Security at DocuSign – a top priority

Security is in DocuSign’s DNA. Every DocuSign product is researched, designed, and developed with security as a top priority. Our advanced platform architecture and security operations are designed to maximize security for data at rest and in transit, and each component of our trusted platform undergoes stringent security review.

We commit to delivering a set of industry-recognized information security programs through our information security contractual terms, and we constantly strive to improve our programs and never lessen or weaken relevant controls.

This page outlines the key security technologies, policies, and practices that protect your documents and data within all DocuSign products.

Hardware and infrastructure

  • Geo-dispersed, ISO 27001-certified, and SOC-audited datacenters, located across multiple geographic regions
  • Near real-time secure data replication and encrypted archival
  • Around-the-clock onsite security with strict physical access control that complies with industry-recognized standards
  • Annual Business Continuity Planning (BCP) and Disaster Recovery (DR) testing
  • Professional, commercial-grade firewalls, border routers, and network management systems

Systems and operations

  • Physically and logically separate networks
  • Centralized, logical access management system
  • Two-factor, encrypted VPN access
  • Distributed Denial of Service (DDoS) mitigation
  • Active intrusion detection and prevention
  • Anti-malware software integration that automatically alerts DocuSign’s cyber incident response team if potentially harmful code is detected
  • Third-party penetration testing

Applications and access

  • Formal code reviews and vulnerability mitigation by third parties
  • Application-level Advanced Encryption Standard (AES) 256-bit encryption
  • Key management and encryption program
  • Malware protection
  • Digital audit trail, with a Certificate of Completion that provides non-repudiation for all documents generated and signed using DocuSign
  • Configurable security features
    • Multi-factor authentication provides an additional level of assurance that only those authorized to access DocuSign products and associated documents can access them
    • Role-based authorization for all business transaction types enables you to designate access to specific individuals

Transmission and storage

  • Subscriber data encrypted in accordance with industry best-practice standards
  • Access and transfer of data to/from DocuSign via HTTPS
  • Anti-tampering controls
  • Signature verification of signing events
  • Unalterable, systematic capture of signing data
  • Digital certificate technology
  • Customer-configurable data retention capability

Comprehensive security from start to finish

This foundation delivers end-to-end security to our customers and their data:

  • Confidentiality: customer information stays confidential, including from DocuSign—customer documents and data are private and access is workflow controlled
  • Integrity: each document is ensured to be intact and tamper-evident
  • Availability: customers can be confident that DocuSign's service will be available with a robust infrastructure, historically providing an average of 99.99% uptime
  • Authenticity: customers can rely on the authenticity of signers through the multi-faceted verification of signing events
  • Non-repudiation: customer documents are ensured technically and legally and are procedurally unassailable as evidenced by the audit trail and chain of custody available with the DocuSign solution