real-time event notifications.

Key Events:

envelope-sent: Envelope sent to recipients
envelope-delivered: Recipient opened envelope
envelope-completed: All signatures collected
envelope-declined: Recipient rejected
envelope-voided: Sender canceled
recipient-completed: Individual signer finished

Orcha Webhook Handler:

(defn docusign-webhook-handler
  [request]
  (let [event (parse-docusign-event (:body request))
        envelope-id (:envelopeId event)
        status (:status event)]
    (case status
      "completed" (handle-completed-envelope envelope-id)
      "declined" (handle-declined-envelope envelope-id)
      "voided" (handle-voided-envelope envelope-id)
      (log-event event))))

(defn handle-completed-envelope
  [envelope-id]
  ;; 1. Fetch signed document from DocuSign
  (let [signed-doc (fetch-signed-document envelope-id)]
    ;; 2. Store in Orcha GoBD-compliant storage
    (store-document signed-doc {:type :signed-contract
                                 :docusign-envelope envelope-id})
    ;; 3. Update approval status in database
    (update-approval-status envelope-id :completed)
    ;; 4. Trigger downstream workflows (e.g., activate PO)
    (activate-purchase-order envelope-id)))

DocuSign API: Key Endpoints

Authentication: OAuth 2.0

Authorization Code Grant (Recommended for Orcha):

User Consent: Redirect user to DocuSign login

GET https://account.docusign.com/oauth/auth
  ?response_type=code
  &scope=signature impersonation
  &client_id=YOUR_INTEGRATION_KEY
  &redirect_uri=https://orcha.com/oauth/callback

Exchange Code for Token:

POST https://account.docusign.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=AUTHORIZATION_CODE
&client_id=YOUR_INTEGRATION_KEY
&client_secret=YOUR_SECRET_KEY

Response:

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGc...",
  "token_type": "Bearer",
  "expires_in": 28800,
  "refresh_token": "eyJ0eXAiOiJKV1QiLCJhbGc..."
}

Token Storage in Orcha:

CREATE TABLE docusign_tokens (
  user_id UUID PRIMARY KEY REFERENCES users(id),
  access_token TEXT NOT NULL,
  refresh_token TEXT NOT NULL,
  expires_at TIMESTAMP NOT NULL,
  account_id TEXT NOT NULL,
  base_uri TEXT NOT NULL,
  created_at TIMESTAMP DEFAULT NOW(),
  updated_at TIMESTAMP DEFAULT NOW()
);

Core API Endpoints

1. Create Envelope from Document

Endpoint: POST /v2.1/accounts/{accountId}/envelopes

Request:

{
  "emailSubject": "Please sign: Purchase Order PO-2024-1234",
  "status": "sent",
  "documents": [
    {
      "documentBase64": "JVBERi0xLjQKJeLjz9MKMy...",
      "name": "PO-2024-1234.pdf",
      "fileExtension": "pdf",
      "documentId": "1"
    }
  ],
  "recipients": {
    "signers": [
      {
        "email": "dept.head@company.de",
        "name": "Maria Weber",
        "recipientId": "1",
        "routingOrder": "1",
        "tabs": {
          "signHereTabs": [
            {
              "anchorString": "/dept_sig/",
              "anchorXOffset": "0",
              "anchorYOffset": "0"
            }
          ],
          "dateSignedTabs": [
            {
              "anchorString": "/date/",
              "anchorXOffset": "0",
              "anchorYOffset": "0"
            }
          ]
        }
      }
    ]
  }
}

Response:

{
  "envelopeId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "status": "sent",
  "uri": "/envelopes/a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}

2. Create Envelope from Template

Endpoint: POST /v2.1/accounts/{accountId}/envelopes

Request:

{
  "templateId": "t1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "templateRoles": [
    {
      "roleName": "Department Head",
      "name": "Maria Weber",
      "email": "maria.weber@company.de",
      "tabs": {
        "textTabs": [
          {
            "tabLabel": "PO_Number",
            "value": "PO-2024-1234"
          },
          {
            "tabLabel": "Amount",
            "value": "€8,450.00"
          }
        ]
      }
    },
    {
      "roleName": "Vendor",
      "name": "Johann Schmidt",
      "email": "johann@acmesupplies.de"
    }
  ],
  "status": "sent"
}

3. Get Envelope Status

Endpoint: GET /v2.1/accounts/{accountId}/envelopes/{envelopeId}

Response:

{
  "envelopeId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "status": "completed",
  "statusChangedDateTime": "2026-01-05T14:22:15Z",
  "emailSubject": "Please sign: Purchase Order PO-2024-1234",
  "recipients": {
    "signers": [
      {
        "email": "maria.weber@company.de",
        "name": "Maria Weber",
        "status": "completed",
        "signedDateTime": "2026-01-05T11:15:30Z"
      },
      {
        "email": "johann@acmesupplies.de",
        "name": "Johann Schmidt",
        "status": "completed",
        "signedDateTime": "2026-01-05T14:22:10Z"
      }
    ]
  }
}

4. Download Signed Document

Endpoint: GET /v2.1/accounts/{accountId}/envelopes/{envelopeId}/documents/{documentId}

Headers:

Authorization: Bearer {access_token}
Accept: application/pdf

Response: Binary PDF data

Orcha Implementation:

(defn download-signed-document
  [account-id envelope-id document-id]
  (let [url (str "https://demo.docusign.net/restapi/v2.1/accounts/"
                 account-id "/envelopes/" envelope-id
                 "/documents/" document-id)
        response (http/get url
                           {:headers {"Authorization" (str "Bearer " (get-access-token))
                                      "Accept" "application/pdf"}
                            :as :byte-array})]
    (:body response)))

5. Get Audit Trail (Certificate of Completion)

Endpoint: GET /v2.1/accounts/{accountId}/envelopes/{envelopeId}/documents/certificate

Response: PDF with complete audit trail including:

All recipient actions (viewed, signed, declined)
IP addresses and timestamps
Authentication methods used
Document hash for tamper detection

GoBD Compliance: This certificate is legally recognized in Germany for audit purposes.

6. Void Envelope (Cancel)

Endpoint: PUT /v2.1/accounts/{accountId}/envelopes/{envelopeId}

Request:

{
  "status": "voided",
  "voidedReason": "Purchase order canceled by department head"
}

Integration Architecture

System Design: Orcha ↔ DocuSign

┌──────────────────────────────────────────────────────────────────┐
│  ORCHA PLATFORM                                                  │
├──────────────────────────────────────────────────────────────────┤
│                                                                  │
│  ┌────────────────────────────────────────────────────────┐    │
│  │  AI APPROVAL INTELLIGENCE                              │    │
│  │  (Existing Phase 1.1)                                  │    │
│  │                                                        │    │
│  │  • 4-way match validation                             │    │
│  │  • AI explainability                                  │    │
│  │  • Decision consequences                              │    │
│  │  • Policy checks                                      │    │
│  └─────────────────┬──────────────────────────────────────┘    │
│                    │                                            │
│                    │ Approval decision made                     │
│                    │                                            │
│                    ▼                                            │
│  ┌────────────────────────────────────────────────────────┐    │
│  │  DOCUSIGN INTEGRATION SERVICE (NEW)                    │    │
│  ├────────────────────────────────────────────────────────┤    │
│  │                                                        │    │
│  │  📤 OUTBOUND                                           │    │
│  │  ├─ Create envelope from document                     │    │
│  │  ├─ Create envelope from template                     │    │
│  │  ├─ Add recipients & routing rules                    │    │
│  │  ├─ Position signature tabs                           │    │
│  │  └─ Send for signature                                │    │
│  │                                                        │    │
│  │  📥 INBOUND                                            │    │
│  │  ├─ Receive webhook events                            │    │
│  │  ├─ Download signed documents                         │    │
│  │  ├─ Fetch audit trail (Certificate of Completion)     │    │
│  │  └─ Update Orcha approval status                      │    │
│  │                                                        │    │
│  │  🔄 STATUS TRACKING                                    │    │
│  │  ├─ Real-time status dashboard                        │    │
│  │  ├─ Reminder automation                               │    │
│  │  └─ Escalation workflows                              │    │
│  │                                                        │    │
│  └─────────────────┬──────────────────────────────────────┘    │
│                    │                                            │
│                    ▼                                            │
│  ┌────────────────────────────────────────────────────────┐    │
│  │  DOCUMENT MANAGEMENT (Existing Phase 1.2)              │    │
│  │                                                        │    │
│  │  • GoBD-compliant storage                             │    │
│  │  • Immutable audit trail                              │    │
│  │  • Version control                                    │    │
│  │  • Search & retrieval                                 │    │
│  └────────────────────────────────────────────────────────┘    │
│                                                                  │
└──────────────────────────────────────────────────────────────────┘
                              ↕ HTTPS (OAuth 2.0)
┌──────────────────────────────────────────────────────────────────┐
│  DOCUSIGN eSignature REST API                                   │
├──────────────────────────────────────────────────────────────────┤
│                                                                  │
│  • 400+ API Endpoints                                           │
│  • Envelope Management                                          │
│  • Template Management                                          │
│  • Recipient Routing                                            │
│  • Webhook Events (DocuSign Connect)                            │
│  • Certificate of Completion (Audit Trail)                      │
│  • eIDAS Compliance (EU)                                        │
│                                                                  │
└──────────────────────────────────────────────────────────────────┘
                              ↕
┌──────────────────────────────────────────────────────────────────┐
│  RECIPIENTS                                                      │
├──────────────────────────────────────────────────────────────────┤
│                                                                  │
│  • Department Heads (Internal)                                  │
│  • CFO / Controllers (Internal)                                 │
│  • Vendors (External)                                           │
│  • Steuerberater (External)                                     │
│  • External Auditors (External)                                 │
│                                                                  │
└──────────────────────────────────────────────────────────────────┘

