// Trust & Security Report

    Docusign, Inc. logo

    Docusign, Inc.

    Electronic signature, Intelligent Agreement Management (IAM), and Contract Lifecycle Management platform

    Certifications held

    15

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001:2022
    HELD

    Docusign is ISO 27001:2022, ISO 27017:2015 and 27018:2019 certified

    Verify on docusign.com
    ISO 27017:2015 (Cloud Security)
    HELD

    Docusign is ISO 27001:2022, ISO 27017:2015 and 27018:2019 certified

    Verify on docusign.com
    ISO 27018:2019 (Cloud Privacy)
    HELD

    Docusign is ISO 27001:2022, ISO 27017:2015 and 27018:2019 certified

    Verify on docusign.com
    SOC 2 Type II
    HELD

    Docusign complies with the reporting requirements stipulated by the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria

    Verify on docusign.com
    SOC 1 Type II
    HELD

    SOC 1 Type II and SOC 2 Type II Docusign complies with the reporting requirements stipulated by the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria

    Verify on docusign.com
    PCI DSS v4.0
    HELD

    Docusign maintains compliance with version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS)

    Verify on docusign.com
    FedRAMP Agency Authorization
    HELD

    Docusign was awarded the FedRAMP Agency authorization and is listed on the U.S. Federal Government's FedRAMP marketplace

    Verify on docusign.com
    GovRAMP
    HELD

    Docusign Federal (eSignature & IAM) and Docusign CLM have achieved GovRAMP authorization.

    Verify on docusign.com
    DoD IL4 (Impact Level 4)
    HELD

    Defense Information Systems Agency (DISA) granted Docusign an IL4 provisional authorization for several offerings, including Docusign Federal (eSignature) and Docusign Contract Lifecycle Management.

    Verify on docusign.com
    HIPAA (BAA available)
    HELD

    With the correct configuration, Docusign eSignature can be HIPAA compliant for healthcare and life sciences organizations.

    Verify on docusign.com
    GDPR (Binding Corporate Rules + EU SCCs)
    HELD

    Docusign obtained approval of its applications for Binding Corporate Rules (BCRs) as both a data processor and data controller from the European Union Data Protection Authorities.

    Verify on docusign.com
    CSA STAR (CAIQ Level 1 self-assessment)
    HELD

    Docusign completes the Consensus Assessments Initiative Questionnaire (CAIQ) annually which documents the rigor and strength of DocuSign's security posture and best practices and is publicly accessible for viewing and download from the CSA STAR registry.

    Verify on docusign.com
    BSI C5 Type II (German cloud security)
    HELD

    C5 Type II compliance validates Docusign's eSignature product security program and controls meet the requirements of the Federal Office for Information Security (BSI).

    Verify on docusign.com
    IRAP PROTECTED (Australia)
    HELD

    Docusign has completed a third-party assessment and meets the PROTECTED level requirements, aligning with both the Australian Government Information Security Manual (ISM) controls and the Protective Security Policy Framework (PSPF).

    Verify on docusign.com
    APEC Privacy Recognition for Processor (PRP)
    HELD

    Docusign has achieved the APEC Privacy Recognition for Processor (PRP) System certification

    Verify on docusign.com
    > Show 2 unconfirmed / not-held certifications
    ISO/IEC 42001 (AI Management System)
    NOT CONFIRMED

    No public evidence found on docusign.com. Docusign publishes AI Innovation Principles and a trusted AI approach page but does not claim ISO 42001 certification.

    source: docusign.com
    CSA STAR Level 2 (third-party audit)
    NOT CONFIRMED

    Docusign's CSA STAR participation is via the CAIQ self-assessment (Level 1). No evidence of Level 2 (third-party audit) certification found on docusign.com.

    source: docusign.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Australia, United States, European Union, Canada. Enterprise customers can request data residency in specific regions (e.g. EU, Australia, Canada via Azure-based regional deployments).

    Docusign explicitly states it avoids training on identifiable personal customer data: 'We intentionally design our systems with functionality to avoid training models using personal information that customers may enter into our Services (except when we have consent from a customer to do so).' However, de-identified Customer Data may be used for AI model training with customer consent: 'Building, training and maintaining our artificial intelligence models through machine learning that power certain of our Services using de-identified Customer Data (with customer consent).' Customers on enterprise plans should review their service agreements for specific AI data use terms.

