Binding corporate rules and DocuSign

DocuSign has received approval of its applications for Binding Corporate Rules (BCRs) as both a data processor and data controller from the European Union Data Protection Authorities. Considered the gold standard for data protection, BCRs are a strict set of rules for the members of the corporate family and are very difficult to obtain.

European Data Protection Authority (DPA) approval, which includes a lead DPA and two consulting DPAs, typically takes over two years and requires significant resources to draft, implement, and maintain. Only the most privacy-committed organizations successfully achieve BCR approval. To date, fewer than 100 companies worldwide have obtained BCR approval. Of those, only a few are approved as BCR for processors (BCR-P), explained in greater detail below.

Adherence to a set of BCR privacy codes is backed by audits and staff training programs, which are overseen by an internal privacy compliance team and made binding by a company-adopted BCR privacy code. DocuSign is committed to achieving and maintaining customer trust.

BCR for processors

Binding Corporate Rules for Processors (BCR-P) are a global, company-wide privacy framework that, once approved by European DPAs, allows processors to transfer customer personal data outside of the EEA. Specifically, BCR-P govern the transfer of personal data by a company acting as a data processor. All DocuSign group members have signed the BCR-P and are bound to comply with them. The BCR-P help ensure robust data protection practices throughout the corporate family and satisfy the European standards of data protection for customer personal data processed by DocuSign via the DocuSign Signature service.

For more on BCRs, see DocuSign’s Data Protection and Trust Guide and BCR-P privacy code.