Subprocessor list
Revision date: June 11, 2019
This website and its contents do not give any party additional rights or remedies and should not be construed as a binding agreement. The information herein is provided to illustrate DocuSign’s engagement process for subprocessors, and to provide a subprocessor list.
DocuSign uses certain subprocessors to support the delivery of the DocuSign Signature service.
What is a Subprocessor?
A subprocessor is a data processor, engaged by DocuSign, that processes eDocuments (which may contain personal data) as necessary to support the delivery of the DocuSign Signature service.
Subscribe to Updates to the Subprocessor List
DocuSign will make updates to the subprocessor list via this website. To subscribe to updates to the subprocessor list, copy the following link into your preferred RSS reader: https://www.docusign.com/trust/alerts/feed.
Due Diligence and Safeguards
DocuSign uses commercially reasonable efforts to evaluate the data protection practices of subprocessors that process eDocuments. DocuSign requires subprocessors to provide, at a minimum, the level of data protection required of DocuSign under applicable data protection laws and regulations, including, but not limited to, the requirements to:
- Use commercially reasonable security measures in providing services to DocuSign to preserve the security, integrity, and confidentiality of personal data, and to protect against unauthorized access and anticipated threats or hazards to personal data;
- Use personal data only to provide the DocuSign Signature service (including necessary subprocessor services), and not process personal data for any other purpose;
- Handle and maintain personal data in compliance with all applicable data privacy and protection laws, rules, and regulations;
- Immediately notify DocuSign about any actual or potential security breach affecting personal data processed on behalf of DocuSign;
- Assist and support DocuSign in dealing with requests from governmental authorities, data controllers, data subjects or data protection authorities, as applicable;
- Not transfer personal data to a third country unless expressly authorized to do so by DocuSign;
- Not engage another data processor without prior specific authorization of DocuSign; and
- Comply with obligations as required by the General Data Protection Regulation, as applicable.
Infrastructure Subprocessors
DocuSign owns and controls the infrastructure that it uses to host eDocuments submitted to the instances of the DocuSign Signature application in the United States and in EMEA. In addition, customer accounts can be established in additional regions based on where the customer is located or as determined at the time the customer’s account is provisioned by using infrastructure subprocessors. The following is a list of the name(s), location(s), and activities of the infrastructure subprocessors:
| Entity name | Purpose; applicable services | Country location(s) |
|
Microsoft Azure |
To provide instances of the DocuSign Signature application in Australia and Canada. | Australia; Canada |
Service-specific Subprocessors
DocuSign uses certain service-specific subprocessors to provide specific functionality within the DocuSign Signature service. The following is a list of the name(s), location(s), and activities of the service-specific subprocessors:
| Entity name | Purpose; applicable services | Country location(s) |
| FaxLogic | Customer may use an optional feature of the DocuSign Signature service to transmit documents via facsimile. | USA |
| FedEx |
Customer may use an optional feature of the DocuSign Signature service to print documents directly to a FedEx Office location. |
USA |
|
Customer may use an optional feature of the DocuSign Signature service to automatically place fields in documents. |
USA |
Objecting to a Subprocessor
Customer may object to a subprocessor per the BCR-P Privacy Code. To object to a subprocessor, Customer must submit its objection by email to [email protected] with subject line “Subprocessor Objection,” along with their name, company name, name of the DocuSign service, name of the subprocessor, and grounds for objection (see the BCR-P Privacy Code for objective justifiable grounds).