DocuSign Law Enforcement Guidelines
DocuSign is committed to operating its business with the utmost integrity and highest ethical standards. The purpose of the following information is to provide operational guidance regarding DocuSign’s methods for responding to third-party requests for information. These guidelines are generally applicable to law enforcement and governmental inquiries and requests, as well as to subpoenas, inquiries, requests, and orders arising in civil legal proceedings.
Before seeking information from DocuSign, you first should directly approach the DocuSign customer that is the party who initiated the transaction. Parties to the transaction will generally have access to the contents and any information about the transaction facilitated via DocuSign. A party may gain access by logging into their account through the DocuSign service portal.
If you are unsuccessful in your attempt to contact the customer directly and you properly serve DocuSign as provided in these guidelines, DocuSign will respond to your request for information. Depending on the DocuSign service and type of account at issue, DocuSign may have basic subscriber information (e.g., customer name, email address, means and source of payment) and metadata related to transactions.
Please note that DocuSign products have been specifically designed to restrict DocuSign’s ability to access the contents (“contents” defined as customer documents enclosed within an envelope) of customers’ transactions in order to preserve the confidentiality of customers’ information uploaded to DocuSign services. For this reason, DocuSign’s ability to provide the requested information may be limited by DocuSign’s technical capabilities at the time of your request.
With respect to DocuSign eSignature, DocuSign encrypts the contents of documents that are stored on its systems and is therefore unable to search the contents of documents or produce a decrypted or plaintext version. All requests for information from DocuSign eSignature must identify the envelope or account at issue with particularity (e.g., by providing the email address of the account holder, Envelope ID and/or Account ID and a date range associated with the transaction(s) at issue).
In response to requests for envelopes in DocuSign eSignature, DocuSign produces the Certificate of Completion and/or Envelope History (Audit Trail) for a given envelope. For more information and examples of these records, please visit our Support Page.
SERVICE AND FORM OF LEGAL PROCESS
DocuSign accepts service of process via its registered agent, United Agent Group, Inc., in any state in which DocuSign is registered to do business. Please verify the address through your state’s Secretary of State website. United Agent Group, Inc.’s address in the State of Washington is as follows:
c/o United Agent Group, Inc.
707 W. Main Avenue, #B1
Spokane, Washington 99201
Acceptance of legal process at DocuSign’s offices or by any other means is for convenience only and does not waive any objections, including lack of jurisdiction or proper service.
DocuSign may disclose responsive records in accordance with local legal process requirements, but foreign governmental entities may be required to engage in a process for international cooperation (such as a Mutual Legal Assistance Treaty (MLAT) or letters rogatory) prior to obtaining any information. More information may be available by contacting the Office of International Affairs at the U.S. Department of Justice.
FORM OF REQUEST
When drafting a request for information and/or data, please include an email address of the account holder, Envelope ID and/or Account ID and a date range associated with the transaction(s) at issue. As stated above, DocuSign is unable to query its systems based on the contents of envelopes or other user information (such as proper name, date of birth, social security number, or a particular piece of real property associated with a corresponding transaction).
DocuSign will comply with preservation requests from law enforcement and governmental entities in accordance with 18 U.S.C. § 2703(f). DocuSign will preserve responsive records (to the extent any exist) for a period of 90 days, which may be extended for an additional 90 days upon request by law enforcement and/or the governmental entity.
DocuSign is a United States company, and all of its U.S.-based data is stored inside the U.S. As such, DocuSign only responds to valid legal process issued by a U.S. governmental entity or court and properly served on it in the U.S. Parties to civil litigation or governmental entities outside the U.S. should appropriately domesticate requests through a U.S. court by working through the appropriate process for international cooperation, such as letters rogatory or a Mutual Legal Assistance Treaty.
More information may be available by contacting the Office of International Affairs at the U.S. Department of Justice. DocuSign may disclose data pursuant to an emergency disclosure request when we believe that doing so is necessary to prevent death or serious physical harm to someone.
Under its Binding Corporate Rules, DocuSign is required to notify the Irish Data Protection Commission (Irish DPC) when a non-EU enforcement authority requests EU data, unless it is legally prohibited from doing so, or there is an imminent risk of serious harm.
NOTICE TO CUSTOMERS
Prior to the disclosure of information and/or documents, DocuSign is obligated to provide notice to affected customers regarding legal process requesting information about the content of their accounts. Law enforcement officials, governmental entities, and other third parties who believe that notice to affected customers would jeopardize an investigation must obtain a non-disclosure order pursuant to 18 U.S.C. § 2705(b), or other appropriate legal mechanism that prohibits DocuSign from providing notice to its customers.
