Bank-Grade Security and Operations

When documents contain highly sensitive information, you can’t afford to take risks. Protecting your data is DocuSign’s top priority. DocuSign’s security and operations meet the industry’s rigorous security certification standards. DocuSign’s comprehensive approach ensures the security, privacy, compliance, and enforceability of your DocuSign transactions.



Benefits of DocuSign’s rigorous security and operations

DocuSign’s security and operations deliver:

Compliance with rigorous security standards

DocuSign meets the industry’s rigorous security certification standards, and uses the strongest data encryption technologies available. No other Digital Transaction Management (DTM) company can match the enterprise security and operations investments DocuSign has made—and third-party audit reports back it up. DocuSign is the only DTM provider to be ISO 27001-certified and SSAE 16-certified (SOC 1 and SOC 2) and internationally tested across the entire company and its data centers.

Document privacy

Only DocuSign provides full document encryption to ensure the privacy of your data. Documents stored in our ISO 27001 and SSAE 16 data centers are encrypted with the highest levels of encryption.

Only you and individuals authorized by your company have access to your documents. Your content stays private—including from DocuSign. Employees never have access to your content. Rest assured that your personal information is safe with DocuSign. Your data is your data. DocuSign will never sell your information.

Highly secure access

Many of the world’s most stringent organizations, such as financial services, insurance, and healthcare companies, use DocuSign’s advanced authentication methods to validate the identity of all transacting parties. These methods include texting an SMS code to another device, answering "secret knowledge" questions, and using voice authorization.

Enforceability and non-repudiation of transactions

Our hashing algorithm verifies that documents have not been modified, and our PKI digital certificate technology secures documents and signatures with tamper-evident seals.

DocuSign's court-admissible, digitally signed, and tamper-evident Certificate of Completion contains a comprehensive audit trail that includes:

  • Signing parties’ names
  • Digital signatures
  • Email addresses
  • Public IP addresses
  • Signing location (if provided)
  • Chain of custody (sent, viewed, signed, etc.)
  • Timestamps

DocuSign is willing to attest to the validity of documents signed with our technology, allowing us to warrant compliance with the ESIGN Act—the only DTM company to do so.


Delivering rigorous security standards

DocuSign delivers rigorous security certification standards through a three-pronged approach that incorporates people, processes, and platform, meeting the standards of even the most discerning enterprises.

Dedicated and experienced security team

DocuSign has invested heavily in a dedicated security team, made up of senior executives, including a Chief Risk Officer and Chief Information Security Officer. The team oversees DocuSign’s comprehensive security protocol and conducts mandatory, ongoing security training for all employees. DocuSign works closely with leading security experts to continually monitor the security landscape and to evolve our security strategy.

Best-in-class processes

DocuSign takes a thorough approach to governance, risk, and compliance, which ensures that all security policies and certifications are best-in-class. A security council regularly reviews all processes. Plus, fundamental physical security procedures, such as badges, cameras, and strict access controls, are complemented by technical security, which includes:

  • Robust endpoint security, including data leakage prevention and malware protection
  • Ongoing monitoring, defense, and incident response
  • Managed services for third parties, including a vendor security compliance program

Trusted platform

Each component of DocuSign's trusted platform undergoes tremendous security scrutiny.


Hardware and infrastructure

  • Geo-dispersed, ISO 27001-certified, and SOC-audited datacenters, located across multiple geographic regions
  • Near real-time secure data replication and encrypted archival
  • Around-the-clock onsite security with strict physical access control

Applications and access

  • Formal code reviews and vulnerability mitigation by third parties
  • Application level Advanced Encryption Standard (AES) 256-bit encryption
  • Key management and encryption program

Systems and operations

  • Separate corporate and production networks (physically and logically)
  • Two-factor, encrypted virtual private network (VPN) access
  • Active 24/7 monitoring and alerting

Transmission and storage

  • Secure, private SSL 256-bit viewing session
  • Anti-tampering controls
  • Digital audit trails

Dedicated Trust Center

Only DocuSign maintains a Trust Center as a source for the latest security, system performance, and availability information: