Appetite for security risk varies from organization to organization and depends on both the industry in which the organization operates and the corresponding legal and regulatory requirements. At DocuSign, we understand this. That’s why all our products are researched, designed, and developed with security as a top priority and built with configurable security in mind.
Designed to maximize security for data at rest and in transit, the DocuSign Agreement Cloud allows you to configure security settings to match your security risk requirements for accessing, managing, and sharing data. Moreover, each DocuSign product in our trusted platform undergoes stringent security reviews and monitoring to ensure your data remains safe and protected.
For an overview of key security features and practices that protect your documents and data within all DocuSign products, see below.
Hardware and infrastructure
- Geo-dispersed, ISO 27001-certified, and SOC-audited datacenters, located across multiple geographic regions
- Near real-time secure data replication and encrypted archival
- Around-the-clock onsite security with strict physical access control that complies with industry-recognized standards
- Annual Business Continuity Planning (BCP) and Disaster Recovery (DR) testing
- Professional, commercial-grade firewalls, border routers, and network management systems
Systems and operations
- Physically and logically separate networks
- Centralized, logical access management system
- Two-factor authentication, encrypted VPN access
- Distributed Denial of Service (DDoS) mitigation
- Active intrusion detection and prevention
- Anti-malware software integration that automatically alerts DocuSign’s cyber incident response team if potentially harmful code is detected
- Third-party penetration testing
Applications and access
- Formal code reviews and vulnerability mitigation by third parties
- Application-level Advanced Encryption Standard (AES) 256-bit encryption
- Key management and encryption program
- Malware protection
- Digital audit trail, with a Certificate of Completion that provides non-repudiation for all documents generated and signed using DocuSign
- Configurable security features
- Multi-factor authentication provides an additional level of assurance that only those authorized to access DocuSign products and associated documents can access them
- Role-based authorization for all business transaction types enables you to designate access to specific individuals
Learn more about DocuSign’s authentication mechanisms on the product features page and user guide.
Transmission and storage
- Subscriber data encrypted in accordance with industry best-practice standards
- Access and transfer of data to/from DocuSign via HTTPS
- Anti-tampering controls
- Signature verification of signing events
- Unalterable, systematic capture of signing data
- Digital certificate technology
- Customer-configurable data retention capability
Learn how DocuSign uses transaction data and the "Certificate of Completion."
Comprehensive security from start to finish
This foundation delivers end-to-end security to our customers and their data:
- Confidentiality: customer information stays confidential, including from DocuSign—customer documents and data are private and access is workflow controlled.
- Integrity: each document is ensured to be both intact and tamper-evident.
- Availability: DocuSign’s replicated, geo-dispersed infrastructure delivers consistent high availability, providing assurance that our service is there whenever customers need it.
- Authenticity: customers can rely on the authenticity of signers through the multi-faceted verification of signing events.
- Non-repudiation: customer documents are technically and legally assured and procedurally unassailable, as evidenced by the audit trail and chain of custody available with the DocuSign solution.
- Disclosure: all forms of responsible disclosure are welcomed. This includes any vulnerabilities found in DocuSign products. DocuSign fully endorses a safe harbor policy for good faith reports. You can contact our product security team by emailing bug reports to email@example.com.