Security & Operations
When documents contain highly sensitive information, you can’t afford to take risks. Protecting your data is DocuSign’s top priority. DocuSign meets the industry’s most rigorous security certification standards and operations. DocuSign’s comprehensive approach ensures the security, privacy, compliance, and enforceability of your DocuSign transactions.
Benefits of DocuSign’s rigorous security and operations
DocuSign’s security and operations deliver:
- The most rigorous security certification standards
- Strongest data encryption technologies available to ensure the privacy of your data
- Highly secure access based on robust authentication options
- The strongest level of enforceability and non-repudiation of your transactions
Compliance with rigorous security standards
DocuSign meets the industry’s most rigorous security certification standards, and uses the strongest data encryption technologies available. No other Digital Transaction Management (DTM) company can match the enterprise security and operations investments DocuSign has made—and third-party audit reports back it up. DocuSign is the only DTM provider to be ISO 27001-certified and SSAE 16-certified (SOC 1 and SOC 2) and internationally tested across the entire company and its data centers.
DocuSign is certified compliant on the xDTM Standard, version 1.0 —the transaction management standard for an open, digital world. The xDTM Standard helps organizations and consumers leverage the benefits of DTM to conduct online transactions without exposing them to the risks and consequences of using noncompliant technologies. Built on the dual concepts of trust and reliability, the Standard includes specific, measurable thresholds for security, privacy, interoperability, availability, and other critical elements.
Only DocuSign provides full document encryption to ensure the privacy of your data. Documents stored in our ISO 27001 and SSAE 16 data centers are encrypted with the highest levels of encryption.
Only you and individuals authorized by your company have access to your documents. Your content stays private—including from DocuSign. Employees never have access to your content. Rest assured that your personal information is safe with DocuSign. Your data is your data. DocuSign will never sell your information.
Highly secure access
Many of the world’s most stringent organizations, such as financial services, insurance, and healthcare companies, use DocuSign’s advanced authentication methods to validate the identity of all transacting parties. These methods include texting an SMS code to another device, answering "secret knowledge" questions, and using voice authorization.
Enforceability and non-repudiation of transactions
Our hashing algorithm verifies that documents have not been modified, and our PKI digital certificate technology secures documents and signatures with tamper-evident seals.
DocuSign's court-admissible, digitally signed, and tamper-evident Certificate of Completion contains a comprehensive audit trail that includes:
- Signing parties’ names
- Digital signatures
- Email addresses
- Public IP addresses
- Signing location (if provided)
- Chain of custody (sent, viewed, signed, etc.)
DocuSign is willing to attest to the validity of documents signed with our technology, allowing us to warrant compliance with the ESIGN Act—the only DTM company to do so.
Delivering rigorous security standards
Delivering the industry’s most rigorous security certification standards is a three-pronged approach, incorporating people, processes, and platform, meeting the standards of even the most discerning enterprises.
Dedicated and experienced security team
DocuSign has invested heavily in a dedicated security team, made up of senior executives, including a Chief Risk Officer and Chief Information Security Officer. The team oversees DocuSign’s comprehensive security protocol and conducts mandatory, ongoing security training for all employees. DocuSign works closely with leading security experts to continually monitor the security landscape and to evolve our security strategy.
DocuSign takes a thorough approach to governance, risk, and compliance, which ensures that all security policies and certifications are best-in-class. A security council regularly reviews all processes. Plus, fundamental physical security procedures, such as badges, cameras, and strict access controls, are complemented by technical security, which includes:
- Robust endpoint security, including data leakage prevention and malware protection
- Ongoing monitoring, defense, and incident response
- Managed services for third parties, including a vendor security compliance program
Each component of DocuSign's trusted platform undergoes tremendous security scrutiny.
Hardware and infrastructure
Applications and access
Systems and operations
Transmission and storage
Dedicated Trust Center
Only DocuSign maintains a Trust Center as a source for the latest security, system performance, and availability information: