Security Assurance Program
Customers entrust us with safekeeping their most sensitive documents. We take that responsibility very seriously, through a thorough and comprehensive approach to security and privacy.
Everyone at DocuSign, from the facilities staff to the executive team, is committed to security excellence. A cross-functional team of experts, including a dedicated Chief Information Security Officer (CISO), is devoted to security-related activities.
All business processes, including internal policies, the Software Development Lifecycle (SDLC), and platform monitoring, consider the security of our customer data.
We consider the senders, signers, partners and developers that interact with our system part of our security scope. We offer them a high degree of security assurance while taking steps to protect ourselves from any threats they might present.
Each component of our trusted platform - Hardware & Infrastructure, Systems & Operations, Applications & Access, and Transmission & Storage - undergoes tremendous security scrutiny.
Hardware & Infrastructure
- Three geo-dispersed, SSAE 16 audited datacenters
- Near real-time secure data replication and encrypted archival
- 365x24x7 on-site security
- Annual Business Continuity Planning (BCP) & Disaster Recovery (DR) testing
- Third-party penetration testing
Systems & Operations
- Physically and logically separate networks
- Two-factor, encrypted VPN access
- Professional, commercial-grade firewalls and border routers
- Distributed Denial of Service (DDoS) mitigation
- Active monitoring and alerting
Applications & Access
- Formal code reviews and vulnerability mitigation by third parties
- Application-level Advanced Encryption Standard (AES) 256-bit encryption
- Key Management & Encryption Program
- Malware protection
- Digital audit trail
- Multiple authentication mechanisms
Transmission & Storage
- Subscriber data encrypted in accordance with industry best-practice standards
- Access and transfer of data to/from DocuSign via HTTPS
- Anti-tampering controls
- Signature verification of signing events
- Unalterable, systematic capture of signing data
- Digital certificate technology
- Customer configurable data retention program
Comprehensive Security from Start to Finish
This foundation delivers comprehensive security - Confidentiality, Integrity, Availability, Authenticity and Non-repudiation - to our customers and their data.
Our customers' content stays confidential, including from DocuSign. Customers' documents and data are private, and access is workflow controlled.
Each document is ensured to be intact and tamper-evident.
Customers can be confident that DocuSign's service will be available with our robust infrastructure, historically providing an average of 99.99% uptime.
Our customers can rely on the authenticity of signers through the multi-faceted verification of signing events.
Customers' documents are ensured to be technically, legally, and procedurally unassailable, as evidenced by the audit trail and chain of custody offered by our solution.