    // Security controls

    Encryption at rest

    AES-256-bit (or most recent FIPS-approved method): 'Encrypt all documents with AES 256-bit encryption or the most recent FIPS-approved methods'

    docusign.com

    Encryption in transit

    HTTPS/TLS, SSL, SSH, IPsec, SFTP: 'all data access and transfer activities use HTTPS and other secure protocols, such as SSL, SSH, IPsec, SFTP, or secure channel signing and sealing'

    docusign.com

    Multi-factor authentication

    Supported across all services: 'Multi-factor authentication provides an additional level of assurance that only those authorized to access Docusign eSignature and associated documents can access them'

    docusign.com

    Data isolation

    Logical customer data separation: 'Logically separate individual customer data'

    docusign.com

    Access controls

    Role-based access controls for all business transaction types; production environment access restricted to maintenance activities with additional security training required

    docusign.com

    Non-repudiation

    Certificate of Completion with PKI digital sealing provided for all signed documents

    docusign.com

    Audit cadence

    Annual independent audits for SOC 1, SOC 2, ISO 27001, and PCI DSS; dedicated compliance team provides independent verification

    docusign.com

    Vulnerability management

    Threat intelligence capabilities maintained; growing cybersecurity defenses with dedicated security specialists across information security domains

    docusign.com

    // Products & data scope

    eSignatureElectronic signature

    data: Agreement content, signer identity data, PHI if healthcare use case (requires BAA). Documents encrypted at rest and in transit.

    Core product. HIPAA-eligible with proper configuration and signed BAA. FedRAMP authorized for government use. Included in most IAM plans.

    IAM Core (Intelligent Agreement Management)AI-powered agreement management platform

    data: Agreement metadata, document content, AI-analyzed contract terms. AI analysis powered by Docusign's own models.

    AI analysis does not train on personal customer data without consent. De-identified data may be used with consent. FedRAMP authorized.

    Contract Lifecycle Management (CLM)Contract lifecycle management

    data: Full contract text, party information, workflow data, version history.

    FedRAMP and DoD IL4 authorized. GovRAMP authorized. Enterprise-only product.

    Identify (Identity Verification)Identity verification

    data: Government ID images, biometric facial comparison data, liveness check data. Docusign acts as both processor and controller depending on use.

    Highest-sensitivity data scope in the Docusign product family. Customers should review DPA carefully. IDV data subject to additional privacy terms.

    Web FormsWeb form creation and data capture

    data: Form submission data, routing information, any personal data entered by respondents.

    Data processed under standard DPA. Included in higher-tier IAM plans.

    // What to watch

    • HIPAA is not a formal certification: DocuSign supports HIPAA compliance via a signed BAA and correct configuration, but HIPAA is not independently audited like SOC 2. Customers must configure Docusign correctly and execute a BAA; compliance is not automatic.
    • CSA STAR is Level 1 self-assessment (CAIQ) only: Docusign annually completes the CAIQ and publishes it to the CSA STAR registry, but has not publicly claimed CSA STAR Level 2 (third-party certification). Treat as self-reported.
    • AI training on de-identified customer data with consent: Docusign does not train on personal customer data by default, but may use de-identified Customer Data for model training when customers consent. Enterprise customers should review their specific agreement terms to confirm opt-out posture.
    • No ISO 42001 (AI Management System) certification found: Docusign publishes AI Innovation Principles and a trusted AI approach, but does not claim ISO 42001 certification as of June 2026.
    • No ISO 27701 (Privacy Information Management) certification found on docusign.com: Docusign holds ISO 27018 (cloud privacy) and BCR but does not appear to claim separate ISO 27701 certification.

    // At a glance

    Pricing model

    Subscription tiers: Personal (free tier), Standard, Business Pro (per user/month billed annually), Enterprise (custom pricing). API plans separate. HIPAA-eligible plans start at Business Pro tier.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Docusign, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    docusign.com

    > Browse all vendor trust reports