DocuSign's top priority is the privacy and security of our customers' information, documents, and data.
DocuSign meets or exceeds national and international security standards, including strict security policies and practices that set the standard for world-class information security. We continually drive industry best practices in third-party audits and certifications, third-party assessments, and on-site customer reviews. DocuSign’s Approach to Security and Privacy.
- DocuSign provides robust security assurance, with enterprise-wide ISO 27001:2013 certification, xDTM compliance, as well as SSAE 16, SOC 1 Type 2, SOC 2 Type 2 reports.
- DocuSign delivers industry-leading data confidentiality with application level AES 256 bit encryption. DocuSign's anti-tampering controls guarantee the integrity of customer documents, both in process and completed.
- With near real-time, secure data replication and uptime of 99.99%, customers can count on the availability of DocuSign's service to conduct their business.
- Through DocuSign's multi-faceted verification of signing events, customers can rely on the authenticity of signers.
- DocuSign is the digital transaction management company that provides unique features for non-repudiation, including digital audit trail and chain of custody.
DocuSign is the only digital transaction management company that is ISO 27001:2013 certified as an information security management system (ISMS). This is the highest level of global information security assurance available today, and provides customers assurance that DocuSign meets stringent international standards on security.
SSAE 16, SOC 1 Type2, SOC 2 Type 2
As an SSAE 16 examined and tested organization, DocuSign complies with the reporting requirements stipulated by the by the American Institute of Certified Public Accountants (AICPA). We undergo yearly audits across all aspects of our enterprise business and production operations including our datacenters, and have sustained and surpassed all requirements.
xDTM Standard, Version 1.0
The first standard of its kind to focus on digital transaction management, xDTM Standard was developed to raise the bar on quality and promote more trust and confidence in conducting business transactions online. The Standard ensures that digital transactions are protected yet accessible, regardless of where parties reside or the devices used. DocuSign is certified compliant with the xDTM Standard, version 1.0.
PCI DSS 3.1
Our PCI DSS 3.1 compliance certifies safe and secure handling of credit card holder information. As overseen by the Payment Card Industry Security Standards Council (PCI SSC), DocuSign places stringent controls around cardholder data as both a service provider and merchant.
With Skyhigh's CloudTrust program, DocuSign fully satisfies the most stringent requirements for data protection, identity verification, and security controls based on detailed criteria developed in conjunction with the Cloud Security Alliance (CSA).
FedRAMP (US Federal Risk and Authorization Management Program)
FedRAMP is a standardized approach for assessing, monitoring, and authorizing cloud computing products and service. DocuSign has agency sponsorship by the Federal Communications Commission (FCC) and is listed as “In Process” on the FedRAMP marketplace with a Government Community Cloud deployment model. To date, DocuSign is the only Digital Transaction Management (DTM) solution listed on the FedRAMP marketplace. The FCC is expected to issue an Authority to Operate in early 2017.
FISC (The Center for Financial Industry Information Systems)
The FISC develops security guidelines for information systems, which are followed by most financial institutions in Japan. These include guidelines for security measures to be put in place while creating system architectures, auditing of computer system controls, contingency planning, and developing security policies and procedures. Though compliance with the FISC Security Guidelines is not required by regulation nor audited by the FISC, DocuSign elected to become a member of the FISC and implemented internal controls to be compliant with the FISC Security Guidelines. For a detailed description of how DocuSign demonstrates FISC compliance, please contact your Account Manager.
Compilation of (EU) Member States notification on SSCDs and QSCDs
This publication lists the signature devices that shall be considered as Qualified Signature Creation Devices (QSCDs) under the eIDAS regulation. DocuSign owns and operates a remote signature device which is listed in this publication and is the leading global eSignature solution offering cloud-based eIDAS-compliant electronic signatures.
EU Trusted List
According to the eIDAS Regulation, EU Member States must publish lists of trust service providers (TSPs) and the qualified trust services they provide. Only TSPs that are on a Member State’s Trust List are considered qualified, and can offer their qualified trust services in all of the EU. DocuSign is the only global cloud and mobile-ready digital signature solution with end-to-end workflows on the EU Trusted List of qualified trusted service providers.