Docusign


DocuSign allows users to securely and legally sign and send documents online from any device with the most widely used e-Signature. DocuSign is based in Seattle, WA, USA and has been operating since 2003. You can contact real, live support people 24/7 through online chat. DocuSign encrypts all data in transit between your computer and their servers, but they may not encrypt your data while it is on their servers. DocuSign maintains geo-dispersed data centres which have been independently audited to stringent certifications that ensure your data is stored securely while still being easily available to you. These measures help DocuSign maintain its current availability of over 99.99% (DocuSign services have been inaccessible less than 0.01% of the time). All user data handled by DocuSign stays confidential so that nobody that you haven’t authorised (even DocuSign) has access to it.

This disclosure was provided and researched by Arrowrock. Sources are cited where possible.

Please report any inaccuracies in this report by leaving a reply below or sending us a private message. Thank you!

Company Identity

Trading Name: Docusign
Company Website: http://www.docusign.com/
Company Phone Number: Corporate Offices: 206.219.0200
General Inquiries: 866.219.4318
Company Email Address: info@docusign.com
euroservice@docusign.com
Physical Address: 1301 2nd Ave. Suite 2000
Seattle, WA, 98101
Europe:
Warnford Court | 29 Throgmorton Street | London EC2N 2AT
Contact: +44 203 510 6500

What services does this disclosure apply to?
DocuSign software options allow clients to send, sign, track and store documents in the cloud. There are four levels (editions) of subscription: Personal, Professional, Workgroup and Enterprise.

What country holds legal jurisdiction over the service(s)?
United States

How long has your company been operating?
Since 2003.

How long has your company been providing the service(s) covered in this disclosure?
Since 2005.

Is your company currently profitable?
Not available


Customer Support and Service Level Agreement

What are your standard customer support hours?
24/7 online support via online chat, tutorials, FAQ/response, and community board

Telephone support – wait times may exceed 10 minutes – voice message option offered with 2-6 hour response time.

What channels are available for communication with clients?
Email, posted updates on website and telephone.

Which is your preferred channel for client communications?
Online options

Do you collect any information from client communications?
If you send personal correspondence, such as emails, requests for demos or letters, DocuSign may collect information, such as name, email address and phone number, into a file specific to you.

http://trust.docusign.com/privacy-policy

What is your standard response time for customer support inquiries?
2-6 hour response to voice messages.

Do you proactively communicate information about future planned outages and maintenance to clients?
Yes. Website System Status page posts both current status and planned maintenance dates. Current maintenance notice is one month in advance.

http://trust.docusign.com/system-status

Do you proactively communicate information about current unscheduled outages and incidents to clients?
Yes. Website System Update page.

http://trust.docusign.com/system-status

Do you make incident reports available to clients after major incidents?
Not available

What is the expected uptime of the service?
Uptime over the last year has been over 99%, with 9 of 12 months at 100%.

http://trust.docusign.com/system-status

Has the service experienced any outages in the last 12 months?
No

Does the SLA guarantee service uptime?
No guarantee found; however, over the last three years, DocuSign’s overall percentage of uptime is 99.9928%.

https://www.docusign.com/content/driving-momentum-electronic-signatures-2010


Security

Are logs kept of client logins and locations?
Not available

Does your service support password/account recovery?
Details not available. Company statement is as follows: We offer you the ability to automatically review and change the information you submit to us by logging into the Site and entering in the new information yourself. Generally, we will not modify your personal information based on your request because it is difficult to authenticate your account manually. You can change your password, contact information, financial information, and user preferences by going to the profile area. You must promptly update your personal information if it changes or is inaccurate. Changing your personal information will not impact any completed transactions.
http://trust.docusign.com/privacy-policy

Does the service monitor for any suspicious account activity?
Active monitoring and alerting. Details on action and client notification not provided.