Data Model

-- DocuSign Configuration
CREATE TABLE docusign_config (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  tenant_id UUID NOT NULL REFERENCES tenants(id),
  integration_key TEXT NOT NULL,
  secret_key_encrypted TEXT NOT NULL,
  account_id TEXT NOT NULL,
  base_uri TEXT NOT NULL,
  is_active BOOLEAN DEFAULT TRUE,
  created_at TIMESTAMP DEFAULT NOW(),
  updated_at TIMESTAMP DEFAULT NOW()
);

-- DocuSign Tokens (per user)
CREATE TABLE docusign_tokens (
  user_id UUID PRIMARY KEY REFERENCES users(id),
  access_token TEXT NOT NULL,
  refresh_token TEXT NOT NULL,
  expires_at TIMESTAMP NOT NULL,
  account_id TEXT NOT NULL,
  base_uri TEXT NOT NULL,
  created_at TIMESTAMP DEFAULT NOW(),
  updated_at TIMESTAMP DEFAULT NOW()
);

-- Templates
CREATE TABLE docusign_templates (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  tenant_id UUID NOT NULL REFERENCES tenants(id),
  template_id TEXT NOT NULL, -- DocuSign template ID
  name TEXT NOT NULL,
  description TEXT,
  document_type TEXT NOT NULL, -- 'purchase_order', 'contract', 'invoice_approval', etc.
  roles JSONB NOT NULL, -- Array of role definitions
  is_active BOOLEAN DEFAULT TRUE,
  created_at TIMESTAMP DEFAULT NOW(),
  updated_at TIMESTAMP DEFAULT NOW()
);

-- Envelopes
CREATE TABLE docusign_envelopes (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  tenant_id UUID NOT NULL REFERENCES tenants(id),
  envelope_id TEXT NOT NULL UNIQUE, -- DocuSign envelope ID
  
  -- Link to Orcha entities
  approval_id UUID REFERENCES approvals(id),
  invoice_id UUID REFERENCES invoices(id),
  purchase_order_id UUID REFERENCES purchase_orders(id),
  contract_id UUID REFERENCES contracts(id),
  
  -- Envelope details
  template_id UUID REFERENCES docusign_templates(id),
  subject TEXT NOT NULL,
  status TEXT NOT NULL, -- 'created', 'sent', 'delivered', 'completed', 'declined', 'voided'
  
  -- Recipients
  recipients JSONB NOT NULL, -- Array of recipient objects
  
  -- Documents
  documents JSONB NOT NULL, -- Array of document metadata
  
  -- Audit trail
  sent_at TIMESTAMP,
  delivered_at TIMESTAMP,
  completed_at TIMESTAMP,
  voided_at TIMESTAMP,
  voided_reason TEXT,
  
  -- Signed document storage
  signed_document_url TEXT, -- S3 URL
  certificate_url TEXT, -- Certificate of Completion URL
  
  created_at TIMESTAMP DEFAULT NOW(),
  updated_at TIMESTAMP DEFAULT NOW()
);

CREATE INDEX idx_envelopes_status ON docusign_envelopes(status);
CREATE INDEX idx_envelopes_approval_id ON docusign_envelopes(approval_id);
CREATE INDEX idx_envelopes_invoice_id ON docusign_envelopes(invoice_id);

-- Envelope Events (from webhooks)
CREATE TABLE docusign_envelope_events (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  envelope_id TEXT NOT NULL REFERENCES docusign_envelopes(envelope_id),
  event_type TEXT NOT NULL, -- 'sent', 'delivered', 'completed', 'declined', 'voided', etc.
  recipient_email TEXT,
  recipient_name TEXT,
  status TEXT,
  ip_address INET,
  user_agent TEXT,
  timestamp TIMESTAMP NOT NULL,
  raw_payload JSONB NOT NULL,
  created_at TIMESTAMP DEFAULT NOW()
);

CREATE INDEX idx_envelope_events_envelope ON docusign_envelope_events(envelope_id);
CREATE INDEX idx_envelope_events_type ON docusign_envelope_events(event_type);

Use Cases: Orcha + DocuSign

Use Case 1: Purchase Order Approval & Vendor Acknowledgment

Flow:

1. Department Head creates PO in Orcha
2. Orcha AI validates PO (budget check, policy compliance)
3. PO requires signature → Orcha creates DocuSign envelope
4. DocuSign sends PO to:
   a. Department Head (signer, routing order 1)
   b. CFO (signer, routing order 2, if > €10K)
   c. Vendor (signer, routing order 3)
5. Recipients sign in sequence
6. DocuSign webhook → Orcha: "envelope completed"
7. Orcha downloads signed PO
8. Orcha stores in GoBD-compliant storage
9. Orcha activates PO (now legally binding)
10. Invoice matching can proceed against signed PO

Value:

Legally binding vendor commitment
Clear terms of service (quantities, prices, delivery dates)
Reduces disputes during invoice matching
Audit-ready documentation

UI in Orcha:

┌────────────────────────────────────────────────────────────────┐
│  PURCHASE ORDER PO-2024-1234                                   │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│  Status: Pending Signatures (2 of 3 completed)                │
│                                                                │
│  ✅ Maria Weber (Dept Head) - Signed Jan 5, 11:15 AM          │
│  ✅ Klaus Müller (CFO) - Signed Jan 5, 11:42 AM               │
│  ⏳ Johann Schmidt (Vendor) - Sent Jan 5, 11:45 AM            │
│                                                                │
│  [View Document] [Send Reminder] [Cancel Envelope]            │
│                                                                │
└────────────────────────────────────────────────────────────────┘

Use Case 2: Master Service Agreement (MSA) Execution

Scenario: CFO negotiates annual contract with office supplies vendor (€250K/year spend).

Flow:

1. CFO uploads MSA draft to Orcha
2. Legal review (internal or external)
3. CFO clicks "Send for Signature" in Orcha
4. Orcha creates DocuSign envelope from MSA Template
5. Sequential routing:
   a. CFO (signer, routing order 1)
   b. Vendor Legal (signer, routing order 2)
   c. Vendor CFO (signer, routing order 3)
6. All parties sign electronically
7. Signed MSA returned to Orcha
8. Orcha extracts contract terms (pricing, volume discounts, payment terms)
9. Contract terms feed into invoice validation rules
10. Procurement Intelligence monitors compliance

Value:

Accelerated contract execution (days → hours)
Automatic contract term extraction (no manual data entry)
Contract compliance monitoring (Phase 2)
Price creep detection against signed MSA

Orcha + DocuSign + AI:

Signed MSA → AI extracts terms → Contract compliance rules

Example:
"Vendor X must provide 2% early payment discount for payment within 10 days"
→ Orcha automatically flags invoices without discount
→ AP team follows up with vendor

Use Case 3: High-Value Invoice Approval (€50K+)

Scenario: German compliance requirements for large expenditures.

