Skip to main content

Global standards and guidelines

Binding Corporate Rules

DocuSign obtained approval of its applications for Binding Corporate Rules (BCRs) as both a data processor and data controller from the European Union Data Protection Authorities. DocuSign’s approved BCRs enable lawful cross-border transfers of data through the DocuSign platform and eSignature service. Customers will be able to transact business with increased confidence knowing that they will comply with GDPR data transfer requirements when using DocuSign. Learn more

FedRAMP (US Federal Risk and Authorization Management Program)

FedRAMP is a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. DocuSign was awarded the FedRAMP Agency authorization and is listed on the U.S. Federal Government’s FedRAMP marketplace with a Government Cloud deployment model for DocuSign eSignature and a Public Cloud deployment model for DocuSign Contract Lifecycle Management (formerly SpringCM).

DoD IL4 (Department of Defense Impact Level 4)

According to the DoD CC SRG, IL4 DoD accommodates non-public, unclassified data where the unauthorized disclosure of information could be expected to have a severe, adverse effect on organizational operations and assets, or individuals. Defense Information Systems Agency (DISA) granted DocuSign an IL4 provisional authorization for several offerings, including DocuSign eSignature and DocuSign CLM.


StateRAMP establishes common security criteria to standardize cloud security verification. DocuSign eSignature (DocuSign Federal) and DocuSign CLM have achieved StateRAMP authorization.

FISC (The Center for Financial Industry Information Systems)

The FISC develops security guidelines for information systems, which are followed by most financial institutions in Japan. These include guidelines for security measures to be put in place while creating system architectures, auditing of computer system controls, contingency planning, and developing security policies and procedures. Though compliance with the FISC Security Guidelines isn’t required by regulation nor audited by the FISC, DocuSign elected to become a member of the FISC and implemented internal controls to be compliant with the FISC Security Guidelines. For a detailed description of how DocuSign demonstrates FISC compliance, please contact your account manager.

Compilation of (EU) Member States Notification on SSCDs and QSCDs

This publication lists the signature devices that shall be considered as Qualified Signature Creation Devices (QSCDs) under the eIDAS regulation. DocuSign owns and operates a remote signature device, which is listed in this publication, and is the leading global eSignature solution offering cloud-based eIDAS-compliant electronic signatures.

EU Trusted List

DocuSign France SAS, a DocuSign company, is a trust service provider (TSP) under EU Regulation 910/214 for electronic identification and trust services (eIDAS). As a TSP, DocuSign France provides qualified electronic signatures (QES), qualified time stamps, advanced electronic signatures (AES), and advanced seals recognized by all EU member states. DocuSign France is listed as a qualified TSP in the Trusted List managed by the French IT Security Agency, ANSSI.