DocuSign Does Security Best: 3 Ways It Protects Your Data

Keith Krach
July 27, 2016

Recent studies indicate that the modern consumer is growing increasingly concerned with data privacy, but this is not surprising. With several big-name companies experiencing major data breaches over the last few years, customers are now wary of the way their personal information is handled by the companies with which they interact. In fact, a Gallup survey released in 2015 stated that only around 20 percent of respondents indicated that they had “a lot of trust” in the ability of their most-used businesses to adequately protect personal data.

Big Data, the Internet of Things, and the digital disruption that accompanies these two movements have rendered it more important than ever for companies to offer clients active privacy solutions built into products, services, and operations. One company that is making security a priority is DocuSign.

The following stringent measures that DocuSign takes to provide clients with a secure digital transaction management platform make its eSignature solution the kind of service that modern customers can depend on:

1. DocuSign abides by some of the world’s strictest security standards.

DocuSign has achieved security certifications beyond those of its competitors. For example, it is the only company providing digital transaction management services to meet the requirements for ISO 27001 certification, a technology-neutral, risk-based approach to data security that is awarded only after an organization has passed a formal assessment by a qualified firm or individual. During the assessment, examiners review all aspects of business operations, including leadership, planning, support, internal auditing, and commitment to continued security improvement. 

In addition to ISO 27001, DocuSign is also certified under the guidelines set down by SSAE 16, an attestation standard established by the American Institute of Certified Public Accountants. The stipulations of SSAE 16 require DocuSign to undergo annual audits of many aspects of its operations, including the datacenters where it stores client information. Additional security credentials include compliance with the xDTM Standard, Version 1.0, and adherence to cloud privacy and data security programs from CloudTrust and TRUSTe.

DocuSign follows these standards to make sure clients have complete and exclusive access to their own documents and that all sensitive data is shielded from the view of unapproved people, even from DocuSign. Though clients’ virtual documents are stored in the company’s physically secure data centers, DocuSign is not able to view them. The company also does not sell client information.

2. It uses encryption and the PKI protocol to protect digital signatures.

As a concept, encryption refers to a process by which data is converted into an unreadable form that can be restored only with the corresponding key. Applied to eSignature and digital transaction management software, encryption is the method by which DocuSign keeps the complete documents of all clients safe from unauthorized viewers.

To deliver the highest possible standard in data security to its customers, DocuSign employs AES-256 encryption. This symmetric block cipher is the same tool used by organizations such as the US Government and the National Security Agency to protect confidential, secret, and top-secret information stored in digital form. DocuSign also builds on this level of encryption to offer a secure digital signature option that meets Public Key Infrastructure (PKI) requirements.

To meet the qualifications for designation as a safe digital signature provider, DocuSign’s digital signature technology generates (via an algorithm) two long numbers that act as keys. One key is public and is used by outside parties to verify a DocuSign user’s signature. The other key is private and is kept secret by the signer at all times. When a document is signed, the algorithm checks that the two keys correspond to one another. If they do, the digital signature is created. If they do not, the attempt is treated as an unauthorized signing, and the document cannot carry the user’s signature.
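As an added illustration of the two mechanisms this section describes, the Go program below (written for this page; it is not DocuSign's code, and the article does not describe DocuSign's actual implementation, key management, or signature format) encrypts a constructed sample document with AES-256 in GCM mode and then signs and verifies it with a generated key pair. ECDSA on the P-256 curve is an assumed choice, since the page does not say which public-key algorithm DocuSign uses; the sample document text, the function names, and the key handling are likewise assumptions made for the example. It also shows the two failure cases a verifier relies on: an altered document fails signature verification, and an altered ciphertext fails to decrypt instead of yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sampleDocument is a constructed stand-in for a stored agreement; it is not
// a real DocuSign envelope.
var sampleDocument = []byte("Constructed sample agreement: Party A delivers 100 units to Party B.")

// NewDocumentKey returns a fresh random 32-byte key, the size AES-256 requires.
func NewDocumentKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds the AES-256-GCM cipher shared by encryption and decryption.
// GCM is an authenticated mode: every ciphertext carries a tag that detects
// modification of the stored bytes.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptDocument seals plaintext under the key. A random nonce is generated
// per call and prepended, so the output is nonce || ciphertext || tag.
func EncryptDocument(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptDocument reverses EncryptDocument. It returns an error, not garbage,
// when the key is wrong or the sealed bytes were altered.
func DecryptDocument(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ciphertext := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

// GenerateSignerKeys creates the key pair the text describes: the private half
// stays with the signer, the public half is handed to anyone who must verify.
func GenerateSignerKeys() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignDocument hashes the document with SHA-256 and signs the digest with the
// signer's private key. Only the holder of that key can produce this value.
func SignDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifySignature is the check an outside party runs with the public key. It
// passes only if the signature was made with the matching private key over
// exactly these document bytes.
func VerifySignature(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	key, _ := NewDocumentKey()
	sealed, _ := EncryptDocument(key, sampleDocument)
	signer, _ := GenerateSignerKeys()
	sig, _ := SignDocument(signer, sampleDocument)
	fmt.Println("signature valid:", VerifySignature(&signer.PublicKey, sampleDocument, sig))

	// One flipped byte in the document invalidates the signature...
	altered := append([]byte{}, sampleDocument...)
	altered[0] ^= 0x01
	fmt.Println("altered document valid:", VerifySignature(&signer.PublicKey, altered, sig))

	// ...and one flipped byte in the stored ciphertext makes decryption fail outright.
	sealed[len(sealed)-1] ^= 0x01
	_, err := DecryptDocument(key, sealed)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The design choice worth noting is that the document is never "decrypted" to check a signature: verification works on a hash of the document bytes with the public key alone, which is why an outside party can confirm a signature without ever holding the signer's private key or the AES key that protects the stored copy.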

3. DocuSign allows senders complete control over who can see documents.

In addition to the operational security standards followed by the system, enhanced privacy options are available for signers and senders when using DocuSign’s eSignature platform. For senders, the DocuSign Document Visibility tool can be useful when a virtual envelope containing multiple pages must be sent to a group of signers, but not every signer is permitted to view all documents contained within the envelope. When the Visibility feature is activated, a signer will only be able to access those documents in which a tag has been added for his or her personal signature. This enables individuals to sign document pages with sensitive data related only to them while also signing pages that require the signature of multiple parties—all within the same envelope.

Additional tools that strengthen the personal security of DocuSign users include multiple signer authentication options for different levels of desired security. Every DocuSign plan includes access code authentication, while selected plans also offer other methods, including SMS Authentication, Phone Authentication, ID Check, and Live or Social ID Check.

Keith Krach

Keith Krach is Chairman of DocuSign, The Global Standard for Digital Transaction Management.