DocuSign's commitment to information protection

DocuSign attestations of compliance


The capabilities and features of the Signature service and other DocuSign solutions are anchored in DocuSign’s compliance to applicable laws, regulations, and industry standards around the world. DocuSign is also committed to delivering world-class security that meets or exceeds US and international requirements, including the US ESIGN act, European Union Directive 1999/93/EC, and European Regulation 910/2014 (also known as eIDAS).

Additionally, DocuSign complies with industry-leading standards spanning security, data privacy and protection, and more. Compliance to these standards provides assurance on the effectiveness of DocuSign’s technology infrastructure, policies, and operations in areas such as data encryption, system monitoring, penetration testing, environmental segmentation, data center security, authentication, encryption key management practices, and others, as well as companion areas such corporate governance, employee policies, and training.

DocuSign security and trust assurance packet

DocuSign’s Security and Trust Assurance Packet (STAP) includes reports from third-party auditors and provides further detail on DocuSign’s external certifications and compliance with industry standards across the five key sections outlined below: ISO 27001:2013; SOC 1 Type 2, SOC 2 Type 2; PCI DSS Attestation of Compliance; and Skyhigh CloudTrust.

DocuSign is committed to making its service available so customers may access it whenever needed. The STAP also includes a certificate of liability insurance and a customer data flow diagram indicating how data is securely managed as it traverses DocuSign’s systems.

The STAP is intended to assist customer-side compliance and legal teams, as well as groups involved in the technical assessment of DocuSign solutions. You can request a copy of the STAP from your sales representative (a signed NDA is required).


Key certifications and audits

ISO 27001:2013
ISO 27001:2013 is the highest level of global information security assurance available today. DocuSign is certified as an information security management system (ISMS) across all 133 controls in the ISO 27001:2013 standard. The STAP includes the ISO 27001:2013 Certificate of Registration for DocuSign (IS 580155), provided by the British Standards Institute (BSI).



SOC 1 Type 2, SOC 2 Type 2
Driven by the AICPA, (American Institute of Certified Public Accountants), the SOC 1 Type 2 and SOC 2 Type 2 reports provide information on the internal controls in place in an organization. DocuSign undergoes third-party monitoring and yearly audits across all aspects of its enterprise business and production operations.

The STAP includes the reports provided by an independent auditor who determined that DocuSign is operating effectively and efficiently relative to its desired state:

  • The report on Controls Placed in Operation and Tests of Operating Effectiveness (SOC 1 Type 2)
  • The report on Controls Placed in Operation and Tests of Operating Effectiveness Relevant to the Security, Availability, and Confidentiality Principles (SOC 2 Type 2)


PCI Logo

PCI DSS Attestation of Compliance
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of information security requirements that any entity touching credit card data must comply with as mandated by the major credit card brands. As an organization that is both a service provider and a merchant, DocuSign undergoes annual audits by a Qualified Security Assessor that validates compliance. Content provided in the STAP includes Attestations of Compliance and penetration tests results.


Sky High Seal

Skyhigh CloudTrust
DocuSign is certified as Skyhigh Enterprise-Ready under the Skyhigh CloudTrust program, which evaluates security controls and enterprise readiness based on Cloud Security Alliance (CSA) criteria. The certification is not included in the STAP, but is available upon request.