Flow:

1. Invoice arrives (€75K for IT equipment)
2. Orcha AI validates:
   ✓ 4-way match (invoice ↔ PO ↔ GR ↔ contract)
   ✓ Budget available
   ✓ No fraud signals
3. Orcha: "This invoice requires CFO signature (amount > €50K)"
4. Orcha creates DocuSign envelope with:
   - Original invoice PDF
   - 4-way match report
   - Budget impact summary
5. CFO receives email with full context
6. CFO signs electronically
7. Signed approval returned to Orcha
8. Orcha posts to GL and schedules payment

Value:

Audit defense: "CFO personally signed approval for €75K expense"
Non-repudiation: DocuSign Certificate proves CFO signed
Faster approvals: CFO can sign from phone (mobile DocuSign app)
Compliance: Meets Betriebsprüfung requirements

Use Case 4: Monthly Close Sign-Off (Festschreibung)

Scenario: German GoBD requires period locking with authorized signature.

Flow:

1. Controller completes month-end close in Orcha
2. All transactions reconciled (AP, bank, GL)
3. Controller clicks "Finalize Period" → Orcha creates envelope
4. Sequential routing:
   a. Controller (signer, routing order 1)
   b. CFO (signer, routing order 2)
   c. Steuerberater (CC, routing order 3)
5. Controller and CFO sign Festschreibung certificate
6. Steuerberater receives signed certificate + DATEV export
7. Period locked in Orcha (no further edits)

Value:

GoBD compliance: Festschreibung legally binding
Audit trail: Certificate of Completion proves authorized sign-off
Steuerberater confidence: No retroactive changes possible
Reduces audit risk and back-and-forth

Use Case 5: Vendor Self-Service Payment Requests

Scenario: Dynamic discounting (Phase 3.2) - vendor requests early payment.

Flow:

1. Vendor logs into Orcha vendor portal
2. Vendor sees unpaid invoices (€45K due in 25 days)
3. Vendor clicks "Request Early Payment"
4. Vendor offers 2% discount for payment in 5 days
5. Orcha calculates APR: 2% for 20 days = 36% APR
6. Orcha creates DocuSign envelope:
   - Early payment agreement
   - Amended invoice with discount
7. Routing:
   a. Vendor (signer, confirms discount offer)
   b. Orcha Treasurer (signer, accepts offer)
8. Both parties sign → Payment scheduled for day 5
9. Vendor receives payment early, Orcha saves €900

Value:

Legally binding discount agreements
Prevents disputes ("I didn't agree to that discount")
Audit trail for early payment programs
Scales dynamic discounting to 100+ vendors

Technical Implementation

Phase 1: Core Integration (Months 1-2)

Sprint 1: Authentication & Basic Envelope Creation

Deliverables:

OAuth 2.0 flow for DocuSign
Token storage and refresh logic
Create envelope from PDF
Basic status tracking

Code Example: OAuth Flow

(ns orcha.docusign.auth
  (:require [clj-http.client :as http]
            [cheshire.core :as json]
            [orcha.config :refer [config]]
            [orcha.db.docusign :as db]))

(def auth-base-url "https://account.docusign.com")
(def api-base-url "https://demo.docusign.net/restapi")

(defn get-authorization-url
  "Generate DocuSign OAuth authorization URL"
  [redirect-uri state]
  (str auth-base-url "/oauth/auth"
       "?response_type=code"
       "&scope=signature%20impersonation"
       "&client_id=" (:docusign-integration-key config)
       "&redirect_uri=" redirect-uri
       "&state=" state))

(defn exchange-code-for-token
  "Exchange authorization code for access token"
  [code]
  (let [response (http/post (str auth-base-url "/oauth/token")
                            {:form-params {:grant_type "authorization_code"
                                           :code code
                                           :client_id (:docusign-integration-key config)
                                           :client_secret (:docusign-secret-key config)}
                             :content-type :x-www-form-urlencoded
                             :as :json})]
    (:body response)))

(defn refresh-access-token
  "Refresh expired access token"
  [refresh-token]
  (let [response (http/post (str auth-base-url "/oauth/token")
                            {:form-params {:grant_type "refresh_token"
                                           :refresh_token refresh-token
                                           :client_id (:docusign-integration-key config)
                                           :client_secret (:docusign-secret-key config)}
                             :content-type :x-www-form-urlencoded
                             :as :json})]
    (:body response)))

(defn get-user-info
  "Fetch DocuSign user info (includes account ID and base URI)"
  [access-token]
  (let [response (http/get (str auth-base-url "/oauth/userinfo")
                           {:headers {"Authorization" (str "Bearer " access-token)}
                            :as :json})]
    (:body response)))

(defn store-tokens
  "Store access and refresh tokens for user"
  [user-id token-response]
  (let [user-info (get-user-info (:access_token token-response))
        account (first (:accounts user-info))
        expires-at (java.time.Instant/ofEpochSecond
                     (+ (System/currentTimeMillis) (* (:expires_in token-response) 1000)))]
    (db/upsert-token {:user-id user-id
                      :access-token (:access_token token-response)
                      :refresh-token (:refresh_token token-response)
                      :expires-at expires-at
                      :account-id (:account_id account)
                      :base-uri (:base_uri account)})))

(defn get-valid-token
  "Get valid access token for user (refresh if expired)"
  [user-id]
  (let [token (db/get-token user-id)]
    (if (and token (> (.getEpochSecond (:expires-at token))
                      (System/currentTimeMillis)))
      (:access-token token)
      (let [refreshed (refresh-access-token (:refresh-token token))]
        (store-tokens user-id refreshed)
        (:access_token refreshed)))))

Code Example: Create Envelope

(ns orcha.docusign.envelopes
  (:require [clj-http.client :as http]
            [cheshire.core :as json]
            [clojure.java.io :as io]
            [orcha.docusign.auth :as auth]
            [orcha.db.docusign :as db]
            [orcha.storage :as storage]))

(defn create-envelope
  "Create and send DocuSign envelope"
  [{:keys [user-id document-url subject recipients template-id template-data]}]
  (let [token (auth/get-valid-token user-id)
        token-info (db/get-token user-id)
        account-id (:account-id token-info)
        base-uri (:base-uri token-info)
        
        ;; Download document if URL provided
        document-base64 (when document-url
                          (-> (storage/download document-url)
                              (java.util.Base64/getEncoder)
                              (.encodeToString)))
        
        ;; Build envelope definition
        envelope-def (if template-id
                       ;; Template-based envelope
                       {:templateId template-id
                        :templateRoles recipients
                        :status "sent"}
                       ;; Document-based envelope
                       {:emailSubject subject
                        :documents [{:documentBase64 document-base64
                                     :name "document.pdf"
                                     :fileExtension "pdf"
                                     :documentId "1"}]
                        :recipients {:signers recipients}
                        :status "sent"})
        
        response (http/post (str base-uri "/v2.1/accounts/" account-id "/envelopes")
                            {:headers {"Authorization" (str "Bearer " token)
                                       "Content-Type" "application/json"}
                             :body (json/generate-string envelope-def)
                             :as :json})]
    (:body response)))

(defn get-envelope-status
  "Fetch envelope status from DocuSign"
  [user-id envelope-id]
  (let [token (auth/get-valid-token user-id)
        token-info (db/get-token user-id)
        account-id (:account-id token-info)
        base-uri (:base-uri token-info)
        
        response (http/get (str base-uri "/v2.1/accounts/" account-id
                                "/envelopes/" envelope-id)
                           {:headers {"Authorization" (str "Bearer " token)}
                            :as :json})]
    (:body response)))

(defn download-completed-document
  "Download signed document from DocuSign"
  [user-id envelope-id document-id]
  (let [token (auth/get-valid-token user-id)
        token-info (db/get-token user-id)
        account-id (:account-id token-info)
        base-uri (:base-uri token-info)
        
        response (http/get (str base-uri "/v2.1/accounts/" account-id
                                "/envelopes/" envelope-id
                                "/documents/" document-id)
                           {:headers {"Authorization" (str "Bearer " token)
                                      "Accept" "application/pdf"}
                            :as :byte-array})]
    (:body response)))

