Customer compliance and DocuSign

Highlights

  • Customers who are subject to a range of specific regulatory requirements use the Signature service as a key component of meeting their compliance obligations.
  • DocuSign’s technology platform is highly configurable and flexible, which enables it to meet specialized requirements in areas such as life sciences, banking, finance and securities, medical privacy, real estate, and more.
  • With a clear understanding of the various compliance needs of its customers, DocuSign regularly partners with customers to meet their requirements via the platform’s broad functional and operational capabilities.

DocuSign customers operate globally and in industries governed by diverse sets of regulatory requirements and industry-specific best practices. They use the Signature service and other DocuSign products as key components to meet their compliance obligations.

To meet specialized requirements, DocuSign’s technology platforms are architected to be highly configurable and flexible. These capabilities, combined with DocuSign’s longstanding commitment to partner with customers, enables customers to comply with regulations in areas such as life sciences, banking, finance and securities, medical privacy, real estate, and more worldwide.

Customer compliance and the DocuSign signature service

DocuSign provides a versatile set of services, both with its Signature service platform and through the delivery of customer-focused operational programs, that are frequently relevant for customers who are subject to the strictest of regulatory compliance requirements.

Additionally, DocuSign offers rigorous internal and third-party audit reports as well as advanced Signature service capabilities that may aid customers in achieving their compliance requirements.

Rigorous Internal and Third-Party Audit Reports
Regulated industries may have specific requirements for the use of electronic signatures and electronic records with respect to how they are created, modified, maintained, archived, retrieved, transmitted, or submitted.

As a part of demonstrating their own compliance, a DocuSign customer can leverage DocuSign’s audit reports to demonstrate how DocuSign is meeting its performance obligations to its customer, relevant to a particular regulation. This may include areas such as Signature service features, DocuSign’s adherence to company policies, or employee training requirements. More information about DocuSign’s audit and compliance attestations is provided in DocuSign’s Commitment to Information Security

DocuSign signature service capabilities that aid compliance

DocuSign also offers rich capabilities within the Signature Service that allow for customization in support of compliance obligations.

DocuSign Signature Account Settings 
Configuring account settings on the Signature service and maintaining them to ensure adherence to a particular regulatory requirement is critical for customers relying on specific workflows or the enforcement of particular policies as part of their compliance. DocuSign can work with a customer’s account administrator to make any necessary changes to the account settings in the customer’s instance of the Signature service to accomplish this.

This type of request is handled via a signed Account Change Request (“ACR”) between the customer and DocuSign to specify configuration changes. The ACR can serve as a process control to help a customer determine if a setting change may affect compliance, thus reducing the risk of legal implications for both customers and DocuSign.

Built-in Electronic Record and Signature Disclosure Capability  
The Signature service includes an Electronic Record and Signature Disclosure (ERSD) template, sometimes referred to as the Consumer Disclosure. Customers may use this feature to obtain a consumer’s consent to receive notices and disclosures electronically, as may be required under the US ESIGN Act (“ESIGN Act”) in certain situations.

The default ERSD includes language intended to address typical needs in an ERSD, such as:

  • Describing the range of notices to be provided electronically
  • Terms and conditions for providing electronic notices and disclosures
  • How consumers may withdraw their consent

In the Signature service, the ERSD is turned on by default and all new recipient signers are presented with the ERSD as a first action when they arrive at the Signature service. Customer administrators may set a range of options to configure the ERSD and also upload their own ERSD. See the Electronic Record and Signature Disclosure section in this document for additional information and a copy of default ERSD that comes with the Signature service.

Flexible Configuration Options   
The Signature service is part of a family of global solutions offered by DocuSign that recognize locally designed regulations around the world.

Similar to DocuSign’s other offerings, the Signature service provides customers with a broad range of configurable parameters that enable customers to enforce the policies and requirements applicable to their particular circumstances. These configurable capabilities span areas, such as:

  • User authentication and user accounts
  • Enforcing specialized signing requirements
  • Specific restrictions or privileges for viewing, downloading, and offline data access
  • Other customer-implementable controls that ensure the authenticity and integrity of records and signatures from the point of creation to the point of receipt

Digital Signatures  

  • For customers who require digital signatures as part of conducting business in particular countries or industries, DocuSign:
  • Supports Public Key Infrastructure (PKI)-based digital signatures that utilize digital certificates to verify identity
  • Delivers the various signature types defined under eIDAS, including EU Advanced Electronic Signatures (AES) and EU Qualified Electronic Signatures (QES)
  • Offers digital signature capabilities that align to FDA 21 CFR part 11, in the US
  • Provides an Introduction to Digital Signatures, as well as many other resources on docusign.com

User guides and administrator documents on DocuSign’s publicly available site provide greater detail about these options.

Authentication Capabilities  
Customers use the Signature service authentication measures to verify the identity of a signer, which includes demonstrating that signers are who they say they are. Appropriate authentication of a signer prior to signing decreases the risk of fraudulent transactions due to identity theft and improves data privacy. Use of stronger authentication or multiple layers of authentication lowers the risk of contract repudiation.

The Signature service provides customers with a range of authentication options so they can align the level of signer authentication to the sensitivity of their eDocument the Signature service. The authentication methods supported by the Signature service range from confirming IP addresses to using authentication codes sent by SMS to the use of knowledge bases to validate identity. More detail on the authentication capabilities of the Signature service, as well as the specific methods available, is available in the Authentication section.

How DocuSign can help

DocuSign can partner with customers to meet compliance needs. Customers should have a clear understanding of their specific compliance requirements or use cases that represent regulations to which they must adhere. Specialized DocuSign resources in legal, product, and customer operations can review specialized capabilities offered by DocuSign.