Frequently asked questions
The General Data Protection Regulation (GDPR), the European Union’s new privacy law, is in effect as of May 25, 2018. To help address your questions on DocuSign and the GDPR regulations, we compiled this list of frequently asked questions. If you have further questions on DocuSign and the GDPR, please contact your DocuSign Sales representative.
What is the GDPR?
The GDPR is a European data protection law that aims to update data privacy standards to address the increase in the creation and processing of personal data in today’s technology, including the cloud and social media. The regulation requires organizations that process personal data to be responsible for that data and stipulates new requirements for handling personal data, documenting those practices, and robust accountability. It also emphasizes increased transparency and choice for data subjects (i.e., the individuals described by personal data).
GDPR preparation and compliance
Does DocuSign adhere to requirements of the GDPR?
DocuSign is committed to protecting the documents and data provided by our customers, and adheres to the regulations set forth in the GDPR in the delivery of its Signature service.
How has DocuSign prepared for the GDPR?
Recognizing the impact of the GDPR, DocuSign identified a team of executives to lead our compliance program. As part of the program, we closely reviewed the GDPR (including regulator interpretations) and Binding Corporate Rules (BCR), as well as its existing common control framework, to identify changes or improvements in DocuSign’s data protection program. Teams composed of individuals in IT, product, legal, and compliance have been engaged to draft policies, standards, and procedures or to develop changes to the features or functionality of the DocuSign Signature service.
In complying with the GDPR, DocuSign is building on a strong compliance culture and a history of compliance with stringent security standards, including:
- ISO 27001/PCI certifications: DocuSign has and maintains certifications for ISO 27001 and the PCI Data Security Standard
- SOC1/SOC2 standards: DocuSign maintains controls sufficient to meet the objectives of SOC1 and SOC2, or equivalent standards, and is assessed against those standards annually
- Encryption: All eContracts or eDocuments created by our customers when using the DocuSign Signature service are automatically encrypted with an AES 256-bit, or equivalent, encryption key
Europe’s Data Protection Directive and the GDPR don’t prohibit transfers of personal data outside of the European Economic Area (EEA), but there are requirements an organization must satisfy to do so lawfully. There are defined methods or mechanisms identified by the European Commission as “appropriate safeguards” for personal data transferred outside of the EU, including Binding Corporate Rules. DocuSign has received approval from the EU Data Protection Authorities (DPA) of its applications for BCR as both a data controller and a data processor.
eContracts or eDocuments (i.e. documents sent for electronic signature) processed by DocuSign for customers in the EEA can also be stored in European data centers.
What are binding corporate rules, and does DocuSign have them?
BCR are a set of internal binding rules that define a corporation’s global policy on data protection. BCR are submitted to data protection authorities in the EU, which review them, request changes or clarifications where they wish, and ultimately approve them as providing an adequate level of protection for the privacy and fundamental rights of individuals in the EU. Once approved, personal data transferred to and within the corporate family is protected by this rigorous data protection scheme.
DocuSign is committed to achieving and maintaining customer trust and has obtained approval as both a data processor and data controller from the European Union Data Protection Authorities.
What is the difference between BCR and GDPR?
BCR stands for Binding Corporate Rules. GDPR stands for the General Data Protection Regulation. The GDPR mentions BCR as an approved means of ensuring adequate privacy protection for personal data exported from Europe to countries like the United States.
- BCR are one of three approaches to ensuring adequate privacy protection for personal data exported from the EU to countries like the United States. The other two are standard contractual clauses and the EU-US Privacy Shield. Without one of these measures in place, exports of personal data from the EU to the United States are not lawful. BCR are regarded by some as the gold standard for data transfers, because they entail regulator review of an organization’s data protection practices and are explicitly mentioned in the GDPR. BCR are relevant to GDPR compliance because they indicate a high level of maturity in data protection, but meeting BCR requirements doesn’t ensure compliance with the additional requirements of the GDPR.
- GDPR is a new data protection law in Europe. Like previous data protection laws in Europe, it prohibits exports of personal data from the EU to the United States unless an adequate transfer mechanism like BCR, standard contractual clauses, or Privacy Shield is in place.
Is DocuSign using DocuSign Signature to support its GDPR compliance efforts?
DocuSign commonly employs DocuSign Signature to support internal processes, such as policy creation, review, and approval. We also leverage DocuSign Signature to deliver and track training. These efforts are important aspects of our GDPR compliance efforts.
- Since DocuSign Signature is well suited to securing consent in accordance with the GDPR, DocuSign is looking closely at deploying it for use cases where we rely on consent as a lawful basis for processing personal data.
- We typically use DocuSign Signature to execute contracts with our service providers, including data processors. We will deploy DocuSign Signature as a part of our efforts to ensure that our agreements with data processors contain the data protection terms required by GDPR.
Can DocuSign offer GDPR terms in its contracts with customers?
DocuSign provides customers with additional data processing terms as required under GDPR, including the obligation to secure protections from any subprocessor.
Can I choose where my account will be located?
Yes, for most paid customers this can be done at the time of account provisioning. For web customers, automatic logic determines where a customer account will reside and is based on the location of the customer.
Does DocuSign offer data residency in the EU?
While the GDPR doesn’t require data residency, DocuSign ensures that all eDocuments from an account are physically stored in the geographic location where the customer’s account is located (if the customer’s account is in the U.S. or Europe). For example, if the customer’s account is in the EU, then the customer’s eDocuments are also stored in the EU.
The GDPR doesn’t require personal data of EU citizens and residents to be only stored within the EU. Currently, user data, which includes personal data, is replicated across the globe to support global use of the Signature service. DocuSign’s product roadmap includes a new approach to access to the Signature service that will limit replication of personal data across the globe.