(defn download-certificate
  "Download Certificate of Completion (audit trail)"
  [user-id envelope-id]
  (let [token (auth/get-valid-token user-id)
        token-info (db/get-token user-id)
        account-id (:account-id token-info)
        base-uri (:base-uri token-info)
        
        response (http/get (str base-uri "/v2.1/accounts/" account-id
                                "/envelopes/" envelope-id
                                "/documents/certificate")
                           {:headers {"Authorization" (str "Bearer " token)
                                      "Accept" "application/pdf"}
                            :as :byte-array})]
    (:body response)))

Sprint 2: Webhook Integration & Status Tracking

Deliverables:

Webhook endpoint for DocuSign Connect
Event handler for envelope status changes
Automatic download of signed documents
Status dashboard UI

Code Example: Webhook Handler

(ns orcha.docusign.webhooks
  (:require [ring.middleware.json :refer [wrap-json-body]]
            [cheshire.core :as json]
            [orcha.db.docusign :as db]
            [orcha.docusign.envelopes :as envelopes]
            [orcha.storage :as storage]
            [orcha.workflows.approvals :as approvals]
            [clojure.tools.logging :as log]))

(defn verify-docusign-signature
  "Verify HMAC signature from DocuSign Connect"
  [payload signature secret]
  ;; DocuSign signs webhook payloads with HMAC-SHA256
  (let [calculated-sig (-> (javax.crypto.Mac/getInstance "HmacSHA256")
                           (doto (.init (javax.crypto.spec.SecretKeySpec.
                                          (.getBytes secret) "HmacSHA256")))
                           (.doFinal (.getBytes payload))
                           (java.util.Base64/getEncoder)
                           (.encodeToString))]
    (= calculated-sig signature)))

(defn handle-envelope-completed
  "Handle envelope completion event"
  [envelope-data]
  (let [envelope-id (:envelopeId envelope-data)
        envelope-record (db/get-envelope-by-envelope-id envelope-id)]
    
    (when envelope-record
      ;; 1. Download signed document
      (let [user-id (:user-id envelope-record)
            signed-doc (envelopes/download-completed-document
                         user-id envelope-id "1")
            certificate (envelopes/download-certificate user-id envelope-id)
            
            ;; 2. Store in S3 (GoBD-compliant)
            signed-url (storage/upload-document
                         signed-doc
                         {:type :signed-document
                          :envelope-id envelope-id
                          :tenant-id (:tenant-id envelope-record)})
            
            cert-url (storage/upload-document
                       certificate
                       {:type :certificate-of-completion
                        :envelope-id envelope-id
                        :tenant-id (:tenant-id envelope-record)})]
        
        ;; 3. Update envelope record
        (db/update-envelope envelope-id
                            {:status "completed"
                             :completed-at (java.time.Instant/now)
                             :signed-document-url signed-url
                             :certificate-url cert-url})
        
        ;; 4. Trigger downstream workflows
        (when (:approval-id envelope-record)
          (approvals/mark-approved (:approval-id envelope-record)))
        
        (when (:purchase-order-id envelope-record)
          (activate-purchase-order (:purchase-order-id envelope-record)))
        
        (log/info "Envelope completed and processed" {:envelope-id envelope-id})))))

(defn handle-envelope-declined
  "Handle envelope declined event"
  [envelope-data]
  (let [envelope-id (:envelopeId envelope-data)
        declined-by (:recipients envelope-data)
        reason (:declinedReason envelope-data)]
    
    (db/update-envelope envelope-id
                        {:status "declined"
                         :voided-at (java.time.Instant/now)
                         :voided-reason (str "Declined by: " reason)})
    
    ;; Notify stakeholders
    (send-notification {:type :envelope-declined
                        :envelope-id envelope-id
                        :reason reason})
    
    (log/warn "Envelope declined" {:envelope-id envelope-id :reason reason})))

(defn docusign-webhook-handler
  "Main webhook handler endpoint"
  [request]
  (let [payload (slurp (:body request))
        signature (get-in request [:headers "x-docusign-signature-1"])
        secret (:docusign-webhook-secret config)]
    
    ;; Verify signature
    (if (verify-docusign-signature payload signature secret)
      (let [event-data (json/parse-string payload true)
            envelope-status (get-in event-data [:envelopeStatus :status])]
        
        ;; Log event
        (db/insert-envelope-event
          {:envelope-id (get-in event-data [:envelopeStatus :envelopeId])
           :event-type envelope-status
           :raw-payload event-data
           :timestamp (java.time.Instant/now)})
        
        ;; Handle based on status
        (case envelope-status
          "completed" (handle-envelope-completed (:envelopeStatus event-data))
          "declined" (handle-envelope-declined (:envelopeStatus event-data))
          "voided" (handle-envelope-voided (:envelopeStatus event-data))
          (log/debug "Unhandled envelope status" {:status envelope-status}))
        
        {:status 200 :body "OK"})
      
      ;; Invalid signature
      (do
        (log/error "Invalid DocuSign webhook signature")
        {:status 401 :body "Unauthorized"}))))

(def webhook-routes
  ["/api/webhooks/docusign"
   {:post {:handler docusign-webhook-handler
           :middleware [wrap-json-body]}}])

Phase 2: Template Management & Advanced Workflows (Months 3-4)

Sprint 3: Template Creation & Management

Deliverables:

UI for creating/editing templates
Template library (PO, MSA, Invoice Approval, etc.)
Merge fields for dynamic data
Template versioning

Code Example: Template Service

(ns orcha.docusign.templates
  (:require [orcha.docusign.auth :as auth]
            [clj-http.client :as http]
            [cheshire.core :as json]
            [orcha.db.docusign :as db]))

(defn create-template
  "Create reusable DocuSign template"
  [{:keys [user-id name description roles documents]}]
  (let [token (auth/get-valid-token user-id)
        token-info (db/get-token user-id)
        account-id (:account-id token-info)
        base-uri (:base-uri token-info)
        
        template-def {:name name
                      :description description
                      :emailSubject (str "Please sign: " name)
                      :shared "false"
                      :documents documents
                      :recipients {:signers roles}}
        
        response (http/post (str base-uri "/v2.1/accounts/" account-id "/templates")
                            {:headers {"Authorization" (str "Bearer " token)
                                       "Content-Type" "application/json"}
                             :body (json/generate-string template-def)
                             :as :json})]
    (:body response)))

(defn list-templates
  "List all templates for account"
  [user-id]
  (let [token (auth/get-valid-token user-id)
        token-info (db/get-token user-id)
        account-id (:account-id token-info)
        base-uri (:base-uri token-info)
        
        response (http/get (str base-uri "/v2.1/accounts/" account-id "/templates")
                           {:headers {"Authorization" (str "Bearer " token)}
                            :as :json})]
    (get-in response [:body :envelopeTemplates])))

;; Example: Purchase Order Template
(def purchase-order-template
  {:name "Purchase Order Approval"
   :description "Standard PO approval workflow with vendor acknowledgment"
   :roles [{:roleName "Department Head"
            :routingOrder "1"
            :tabs {:signHereTabs [{:anchorString "/dept_sig/"
                                   :anchorXOffset "0"
                                   :anchorYOffset "0"}]
                   :dateSignedTabs [{:anchorString "/dept_date/"
                                     :anchorXOffset "0"
                                     :anchorYOffset "0"}]
                   :textTabs [{:tabLabel "PO_Number"
                               :value ""
                               :anchorString "/po_number/"
                               :anchorXOffset "0"
                               :anchorYOffset "0"}
                              {:tabLabel "Amount"
                               :value ""
                               :anchorString "/amount/"
                               :anchorXOffset "0"
                               :anchorYOffset "0"}]}}
           {:roleName "CFO"
            :routingOrder "2"
            :tabs {:signHereTabs [{:anchorString "/cfo_sig/"
                                   :anchorXOffset "0"
                                   :anchorYOffset "0"}]
                   :dateSignedTabs [{:anchorString "/cfo_date/"
                                     :anchorXOffset "0"
                                     :anchorYOffset "0"}]}}
           {:roleName "Vendor"
            :routingOrder "3"
            :tabs {:signHereTabs [{:anchorString "/vendor_sig/"
                                   :anchorXOffset "0"
                                   :anchorYOffset "0"}]
                   :dateSignedTabs [{:anchorString "/vendor_date/"
                                     :anchorXOffset "0"
                                     :anchorYOffset "0"}]
                   :textTabs [{:tabLabel "Vendor_Name"
                               :value ""
                               :anchorString "/vendor_name/"
                               :anchorXOffset "0"
                               :anchorYOffset "0"}]}}]})

