The document summarizes the security features and certifications of DocuSign's electronic signature platform. It describes how security was designed as a core part of the platform from the beginning to protect customers' intellectual property and transaction data. Key security elements discussed include dedicated and isolated production environments, encrypted data transmission and storage, authentication and authorization controls, monitoring and incident response systems, and digital auditing trails. DocuSign has multiple security certifications including ISO 27001, SSAE 16, PCI DSS, and TRUSTe to provide assurance around its security practices.
DocuSign’s Chief Security Officer provided this
presentation to current and potential customers at
DocuSign’s 2012 Momentum event held in San Francisco,
California, on May 2, 2012.
Electronic signatures (eSignatures) have become instrumental
in a competitive business strategy and essential to closing and
transacting business faster than ever before. As more businesses
contemplate the ease of use in moving to cloud-based solutions,
security remains of paramount importance. More than ever, a
globally available service needs to offer optimum levels of security
and assurance that controls are consistent, reliable and resilient.
An organization’s most valuable asset outside of its employees is
its intellectual property around the data it transacts. Protecting
this IP-related data is DocuSign’s specialty and number one mission.
So important, in fact, that security was designed into the DocuSign
eSignature transaction management platform as an elemental and
essential component from the very beginning.
DocuSign is the most continuously audited and highest certified
global eSignature service to provide these optimum levels of
security assurance. DocuSign is the world’s only eSignature service
to achieve global ISO/IEC 27001:2005 certification as an information
security management system (ISMS). DocuSign is also continuously
SSAE 16 examined and tested, PCI DSS 2.0 compliant as both service
provider and as a merchant, TRUSTe certified, and a member of the
U.S. Department of Commerce Safe Harbor. DocuSign provides
transparency by making these reports and certifications available
upon request.
DocuSign’s eSignature service distinguishes itself in the following
secure and certified design.
Security is DocuSign’s Core Differentiator: DocuSign’s approach to
designing security within the eSignature service is unique. Layered
and embedded controls provide defense in depth and a systematic
reliability for ensuring the customer data owner is always in control
of their transaction, and the data can only be transacted and signed
by recipients authorized by the sender. The customer is always able
to securely view who among their recipients has viewed and signed
their documents as the transaction lifecycle process progresses and
completes in record time.
Dedicated and Isolated Production Environment: DocuSign’s
eSignature service is physically and logically isolated away from any
corporate network. The purpose was to provide a high-availability,
critical service that was always available and protected from the
common vulnerabilities associated with corporate networks with
a minimal customer entry point via a secure protocol. This greatly
reduces any potential attack vectors, and the condensed and
restricted internet footprint is carefully monitored and protected.
Secure transaction sessions: DocuSign protects viewing and
signing transaction sessions over Secure Sockets Layer (SSL) with
256-bit encryption anytime, anywhere, from static or mobile computing
devices.
Encrypted data in Transit and at Rest: DocuSign is the only
eSignature service that provides application level encryption of
data using the 256-bit Advanced Encryption Standard (AES). This
ensures that customer data remains confidential from the viewing
session throughout the transaction lifecycle, including the signing
process and for as long as the document is securely archived within
the DocuSign service. DocuSign’s encryption and key management
process is examined, tested, and certified by qualified third parties.
Customers with high security requirements choose to store their
documents within DocuSign because DocuSign’s certified encryption
process ensures continued archival protections for sensitive data at
rest.
Authentication and Authorization: By choosing the preferred,
required level of authentication, the customer sender at all times
determines who is authorized to view and sign their documents.
DocuSign offers a variety of industry standard authentication options,
from as basic as email address to additional access codes,
knowledge-based authentication, directory service and federated integration.
The full list of authentication options is available at:
http://www.docusign.com/products/features/authentication
Visual Dashboard Monitoring and Alerting: DocuSign maintains
continuous monitoring controls over any attempts to penetrate
or execute malicious code within the DocuSign production
environment. DocuSign’s visual dashboard display system alerts on
attempts, whether they are intentional or unintentional, and DocuSign
vigorously enacts procedures for continued service protections.
These procedures are often onerous for
Digital Audit Trail: DocuSign provides a systematically generated
digital audit trail that records the signing activities associated with
encrypted documents within the DocuSign service. This unalterable
Secure by Design
WHITE PAPER