How data governance regulations and standards shape DocuSign’s rigorous security and privacy practices
Every e-signature provider seeks to keep confidential customer data secure throughout the e-signing process and help ensure that the data remains accurate, complete, and consistently available to those authorised to access it. But what sets them all apart is their approach to data governance.
DocuSign’s commitment to and significant ongoing investment toward protecting customer data extends to every operating environment across the DocuSign Agreement Cloud. In fact, information security and privacy are in our DNA and ingrained in our people, processes, and technologies—globally.
Our approach is simple: every employee is responsible for information security, including protecting:
- DocuSign-owned information assets
- Customer and partner information assets
- The underlying technology infrastructure and the data generated, processed, and stored in DocuSign environments.
This article details DocuSign’s commitment to delivering robust data governance through specific policies and capabilities, rooted in an understanding of laws, regulations, standards, and best practices.
From global regulations to contractual commitments
Effective security capabilities stem from a full range of factors that inform the security approach, from the broadest government laws and regulations to specific contractual agreements. DocuSign data governance standards, policies, and procedures are informed by a firm grasp of these factors, resulting in security and privacy capabilities and an overall security mindset that are integrated into everything that the company does to cultivate ongoing customer trust.
Global standards and guidelines
DocuSign works diligently to stay abreast of security and privacy regulations and frameworks around the world. By continually monitoring the security and privacy landscape, we can modify our data governance approach to remain in step and comply with the latest standards and guidelines, including:
General Data Protection Regulation (GDPR)
The GDPR represents the most important data protection regulation change in over 20 years. It aims to strengthen data protection for individuals within the European Union (EU), giving them greater say over what companies can do with the personal data that has been collected on them and creating a uniform baseline of data privacy rules for businesses handling EU personal data.
As an organisation focused on trust and careful handling of customer data, DocuSign demonstrates a commitment to privacy in a number of ways. Our strong compliance culture and robust security safeguards, which are reflected in our ISO 27001, 27017, and 27018 certifications, provide a solid foundation for ongoing GDPR compliance efforts. In particular, ISO 27018 demonstrates alignment with “commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment”. Further, DocuSign operates under Binding Corporate Rules (BCR) approved by an EU data protection authority, a status that only a limited number of companies have attained.
California Consumer Privacy Act (CCPA)
The CCPA is a California-specific privacy law that requires organisations to protect the personal information of California residents and establishes individual rights and associated obligations similar to those of the GDPR. It is the first comprehensive state-specific privacy legislation in the United States, signaling an increasing level of regulatory attention on data protection practices. DocuSign’s treatment of CCPA compliance as a critical capability further demonstrates our commitment to privacy in an evolving data protection regulation landscape.
United States (U.S.) Federal Risk and Authorisation Management Program (FedRAMP)
FedRAMP is a standardised approach for assessing, monitoring, and authorising cloud computing products and services for U.S. Federal agencies. DocuSign has received numerous authorisations from U.S. Federal agencies and is listed on the U.S. Federal Government’s FedRAMP marketplace for both DocuSign eSignature and Contract Lifecycle Management (CLM) services.
U.S. Department of Defense (DoD) Impact Level 4 (IL 4)
The U.S. DoD has a FedRAMP-equivalent program, IL4, that standardises the approach for assessing, monitoring, and authorising cloud computing products and services for U.S. military agencies. DocuSign has completed the assessment for both the DocuSign eSignature and CLM services.
Japanese Center for Finance Industry Information Systems (FISC)
FISC develops security guidelines for information systems, which are followed by most financial institutions in Japan. These include guidelines for security measures to be put in place while creating system architectures, auditing of computer system controls, contingency planning, and developing security policies and procedures. DocuSign is a member of FISC and is compliant with FISC Security Guidelines.
Asia Pacific Economic Cooperation (APEC) Privacy Recognition Program (PRP)
DocuSign has achieved the APEC PRP System certification. APEC has established the Cross-Border Privacy Rules (CBPR) and Framework to protect the privacy and security of personal information at rest and in transit. An independent auditor, Schellman Group, has assessed our capabilities and granted us this certification to demonstrate compliance with the CBPR and Framework.
Industry best-practice standards
Regardless of industry, the need for data governance has driven the creation of best practices and standards to guide companies in their security and privacy strategy and capabilities. Evidence of DocuSign’s commitment to data governance at all levels is provided by the certifications and attestations of compliance we’ve earned, including:
- ISO 27001:2013, 27017:2015, 27018:2014
- SOC 1 Type 2, SOC 2 Type 2
- PCI DSS
- CSA STAR Program
Customer contractual agreements
DocuSign provides assurance to customers about data governance for privacy and security across all of our products and services; these commitments are outlined in DocuSign’s contractual agreements.
Layered, defense-in-depth approach to protecting customer data
To implement an effective, multi-layered approach to data governance, DocuSign evaluates the collective industry requirements from multiple perspectives. We also have dedicated teams that continually review and assess our data governance posture to ensure customer needs are met and new risks are adequately mitigated. All teams collaborate to ensure alignment of security and privacy practices, providing regular updates to DocuSign’s executive staff. These teams are made up of subject matter experts from some of the most security-conscious organisations in the world, including multinational financial institutions and law enforcement agencies in the United States and United Kingdom.
Reviewing and analysing a broad range of considerations from global regulations to contractual commitments significantly contributes to DocuSign’s approach to security and privacy. Dedicated teams focus on delivering the confidentiality, integrity, availability, and privacy that regulations dictate and that customers expect, so that companies can embark upon digital transformation with confidence.
Learn more in our whitepaper: How Data Governance Regulations and Standards Shape DocuSign’s Rigorous Security and Privacy Practices or contact us to speak to an expert.
Written by Stephanie Liais, Senior Product Marketing Manager