Security Assurance Program

Customers entrust us with safekeeping their most sensitive documents. We take that responsibility very seriously, through a thorough and comprehensive approach to security and privacy.

People

Everyone at DocuSign, from the facilities staff to the executive team, is committed to security excellence. A cross-functional team of experts, including a dedicated Chief Information Security Officer (CISO), is devoted to security-related activities.

Processes

All business processes, including internal policies, the Software Development Lifecycle (SDLC), and platform monitoring, consider the security of our customer data.

Participants

We consider the senders, signers, partners and developers that interact with our system part of our security scope. We offer them a high degree of security assurance while taking steps to protect ourselves from any threats they might present.

Platform

Each component of our trusted platform - Hardware & Infrastructure, Systems & Operations, Applications & Access, and Transmission & Storage - undergoes tremendous security scrutiny.


The Foundation

Hardware & Infrastructure
  • Three geo-dispersed, SSAE 16 audited datacenters
  • Near real-time secure data replication and encrypted archival
  • 365x24x7 on-site security
  • Annual Business Continuity Planning (BCP) & Disaster Recovery (DR) testing
  • Third-party penetration testing
Systems & Operations
  • Physically and logically separate networks
  • Two-factor, encrypted VPN access
  • Professional, commercial-grade firewalls and border routers
  • Distributed Denial of Service (DDoS) mitigation
  • Active monitoring and alerting
Applications & Access
  • Formal code reviews and vulnerability mitigation by third parties
  • Application-level Advanced Encryption Standard (AES) 256-bit encryption
  • Key Management & Encryption Program
  • Malware protection
  • Digital audit trail
  • Multiple authentication mechanisms
Transmission & Storage
  • Subscriber data encrypted in accordance with industry best-practice standards
  • Access and transfer of data to/from DocuSign via HTTPS
  • Anti-tampering controls
  • Signature verification of signing events
  • Unalterable, systematic capture of signing data
  • Digital certificate technology
  • Customer configurable data retention program

Comprehensive Security from Start to Finish

This foundation delivers comprehensive security - Confidentiality, Integrity, Availability, Authenticity and Non-repudiation - to our customers and their data.

Confidentiality

Our customers' content stays confidential, including from DocuSign. Customers' documents and data are private, and access is workflow controlled.

Integrity

Each document is ensured to be intact and tamper-evident.

Availability

Customers can be confident that DocuSign's service will be available with our robust infrastructure, historically providing an average of 99.99% uptime.

Authenticity

Our customers can rely on the authenticity of signers through the multi-faceted verification of signing events.

Non-Repudiation

Customers' documents are ensured to be technically, legally, and procedurally unassailable, as evidenced by the audit trail and chain of custody offered by our solution.