To demonstrate our commitment to protecting customer data, DocuSign has significantly invested in maintaining certifications in the following regulatory and industry standards.
DocuSign is ISO 27001:2013 certified. This is the highest level of global information security assurance available today, and provides customers assurance that DocuSign meets stringent international standards on security.
SOC 1 Type 2, SOC 2 Type 2
As a SOC 1 and SOC 2-certified organization, DocuSign complies with the reporting requirements stipulated by the American Institute of Certified Public Accountants (AICPA). We undergo yearly audits across all aspects of our production operations, including our datacenters, and have sustained and surpassed all requirements.
DocuSign maintains compliance with the current version of the PCI Data Security Standard (DSS) to ensure safe and secure handling of credit card holder information. As overseen by the Payment Card Industry Security Standards Council (PCI SSC), DocuSign places stringent controls around cardholder data as both a service provider and merchant. DocuSign is listed as a PCI Service Provider on the Visa Global Registry of Service Providers.
CSA STAR Program
DocuSign adheres to the requirements of the Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) program. The CSA STAR comprises key principles of transparency, rigorous auditing, and harmonization of standards. Our Consensus Assessments Initiative Questionnaire (CAIQ) documents the rigor and strength of DocuSign’s security posture and best practices and is publicly accessible for viewing and download from the CSA STAR registry.
DocuSign has achieved the Asia-Pacific Economic Cooperation (APEC) Privacy Recognition for Processor (PRP) System certification. APEC has established Cross-Border Privacy Rules (CBPR) and Framework to protect the privacy and security of personal information at rest and in transit. An independent auditor, Schellman Group, has assessed our capabilities and granted us this certification to demonstrate compliance with CBPR and Framework.