Does your service offer two-step or multi-factor authentication?
Not available

Does your service offer login via other services?
Not available

Does your service secure all client data in transit?
Secure, private SSL 256 bit viewing session
http://trust.docusign.com/security-assurance-program

Does your service secure client data at rest?
Physically and logically separate networks
Two-factor, encrypted VPN access
Professional, commercial grade firewalls and border routers
Distributed Denial of Service (DDoS) mitigation
Active monitoring and alerting
http://trust.docusign.com/security-assurance-program

Does your service allow clients to collaborate with 3rd parties?
Except as otherwise expressly included in this Privacy Policy, this document only addresses the use and disclosure of information we collect from you. To the extent that you disclose your information to other parties using our system or follow links to other sites, different rules may apply to their use or disclosure of the information you disclose to them. Since DocuSign does not control the privacy policies of third parties, or other individuals’ actions, you are subject to the privacy policies of that third party or those individuals. We encourage you to be sure the recipients are authenticated to your satisfaction before you send them any documents.
http://trust.docusign.com/privacy-policy

Does your primary system reside in a data center with a security certification?
Three geo-dispersed, SSAE 16 audited datacenters
Near real-time secure data replication and encrypted archival
365x24x7 on-site security
Annual Business Continuity Planning (BCP) & Disaster Recovery (DR) testing
Third-party penetration testing
http://trust.docusign.com/security-assurance-program

Does your backup/disaster recovery system reside in a data center with a security certification?
Three geo-dispersed, SSAE 16 audited datacenters
Near real-time secure data replication and encrypted archival
365x24x7 on-site security
Annual Business Continuity Planning (BCP) & Disaster Recovery (DR) testing
Third-party penetration testing
http://trust.docusign.com/security-assurance-program


Data Ownership

Do you claim ownership of any client data or information uploaded to your service?
No express claim made. From Security Assurance Policy:
Our customers’ content stays confidential, including from DocuSign. Customers’ documents and data are private, and access is workflow controlled.
http://trust.docusign.com/security-assurance-program

Does the client retain full ownership of any data or information transmitted or stored via upstream providers?
No. From Privacy Policy: We will retain in our files some personal information, and past document transactions to prevent fraud, collect any fees owed, resolve disputes, troubleshoot problems, assist with any investigations, enforce our User Agreement and comply with legal requirements as is permitted by law. Therefore, you should not expect that all of your personal information will be completely removed from our databases in response to your requests. However, such personal information will be deactivated from member viewing and will only be available to select DocuSign personnel.
http://trust.docusign.com/privacy-policy

Does client use of your service generate any metadata or other statistical information?
As above. Also, from Privacy Policy:

We use your personal information to facilitate the services you request. We use your personal information in the file we maintain about you, and other information we obtain from your current and past activities on the Site to: resolve disputes; troubleshoot problems; help promote safe exchange of documents for signature and delivery; collect fees owed; authenticate users, inform you about online and offline offers, products, services (if you wish to no longer receive these offers you may follow the unsubscribe instructions contained in each of the email communications you receive), and updates; customize your experience; detect and protect us against error, fraud and other criminal activity; enforce our User Agreement; and as otherwise described to you at the time of collection. At times, we may look across multiple users to identify problems or resolve disputes, and in particular we may examine your personal information to identify users using multiple User IDs or aliases. We may compare and review your personal information for errors, omissions and for accuracy.

If you choose to use our service and pay with credit card or corporate invoice, we use your address and billing information to bill you and provide associated support.

We use third-party advertising companies to serve ads when you visit our Website. These companies may use information (not including your name, address, email address or telephone number) about your visits to this and other Web sites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here. If you wish to not have this information used for the purpose of serving you targeted ads, you may opt-out by clicking here. Please note this does not opt you out of being served advertising. You will continue to receive generic ads.

We post customer testimonials on our web site which may contain personally identifiable information. We do obtain the customer’s consent via email prior to posting the testimonial to post their name along with their testimonial. If you wish to request the removal of your testimonial, you may contact us at media@docusign.com.
http://trust.docusign.com/privacy-policy


Data Location

Where are the primary systems that host client data located?
Not available

Where are the backup/disaster recovery systems that host client data located?
Not available

Are there any other systems that host client data on behalf of your service?
Not available


Data Access and Use

Does the client have full access to their data during the service contract period?
Not available

Can the client freely download their data from the service during the contract period?
Upon request, DocuSign, Inc. will grant individuals reasonable access to personal information that it holds about them. In addition, DocuSign, Inc. will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete. We will respond to your request for access within 30 days.
Formats not disclosed.
http://trust.docusign.com/privacy-policy

Can the client easily import/upload their data from a competing service provider into your service?
Not available

Does your service include an API to access client data?
Not available

Following termination of the service, will the client be able to access their data?
Upon your request, we will deactivate your account, contact information, billing information, shipping information, and financial information from our active databases. To make this request, email sales@docusign.com. Such information will be deactivated as soon as reasonably possible based on your account activity and in accordance with our deactivation policy and applicable law.