Data deletion and retention
What is DocuSign’s “right to be forgotten” process, and how long does it take to respond?
DocuSign customers determine their account’s retention policies. Once an eDocument or its envelope is purged, it is also purged on a near real-time basis from the active sites. In addition, customers are free to purge their eDocuments at any time and can use the API to verify that a purge has been completed.
If I purge my transaction records, what data is retained?
Envelope purging is a process to permanently remove documents and their field data from completed and voided envelopes after a specified retention period. If a customer purges the envelopes sent from their account, DocuSign retains the audit log data (which includes the Certificate of Completion and history) to support DocuSign’s ability to attest to the details of a transaction. This behavior is viewed by customers as a valuable feature that allows DocuSign to serve as a virtual witness.
Audit log data may include:
- Envelope addressing information, including sender and signer(s)
- Envelope history
- Specific envelope information, such as:
  - Date/time of signing
  - Authentication methods used by recipients
DocuSign provides a feature, when enabled, that allows customer administrators to redact personal data from the audit log as part of the purge process. More information on the Redact Personal Data feature can be found in the DocuSign Support pages.
How do I submit a request?
Individuals or their representatives may submit a request using the request form on the DocuSign Support Center. Individuals need to provide complete and relevant information on the form, which DocuSign will use to evaluate the request.
This form and the related evaluation processes may change as additional guidance becomes available, and individual submissions may be re-evaluated over time.
Will DocuSign employees have access to our data and what data will they have access to?
The segmentation and systematic encryption (and key escrow management) employed by DocuSign do not allow DocuSign personnel to view or read eDocuments sent through the DocuSign Signature service for electronic signature. Only select DocuSign employees (based on role/responsibility) with a demonstrated need to know have access to transactional data surrounding envelopes. These employees cannot generate or extract reports on the data.
Such transactional data includes:
- Username, phone number, email address, and address
- Authentication method
- Envelope metadata, history, and subject
DocuSign’s employee logical access authorization chain requires direct manager approval, application/data source owner approval, and, in cases of sensitive applications and data sources, security management approval. Access to critical applications and data sources is removed at employee termination and is reviewed at least quarterly to verify that appropriate and current access levels are maintained. DocuSign is ISO 27001 certified and maintains formal policies and procedures, including our DocuSign Access Control Standard.
DocuSign enforces the “rule of least privilege” and has documented segregation of duties. We also enforce formal logical and account separation of the development, QA, and production environments.
How will DocuSign manage data transfers under the GDPR?
Europe’s Data Protection Directive and the GDPR don’t prohibit transfers of personal data outside of the European Economic Area (EEA), but there are requirements an organization must satisfy to do so lawfully. There are defined methods or mechanisms identified by the European Commission as “appropriate safeguards” for personal data transferred outside of the EU, including Binding Corporate Rules. DocuSign has received approval from the EU DPA of its applications for BCR as both a data controller and a data processor.
How does DocuSign inform data breaches under the GDPR?
As per the requirements under GDPR Article 33 (2), the processor (DocuSign) shall notify the controller (the Subscriber) “without undue delay” after becoming aware of a personal data breach. Unless notification is delayed by the actions or demands of a law enforcement agency, DocuSign shall report to Customer: (a) any unlawful access or unauthorized acquisition, use, or disclosure of Customer Data persisted in DocuSign Signature (a “Data Breach”) following determination by DocuSign that a Data Breach has occurred.
In the event of a breach requiring notification to customers, DocuSign will identify one or more methods of communication to efficiently alert affected customers. We also post a wealth of information relevant to the status and integrity of our service to the DocuSign Trust Site. Interested customers should consider subscribing to the Trust Site’s alerts and updates feed.
Do you have a documented Data Privacy and Protection Policy/Standard that’s in compliance with the GDPR?
Training and awareness
Do DocuSign employees undergo mandatory data protection (GDPR) and data security training?
DocuSign has developed annual GDPR and security training content that’s mandatory for all employees to complete. Completion of these trainings is tracked through our Learning Management System. We also provide periodic privacy and security reminders for employees to reinforce data privacy and data security best practices.
Governance and accountability
Does DocuSign have a named person who is responsible for data privacy and protection?
While DocuSign isn’t required under the GDPR to appoint a Data Privacy Officer, we have a Chief Privacy Officer and a Privacy Officer as well as several attorneys and other privacy professionals. IAPP-certified privacy experts review company activity with data protection implications, assess risk, and make recommendations to reduce risk. Our privacy governance structure has been reviewed by European Data Protection Authorities as a part of our BCR approval process and no concerns were raised.
Privacy by design
Does DocuSign comply with data protection by design and by default principles in the design and development of its services?
DocuSign’s product and engineering teams collaborate with our legal privacy leads (individuals with certifications and extensive experience with data privacy) to assess and mitigate potential privacy risks during the various phases of product development, starting from concept, through requirements gathering, and throughout implementation. The collaboration typically includes regular meetings where the teams work together on developing products/services that meet and/or exceed applicable data privacy requirements.
Does DocuSign conduct privacy impact assessments to identify and minimize the privacy risks of new projects?
Our privacy professionals assess a variety of activities involving personal data for risk and frequently make recommendations for how to reduce any risks identified. Under the GDPR, when these assessments identify a high risk, we’ll conduct full data protection impact assessments.
How does DocuSign govern subprocessors?
We provide customers with additional data processing terms as required under GDPR, including the obligation to secure similar protections from any subprocessor. DocuSign maintains a list of the subprocessors employed, including the activities and services performed and their country location.