Security & Trust
When it comes to signed documents and transactions, security and trust are essential. As the world's most trusted electronic signature solution, our commitment to security and privacy represents the foundation of our business.
DocuSign follows national and international security standards, including strict security policies and practices that set the standard for world-class information security. We continually define industry best practices in third-party audits and certifications, second-party assessments, and on-site customer reviews. We offer exceptional privacy—and we have delivered for many years.

DocuSign undertakes third-party audits and certifications of our organization to ensure our customers receive a world-class cloud-based solution, one that meets or exceeds what is achievable with on-premises electronic signature solutions and goes much farther than most companies do on their own.
Explore the highlights of our approach below.
Security
Global Security Certification
- DocuSign has achieved ISO/IEC 27001:2005 certification as an information security management system. This provides customer assurance that DocuSign meets stringent international standards on security.
Independent Report on Controls
- DocuSign maintains ongoing effectiveness of our controls with routine examinations and testing of security and privacy controls by qualified third parties.
Information Security Audits
- DocuSign’s chief security officer and supporting staff facilitate security audits. DocuSign has passed all first-, second-, and third-party audits, including audits on behalf of the world’s largest and most rigorous organizations.
Secure Application
- Strong encrypted user authentication, together with the option to restrict access to specific IP addresses, protects access to accounts and data.
- Connection to the DocuSign service is via 256-bit SSL 3.0/TLS 1.0, ensuring that users have a secure connection from their browsers to our service.
- Annual full code reviews and vulnerability mitigation are conducted by qualified third parties.
Secure Data Centers
- Multiple geographically dispersed SSAE 16 certified data centers provide the utmost in physical security.
Secure Operations
- In our industry, only DocuSign has passed an SSAE 16 Type II audit – with no exceptions noted. These controls cover Operations and Change Management, as well as Governance, Security, and Development. A copy of this report is available upon request, subject to non-disclosure agreement.
Secure Systems
- Professional, commercial-grade firewalls secure the internal infrastructure.
- Professional, commercial-grade border routers are configured to resist IP-based network attacks with additional protection for and detection of Denial of Service (DoS) attacks.
- Redundancy and resilience are designed and built into the DocuSign service.
- DocuSign’s dedicated production network is physically and logically separate from any corporate network.
Disaster Recovery
- Full production disaster recovery site and regular disaster recovery testing provide additional assurance.
- Geo-diverse, tier IV grade data center with tested and complete business resumption capabilities.
Secure & Legal Transactions
- DocuSign warrants Federal ESIGN Act and Gramm-Leach-Bliley Act (GLBA) compliance.
- Exported signed documents are digitally sealed and verified for authenticity with a trusted third-party certificate authority.
- Detailed audit trails for each transaction include sender name and email address, timestamps, and originating IP address for each action.
Privacy
DocuSign offers a comprehensive privacy program and strives to continually comply with global privacy and data protection regulations. DocuSign is Payment Card Industry Data Security Standard (PCI DSS) compliant as both a merchant and a service provider, as well as Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliant.