Sprint 4: Advanced Routing & Conditional Logic

Deliverables:

Conditional routing rules
Escalation workflows (reminders, auto-escalate if not signed)
Bulk envelope creation
Analytics dashboard

Code Example: Conditional Routing

(defn create-approval-envelope
  "Create envelope with conditional routing based on amount"
  [{:keys [invoice approval-amount department-head cfo vendor]}]
  (let [requires-cfo? (> approval-amount 10000)
        
        recipients (cond-> []
                     ;; Always include department head
                     true (conj {:roleName "Department Head"
                                 :name (:name department-head)
                                 :email (:email department-head)
                                 :routingOrder "1"})
                     
                     ;; Add CFO if amount > €10K
                     requires-cfo? (conj {:roleName "CFO"
                                          :name (:name cfo)
                                          :email (:email cfo)
                                          :routingOrder "2"})
                     
                     ;; Vendor always last
                     true (conj {:roleName "Vendor"
                                 :name (:name vendor)
                                 :email (:email vendor)
                                 :routingOrder (if requires-cfo? "3" "2")}))]
    
    (envelopes/create-envelope
      {:user-id (:user-id invoice)
       :template-id (get-template-id :purchase-order)
       :recipients recipients
       :subject (str "Purchase Order Approval - " (:invoice-number invoice))})))

Business Value & ROI

Quantified Value (500-employee SME)

1. Time Savings

Before DocuSign:

Purchase order approvals: 3-5 days (email chains, printing, scanning)
Contract execution: 1-2 weeks (mail signatures, track documents)
High-value invoice approvals: 2-3 days (physical signature requirement)

After DocuSign:

Purchase order approvals: 2-4 hours (electronic signatures)
Contract execution: 1-2 days (sequential electronic signing)
High-value invoice approvals: 1-2 hours (mobile signing)

Time Saved:

PO approvals: 200/year × 2.5 days = 500 days → 100 days = 400 days saved
Contracts: 50/year × 10 days = 500 days → 50 days = 450 days saved
Invoice approvals: 100/year × 1.5 days = 150 days → 10 days = 140 days saved

Total: 990 days/year = €100,000-150,000 in productivity gains

2. Audit & Compliance Value

Audit Defense:

DocuSign Certificate of Completion is legally recognized in Germany
Reduces audit time by 20-30% (instant document retrieval, tamper-proof signatures)
Prevents penalties for insufficient documentation

Value: €20,000-50,000/year in audit cost savings

Compliance Confidence:

eIDAS-compliant electronic signatures (EU standard)
GoBD-compliant audit trail (immutable, timestamped)
Non-repudiation (proof of signer identity and intent)

Value: Risk mitigation (unquantified, but critical)

3. Vendor Relationship Value

Early Payment Discounts (Phase 3.2):

Legally binding discount agreements → scales dynamic discounting
Vendors willing to offer better terms with secure signature process

Value: Enables €200,000/year in early payment discounts

Contract Compliance (Phase 2.1):

Signed MSAs with clear terms → reduces invoice disputes
Automatic extraction of contract terms → improves procurement intelligence

Value: Reduces disputes, improves vendor scorecards

4. Growth Enablement

Scale Approvals:

As company grows (500 → 1,000 employees), approval volume doubles
DocuSign scales effortlessly (no additional headcount)

Value: €50,000-100,000/year in avoided headcount costs (at scale)

Total ROI

Annual Value:

Time savings: €100-150K
Audit cost reduction: €20-50K
Enables early payment discounts: €200K
Total: €320-400K/year

Implementation Cost:

DocuSign Business Pro: ~€40-60/user/year
Integration development: €30-50K (one-time)
Maintenance: €10K/year

ROI: 5-8x in Year 1, 10-15x in Year 2+

Legal & Compliance: German Context

eIDAS Regulation (EU)

DocuSign provides three levels of electronic signatures under eIDAS:

Simple Electronic Signature (SES)
- Standard DocuSign signature
- Legally binding for most business transactions
- Sufficient for: POs, invoices, internal approvals
Advanced Electronic Signature (AES)
- DocuSign Express Signature
- Uniquely linked to signer, capable of identifying signer
- Sufficient for: Contracts, MSAs, high-value approvals
Qualified Electronic Signature (QES)
- DocuSign ID Verification (with qualified certificate)
- Equivalent to handwritten signature under EU law
- Required for: Real estate contracts, bank loans, notarized documents

Orcha Recommendation:

Phase 1: SES for internal approvals (POs, invoices)
Phase 2: AES for vendor contracts (MSAs, amendments)
Phase 3: QES for audit-critical transactions (optional, based on customer need)

BGB §126a (German Civil Code)

German law recognizes electronic signatures as equivalent to handwritten signatures if:

Signature is uniquely linked to the signer
Signer can be identified with certainty
Signature is created using means under signer's sole control
Signature is linked to the data in such a way that any subsequent change is detectable

DocuSign Compliance: ✅ Yes, DocuSign AES meets all requirements.

GoBD Compliance

DocuSign integrates with GoBD requirements:

Immutability: Certificate of Completion includes document hash (tamper detection)
Audit Trail: Complete record of all actions (viewed, signed, timestamp, IP)
Retention: Signed documents stored in Orcha GoBD-compliant storage
Festschreibung: Period lock includes DocuSign-signed certificate

Orcha Implementation:

Store signed documents in S3 with write-once, read-many (WORM) configuration
Certificate of Completion archived alongside signed document
All events logged in immutable event table

Competitive Advantage

Why DocuSign > Alternatives?

1. Market Leader

1.5M+ customers worldwide
Industry-standard platform (buyers know it)
Reduces sales friction ("We already use DocuSign")

2. Legal Recognized

eIDAS-compliant (EU)
Accepted by German courts and auditors
Steuerberater comfortable with DocuSign audit trails

3. API Maturity

400+ endpoints (most comprehensive API)
Extensive documentation and SDKs
Active developer community

4. Integration Ecosystem

Pre-built integrations with ERP systems (SAP, Dynamics)
DATEV compatibility (important for German market)
Webhook reliability (99.9% delivery SLA)

5. User Experience

Mobile apps (iOS, Android)
Signing from any device (no account required)
Multi-language support (German UI)

Alternatives Considered

SignNow (barracuda):

✅ Lower cost
❌ Less German market penetration
❌ API less mature

Adobe Sign:

✅ Comparable features
❌ More expensive
❌ Less developer-friendly API

Build In-House:

✅ Full control
❌ High development cost (€200-300K)
❌ Legal risk (eIDAS compliance burden)
❌ User adoption (external parties prefer known platforms)

Decision: DocuSign is the best balance of features, cost, legal compliance, and market acceptance for German SMEs.

Implementation Roadmap

Timeline: 4 Months

Month 1: Core Integration

Sprint 1: OAuth, basic envelope creation, status tracking
Sprint 2: Webhooks, automatic document download

Month 2: Approval Workflows

Sprint 3: PO approval workflow with DocuSign
Sprint 4: High-value invoice approval workflow

Month 3: Templates & Contracts

Sprint 5: Template management UI
Sprint 6: MSA execution workflow

Month 4: Advanced Features

Sprint 7: Conditional routing, escalations
Sprint 8: Analytics dashboard, reporting

Success Metrics

Phase 1 (Months 1-2):

50+ envelopes created per month
90%+ completion rate within 48 hours
Zero webhook delivery failures
95%+ user satisfaction (approvers love it)

Phase 2 (Months 3-4):

200+ envelopes per month (POs, contracts, invoices)
80%+ of contracts executed electronically
100% audit trail coverage
€100K+ time savings realized

Long-Term (12 months):

1,000+ envelopes per month
95%+ electronic signature adoption
€320-400K annual value delivered
Enables dynamic discounting (€200K/year)

