Product security

Appetite for security risk varies from organization to organization and depends on both the industry in which the organization operates and the corresponding legal and regulatory requirements. At DocuSign, we understand this. That’s why all our products are researched, designed, and developed with security as a top priority and built with configurable security in mind.

Designed to maximize security for data at rest and in transit, the DocuSign Agreement Cloud allows you to configure security settings to match your security risk requirements for accessing, managing, and sharing data. Moreover, each DocuSign product in our trusted platform undergoes stringent security reviews and monitoring to ensure your data remains safe and protected.

Below is an overview of the key security features and practices that protect your documents and data within all DocuSign products. For more detailed information per product, please use the links to the left of this page.

Hardware and infrastructure

  • Geo-dispersed, ISO 27001-certified, and SOC-audited datacenters, located across multiple geographic regions
  • Near real-time secure data replication and encrypted archival
  • Around-the-clock onsite security with strict physical access control that complies with industry-recognized standards
  • Annual Business Continuity Planning (BCP) and Disaster Recovery (DR) testing
  • Professional, commercial-grade firewalls, border routers, and network management systems

Systems and operations

  • Physically and logically separate networks
  • Centralized, logical access management system
  • Two-factor authentication, encrypted VPN access
  • Distributed Denial of Service (DDoS) mitigation
  • Active intrusion detection and prevention
  • Anti-malware software integration that automatically alerts DocuSign’s cyber incident response team if potentially harmful code is detected
  • Third-party penetration testing

Applications and access

  • Formal code reviews and vulnerability mitigation by third parties
  • Application-level Advanced Encryption Standard (AES) 256-bit encryption
  • Key management and encryption program
  • Malware protection
  • Digital audit trail, with a Certificate of Completion that provides non-repudiation for all documents generated and signed using DocuSign
  • Configurable security features
    • Multi-factor authentication provides an additional level of assurance that only those authorized to access DocuSign products and associated documents can access them
    • Role-based authorization for all business transaction types enables you to designate access to specific individuals

Transmission and storage

  • Subscriber data encrypted in accordance with industry best-practice standards
  • Access and transfer of data to/from DocuSign via HTTPS
  • Anti-tampering controls
  • Signature verification of signing events
  • Unalterable, systematic capture of signing data
  • Digital certificate technology
  • Customer-configurable data retention capability

Comprehensive security from start to finish

This foundation delivers end-to-end security to our customers and their data:

  • Confidentiality: customer information stays confidential, including from DocuSign—customer documents and data are private and access is workflow controlled
  • Integrity: each document is ensured to be both intact and tamper-evident
  • Availability: DocuSign’s replicated, geo-dispersed infrastructure delivers consistent high availability, providing assurance that our service is there whenever customers need it
  • Authenticity: customers can rely on the authenticity of signers through the multi-faceted verification of signing events
  • Non-repudiation: customer documents are ensured technically and legally and are procedurally unassailable as evidenced by the audit trail and chain of custody available with the DocuSign solution