We will retain in our files some personal information, and past document transactions to prevent fraud, collect any fees owed, resolve disputes, troubleshoot problems, assist with any investigations, enforce our User Agreement and comply with legal requirements as is permitted by law. Therefore, you should not expect that all of your personal information will be completely removed from our databases in response to your requests. However, such personal information will be deactivated from member viewing and will only be available to select DocuSign personnel.
http://trust.docusign.com/privacy-policy

Following termination of the service, is all client data deleted?
Upon your request, we will deactivate your account, contact information, billing information, shipping information, and financial information from our active databases. To make this request, email sales@docusign.com. Such information will be deactivated as soon as reasonably possible based on your account activity and in accordance with our deactivation policy and applicable law.

We will retain in our files some personal information, and past document transactions to prevent fraud, collect any fees owed, resolve disputes, troubleshoot problems, assist with any investigations, enforce our User Agreement and comply with legal requirements as is permitted by law. Therefore, you should not expect that all of your personal information will be completely removed from our databases in response to your requests. However, such personal information will be deactivated from member viewing and will only be available to select DocuSign personnel.
http://trust.docusign.com/privacy-policy

Does anyone in your organization (including contractors and upstream providers) have the ability to directly access client data?
We may use third parties that we refer to as internal service providers to facilitate or outsource one or more aspects of the business, product and service operations that we provide to you (e.g., search technology, authentication systems, bill collection, and fraud detection, a customer support vendor to provide live chat services, and a recruiting provider to power our career center), and therefore we may provide some of your personal information directly to these internal service providers. These internal service providers are subject to confidentiality agreements with us and other legal restrictions that prohibit their use of the information we provide them for any other purpose except to facilitate the specific outsourced DocuSign related operation, unless you have explicitly agreed or given your prior permission to them for additional uses.
http://trust.docusign.com/privacy-policy

Does your company use client data or information for any business function (other than the provision of the service)?
No

Does your company use client data or information to generate revenue (other than the provision of the service)?
No

Do you access client data in any additional circumstance not yet specified in this disclosure?
From time-to-time, we may provide you the opportunity to participate in contests or surveys on our site. If you participate, we will request certain personally identifiable information from you. Participation in these surveys or contests is completely voluntary and you therefore have a choice whether or not to disclose this information. The requested information typically includes contact information (such as name and shipping address), and demographic information (such as zip code).

We use this information to notify contest winners and award prizes, to personalize the site (in the case of anonymous information collected in surveys), and to occasionally send participants an email newsletter.

We may use a third party service provider to conduct these surveys or contests; that company is prohibited from using our users’ personally identifiable information for any other purpose. We will not share the personally identifiable information you provide through a contest or survey with other third parties unless we give you prior notice and choice.
http://trust.docusign.com/privacy-policy


Data Breach Notification

Do you have a policy in place for dealing with data loss or breach?
Policy information not found. Security information as follows: DocuSign is the only eSignature company that is ISO 27001 certified as an information security management system (ISMS). This is the highest level of global information security assurance available today, and provides customers assurance that DocuSign meets stringent international standards on security.

http://trust.docusign.com/trust

Do you notify clients if their data has been lost or compromised?
Per Safe Harbor compliance.
http://export.gov/safeharbor/eu/eg_main_018365.asp


Backup and Maintenance

Does your service support data versioning?
Not available

How often are service/client data backups performed?
Not available

What method is used to perform service/client data backups?
Not available

How long is backup data retained for?
Not available


Disclaimer

The information in this report is provided “AS IS” without warranty of any kind, express or implied. Please use good judgement and verify the information you consider important before basing any decisions on it.