Data management and privacy practices for DocuSign eSignature
Data protection rights
DocuSign operates in accordance with fundamental privacy principles that underlie global privacy regulations, with respect to an individual’s right to know what personal data is collected and how it is used or otherwise processed.
You may submit a request regarding your personal data using the DocuSign Privacy Request Portal.
Data deletion and retention
Customers determine their account’s retention policies. For example, in DocuSign eSignature, customers are free to purge their eDocuments at any time and can use the API to verify that a purge has been completed. Once an eDocument or its envelope is purged, it’s also purged on a near real-time basis from the active sites.
Envelope purging is a process to permanently remove documents and their field data from completed and voided envelopes after a specified retention period. If a customer purges the envelopes sent from their account, we retain the audit log data (which includes the Certificate of Completion and history) to support our ability to attest to the details of a transaction. This behavior is viewed by customers as a valuable feature that allows DocuSign to be a neutral record.
Audit log data in DocuSign eSignature may include:
- Envelope addressing information, including sender(s) and signer(s)
- Envelope history
- Specific envelope information, such as:
- Date/time of signing
- Authentication methods used by recipients
DocuSign provides a feature in DocuSign eSignature, when enabled, that allows customer administrators to redact personal data from the audit log as part of the purge process. More information on document retention, targeted envelope purge and the redact personal data feature can be found on the DocuSign Support pages.
All eDocuments created by our customers when using the DocuSign eSignature service are automatically encrypted with an AES 256-bit, or equivalent, encryption key.
The segmentation and systematic encryption (and key escrow management) employed by DocuSign doesn’t allow DocuSign personnel to view or read eDocument content sent through DocuSign eSignature for electronic signature. In accordance with DocuSign’s Acceptable use Policy, only select DocuSign personnel (based on role/responsibility) with a demonstrated need to know have access to transactional data surrounding the envelopes.
Such transactional data includes:
- Username, phone number, email address and address
- Authentication method
- Envelope metadata, history and subject line
DocuSign’s personnel logical access authorization chain requires direct manager approval, application/data source owner approval, and, in cases of sensitive applications and data sources, security management approval. Access to critical applications and data sources is removed at personnel termination and is reviewed to verify that appropriate and current access levels are maintained. DocuSign is ISO 27001 certified and maintains formal policies and procedures for access control.
DocuSign enforces the “rule of least privilege” and has documented segregation of duties. We also enforce formal logical and account separation of the development, QA and production environments.
Paid customers can choose where their account will be located, and for most of them, this can be done at the time of account provisioning. For Web customers, automatic logic determines where a customer account will reside, and it’s based on the customer’s location.
For customers in the U.S. or EU, DocuSign physically stores eDocuments in the applicable geographic location where the corresponding customer account is located. For example, if the customer account is in the EU, then the customer’s eDocuments are also stored in the EU.
The GDPR doesn’t require personal data of EU citizens and residents to be only stored within the EU. Currently, user data, which includes personal data, is replicated around the world to support the global use of the DocuSign eSignature service. DocuSign’s product roadmap includes a new approach to accessing the DocuSign eSignature service that will limit replication of personal data across the globe.
Learn more about DocuSign data residency.
We maintain a list of the subprocessors that we use as part of our products and services, including the activities and services performed by such subprocessors and their country location.
Training and awareness
We require annual privacy and security training that’s mandatory for all DocuSign personnel. These trainings are actively tracked and regularly reviewed to help ensure compliance and relevance for our business activities. We also deliver periodic privacy and security communications to supplement required trainings, further reinforcing data privacy and data security best practices.
Governance and accountability
DocuSign’s Global Privacy Program is directed and overseen by its Chief Privacy Officer and a team of dedicated privacy professionals. IAPP-certified privacy professionals review company activity with privacy and data protection implications, assess compliance and make recommendations to help meet compliance requirements. Our determination and commitment to privacy is further supported by DocuSign’s approved Binding Corporate Rules (BCRs), under which DocuSign’s privacy governance structure, policies and practices have undergone rigorous review and confirmation by the European data protection authorities.
Privacy by design
Our product and engineering teams work closely with our global privacy team to embed privacy principles in our products and services and help ensure privacy compliance with respect to the various phases of product development, starting at concept, through requirements gathering, to implementation and release.
Beyond product development activities, our privacy team drives our privacy by design approach on a corporate-wide basis, including assessing a variety of activities across the company involving personal data for privacy compliance.