Genuine Customer Inquiry | What International Certifications and Standards Has DocuSign Obtained?

A Comprehensive Guide to DocuSign’s Global Certification System!

Many customers evaluating e-signature solutions often ask: “Is DocuSign compliant with major global certifications and standards? Is it legally valid in regions like Europe, the U.S., Canada, and Asia? Does its information security meet compliance requirements?” These questions are critical, especially for cross-border operations or sensitive data (e.g., personal privacy, financial contracts, medical records).

As a global leader in e-signatures, DocuSign holds multiple international certifications and regional compliance frameworks (e.g., ISO 27018, SOC 2 Type II), ensuring legal validity and data security across North America, Europe, Asia, and other key markets.

This article details DocuSign’s certification system, covering international standards, industry-specific accreditations, and regional compliance requirements. By analyzing the practical implications of these certifications, we’ll demonstrate how DocuSign safeguards data and meets legal/regulatory demands worldwide.

01. ISO 27001, ISO 27017 & ISO 27018

ISO certifications validate compliance with international standards set by the International Organization for Standardization (ISO).

DocuSign is certified for:

  • ISO 27001:2022 (Information Security Management)

  • ISO 27017:2015 (Cloud Service Security Controls)

  • ISO 27018:2019 (Public Cloud Personal Data Protection)

These certifications confirm DocuSign’s commitment to securing sensitive data in cloud environments.

🔗 Explore ISO Standards

02. Payment Card Industry Data Security Standard (PCI DSS)

DocuSign is a PCI DSS v4.0-compliant service provider, certified by Visa’s Global Registry. It adheres to strict controls for securing payment card data, as mandated by the PCI Security Standards Council (PCI SSC).

🔗 Learn About PCI DSS

03. SOC 1 Type II & SOC 2 Type II

DocuSign follows the AICPA Trust Services Criteria, undergoing annual audits to verify compliance across data centers and operational processes.

🔗 AICPA Trust Services Details

04. Cloud Computing Compliance Controls Catalog (C5)

DocuSign holds C5 Type II certification from Germany’s Federal Office for Information Security (BSI), confirming compliance with stringent cloud security requirements for the DACH region (Germany, Austria, Switzerland).

05. Australian IRAP

The Information Security Registered Assessors Program (IRAP), managed by the Australian Signals Directorate (ASD), assesses cybersecurity frameworks. DocuSign meets the Australian Government ISM and Protective Security Policy Framework (PSPF) standards.

🔗 Explore IRAP

06. FedRAMP

DocuSign is FedRAMP-authorized, offering DocuSign Federal (eSignature) and CLM solutions for U.S. federal agencies via the FedRAMP Marketplace.

🔗 FedRAMP Authorization Details

07. StateRAMP

DocuSign’s Federal eSignature and CLM are StateRAMP-authorized, ensuring compliance with U.S. state/local government cloud security standards for handling PII, PHI, and PCI data.

🔗 StateRAMP Overview

08. DoD IL4 (Impact Level 4)

DocuSign holds DoD IL4 Provisional Authorization from the Defense Information Systems Agency (DISA), permitting use for sensitive unclassified data under the DoD Cloud Computing SRG.

🔗 DoD IL4 Details

09. EU QSCD/SSCD Notifications

Under eIDAS Article 39, DocuSign’s remote signing devices are listed as Qualified Signature Creation Devices (QSCD), enabling eIDAS-compliant Qualified Electronic Signatures (QES).

🔗 QSCD/SSCD Requirements

10. EU Trust List

DocuSign France SAS is an eIDAS-certified Trust Service Provider (TSP), listed on the EU Trust List by ANSSI (France). It offers QES, AES, timestamps, and e-seals across the EU.

🔗 EU Trust List

11. APEC Cross-Border Privacy Certification

DocuSign is APEC Cross-Border Privacy Rules (CBPR) and Processor Privacy Recognition (PRP) certified, aligning with APEC’s data protection framework.

🔗 APEC Certification

12. EU Data Transfer Compliance (BCR)

DocuSign’s Binding Corporate Rules (BCR) are approved by EU data protection authorities, enabling lawful cross-border data transfers.

🔗 BCR Details

13. Standardized Information Gathering (SIG)

DocuSign uses the SIG questionnaire (by Shared Assessments) for third-party risk evaluations, covering 21 risk domains annually.

🔗 SIG Framework

14. CSA STAR (Canada)

DocuSign completes the Consensus Assessments Initiative Questionnaire (CAIQ) annually, published in the CSA STAR Registry for transparency.

🔗 CSA STAR

15. Canada Protected-B

DocuSign meets Protected-B requirements for handling sensitive Canadian government data, including security assessments and personnel clearances.

16. FISC (Japan)

As a member of the Center for Financial Industry Information Systems (FISC), DocuSign adheres to Japanese financial sector security guidelines (non-mandatory but industry-respected).

🔗 FISC Guidelines

DocuSign’s Global Certification Summary

DocuSign’s certifications validate its global compliance leadership:

  • U.S.: FedRAMP, DoD IL4

  • EU: eIDAS QES, ANSSI Trust List

  • APAC: APEC CBPR

  • Canada: Protected-B

  • Japan: FISC

These ensure secure, compliant data handling for customers worldwide.

🔗 Explore All Certifications