DocuSign does not provide expert testimony support. Generally, DocuSign records are self-authenticating pursuant to applicable law and should not require the testimony of a records custodian. If a special form of certification is required, attach it to your subpoena or other legal process.
DocuSign may seek reimbursement from third-party requestors for costs incurred responding to requests for information as provided by law. DocuSign may also charge additional fees for costs incurred in responding to extraordinary or burdensome requests. DocuSign may waive these fees at its sole discretion.
TO BETTER UNDERSTAND OUR eSIGNATURE PRODUCT
For an overview of our eSignature product, please visit the following website: DocuSign eSignature
DocuSign maintains personal information (personal data) for no longer than necessary for the purposes for which it is processed. The length of time for which DocuSign retains personal information depends on the purposes for which DocuSign collected and used it and/or as required to comply with applicable laws as set out in DocuSign’s internal policies. Where there are technical limitations that prevent deletion or anonymization of personal information, DocuSign safeguards personal information and generally limits use of it.
For an overview on DocuSign data management and privacy practices regarding eSignature, please visit the following website: Data Management and Privacy Practices
For an overview on DocuSign eSignature document and data storage locations, please visit the following website: Data Residency
Authorized Users and Account Administrators
Customers may assign and expressly authorize Authorized User(s) to manage its account(s). Authorized Users must be identified by a unique email address and username. Customers may update Authorized Users by logging into their account through the DocuSign service portal.
Customers may appoint an employee, agent or third-party business partner or contractor to act as its Account Administrator(s) and may change its designation at any time through its Account.
FREQUENTLY ASKED QUESTIONS
Can DocuSign disclose the contents of an envelope or copies of documents signed using DocuSign?
DocuSign encrypts the contents of customers’ documents on its system and DocuSign employees do not have access to the contents of these documents, nor the ability to decrypt or search the contents of these documents.
What business records are retained by DocuSign and are subject to production?
The Certificate of Completion and Envelope History associated with a specific Envelope ID, account subscriber profiles for DocuSign customers, and limited payment records pertaining to some DocuSign customers.
What identifying information is required by DocuSign to perform a search for business records?
DocuSign will need an email address of the account holder, Envelope ID and/or Account ID and a date range associated with the transaction(s) at issue.
Can I email my request directly to DocuSign’s legal department?
No, we do not respond to any requests emailed to DocuSign. All third-party requests for data or information must be served via DocuSign’s registered agent for service of process: United Agent Group, 707 W. Main Avenue, #B1, Spokane, Washington 99201.
Can I serve my request directly to a DocuSign office location?
Acceptance of legal process at DocuSign’s offices is for convenience only and does not waive any objections, including lack of jurisdiction or proper service. Check your local jurisdiction’s rules governing third-party requests for information before serving a request.
Where is DocuSign’s customer data stored?
DocuSign utilizes multiple secure data centers for the eSignature service. For more information, please visit the following website: Data Residency.
Does DocuSign record the physical location of the sender or signer of a particular envelope?
While a user’s physical location is not recorded in the Certificate of Completion associated with an envelope, the IP address of all signers is recorded in the Certificate of Completion.
Does DocuSign retain customer communications?
The Federal Stored Communications Act (“SCA”), 18 U.S.C. § 2701, et seq. strictly prohibits a provider such as DocuSign from disclosing the contents of communications to third parties.
Is DocuSign subject to the Clarifying Lawful Overseas Use of Data (CLOUD) Act?
Like other forms of legal process (such as subpoenas, search warrants and court orders), DocuSign may be subject to orders issued under the CLOUD Act. DocuSign has the same policy for such orders as for other forms of legal process, and is subject to the same limitations when responding to them:
Our response to legal process (including CLOUD Act orders) is further limited by DocuSign’s technical ability to access the data sought by law enforcement. As described above, DocuSign services are designed to restrict DocuSign’s ability to access the contents (“contents” defined as customer documents enclosed within an envelope) of customers’ transactions in order to preserve confidentiality.
Law enforcement agencies seeking information under the CLOUD Act must obtain a warrant from a court.
Can U.S. law enforcement obtain DocuSign customer information or data under the CLOUD Act ?
With respect to DocuSign Signature, our service, platform, and infrastructure (including server hardware) will not be impacted by the Cloud Act. The Act concerns access to content of electronic communications by U.S. law enforcement and the Signature service was architected such that all eDocument content is encrypted upon upload and inaccessible by DocuSign employees. Customers have control over their storage and deletion settings for eDocuments located in their Signature account.
Last Updated Date: September 9, 2022