Subprocessor list

Revision date: June 11, 2019

This website and its contents do not give any party additional rights or remedies and should not be construed as a binding agreement. The information herein is provided to illustrate DocuSign’s engagement process for subprocessors, and to provide a subprocessor list.

DocuSign uses certain subprocessors to support the delivery of the DocuSign Signature service.

What is a Subprocessor?

A subprocessor is a data processor, engaged by DocuSign, that processes eDocuments (which may contain personal data) as necessary to support the delivery of the DocuSign Signature service.

Subscribe to Updates to the Subprocessor List

DocuSign will make updates to the subprocessor list via this website. To subscribe to updates to the subprocessor list, copy the following link into your preferred RSS reader: https://www.docusign.com/trust/alerts/feed.

Due Diligence and Safeguards

DocuSign uses commercially reasonable efforts to evaluate the data protection practices of subprocessors that process eDocuments. DocuSign requires subprocessors to provide, at a minimum, the level of data protection required of DocuSign under applicable data protection laws and regulations, including, but not limited to, the requirements to:

  • Use commercially reasonable security measures in providing services to DocuSign to preserve the security, integrity, and confidentiality of personal data, and to protect against unauthorized access and anticipated threats or hazards to personal data;
  • Use personal data only to provide the DocuSign Signature service (including necessary subprocessor services), and not process personal data for any other purpose;
  • Handle and maintain personal data in compliance with all applicable data privacy and protection laws, rules, and regulations;
  • Immediately notify DocuSign about any actual or potential security breach affecting personal data processed on behalf of DocuSign;
  • Assist and support DocuSign in dealing with requests from governmental authorities, data controllers, data subjects or data protection authorities, as applicable;
  • Not transfer personal data to a third country unless expressly authorized to do so by DocuSign;
  • Not engage another data processor without prior specific authorization of DocuSign; and
  • Comply with obligations as required by the General Data Protection Regulation, as applicable.

Infrastructure Subprocessors

DocuSign owns and controls the infrastructure that it uses to host eDocuments submitted to the instances of the DocuSign Signature application in the United States and in EMEA. In addition, customer accounts can be established in additional regions based on where the customer is located or as determined at the time the customer’s account is provisioned by using infrastructure subprocessors. The following is a list of the name(s), location(s), and activities of the infrastructure subprocessors:

| Entity name | Purpose; applicable services | Country location(s) |
| --- | --- | --- |
| Microsoft Azure | To provide instances of the DocuSign Signature application in Australia and Canada. | Australia; Canada |

Service-specific Subprocessors

DocuSign uses certain service-specific subprocessors to provide specific functionality within the DocuSign Signature service. The following is a list of the name(s), location(s), and activities of the service-specific subprocessors:

| Entity name | Purpose; applicable services | Country location(s) |
| --- | --- | --- |
| FaxLogic | Customer may use an optional feature of the DocuSign Signature service to transmit documents via facsimile. | USA |
| FedEx | Customer may use an optional feature of the DocuSign Signature service to print documents directly to a FedEx Office location. | USA |
| Google | Customer may use an optional feature of the DocuSign Signature service to automatically place fields in documents. | USA |

Objecting to a Subprocessor

Customer may object to a subprocessor per the BCR-P Privacy Code. To object to a subprocessor, Customer must submit its objection by email to [email protected] with subject line “Subprocessor Objection,” along with their name, company name, name of the DocuSign service, name of the subprocessor, and grounds for objection (see the BCR-P Privacy Code for objective justifiable grounds).