Docusign Global Certifications, Self-Assessments, and Standards

Docusign’s compliance program consists of third-party audits and self-assessments to attain and maintain compliance with global certifications and standards. Docusign is committed to ensuring data is protected against security threats and preserving the confidentiality, integrity, and availability of our service to our customers.

ISO 27001, ISO 27017, and ISO 27018

Docusign is ISO 27001:2013, ISO 27017:2015 and ISO 27018:2019 certified, which demonstrates our unwavering commitment to information security and showcases our proactive approach to safeguarding sensitive data.

*Docusign is in the process of updating to ISO 27001:2022.

PCI DSS

Docusign maintains compliance with version 3.2.1* of the Payment Card Industry Data Security Standard (PCI DSS) to ensure safe and secure handling of credit card holder information. As overseen by the Payment Card Industry Security Standards Council (PCI SSC), Docusign places stringent controls around cardholder data as both a service provider and merchant.

Docusign is listed as a PCI Service Provider on the Visa Global Registry of Service Providers.

*Docusign is in the process of updating to PCI DSS 4.0.

SOC 1 Type II and SOC 2 Type II

Docusign complies with the reporting requirements stipulated by the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria. Docusign completes annual audits across all aspects of its production operations, including data centers, and has consistently satisfied all critical requirements.


FedRAMP

FedRAMP (US Federal Risk and Authorization Management Program) is a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. Docusign was awarded FedRAMP Agency authorization and is listed on the U.S. Federal Government’s FedRAMP marketplace for Docusign Federal (eSignature) and Docusign Contract Lifecycle Management (CLM).

StateRAMP

StateRAMP establishes common security criteria to standardize cloud security verification. Docusign Federal (eSignature) and Docusign CLM have achieved StateRAMP authorization.


DoD IL4 (Department of Defense Impact Level 4)

According to the DoD CC SRG, DoD IL4 accommodates non-public, unclassified data where the unauthorized disclosure of information could be expected to have a severe adverse effect on organizational operations and assets, or individuals. The Defense Information Systems Agency (DISA) granted Docusign an IL4 provisional authorization for several offerings, including Docusign Federal (eSignature) and Docusign Contract Lifecycle Management.

Compilation of (EU) Member States Notification on SSCDs and QSCDs

This publication lists the signature devices that shall be considered as Qualified Signature Creation Devices (QSCDs) under the eIDAS regulation. Docusign owns and operates two remote signature devices, which are listed in the publication, and is the leading global eSignature solution offering cloud-based eIDAS-compliant electronic signatures.


EU Trusted List

Docusign France SAS, a Docusign company, is a trust service provider (TSP) under EU Regulation 910/214 for electronic identification and trust services (eIDAS). As a TSP, Docusign France provides qualified electronic signatures (QES), qualified time stamps, advanced electronic signatures (AES), and advanced seals recognized by all EU member states. Docusign France is listed as a qualified TSP in the Trusted List managed by the French IT Security Agency, ANSSI.


Australian IRAP

The Information Security Registered Assessors Program (IRAP) is an initiative by the Australian Signals Directorate (ASD). It provides a framework for cybersecurity and risk management that organizations can use to safeguard Australian government data and systems against cyber threats. Docusign has completed a third-party assessment and meets the PROTECTED level requirements, aligning with both the Australian Government Information Security Manual (ISM) controls and the Protective Security Policy Framework (PSPF).


APEC PRP

Asia-Pacific Economic Cooperation (APEC) has established Cross-Border Privacy Rules (CBPR) and a Privacy Framework to protect the privacy and security of personal information at rest and in transit. Docusign has achieved the APEC Privacy Recognition for Processors (PRP) System certification.

Please search the APEC Certificate Directory for Docusign's compliance certificate.

Binding Corporate Rules

Docusign obtained approval of its applications for Binding Corporate Rules (BCRs) as both a data processor and a data controller from the European Union Data Protection Authorities. Docusign’s approved BCRs enable lawful cross-border transfers of data through the Docusign platform and eSignature service.

SIG

The SIG (Standardized Information Gathering) Questionnaire is a third-party risk assessment curated by the practitioner members of Shared Assessments. The SIG enables Docusign to annually leverage an industry-standard library of vetted questions measuring risk across 21 domains. It serves as a comprehensive tool for gathering data on security controls, policies, and procedures, providing a standardized method to decrease risk in third-party interactions and to increase assessment efficiency for our customers.

CSA STAR

The Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR) program comprises the key principles of transparency, rigorous auditing, and harmonization of standards. Docusign completes the Consensus Assessments Initiative Questionnaire (CAIQ) annually, which documents the rigor and strength of Docusign’s security posture and best practices and is publicly accessible for viewing and download from the CSA STAR registry.

FISC

The Center for Financial Industry Information Systems (FISC) develops security guidelines for information systems that are followed by most financial institutions in Japan. These include guidelines for security measures to be put in place when creating system architectures, auditing of computer system controls, contingency planning, and developing security policies and procedures. Although compliance with the FISC Security Guidelines is neither required by regulation nor audited by FISC, Docusign elected to become a member of FISC and implemented internal controls to comply with the FISC Security Guidelines.

Government of Canada Protected-B Program

The Government of Canada Protected-B Program offers a certification framework for Software as a Service (SaaS) companies operating in Canada, ensuring that their software meets stringent security standards necessary for handling sensitive government data at the Protected-B classification level. Docusign has completed thorough assessments, evaluation processes and personnel security clearance validation to achieve and maintain this certification.