User Experience: Key Screens

Screen 1: Approval with DocuSign Integration

┌────────────────────────────────────────────────────────────────┐
│  🤖 APPROVAL REQUEST: Purchase Order PO-2024-1234              │
│  Vendor: Acme Office Supplies | Amount: €8,450                │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│  ✅ 4-WAY MATCH VALIDATION                                     │
│  ✓ Invoice matches PO (variance: -0.6%)                       │
│  ✓ Goods received and confirmed                               │
│  ✓ Contract terms compliant                                   │
│                                                                │
│  🤖 AI RECOMMENDATION: AUTO-APPROVE (98% confidence)           │
│                                                                │
│  ⚠️  SIGNATURE REQUIRED (Amount > €5,000)                      │
│                                                                │
│  This purchase order requires your electronic signature       │
│  to create a legally binding agreement with the vendor.       │
│                                                                │
│  By signing, you:                                             │
│  • Authorize the purchase of goods/services as specified      │
│  • Commit to payment terms (net 30 days)                      │
│  • Create enforceable contract with vendor                    │
│                                                                │
│  ┌──────────────────────────────────────────────────────────┐ │
│  │  [✍️ SIGN WITH DOCUSIGN]                                  │ │
│  │                                                           │ │
│  │  Signing process:                                         │ │
│  │  1. You sign electronically                               │ │
│  │  2. CFO signs (if applicable)                             │ │
│  │  3. Vendor acknowledges terms                             │ │
│  │  4. Signed PO returned to Orcha                           │ │
│  └──────────────────────────────────────────────────────────┘ │
│                                                                │
│  [❌ REJECT] [⏸️ HOLD] [📄 VIEW DETAILS]                       │
│                                                                │
└────────────────────────────────────────────────────────────────┘

Screen 2: Envelope Status Tracking

┌────────────────────────────────────────────────────────────────┐
│  DOCUSIGN ENVELOPES - ACTIVE                                   │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│  PO-2024-1234 | Acme Office Supplies | €8,450                 │
│  Status: Waiting for signatures (2 of 3 completed)            │
│                                                                │
│  ✅ Maria Weber (Dept Head) - Signed Jan 5, 11:15 AM          │
│  ✅ Klaus Müller (CFO) - Signed Jan 5, 11:42 AM               │
│  ⏳ Johann Schmidt (Vendor) - Sent Jan 5, 11:45 AM            │
│     Last viewed: Jan 5, 2:30 PM                                │
│                                                                │
│  [📧 Send Reminder] [❌ Cancel] [📄 View Document]             │
│                                                                │
│  ─────────────────────────────────────────────────────────────  │
│                                                                │
│  MSA-2024-0045 | IT Services GmbH | Annual Contract           │
│  Status: Completed ✅ (Jan 3, 4:15 PM)                         │
│                                                                │
│  ✅ Klaus Müller (CFO) - Signed Jan 3, 10:22 AM               │
│  ✅ Hans Becker (Vendor Legal) - Signed Jan 3, 2:15 PM        │
│  ✅ Anna Schmidt (Vendor CFO) - Signed Jan 3, 4:12 PM         │
│                                                                │
│  [📥 Download] [🔍 View Certificate] [📊 Extract Terms]        │
│                                                                │
└────────────────────────────────────────────────────────────────┘

Screen 3: Template Library

┌────────────────────────────────────────────────────────────────┐
│  DOCUSIGN TEMPLATES                                            │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│  Purchase Order Approval                                       │
│  Roles: Department Head → CFO (conditional) → Vendor          │
│  Used: 147 times | Avg completion: 18 hours                   │
│  [📝 Edit] [📋 Use Template] [📊 Analytics]                    │
│                                                                │
│  ─────────────────────────────────────────────────────────────  │
│                                                                │
│  Master Service Agreement                                      │
│  Roles: CFO → Vendor Legal → Vendor CFO                       │
│  Used: 23 times | Avg completion: 2.3 days                    │
│  [📝 Edit] [📋 Use Template] [📊 Analytics]                    │
│                                                                │
│  ─────────────────────────────────────────────────────────────  │
│                                                                │
│  High-Value Invoice Approval (>€50K)                           │
│  Roles: Controller → CFO                                       │
│  Used: 89 times | Avg completion: 4 hours                     │
│  [📝 Edit] [📋 Use Template] [📊 Analytics]                    │
│                                                                │
│  ─────────────────────────────────────────────────────────────  │
│                                                                │
│  [➕ CREATE NEW TEMPLATE]                                      │
│                                                                │
└────────────────────────────────────────────────────────────────┘

Risk Analysis & Mitigation

Technical Risks

1. DocuSign API Downtime

Risk: DocuSign API unavailable → can't send envelopes
Mitigation:
- Queue envelopes for retry (SQS)
- Fallback: Allow internal-only approvals to proceed
- DocuSign SLA: 99.9% uptime

2. Webhook Delivery Failure

Risk: Miss envelope completion event → don't download signed docs
Mitigation:
- Poll envelope status every 15 minutes (backup)
- Implement webhook retry logic
- Alert on missing webhook events

3. Token Expiration

Risk: Access token expires mid-request
Mitigation:
- Proactive token refresh (refresh 1 hour before expiry)
- Automatic retry with refreshed token

Business Risks

1. User Adoption

Risk: Approvers resist electronic signatures
Mitigation:
- Emphasize time savings (approve from phone)
- Show legal compliance (equally valid as handwritten)
- Gradual rollout (start with tech-savvy users)

2. External Party Resistance

Risk: Vendors refuse to use DocuSign
Mitigation:
- DocuSign is industry-standard (high acceptance)
- Offer alternative: Manual signing (fallback)
- Emphasize benefits: Faster payment, better relationship

3. Legal Challenges

Risk: Signature disputed in court
Mitigation:
- Use DocuSign AES (eIDAS-compliant)
- Store Certificate of Completion (audit trail)
- Legal review of high-value contracts (€100K+)

Compliance Risks

1. GoBD Non-Compliance

Risk: Signed documents not properly archived
Mitigation:
- Automatic download to GoBD-compliant storage
- Immutable storage (write-once, read-many)
- Certificate of Completion archived alongside document

2. Data Privacy (GDPR)

Risk: Recipient data stored improperly
Mitigation:
- DocuSign is GDPR-compliant (EU data centers)
- Minimize data sent to DocuSign (only required fields)
- Data retention policy (auto-delete after 7 years)

White-Labeling, User Experience & Licensing Strategy

1. White-Labeling Capabilities

DocuSign is NOT fully white-labeled, but offers significant branding customization:

What You CAN Customize

✅ Email Branding

Your company logo in signature request emails
Company name and colors
Custom email templates with your messaging
Sender email address (noreply@orcha.com with DKIM setup)

✅ Signing Page Branding

Your logo appears during the signing ceremony
Custom colors matching Orcha brand guidelines
Custom fonts (from DocuSign's supported list)
Custom button text and labels

✅ Email Templates

Write your own email copy
Customize subject lines
Add custom instructions and context
Localize to German language

What You CANNOT Hide

❌ "Powered by DocuSign" Branding

Appears in email footer
Visible on signing pages
Required by DocuSign terms of service
Industry standard (not seen as negative)

❌ DocuSign URLs

Signing links go to docusign.net domain
Cannot use custom domain for signing pages
Mobile app shows "DocuSign" branding

❌ DocuSign Mobile App

Recipients see "DocuSign" when signing on mobile
No white-label mobile app option
However, this is actually a positive (users trust DocuSign brand)

Example: What Recipients See

Email:

From: Orcha Approvals <noreply@orcha.com>
Subject: Please sign: Purchase Order PO-2024-1234

[ORCHA LOGO]

Hi Johann,

Maria Weber from Acme GmbH has requested your signature 
on a purchase order (€8,450.00).

[REVIEW AND SIGN BUTTON]

This document is managed by Orcha and secured by DocuSign.

---
Powered by DocuSign | View in DocuSign App

Assessment: The branding is professional and acceptable. Most recipients recognize DocuSign as a trusted platform, which actually increases trust rather than detracting from Orcha's brand.

