Binding corporate rules and DocuSign
DocuSign has received the approval of the applications for Binding Corporate Rules (BCRs) as both a data processor and data controller from the European Union Data Protection Authorities. Considered the gold standard for data protection, BCRs are a strict set of rules for the members of the corporate family and are very difficult to obtain.
European Data Protection Authority (DPA) approval, which includes a lead DPA and two consulting DPAs, typically takes over two years and requires significant resources to draft, implement, and maintain. Only the most privacy-committed organizations successfully achieve BCR approval. To date, a very limited number of companies worldwide have obtained BCR approval. Of those, only a portion are approved as BCR for processors (BCR-P), explained in greater detail below.
Adherence to a set of BCR privacy codes is backed by audits and staff training programs overseen by an internal privacy compliance team and made binding by a company-adopted BCR privacy code. DocuSign is committed to achieving and maintaining customer trust.
BCR for processors
Binding Corporate Rules for Processors (BCR-P) are a global, company-wide privacy framework that allows the transfer of customer personal data outside of the EEA by processors, once approved by European DPAs. Specifically, BCR-P govern the transfer of personal data by a company acting as a data processor. All DocuSign group members have signed the BCR-P and are bound to comply with them. The BCR-P help ensure robust data protection practices throughout the corporate family and satisfies the European standards of data protection for customer personal data processed by DocuSign through its products and services.
For more on BCRs, see: