Last updated: November 1, 2019
This website and its contents don’t give any party additional rights or remedies and shouldn’t be construed as a binding agreement. The information herein is provided to illustrate DocuSign’s engagement process for subprocessors, and to provide a subprocessor list.
DocuSign uses certain subprocessors to support the delivery of the DocuSign services.
What is a subprocessor?
A subprocessor is a data processor who, on behalf of DocuSign, processes personal data contained in electronic documents and files submitted to the DocuSign services.
DocuSign uses certain infrastructure subprocessors to host its applications and other service-specific subprocessors to provide specific functionality within the DocuSign services or to provide professional services. Subprocessors used to provide professional services to customers are set forth in statements of work or other similar service agreements. Also, such subprocessors may be provided in a list of subprocessors.
View DocuSign subprocessors by service:
Subscribe to updates to the subprocessor List
DocuSign will make updates to the subprocessor lists via this website. To subscribe to updates to the subprocessor lists, copy the following link into your preferred RSS reader: https://www.docusign.com/trust/alerts/feed.
Due diligence and safeguards
DocuSign uses commercially reasonable efforts to evaluate the data protection practices of subprocessors that process electronic documents and files and will or may have access to or process personal data. DocuSign requires subprocessors to provide, at a minimum, the level of data protection required of DocuSign under applicable data protection laws and regulations, including, but not limited to, the requirements to:
- Use commercially reasonable security measures in providing services to DocuSign to preserve the security, integrity, and confidentiality of personal data, and to protect against unauthorized access and anticipated threats or hazards to personal data;
- Use personal data only for DocuSign to provide its services (including necessary subprocessor services), and not process personal data for any other purpose;
- Handle and maintain personal data in compliance with all applicable data privacy and protection laws, rules, and regulations;
- Comply with obligations as required by all applicable data privacy and protection laws, rules, and regulations;
- Immediately notify DocuSign about any actual or potential security breach affecting personal data processed on behalf of DocuSign;
- Assist and support DocuSign in dealing with requests from governmental authorities, data controllers, data subjects or data protection authorities, as applicable;
- Not transfer personal data to a third country unless expressly authorized to do so by DocuSign; and
- Not engage another data processor without prior specific authorization of DocuSign.
Objecting to a subprocessor
Customers may object to a subprocessor per the BCR-P Privacy Code. To object to a subprocessor, customers must submit their objection by email to [email protected] with subject line “Subprocessor Objection,” along with their name, company name, name of the DocuSign service, name of the subprocessor, and grounds for objection (see the BCR-P Privacy Code for objective justifiable grounds).