2. User Experience: Embedded vs External Signing

Option A: Embedded Signing (Recommended for Orcha Users)

For Internal Users (Orcha Customers):

Users never leave the Orcha platform:

┌────────────────────────────────────────────────────────┐
│  ORCHA PLATFORM (orcha.com)                            │
│  ┌──────────────────────────────────────────────────┐  │
│  │ APPROVAL REQUEST PO-2024-1234                    │  │
│  │ Amount: €8,450                                   │  │
│  │                                                  │  │
│  │ ✅ 4-Way Match Complete                          │  │
│  │ 🤖 AI Recommends: APPROVE                        │  │
│  │                                                  │  │
│  │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━  │  │
│  │                                                  │  │
│  │ [Embedded DocuSign Signing Iframe Below]        │  │
│  │ ┌──────────────────────────────────────────────┐│  │
│  │ │ Please sign to approve this purchase order   ││  │
│  │ │                                              ││  │
│  │ │ ┌──────────────────────────────────────┐    ││  │
│  │ │ │ [Your Signature Here]                │    ││  │
│  │ │ └──────────────────────────────────────┘    ││  │
│  │ │                                              ││  │
│  │ │ Date: January 5, 2026                       ││  │
│  │ │                                              ││  │
│  │ │ [✅ SIGN AND APPROVE]                        ││  │
│  │ │                                              ││  │
│  │ │ Small "Powered by DocuSign" footer          ││  │
│  │ └──────────────────────────────────────────────┘│  │
│  └──────────────────────────────────────────────────┘  │
└────────────────────────────────────────────────────────┘

Implementation:

(defn get-embedded-signing-url
  "Generate embedded signing URL for display in Orcha iframe"
  [envelope-id recipient-id user-email user-name]
  (let [token (auth/get-valid-token)
        response (http/post 
                   (str base-uri "/envelopes/" envelope-id 
                        "/views/recipient")
                   {:headers {"Authorization" (str "Bearer " token)
                              "Content-Type" "application/json"}
                    :body (json/generate-string
                            {:returnUrl "https://orcha.com/approvals/complete"
                             :authenticationMethod "email"
                             :email user-email
                             :userName user-name
                             :clientUserId recipient-id})
                    :as :json})]
    (-> response :body :url)))

;; Frontend: Display in iframe
;; <iframe src={embeddedSigningUrl} 
;;         width="100%" 
;;         height="600px"
;;         frameborder="0" />

User Experience:

✅ User stays in Orcha the entire time
✅ Seamless experience (no context switching)
✅ No docusign.net URL visible
✅ Completion returns to Orcha immediately
❌ Small "Powered by DocuSign" footer remains

Option B: Email Link (For External Parties)

For External Users (Vendors, Steuerberater):

They must use DocuSign's signing pages:

Vendor receives email from DocuSign (with Orcha branding)
Clicks link → Opens docusign.net signing page
Signs document on DocuSign page
Receives confirmation email
Orcha receives webhook notification

User Experience:

✅ No Orcha account required for vendors
✅ Mobile-friendly (DocuSign apps for iOS/Android)
✅ Industry-standard process (vendors expect this)
❌ Full DocuSign branding visible

Why This is Actually Good:

Vendors trust DocuSign more than unknown platforms
Many vendors already have DocuSign accounts (auto-login)
Reduces friction (no new platform to learn)
Signing from mobile app is very common

3. License Costs & Pricing Models

Model A: Orcha as Master Account (Recommended)

How It Works:

Orcha purchases one DocuSign Business Pro account
Orcha pays for all envelopes on behalf of customers
Customers never interact with DocuSign billing
Everything bundled in Orcha subscription

DocuSign Pricing:

Base Account:
├─ DocuSign Business Pro: $40-50/user/month
├─ Minimum: 3 users required = $120-150/month base
└─ API access included

Envelope Fees:
├─ Standard envelopes: $0.50 per envelope
├─ Advanced envelopes: $1.00 per envelope (complex routing)
└─ Volume discounts kick in at 5,000+/month

Example Calculation (50 Orcha customers):
├─ Base: $150/month
├─ Average: 200 envelopes/customer/month = 10,000 envelopes
├─ Cost: $150 + (10,000 × $0.50) = $5,150/month
└─ Per customer: $103/month average

Volume Pricing (Negotiable at Scale):

Tier 1: 0-5,000 envelopes/month
  → $0.50 per envelope

Tier 2: 5,000-20,000 envelopes/month
  → $0.35 per envelope (30% discount)

Tier 3: 20,000-50,000 envelopes/month
  → $0.25 per envelope (50% discount)

Enterprise: 50,000+ envelopes/month
  → Flat fee negotiation (e.g., $10K/month unlimited)
  → Effective: $0.10-0.20 per envelope

Orcha's Pricing to Customers:

Option 1: Add-On Pricing
├─ Base Orcha subscription: €299/month
├─ DocuSign Electronic Signatures: +€89/month
│   ├─ Includes: 200 envelopes/month
│   └─ Additional: €0.50 per envelope
└─ Total: €388/month

Option 2: Bundled Pricing
├─ Orcha Premium: €349/month
│   ├─ AP Automation
│   ├─ Procurement Intelligence
│   ├─ DocuSign Signatures (200 envelopes)
│   └─ All features included
└─ Simplifies sales (one price)

Profitability Analysis:

At Launch (50 customers, no volume discount):

Revenue: 50 customers × €89/month = €4,450/month
Cost: $150 base + (10,000 × $0.50) = $5,150/month (€4,850)
Margin: -€400/month (8% loss initially)

At Scale (100 customers, Tier 2 volume discount):

Revenue: 100 customers × €89/month = €8,900/month
Cost: $150 base + (20,000 × $0.35) = $7,150/month (€6,700)
Margin: +€2,200/month (25% profit)

At Enterprise Scale (200+ customers, flat fee deal):

Revenue: 200 customers × €89/month = €17,800/month
Cost: $10,000/month flat (€9,400)
Margin: +€8,400/month (47% profit)

Recommendation: Accept initial loss leader to gain market share, negotiate volume discount at 100+ customers.

Model B: Customer BYO Account (NOT Recommended)

How It Works:

Each Orcha customer purchases their own DocuSign account
Customer pays DocuSign directly
Orcha just provides API integration

Pricing:

Per Customer:
├─ DocuSign Business Pro: $40-65/user/month
├─ Typical: 2-5 users (CFO, Controller, Approvers)
├─ Total: $80-325/month paid to DocuSign
└─ Orcha integration fee: €25/month

Why NOT Recommended:

❌ Complex Onboarding

Customer must sign up with DocuSign separately
Two vendors to coordinate with
2-4 weeks onboarding vs instant with Model A

❌ Support Nightmare

"Is this an Orcha issue or DocuSign issue?"
Two support channels (confusion)
Finger-pointing between vendors

❌ Higher Perceived Cost

Customer sees: €299 Orcha + €200 DocuSign = €499 total
Looks expensive compared to bundled €349

❌ Competitive Disadvantage

Competitors bundle everything (simpler story)
Sales cycle lengthens (two purchase decisions)

✅ Only Advantage: Orcha has zero DocuSign costs

Decision: Model A (Orcha as master account) is strongly recommended despite initial loss leader.

4. Do Customers Need Their Own DocuSign Account?

Answer: NO - Orcha creates "virtual users" for them

JWT Grant Authentication (Best Approach)

How It Works:

┌─────────────────────────────────────────────────────────┐
│  ORCHA'S DOCUSIGN MASTER ACCOUNT                        │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  Virtual User 1: maria@customer-a.de (CFO)              │
│  Virtual User 2: klaus@customer-a.de (Controller)       │
│  Virtual User 3: anna@customer-b.de (CFO)               │
│  Virtual User 4: thomas@customer-b.de (Controller)      │
│  ...                                                    │
│  Virtual User N: [Unlimited users]                      │
│                                                         │
└─────────────────────────────────────────────────────────┘

Implementation Steps:

One-Time Setup: Orcha Gets DocuSign Account

1. Orcha signs up for DocuSign Business Pro
2. Orcha creates integration (gets Integration Key + Secret)
3. Orcha enables JWT Grant in DocuSign admin
4. Orcha generates RSA key pair for JWT signing

Per Customer: Create Virtual User

(defn create-virtual-docusign-user
  "Create virtual DocuSign user for Orcha customer (no real account)"
  [orcha-user-id email name]
  (let [;; Generate JWT token for Orcha's account
        jwt-token (generate-jwt-token 
                    {:integration-key orcha-integration-key
                     :user-id orcha-docusign-account-id
                     :scopes ["signature" "impersonation"]
                     :expires-in 3600})
        
        ;; Get access token
        access-token (exchange-jwt-for-token jwt-token)
        
        ;; Create impersonation consent (one-time per user)
        consent (grant-impersonation-consent 
                  access-token 
                  {:email email 
                   :name name
                   :client-user-id (str "orcha-" orcha-user-id)})]
    
    ;; Store mapping in Orcha database
    (db/insert :docusign-virtual-users
               {:orcha-user-id orcha-user-id
                :docusign-user-id (:user-id consent)
                :email email
                :name name
                :client-user-id (str "orcha-" orcha-user-id)
                :consent-granted-at (now)})))

