Alerts and updates

Subscribe using the DocuSign Trust Center Alerts RSS feed URL: https://www.docusign.com/trust/alerts/feed.
Add an RSS reader extension to your browser (Chrome, Firefox), or enable via Outlook on a PC.

  • DocuSign has engaged a new service-specific subprocessor, Google LLC, to deliver an optional product feature within the DocuSign Signature service. This subprocessor will only be used if you choose to enable or purchase the optional product feature for auto-tagging.

    Please review the details of this subprocessor, DocuSign’s commitments under our BCR-P Privacy Code, and your options for objecting to the subprocessor here: https://www.docusign.com/trust/privacy/subprocessors-list

  • DocuSign has observed a new phishing campaign that began around 8:00 on the morning of May 23rd  (Pacific Time).. The email purports to come from "DocuSign Electronic Signature and Invoice Service” or similar using the email address "docusign@carenethouston.org"  The emails have the subject line similar to:

    "You received notification from DocuSign Service“

    These emails contain links to a malicious Microsoft Office document which, if run, will download malware to your computer. These emails are not sent from DocuSign. Do not click on the link in these emails, instead please forward them to spam@docusign.com and then delete the email immediately.

    For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB) 

  • On May 14th, 2019 Microsoft released a fix for a remote code execution vulnerability (CVE-2019-0708) residing in Remote Desktop Services and affecting Windows 7, Windows Server 2008 and Windows Server 2008 R2 operating systems. In keeping with our security best practices, we would like to assure customers that all impacted DocuSign systems were immediately patched.

  • DocuSign has observed a new phishing campaign that began around 8:30 on the morning of April 16th (Pacific Time) and is coming in at a very quick rate. The email purports to come from "DocuSign Electronic Signature and Invoice Service” or similar using the email address "docusign@goldencorralonthego.org".  The emails have the subject line similar to:

    "You received notification from DocuSign Service“

    These emails contain links to a malicious Microsoft Office document which, if run, will download malware to your computer. These emails are not sent from DocuSign. Do not click on the link in these emails, instead please forward them to spam@docusign.com and then delete the email immediately.

    For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB) 

  • The DocuSign SSL site certificates for NA1 and NA2 are expiring. The renewal schedule and renewed certificates have been posted here: https://www.docusign.com/trust/compliance/public-certificates

     

  • DocuSign has observed a new phishing campaign that began around 8:00 on the morning of April 9th (Pacific Time). The email purports to come from "DocuSign Electronic Signature and Invoice Service” or similar using the email address "docusign@indie95.com".  The emails have the subject line similar to:

    "You received notification from DocuSign Service“

    These emails contain links to a malicious Word document which, if run, will download malware to your computer. These emails are not sent from DocuSign. Do not click on the link in these emails, instead please forward them to spam@docusign.com and then delete the email immediately.

    For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB) 

  • DocuSign is proceeding with our scheduled Single Sign-On certificate replacement plan.  DocuSign is already issuing authentication requests with the new certificate in all environments.  Next, DocuSign will no longer accept SAML responses encrypted with the old certificate in all environments starting April 11th, 2019 at 4:00 PM PST.

    Please review if your Identity Provider (IdP) has enabled SAML encryption.  If your IdP uses a DocuSign certificate to encrypt SAML responses, you must replace the old certificate with the new certificate found here: https://www.docusign.com/trust/compliance/public-certificates. Failing to update this certificate will not allow a user to log into DocuSign. If you are unsure how to complete these steps please contact your IdP.

  • DocuSign has observed a new phishing campaign that began around noon of April 4th (Pacific Time). The email purports to come from "DocuSign Electronic Signature” using the email address "docusign@buyapetfranchise.com".  The emails have the subject line similar to:

    "You received notification from DocuSign Service“

    These emails contain links to a malicious Word document which, if run, will download malware to your computer. These emails are not sent from DocuSign. Do not click on the link in these emails, instead please forward them to spam@docusign.com and then delete the email immediately.

    For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB) 

  • DocuSign has observed a new phishing campaign that began the morning of April 2nd (Pacific Time). The email purports to come from "DocuSign Electronic Signature” using the email address "docusign@milaromanoff.com".  The emails have the subject line similar to:

    "You received invoice from DocuSign Electronic Signature Service“

    These emails contain links to a malicious Word document which, if run, will download malware to your computer. These emails are not sent from DocuSign. Do not click on the link in these emails, instead please forward them to spam@docusign.com and then delete the email immediately.

    For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB)  https://www.docusign.com/sites/default/files/Combating_Phishing_WP_05082...

  • In January this year, DocuSign patched its online digital signature validation tool (validator.docusign.com) to ensure it could address the three digital signature vulnerabilities identified in a research paper by a team from Ruhr-University Bochum in Germany.

    Those vulnerabilities related to online validation services in general—they had no impact on the integrity or validity of a digital signature written to a document by the core DocuSign eSignature solution. In addition, given DocuSign had already patched the validator tool before the research paper was published, we have asked the researchers to update their online records accordingly.

  • On Monday March 4th, 2019 at approximately 4:00 PM PST DocuSign will replace their Single Sign-On certificate and simultaneously change the CA in all production environments. At that time DocuSign will only sign outbound SAML requests with a single certificate, the new certificate. Please take immediate action to update the SSO certificate and/or metadata URL within your IdP application as needed to prevent user login issues. If you are unsure how to complete these steps please contact your IdP.
  • DocuSign has observed a new phishing campaign that began the morning of February 14th (Pacific Time). The email purports to come from "DocuSign Electronic Signature” using the email address "docusign@srcpro.com".  The emails all have the subject:

    "You received invoice from DocuSign Electronic Signature Service“

    These emails contain links to a malicious Word document or Microsoft Excel Spreadsheet which, if run, will download malware to your computer. These emails are not sent from DocuSign. Do not click on the link in these emails, instead please forward them to spam@docusign.com and then delete the email immediately.

    For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB).

Pages