Security for DocuSign Protect and Sign
Security is in DocuSign’s DNA, and like all of our products, DocuSign Protect and Sign is researched, designed, and developed with security as a top priority.
This document outlines the security technologies, policies, and practices that protect your documents and data within DocuSign Protect and Sign, including information that enables you to configure security in accordance with the specific risk management and compliance requirements of your organization. For security details common to all DocuSign products, visit product security on the Trust Center.
Physical and logical security
DocuSign maintains around-the-clock onsite security with strict physical access control that complies with industry-recognized standards, such as SOC 1, SOC 2, and ISO 27001.
We also use world-class security software and hardware to protect the physical integrity of DocuSign Protect and Sign and all associated computer systems and networks that process customer data. We do this through a centralized management system that controls access to the production environment through a global two-factor authentication process.
This isolated production environment is protected by industry-leading network management systems and malware detectors.
Security testing and vulnerability management
The quality and integrity of DocuSign Protect and Sign is ensured by a formal product development lifecycle that includes secure coding practices. Rigorous automated and manual code reviews are designed to pinpoint security weaknesses. We also perform internal and external vulnerability scans and penetration tests against the DocuSign Protect and Sign production environment. Any identified weaknesses from these industry-compliant tests are remedied in a commercially reasonable manner and in a timeframe commensurate with their severity.
Security monitoring
We monitor DocuSign Protect and Sign from both an operational and a security perspective. Intrusion prevention and detection events are logged, and tailored alerts are sent to our operations and security teams to ensure that DocuSign Protect and Sign can be used without security exposure from any location by those authorized to access it.
Storage, encryption, and disposal
To ensure your data stays protected, DocuSign follows industry best practices to:
- Logically separate individual customer data
- Encrypt customer data—all data access and transfer activities use HTTPS and other secure protocols, such as SSL, SSH, IPsec, SFTP, or secure channel signing and sealing
- Support only recognized cipher suites
- Encrypt all documents with AES 256-bit encryption or the most recent FIPS-approved methods
- Provide non-repudiation for all documents generated and signed using DocuSign via a Certificate of Completion
- Maintain a data disposal and re-use policy for managing data assets
- Implement processes for equipment management and secure media disposal
Business continuity and disaster recovery
DocuSign maintains written business continuity and disaster recovery plans that ensure the continuing availability of DocuSign Protect and Sign. The continuity plan includes crisis management, business recovery, and infrastructure elements, and we test both plans on an annual basis in accordance with ISO 27001 controls.
Configurable security features
DocuSign Protect and Sign offers the following customer-configurable features:
- Multi-factor authentication provides an additional level of assurance that only those authorized to access DocuSign Protect and Sign and associated documents can access them
- Level of signature allows you to configure qualified signatures, based on your needs, that are compliant with Electronic IDentification, Authentication, and trust Services (eIDAS)
- A proof file provides an audit trail of the transactions that occurred within DocuSign Protect and Sign
- Consent protocol Web page content aligns with the product or service requiring a signature