Global standards and guidelines

Binding Corporate Rules

DocuSign obtained approval of its applications for Binding Corporate Rules (BCRs) as both a data processor and data controller from the European Union Data Protection Authorities. DocuSign’s approved BCRs enable lawful cross-border transfers of data through the DocuSign platform and eSignature service. Customers will be able to transact business with increased confidence knowing that they will comply with GDPR data transfer requirements when using DocuSign.

FedRAMP (US Federal Risk and Authorization Management Program)

FedRAMP is a standardized approach for assessing, monitoring, and authorizing cloud computing products and services. DocuSign was awarded the FedRAMP Agency authorization and is listed on the U.S. Federal Government’s FedRAMP marketplace with a Government Cloud deployment model for DocuSign eSignature and a Public Cloud deployment model for DocuSign Contract Lifecycle Management (formerly SpringCM).

FISC (The Center for Financial Industry Information Systems)

The FISC develops security guidelines for information systems, which are followed by most financial institutions in Japan. These include guidelines for security measures to be put in place while creating system architectures, auditing of computer system controls, contingency planning, and developing security policies and procedures. Though compliance with the FISC Security Guidelines is neither required by regulation nor audited by the FISC, DocuSign elected to become a member of the FISC and implemented internal controls to be compliant with the FISC Security Guidelines. For a detailed description of how DocuSign demonstrates FISC compliance, please contact your account manager.

Compilation of (EU) Member States Notification on SSCDs and QSCDs

This publication lists the signature devices that shall be considered as Qualified Signature Creation Devices (QSCDs) under the eIDAS regulation. DocuSign owns and operates a remote signature device, which is listed in this publication, and is the leading global eSignature solution offering cloud-based eIDAS-compliant electronic signatures.

EU Trusted List

DocuSign France SAS, a DocuSign company, is a trust service provider (TSP) under EU Regulation 910/2014 for electronic identification and trust services (eIDAS). As a TSP, DocuSign France provides qualified electronic signatures (QES), qualified time stamps, advanced electronic signatures (AES), and advanced seals recognized by all EU member states. DocuSign France is listed as a qualified TSP in the Trusted List managed by the French IT Security Agency, ANSSI.

Information Security Registered Assessors Program (IRAP)

The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative to outline a cyber security and risk management framework that organizations can apply to protect Australian government data and systems from cyber threats. DocuSign has been assessed at the Protected Level of control requirements, in alignment with the relevant Australian Government Information Security Manual (ISM) controls and the Protective Security Policy Framework (PSPF).