Skip to main content
Trust Center

Docusign Global Certifications, Self-Assessments, and Standards

Docusign’s compliance program consists of third-party audits and self-assessments to attain and maintain compliance with global certifications and standards. Docusign is committed to ensuring data is protected against security threats and preserving the confidentiality, integrity, and availability of our service to our customers.

ISO 27001, ISO 27017, and ISO 27018

Docusign is ISO 27001:2022, ISO 27017:2015 and 27018:2019 certified, which demonstrates our unwavering commitment to information security and showcases our proactive approach to safeguarding sensitive data.

Learn More

PCI DSS

Docusign maintains compliance with version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS) to ensure safe and secure handling of payment card account holder data. As overseen by the Payment Card Industry Security Standards Council (PCI SSC), Docusign places stringent controls around cardholder data as both a service provider and merchant.

Docusign is listed as a PCI Service Provider on the Visa Global Registry of Service Providers.

Learn More

SOC 1 Type II and SOC 2 Type II

Docusign complies with the reporting requirements stipulated by the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria. Docusign completes annual audits across all aspects of its production operations, including data centers, and has consistently satisfied all critical requirements.

Learn More

FedRAMP

FedRAMP (US Federal Risk and Authorization Management Program) is a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. Docusign was awarded the FedRAMP Agency authorization and is listed on the U.S. Federal Government’s FedRAMP marketplace for Docusign Federal (eSignature) and Docusign Contract Lifecycle Management (CLM).

Learn More

StateRAMP

StateRAMP establishes common security criteria to standardize cloud security verification. Docusign Federal (eSignature) and Docusign CLM have achieved StateRAMP authorization.

Learn More

DoD IL4 (Department of Defense Impact Level 4)

According to the DoD CC SRG, DoD IL4 accommodates non-public, unclassified data where the unauthorized disclosure of information could be expected to have a severe, adverse effect on organizational operations and assets, or individuals. Defense Information Systems Agency (DISA) granted Docusign an IL4 provisional authorization for several offerings, including Docusign Federal (eSignature) and Docusign Contract Lifecycle Management.


Learn More

Compilation of (EU) Member States Notification on SSCDs and QSCDs

This publication lists the signature devices that shall be considered as Qualified Signature Creation Devices (QSCDs) under the eIDAS regulation. Docusign owns and operates two remote signature devices, which are listed in the publication, and is the leading global eSignature solution offering cloud-based eIDAS-compliant electronic signatures.

Learn More

EU Trusted List

Docusign France SAS, a Docusign company, is a trust service provider (TSP) under EU Regulation 910/214 for electronic identification and trust services (eIDAS). As a TSP, Docusign France provides qualified electronic signatures (QES), qualified time stamps, advanced electronic signatures (AES), and advanced seals recognized by all EU member states. Docusign France is listed as a qualified TSP in the Trusted List managed by the French IT Security Agency, ANSSI.

Learn More

Australian IRAP

The Information Security Registered Assessors Program (IRAP) is an initiative by the Australian Signals Directorate (ASD). It provides a framework for cybersecurity and risk management that organizations can use to safeguard Australian government data and systems against cyber threats. Docusign has completed a third-party assessment and meets the PROTECTED level requirements, aligning with both the Australian Government Information Security Manual (ISM) controls and the Protective Security Policy Framework (PSPF).

Learn More

APEC PRP

Asia-Pacific Economic Cooperation (APEC) has established Cross-Border Privacy Rules (CBPR) and Framework to protect the privacy and security of personal information at-rest and in-transit. Docusign has achieved the APEC Privacy Recognition for Processor (PRP) System certification

Please search in the APEC Certificate Directory for Docusign's compliance certificate.

Learn More

Binding Corporate Rules

Docusign obtained approval of its applications for Binding Corporate Rules (BCRs) as both a data processor and data controller from the European Union Data Protection Authorities. Docusign’s approved BCRs enable lawful cross-border transfers of data through the Docusign platform and eSignature service. 

Learn More

SIG

The SIG (Standardized Information Gathering) Questionnaire is a third-party risk assessment curated by the practitioner members of Shared Assessments. The SIG enables Docusign to annually leverage an industry-standard library of vetted questions measuring risk across 21 domains. It serves as a comprehensive tool for gathering data on security controls, policies, and procedures; providing a standardized method to decrease risk in third-party interactions as well as to increase assessment efficiency for our customers.

Learn More

CSA STAR

The Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR) comprises key principles of transparency, rigorous auditing, and harmonization of standards. Docusign completes the Consensus Assessments Initiative Questionnaire (CAIQ) annually which documents the rigor and strength of Docusign’s security posture and best practices and is publicly accessible for viewing and download from the CSA STAR registry.

Learn More

FISC

The Center for Financial Industry Information Systems (FISC) develops security guidelines for information systems, which are followed by most financial institutions in Japan. These include guidelines for security measures to be put in place while creating system architectures, auditing of computer system controls, contingency planning, and developing security policies and procedures. Although compliance with the FISC Security Guidelines is not required by regulation nor audited by FISC, Docusign elected to become a member of the FISC and implemented internal controls to be compliant with the FISC Security Guidelines.

Learn More

Government of Canada Protected-B Program

The Government of Canada Protected-B Program offers a certification framework for Software as a Service (SaaS) companies operating in Canada, ensuring that their software meets stringent security standards necessary for handling sensitive government data at the Protected-B classification level. Docusign has completed thorough assessments, evaluation processes, and personnel security clearance validation to achieve and maintain this certification on a per-department basis.

Learn More