Per Envelope: Send on Behalf of User

(defn send-envelope-as-user
  "Send DocuSign envelope impersonating Orcha user"
  [orcha-user-id envelope-data]
  (let [virtual-user (db/get-virtual-user orcha-user-id)
        
        ;; Generate JWT for this specific user
        jwt-token (generate-jwt-token 
                    {:integration-key orcha-integration-key
                     :user-id (:docusign-user-id virtual-user)
                     :account-id orcha-docusign-account-id
                     :scopes ["signature" "impersonation"]
                     :expires-in 3600})
        
        access-token (exchange-jwt-for-token jwt-token)]
    
    ;; Create envelope (appears to come from virtual-user)
    (docusign/create-envelope access-token envelope-data)))

User Experience:

First Time Only (One-Time Consent):

┌────────────────────────────────────────────────────────┐
│  DOCUSIGN CONSENT REQUEST                              │
├────────────────────────────────────────────────────────┤
│                                                        │
│  Orcha would like to send documents for signature     │
│  on your behalf using DocuSign.                        │
│                                                        │
│  By approving, you allow:                              │
│  • Orcha to send envelopes from your email            │
│  • Recipients to see your name as sender               │
│  • DocuSign to process documents securely              │
│                                                        │
│  [APPROVE] [LEARN MORE]                                │
│                                                        │
└────────────────────────────────────────────────────────┘

After Approval:

User never sees DocuSign again (unless signing)
All envelope management in Orcha
Signing is embedded (iframe) or via email link
No separate DocuSign login needed

Cost Impact:

Orcha pays per envelope ($0.50 each)
NO per-user seat fees (virtual users don't count)
Scalable to unlimited Orcha users
Only 3 base seats required ($120-150/month total)

5. Recommended Implementation Strategy

Phase 1: Embedded Signing for Internal Users

Month 1-2:

Orcha gets DocuSign Business Pro account
Implement JWT Grant authentication
Create virtual users for each Orcha user (one-time consent)
Embed signing ceremony in Orcha UI (iframe)
Handle webhooks for completion events

Customer Experience:

Customer signs up for Orcha (€349/month with DocuSign)
No separate DocuSign account needed
First signature request: one-time consent popup
After that: seamless signing in Orcha
Never see docusign.net URLs

Cost:

$150/month base + $0.50 per envelope
At 200 envelopes/customer/month: ~€100/customer/month
Charge €89/month → Slight loss initially, profitable at scale

Phase 2: External Party Signing

Month 3-4:

Send envelopes to external parties (vendors, Steuerberater)
They receive branded emails with DocuSign links
Sign on DocuSign pages (full DocuSign branding)
Webhook notifies Orcha of completion

Vendor Experience:

Receives email: "Orcha (via DocuSign) has sent you a document"
Clicks link → docusign.net page with Orcha logo
Signs → Confirmation
No Orcha account required

Cost: Same per-envelope fee ($0.50)

Phase 3: Volume Negotiation

Month 6+ (at 10,000+ envelopes/month):

Contact DocuSign sales for volume pricing
Negotiate $0.30-0.35 per envelope (Tier 2)
At 100+ customers, negotiate flat fee ($10K/month unlimited)

Profitability:

Tier 2 pricing: 25% profit margin
Flat fee pricing: 47% profit margin
Feature becomes profitable at scale

6. Competitive Pricing Comparison

Factor	DocuSign Direct	Orcha + DocuSign
Setup	Customer must buy DocuSign	Included in Orcha
Monthly Cost	$80-325/customer	€89/customer
User Seats	$40-65 per user	Unlimited users
Envelopes	100-500 included, then $1 each	200 included, then €0.50
Integration	Manual (no API)	Seamless (embedded)
Support	Two vendors (Orcha + DocuSign)	One vendor (Orcha)
Onboarding	2-4 weeks	Instant
Signing Experience	Always external	Embedded for internal

Customer Savings: €111-236/month (40-75% cheaper through Orcha)

Why Customers Choose Orcha:

✅ Simpler (one vendor, one bill)
✅ Cheaper (bundled pricing beats standalone)
✅ Faster (no separate DocuSign onboarding)
✅ Better UX (embedded signing)

7. Go-To-Market Messaging

Don't Say:

❌ "We integrate with DocuSign"
❌ "You need a DocuSign account"
❌ "We white-label DocuSign"

Do Say:

✅ "Legally binding electronic signatures included"
✅ "No separate accounts needed—everything in Orcha"
✅ "Powered by DocuSign for trust and compliance"
✅ "Sign from anywhere—desktop or mobile"

Positioning:

"Orcha includes legally binding electronic signatures (powered by DocuSign) at no extra cost. Sign purchase orders, contracts, and approvals directly in Orcha—no separate accounts, no complexity, just secure signatures that are legally recognized across the EU."

Pricing:

Orcha Premium: €349/month
- Includes 200 electronic signatures
- Additional signatures: €0.50 each
- Unlimited users
- Embedded signing experience

Competitive Advantage:

Most competitors charge separately for e-signatures
DocuSign direct costs €200-400/month per company
Orcha bundles it for 60% less
Better experience (embedded, not external)

Conclusion

Why DocuSign for Orcha?

Strategic Fit:

Complements AI Approval Intelligence: Adds legal enforceability to workflow approvals
Enables Phase 2 Procurement: Signed MSAs feed contract compliance monitoring
Scales Phase 3 Treasury: Dynamic discounting requires legally binding discount agreements
De-Risks Phase 4 Compliance: eIDAS + GoBD compliance strengthens audit defense

Customer Value:

€320-400K/year in time savings, audit cost reduction, and enabled discounts
5-8x ROI in Year 1
Competitive moat: "Orcha = only AP platform with legally binding approvals"

Market Positioning:

German SMEs care deeply about compliance and legal enforceability
DocuSign is recognized and trusted by Steuerberater and auditors
Removes objection: "Your approvals aren't legally binding"

Recommendation

Proceed with Integration (Priority: High)

Rationale:

Low technical risk: Mature API, extensive documentation
High business value: €320-400K/year for typical customer
Competitive advantage: Differentiates Orcha from "invoice OCR" competitors
Enables future phases: Procurement, Treasury, Compliance all benefit

Timeline: 4 months to full production

Investment: €30-50K development + €40-60/user/year

Expected Outcome: 95%+ electronic signature adoption, €320-400K annual value per customer

Appendix: API Reference Summary

Authentication

GET /oauth/auth - Authorization URL
POST /oauth/token - Exchange code for token
POST /oauth/token - Refresh access token
GET /oauth/userinfo - Get user account info

Envelopes

POST /v2.1/accounts/{accountId}/envelopes - Create envelope
GET /v2.1/accounts/{accountId}/envelopes/{envelopeId} - Get status
PUT /v2.1/accounts/{accountId}/envelopes/{envelopeId} - Update/void
GET /v2.1/accounts/{accountId}/envelopes/{envelopeId}/documents/{documentId} - Download document
GET /v2.1/accounts/{accountId}/envelopes/{envelopeId}/documents/certificate - Download certificate

Templates

POST /v2.1/accounts/{accountId}/templates - Create template
GET /v2.1/accounts/{accountId}/templates - List templates
GET /v2.1/accounts/{accountId}/templates/{templateId} - Get template
PUT /v2.1/accounts/{accountId}/templates/{templateId} - Update template

Recipients

POST /v2.1/accounts/{accountId}/envelopes/{envelopeId}/recipients - Add recipients
PUT /v2.1/accounts/{accountId}/envelopes/{envelopeId}/recipients/{recipientId} - Update recipient
POST /v2.1/accounts/{accountId}/envelopes/{envelopeId}/recipients/{recipientId}/views/recipient - Get signing URL

Webhooks (Connect)

Configure via DocuSign Admin UI or API
Events: envelope-sent, envelope-delivered, envelope-completed, envelope-declined, envelope-voided, recipient-completed

Additional Resources

Official Documentation:

Legal & Compliance:

SDKs:

Orcha Internal:

Phase 1.1: AI Approval Intelligence (dependency)
Phase 1.2: Document & Contract Management (dependency)
Phase 2.1: Procurement & Spend Control (benefits from signed MSAs)
Phase 3.2: Dynamic Discounting (requires legally binding discount agreements)

Document Version: 1.0
Last Updated: January 5, 2026
Author: Orcha Product Team
Status: Approved for Development