DocuSign Digital Transaction Management Capabilities and xdtm Standard V1.0 Certification


Introduction

Today, DocuSign has over 225,000 customers and 85 million users, who generate nearly 950,000 Digital Transaction Management (DTM) transactions per day and growing. DocuSign is a leader in DTM, both as a global provider of DTM solutions and as a participant in xdtm.org, a cross-industry standards organization that helps companies accelerate their transition to digital transactions and workflows safely, securely, and with a strong return on their investment.

DocuSign is certified for the xdtm Standard, Version 1.0, the first of its kind to focus specifically on the quality and reliability of digital transactions. In this white paper, DocuSign's capabilities, policies, and technologies are presented within the context of the eight requirement areas of the xdtm Standard:

o Security
o Assurance
o Privacy
o Validity
o Availability
o Scalability
o Interoperability
o Universality

DocuSign's Digital Transaction Management Solution and the xdtm Standard

With DocuSign, you can make any decision, agreement, or approval process 100-percent digital end-to-end. You can also be assured that your digital transactions will be safe, secure, and executed reliably, because DocuSign meets and exceeds the requirements set forth by the xdtm Standard.

Summary of DocuSign's Adherence

Security: DocuSign delivers world-class security and meets or exceeds U.S. and international security standards.

Assurance: DocuSign warrants its compliance with the US ESIGN Act and complies with applicable laws, regulations, and industry standards around the world.

Privacy: DocuSign business and technology measures ensure customer privacy and the protection of proprietary customer information and data.

Validity: The DocuSign platform provides an audit trail, chain of custody, tamper-evident seals, and other measures to assure the validity of transactions executed on the platform.

Availability: DocuSign has maintained more than 99.99% average availability over the past 5 years and doesn't schedule any downtime maintenance.

Scalability: DocuSign undertakes robust capacity planning to provide resilient system performance and ensure scalability for future growth.

Universality: With DocuSign, users can conduct business globally via an app or their platform of choice while both connected and offline.

Interoperability: With platform APIs, a mobile SDK, out-of-the-box integrations, and a rich partner ecosystem, DocuSign integrates with a choice of solutions.

Table of Contents

Security
Assurance
Privacy
Validity
Availability
Scalability
Universality
Interoperability

Security

DocuSign delivers world-class security and meets or exceeds U.S. and international security standards. DocuSign is ISO/IEC 27001:2013 and xdtm certified, as well as SSAE 16, SOC 1 Type 2, SOC 2 Type 2 examined and tested across the entire company. In particular, DocuSign's organization-wide commitment to security is reflected in the scope of its ISO/IEC 27001:2013 compliance, which includes all 114 controls. The Information Security Management of DocuSign's electronic signature and enterprise support services, including Product Development, Engineering, Quality Assurance, Operations, Security, BCP/DR, Legal, Human Resources, IT, Customer Service, and the Datacenters, delivers a secure infrastructure and resilient environment. This is in accordance with the ISO/IEC 27001:2013 Statement of Applicability vers. 22 9/24/2014 (Certificate issued by British Standards Institute).

Security technology at DocuSign spans encryption, system monitoring, penetration testing, environmental segmentation, data center security, robust authentication and encryption key management practices, and proactive monitoring of potential security threats. DocuSign security technology and policies, as they relate to xdtm Standard requirements, are detailed below:

1. Sensitive customer data, encrypted or tokenized at rest or in transit, adheres to a referable standard, such as NIST, ISO, or equivalent.

How DocuSign Delivers World-Class Security

No DocuSign employee, vendor, or contractor has access or visibility into customer documents within a DocuSign envelope. This includes envelopes resident on the DocuSign service, as well as envelopes the customer has transferred from the service.

DocuSign maintains an Information Classification Policy to assure the security and protection of proprietary customer information and data. The policy defines classifications such as Secret, Restricted, Internal, and Public that specify the required security and handling of data. For example, customer documents in the production environment are classified as Secret and protected through systemic encryption, while customer recipient information utilized to route envelopes for signing is classified as Restricted, with access limited to customer service staff only.

As noted above, only transactional data surrounding envelopes (such as username, email address, phone number, address, and envelope metadata) is permitted to be accessed, and access is limited to customer validation, customer service, support, and similar purposes. Only DocuSign employees with a demonstrated need to know and specific job responsibilities may have access. As an additional safeguard, DocuSign tier-1 customer support is ISO 27001:2013 certified.

DocuSign encrypts data end-to-end on its systems to ensure that data is secure while both in transit and at rest. In transit, DocuSign relies on TLS protocols using strong cipher suites (including 256-bit keys). For data at rest, DocuSign utilizes Advanced Encryption Standard (AES) 256-bit encryption with multiple layers of encryption keys.

DocuSign stores two primary kinds of information on behalf of users:

o Transactional metadata (who sent what, when, and to whom), stored in an authenticated SQL Server on an isolated back-end network (BEN) with Transport Layer Security (TLS) encryption
o Customer documents inside DocuSign envelopes, stored using Binary Large Object (BLOB) with AES 256-bit encryption.

During replication, data is encrypted with AES 256-bit encryption with multiple layers of encryption keys and is replicated via private fiber to secure datacenters, physically segregated from DocuSign's corporate networks (see Security: Section 6).

Please see Figure 1: DocuSign's Network Architecture

2. Secure segmentation or containment of data is provided.

DocuSign maintains physically and logically separate networks for its electronic signature production service and corporate business systems. Any service not specifically allowed on DocuSign's networks is disallowed, and no customer data is used during development or testing.

Within the production network, DocuSign maintains a formal secure segmentation program. Separate managed environments exist for development, quality assurance, pre-deployment staging, customer development, demonstration, and customer production.

The secure segmentation program includes a demilitarized zone (DMZ) structure composed of a pair of firewalls separating the production Web and application hosts from direct Internet exposure. It also includes an internal firewall separating the DMZ servers from direct access to related storage data. The front-end firewall filters traffic that enters a data center, and traffic passes through a back-end firewall before reaching the BEN storage.

As part of its multitenant architecture, all envelope and encrypted document data is keyed to its associated customer account using unique account and user identifiers.

Every six months, DocuSign authorizes a third-party review of corporate and production firewalls. DocuSign maintains a third-party security assessment program and conducts security assessments against business partners important to DocuSign's service.

Figure 1: DocuSign Network Architecture
Customer Data Is Encrypted at All Times

3. Standards-based encryption key management is offered (ISO, NIST, or equivalent).

Standards-Based Encryption Key Management

DocuSign maintains an encryption key management system that is certified and examined under ISO 27001:2013, PCI DSS, and SSAE. A qualified third-party audit firm validates and tests DocuSign's key management methodology, which is reported annually in DocuSign's SSAE 16 report.

Comprehensive Technical Measures for Key Security

DocuSign BLOBs are encrypted using a randomly assigned 256-bit key from a DocuSign Encryption Key Manager. No one person maintains the full encryption key to decrypt customer data. Keys in the DocuSign Encryption Key Manager are protected by a Database Master Key and an Operations Master Key, both of which must be present to access the document encryption key. This methodology results in a double-blind encryption key process as a further security measure (see Strict Segregation of Duties below).

There are 1,000 active encryption keys at any point in time, with keys rotated quarterly. Key rotation process:

o A purpose-built tool consumes keys from both the database credentials and the Operations Master Key on a quarterly basis.
o The system generates 1,000 new encryption keys and uses them to encrypt all new documents that enter the system. All previous key batches remain to decrypt existing documents.
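The key handling described above (random 256-bit document keys, two master keys that must both be present, quarterly batches with earlier batches kept for decryption) can be modelled as follows. This is an added example, not DocuSign's code: the class and function names are hypothetical, and the HMAC-SHA256 key wrap is a standard-library stand-in for a vetted key-wrap algorithm or HSM.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit document keys, as stated on the page


def _prf(master: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 used as a pseudorandom function keyed by one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _wrap_material(db_master: bytes, ops_master: bytes, key_id: bytes):
    """Derive the per-key pad and the tag key from BOTH master keys.

    Each custodian contributes one share; holding a single master key
    yields neither the pad nor the tag key. (Stand-in construction.)
    """
    pad = _xor(_prf(db_master, b"db|wrap|" + key_id),
               _prf(ops_master, b"ops|wrap|" + key_id))
    tag_key = _xor(_prf(db_master, b"db|tag"), _prf(ops_master, b"ops|tag"))
    return pad, tag_key


class KeyManager:
    """Hypothetical model of a key manager holding wrapped document keys."""

    def __init__(self, batch_size: int = 1000):  # the page states 1,000 active keys
        self.batch_size = batch_size
        self.batches = []  # every batch is retained so old documents stay readable

    def rotate(self, db_master: bytes, ops_master: bytes) -> int:
        """Quarterly rotation: create a new batch; needs both master keys."""
        batch_no = len(self.batches)
        batch = {}
        for i in range(self.batch_size):
            key_id = f"{batch_no}:{i}".encode()
            dek = secrets.token_bytes(KEY_LEN)  # random document key
            pad, tag_key = _wrap_material(db_master, ops_master, key_id)
            wrapped = _xor(dek, pad)
            tag = hmac.new(tag_key, key_id + wrapped, hashlib.sha256).digest()
            batch[key_id] = (wrapped, tag)  # only the wrapped form is stored
        self.batches.append(batch)
        return batch_no

    def assign_key(self) -> bytes:
        """Randomly assign a key from the newest batch to a new document."""
        batch_no = len(self.batches) - 1
        return f"{batch_no}:{secrets.randbelow(self.batch_size)}".encode()

    def unwrap(self, key_id: bytes, db_master: bytes, ops_master: bytes) -> bytes:
        """Release a document key only when both master keys are correct."""
        batch_no = int(key_id.split(b":")[0])
        wrapped, tag = self.batches[batch_no][key_id]
        pad, tag_key = _wrap_material(db_master, ops_master, key_id)
        expected = hmac.new(tag_key, key_id + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("both correct master keys are required")
        return _xor(wrapped, pad)


def demo() -> dict:
    db_master = secrets.token_bytes(32)   # constructed: held by the database team
    ops_master = secrets.token_bytes(32)  # constructed: held by technical operations
    km = KeyManager(batch_size=8)         # small batch for the demo
    km.rotate(db_master, ops_master)
    old_id = km.assign_key()
    old_key = km.unwrap(old_id, db_master, ops_master)
    km.rotate(db_master, ops_master)      # next quarter's batch
    new_id = km.assign_key()
    try:
        km.unwrap(old_id, db_master, secrets.token_bytes(32))
        single = True
    except PermissionError:
        single = False
    return {
        "old_key_id": old_id,
        "new_key_id": new_id,
        "old_key_still_readable": km.unwrap(old_id, db_master, ops_master) == old_key,
        "single_custodian_succeeds": single,
    }


if __name__ == "__main__":
    print(demo())
```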

Strict Segregation of Duties

DocuSign enforces segregation of key custodianship duties to ensure customer data remains safe. Two different teams manage the two sets of keys that must be present together to access the document encryption key (Operations Master Key and Database Master Key). A member of each team is required in order to gain access to the document encryption keys. The technical operations team never has access to the Database Master Key, and the database team never has access to the Operations Master Key.

As a further segregation measure, DocuSign personnel in trusted roles within the key management process don't have system accounts. Their role is limited to only providing authorizations during an emergency event.

Please see Figure 2: Multilayered Protection of Encryption Keys

Figure 2: Multi-layered Protection of Encryption Keys

4. Standards-based encryption key management is offered, including the ability for customers to hold encryption keys.

For customers who may be required or choose to directly manage their encryption keys, DocuSign offers a Security Appliance. The DocuSign Security Appliance offloads the key storage and release policies from the DocuSign cloud onto a customer's private network, while also allowing them full use of the DocuSign platform. The physical and logical separation of cloud-based data and customer-retained encryption keys is designed to address customer scenarios where the highest level of security is required. The DocuSign Security Appliance follows cloud security best practices for high-security implementations, as recommended by the Cloud Security Alliance.

5. The company performs periodic penetration testing by qualified third parties.

DocuSign is ISO 27001:2013 certified and PCI DSS compliant, with annual penetration testing conducted against both the DocuSign application and its infrastructure by credentialed, industry-recognized organizations. The testing scope includes phases such as architectural review, security assessment, and execution of attacks against the DocuSign external and internal network infrastructure. Penetration testing includes validation of anti-tampering controls. Actionable test findings become inputs into a remediation and response plan, where they're assigned a severity rating and tracked to closure.

6. Standard-based security systems at data centers (ISO or equivalent) are utilized.

Comprehensive Standards-Based Data Center Security

DocuSign uses data centers that are ISO 27001:2013, PCI DSS, and SSAE 16 certified. DocuSign maintains strong physical, environmental, and security access controls for its data centers, and these policies are ISO 27001:2013, PCI DSS, and SSAE 16 certified. Data centers employ measures such as 7x24x365 guards, mantraps, keyed access to DocuSign cages, and CCTV.

Stringent Access Control

Data center access is authorized by DocuSign's director of technical operations and includes notification to the security management team. DocuSign tracks access to the data center, with visitor logs reviewed daily and kept for 90 days.

7. Multifactor authentication methods are deployed and documented.

Secure Access to Critical Environments

DocuSign employs internal tools and controls to manage access to applications containing or retrieving sensitive or critical data sources.
This includes internal access to the production environment as well as access to the administrative panel of the DocuSign service, which is used by DocuSign personnel to configure customer implementations. Access is restricted to designated personnel, and connectivity utilizes a two-factor authorized VPN tunnel. Encryption is AES 256-bit, and two-factor authentication utilizes Active Directory credentials plus a soft token requiring a PIN and token code.

Auditing of Users

DocuSign captures and correlates logged events in real-time from systems and devices to both the operations and security teams. Examples include:

o Identity of persons accessing the system; successful/unsuccessful login attempts
o Additions, deletions, and modifications to user accounts/privileges
o Switching of IDs during an online session
o Attempts to perform unauthorized functions or access data that is unauthorized

o Source of connection and system-level events.

DocuSign maintains an authorization chain for employee access that requires management approval commensurate to the sensitivity of applications and data sources. Access is reviewed at least quarterly to verify that access levels are appropriate.

In an initial configuration and provision, DocuSign staff configure some security-related settings, with customer permission. The administration interface provides an audit log of settings made to the account and by whom, enabling customers to see a record of changes.

8. The xdtm solution monitors for malicious and inappropriate activity on an ongoing basis.

DocuSign implements a defense-in-depth approach to hardening the production and corporate environments against exposure and attack. Network management controls in use include an intrusion detection system (IDS), malware protections, and system monitoring.

o Monitoring frequency: A qualified third party performs monthly internal vulnerability scans and quarterly application scanning.
o Intrusion detection: Production systems are configured to send event and log data to a security information and event management (SIEM) system where a dedicated team correlates and analyzes events on a 24x7 basis.
o Antivirus/anti-malware: DocuSign utilizes enterprise-class antivirus/anti-malware software. Endpoint workstations and other devices are monitored, and non-PDF documents are scanned for malicious content on conversion to PDF. Antivirus signatures are automatic and performed daily. Users are prevented from disabling these controls or altering their configuration.
o Email protection: DocuSign's production service utilizes both DomainKeys Identified Mail (DKIM) for signing outbound email and TLS to assure that confidential communication occurs over an encrypted session.

9. The organization focuses on intelligence collection, leading to security breach detection and prevention.

DocuSign maintains professional relationships for security notifications with organizations that include the Computer Emergency Readiness Team (CERT), High Tech Crime Consortium (HTCC), the Information Technology-Information Sharing and Analysis Center (IT-ISAC), and others. DocuSign operations and security operations personnel subscribe to multiple vendor and industry security advisory mailing lists. Threat intelligence is monitored throughout the organization and aggregated via DocuSign's security council. When a threat/risk is identified, its potential impact is assessed by the security organization and documented via the company's risk register for tracking and resolution.

10. The organization provides the ability to anonymize data for participation in threat intelligence networks.

Due to security considerations, additional information regarding data anonymization may be made available upon request or in response to specific questions. DocuSign does participate in threat intelligence networks as a means of helping to mitigate security threats.

11. The company employs a response model that adheres to applicable laws.

DocuSign maintains an ISO 27001:2013, PCI DSS, and SSAE 16 examined and tested incident response program that provides guidance and procedures to enact in the event of an incident.

A Comprehensive Response Model

The response policy classifies incidents by type and severity, sets the likely scope of response, and assigns roles and responsibilities. Requirements for incident detection and reporting are defined, and a range of specific containment measures are prescribed. Required response times are defined for incidents based on nature and severity. Requirements for evidence gathering are detailed, as well as eradication/recovery measures.

Notification Program

DocuSign maintains a data breach notification program to promptly notify customers in the event their information is lost or experiences unauthorized access. DocuSign will contact credit card issuers in the event of a compromise or removal of cardholder data.

12. The company has an incident playbook in place.

DocuSign maintains and executes an incident response playbook specialized to security threats and events. It addresses incidents both proactively and reactively, when necessary. The scope of the playbook includes guidance and procedures for detection, containment response, resolution, and iteration/improvement.

Inputs are used to detect anomalies or identify policy violations and include security policies, legal and compliance violations, and threat and risk information. Guidance includes areas such as defining the scope of monitoring, use cases, and triggers/thresholds for monitoring systems.

As part of the response process, all security incidents are prioritized based on impact and urgency. Service level agreements set response times for all stakeholders involved in the incident management process and provide an accurate measure of organizational performance. After resolution, incident management metrics are tracked and reported to ensure the process is performing as expected and to further fine-tune the response process. To ensure the playbook evolves to incorporate updated regulations and standards, as well as best practices, the process is reviewed semi-annually.

13. The company maintains a mature security/risk council.
DocuSign's security council manages security risk for DocuSign; addresses all areas of security risk, including operational risk, compliance, design, and legal/contractual risk; and ratifies the company's security policy. The security council maintains authority for verifying that compliance is maintained across identified controls and oversees a governance, risk, and compliance (GRC) program for the organization. The program assures GRC across areas, such as:

o Customer information security
o Security operations
o Data breach notification
o Business continuity
o Key management
o Security change approval
o Security assessments
o Secure segmentation
o Incident response program

o Third-party security assessment program.

Risks to DocuSign are monitored throughout the organization via security council meetings. When a risk is identified, the risk level is assessed by the security team and added to the risk register. The risk register, including mitigation strategies, is reported to the security council on a regular basis.

To ensure it has visibility and authority to meet its responsibilities, the council annually assesses the company's organizational structure, reporting lines, authorities, and responsibilities as part of ongoing risk assessment and management. Additionally, DocuSign has a deputy chief risk officer (CRO) who oversees the chief information security officer (CISO). In addition to defining security strategy, the deputy CRO performs in an independent audit and assessment capacity.

Assurance

DocuSign warrants its compliance with the US ESIGN Act and complies with applicable laws, regulations, and industry standards around the world. DocuSign is directly certified for ISO 27001:2013, PCI-DSS, and TRUSTe. The DocuSign platform contains capabilities that enable customers to meet their required compliance to specialized industry regulations, such as HIPAA, FDA Title 21 CFR Part 11, and specialized rules from the FTC, FHA, IRS, and FINRA.

Figure 3: DocuSign Highest and Broadest Set of Standards

1. The xdtm solution will comply with applicable laws, regulations and industry standards.

Certified to Leading Global Standards

DocuSign complies with applicable laws, regulations, and industry standards around the world governing digital transactions and electronic signatures.

Engineered to Support a Breadth of Laws, Regulations, and Industry Standards

The DocuSign service either complies directly with the laws and regulations below, or helps customers meet requirements needed for their own compliance:

o DocuSign warrants to the US ESIGN Act, EU legislation (European Regulation 910/2014), and the UK Electronic Communications Act.
o ISO 27001:2013: DocuSign is certified across all 133 controls and is the only esignature company certified as an information security management system (ISMS).
o SSAE 16, SOC 1 Type 2, SOC 2 Type 2: DocuSign complies with the reporting requirements stipulated by the American Institute of Certified Public Accountants (AICPA), undergoes yearly audits across all aspects of its enterprise business and production operations, and has sustained and surpassed all requirements.
o TRUSTe: DocuSign is certified by TRUSTe, and securely and safely handles customer data as outlined in its privacy policy (see Privacy: section 2).
o PCI DSS 3.1: DocuSign is PCI certified for safe and secure handling of credit card holder information; and while smaller companies may self-certify, DocuSign has reached a threshold of transactions that requires a third-party audit, ensuring the deepest level of examination.
o HIPAA, FDA Title 21 CFR Part 11: the DocuSign service supports the esignature practices that help organizations meet their compliance requirements for these regulations.
o DocuSign is certified as Skyhigh Enterprise-Ready under the Skyhigh CloudTrust program, which evaluates security controls and enterprise readiness based on Cloud Security Alliance (CSA) criteria.
o DocuSign meets specialized rules from the FDA, FTC, FHA, IRS, FINRA, and others. Detailed information can be provided on request.
Obtains Required Consents

DocuSign obtains required customer consent to do business electronically:

o Consent for business transactions is achieved through steps in the service's workflow.
o Consumer consent is obtained by the DocuSign service through the use of required disclosure documents and by obtaining a customer's affirmative consent to use electronic records for the transaction. The solution also enables a customer to withdraw consent.

Privacy

DocuSign is committed to customer privacy and the protection of proprietary information and data, and employs measures across multiple business and technology areas. With DocuSign:

o Contractual privacy protections assure confidentiality of customer information and prohibit employees from viewing customer documents.
o Customers set their own privacy and document management settings on the platform.
o Independent, external organizations, such as TRUSTe, certify the platform as part of the company's compliance with global privacy and data protection regulations.

1. Personal data is used for the purpose it was intended and is consistent with the organization's privacy policy.

How DocuSign Protects Your Privacy

DocuSign maintains a comprehensive privacy policy and is committed to the privacy principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. DocuSign has received TRUSTe's Privacy Seal, signifying that its privacy policy and practices have been reviewed for compliance with the TRUSTe program. TRUSTe reviews DocuSign's privacy policy annually across both the business and production site.

Transparency in Data Usage

The collection and use of personal data described below is included in DocuSign's publicly posted privacy policy.

Personal data collected by DocuSign includes user-provided information, such as name, email addresses, mailing address, and billing information. It also includes technical information, such as IP address, location information, device identifiers, usage data related to how a user interacts with the service, and transactional data associated with contracts uploaded or signed on the DocuSign service.

Personal information is used for the services of the DocuSign platform, the creation of records reflecting users' transactions, identity verification, and fraud prevention. This applies to data collected by the service, externally facing websites, or other means of data collection.
Employees are prohibited from viewing the content in customer documents, and customer support personnel are limited to viewing only data that describes digital transactions on the service (see Security: Section 1).

In the case of a merger, acquisition, or sale, DocuSign will notify users of any changes in how personal data is used, as well as any choices users have regarding their information.

Third parties that provide services to DocuSign are required to only use data shared with them for the services they're providing to DocuSign.

2. Treatment of notice, consent, and choice is clearly reflected in a publicly available, written privacy policy.

DocuSign posts its privacy policy on the company's public-facing website and describes the privacy practices of the company, including notice and consent.

Clear Notice on Consent, Choice, and Notifications

A customer's use of DocuSign's websites or mobile applications constitutes consent to the privacy policy and to the collection and use of information described in it. Customers are requested to not use DocuSign's services if they don't agree to the policy.

Visitors to DocuSign's public-facing website may opt out of receiving tailored advertising or data tracking. DocuSign does send emails related to completing signings or other transactions on the service (required as part of the services under customer contracts).

In the course of a transaction, users of the DocuSign service may access personal information of other participants in a transaction. The company's privacy policy specifies that this information may only be used in connection with DocuSign's services and may not be used for unsolicited commercial messages.

Adherence to International Privacy Considerations

DocuSign has a corporate commitment to pursue Binding Corporate Rules, a binding organizational data governance policy framework reviewed and approved by European data protection authorities. DocuSign will make a data processing addendum available to customers that incorporates the European Commission's model clauses.

3. Policies addressing transaction retention and purging are clearly stated.

Customers Set Their Management Policies

With DocuSign, customers set their own document management policies. Customers may keep their documents on DocuSign's secure servers, download them, or purge them from the DocuSign service, at their discretion.
Retention

Most customers leave signed documents in the DocuSign system indefinitely as a means to retain an independent third party that can warrant the documents have been securely stored and not altered. Customers may also utilize the DocuSign Connect publisher service to transfer copies of signed documents to document repositories behind their own firewall.

Deletion

Deleted documents are removed from a user's view, but are not explicitly purged as a result of deleting them. When a user moves an envelope into the deleted folder, only a pointer to the envelope is removed. It's only when no pointers are left that the envelope and documents are purged (meaning the envelope no longer resides in any DocuSign user folder).

Purging

Customers can configure document retention to specify the number of days to retain documents (measured from the date the envelope is completed, voided, or declined). Once the purge date for an envelope arrives, it's put into the purge queue and purged from the system 14 days later. Notification emails are sent to both the sender and recipients as an envelope enters the purge queue. Envelopes and the documents that are purged from DocuSign are permanently removed. While the DocuSign service will remove a document from the system, it will maintain the audit log to vouch for the execution history of the documents.

4. Private information is only provided to government organizations when there is a good faith belief that such disclosure is reasonably necessary to comply with any applicable subpoena or other legal process, or to protect the rights, property, or safety of anyone.

DocuSign has a policy of providing notice to its customers when there's an external request for information about their accounts, such as law enforcement. DocuSign's publicly posted policy, Responding to User Data Requests, details how the company responds to requests, what information DocuSign may provide, and the circumstances where it works with law enforcement.

5. Company policies include measures to evaluate the potential to cause harm by releasing private data.

DocuSign maintains multiple policies and measures for evaluating the potential harm from a release of private data (for example, due to a data breach or accidental data disclosure). The approaches below enable both an assessment of the scale and impact from a release of private data as well as the effectiveness of available mitigations.

o DocuSign has a formal risk management program that's ISO 27001:2013 certified and includes likelihood, impact, qualitative and quantitative analysis, and regulatory requirements.
o DocuSign's CRO oversees the company's GRC program that assesses risk and ensures that controls applicable to a breach are in place (see Security: Section 13).
o DocuSign maintains a security/risk council as an accountability point for the reporting, assessing, tracking, and mitigating of identified risks (see Security: Section 13).
o DocuSign has an incident response model that includes impact assessment, corresponding service level agreements (SLAs) for response, and SLAs for resolution activities (see Security: Section 11).
o DocuSign maintains an incident response playbook that requires proactive measures to detect potential incidents, such as a security threat. It also prescribes DocuSign's response to such an incident, including assessing impact and responding within the required SLAs (see Security: Section 12).
o DocuSign maintains a breach notification program to notify users after a breach and other incidents are discovered. DocuSign will identify the individuals whose personal information was affected and provide descriptions of the categories of personal information involved for each person, how and when the incident occurred, how and when the incident was discovered, steps taken to address the incident, and any steps taken to prevent a recurrence (see Security: Section 10).

Validity

The DocuSign platform provides an audit trail, chain of custody, tamper-evident seals, and other measures that provide complete transaction detail and assure the validity of transactions executed on the platform. Multiple methods of authentication are available to validate transaction participants, and customers may combine authentication methods if warranted by the sensitivity of their documents. Finally, the structure of the DocuSign workflow provides evidence of agreement and intent to transact.

1. Transparency into relevant transaction attributes, such as message origin, author, content, and transmission time.

How DocuSign Protects Your Privacy

The DocuSign solution logs and provides detailed information on transactions that take place on the service. It also provides documents that customers can admit into court, as well as measures to prevent a transaction participant from repudiating their signature. The information-capture capabilities of DocuSign assure:

o Transparency to customers on the progress of their digital transactions
o A full audit trail (see Validity: Section 4)

Complete Details of the Digital Transaction

o A document list indicates recipients and the status for each document, such as completed, waiting for others, voided, or draft.
o A document detail area provides information on each recipient's activity in the document. Examples include date viewed, which recipients have signed, or which have yet to complete the signing transaction.

xdtm Compliance

DocuSign provides the following transaction validation details:

o Number of items and pages for all documents or data in a transaction
o Identity or contact detail for the person or system that sent the documents or data, as well as the IP address
o Transaction status information, covering initiation through in-process and completion
o Storage information on where the completed documents and final data are held
o Recipient contact information for each document or data component
o Information that reports the authentication method used and whether it was satisfied
o Content and confirmation of disclosures agreed to by the recipient
o Event and action timestamps to support a detailed audit trail for the transaction with integrity protection

2. A verifiable chain of custody for each custodian that includes document/transaction, metadata, and history/future length of contract.

The DocuSign solution includes capabilities spanning encryption, logging, and data security that support the legality of transactions by maintaining the integrity of data and documents. A digital audit trail, known as a certificate of completion, is created for every envelope and captures the signing parties' names, addresses, authentication method, public IP address, signing location (if provided), envelope action, and timestamps.

In-system checks using a digital checksum (mathematical hash value) validate that the documents in an envelope haven't been tampered with outside of each signing event.

Documents exported from DocuSign are digitally signed for the purpose of detecting any evidence of tampering. The tamper seal is an X.509 public key infrastructure (PKI), standards-based "digital signature" issued by a certificate authority. It's applied to a document at the time of download from DocuSign and indicates whether a document was changed since it was downloaded.

3. Appropriate credentialing, such as criteria for credentials, credential creation, and documented treatment of cotransactors.

DocuSign provides customers with multiple capabilities to authenticate participants to a transaction. Customers may also authorize different privileges among the participants.

Multiple Options for Authenticating Participants in a Transaction

Supported methods to authenticate signers in a digital transaction include:

o Access code: The recipient enters a code provided to them separately from DocuSign communications.
o SMS: The recipient enters a code received as an SMS text message at a specified phone number.
o Phone authentication: The recipient answers a phone call at a number supplied by the recipient and provides an authentication code. (Note: an additional available option enables the recording and generation of a biometric voiceprint as an additional layer to the authentication process.)
o Knowledge-based authentication: This method requires the recipient to answer detailed questions about themselves based on data available in public records.
o Social ID: The recipient enters his or her social ID information, which is validated against that service, to access the documents for signing. Supported services include Salesforce.com, Google, Yahoo!, or Microsoft account credentials, with additional options for social network credentials from Facebook, Twitter, and LinkedIn.
o Require a Digital Certificate: The sender can require the signer to apply a digital certificate at the time of signing. This creates a final document that has been digitally signed.
o Two-factor authentication: DocuSign also allows a sender to require two authentication methods from the document signer. Specifically, access code authentication and one other type may be used for a single recipient.

Ability for Senders to Set Privileges and Permissions for Co-Transactors

DocuSign supports different roles for participants in a transaction:

o Participants may be signers.
o Participants may be designated as recipients or authorized for actions, such as manage envelopes, address recipients, manage recipients, receive a copy, or acknowledge receipt.
o Each recipient in a workflow may be assigned individualized authentication requirements.
o Envelope recipients can be reassigned by the sender or also by a specific recipient.
o Particular signing orders among the participants may be enforced.
o In situations with multiple documents in a DocuSign envelope, access may also be controlled at the document level, where a particular document may only be viewed by the intended signer.

4. Clear evidence of agreement, including manifestation of assent, intent to transact, and attribution and audit trails.

Clear Evidence of Agreement

With DocuSign, the signer must agree to the use of electronic records and signatures in connection with the review and signing of any document and is given an electronic consent disclosure (ECD) before they can access document(s).

Users are prompted by DocuSign to adopt a signature graphic. This graphic is related explicitly to their identity, establishes their mark in the transaction, and is applied directly to the document to indicate their assent at that location. Further, users may personalize their signature graphic by drawing it with their mouse or touchscreen, selecting from predefined styles, or uploading an image they already have.

Audit processes within the DocuSign system securely capture all of these consent-related actions by the signer. Example granularity includes the date and time of the ECD acceptance or a unique identifier of the acceptance event.

A Complete Audit Trail

DocuSign provides digital audit trails for customers to track signing and access events over the lifetime of a document. They include a document history, a formal certificate of completion created upon signature of all document parties, and record permanence, as well as other capabilities. In combination, these serve to confirm the validity of transactions executed by the service.

o Document history: DocuSign tracks and logs all aspects of each transaction (name, address, IP address, date/time, authentication, and activity) and captures it all in a detailed transaction history that is stored in perpetuity as hashed and encrypted data within the DocuSign system. This data is available on demand from the system and may also be programmatically exported in real time as transactions progress to a completed state.
o Certificate of completion: Once the transaction is complete, DocuSign issues a certificate of completion that contains transaction-level information, such as the unique transaction ID, the sender and all recipients, the timestamp of all events, DocuSign account information, and the executed consumer disclosure. The certificate of completion has been tested in court and found to be legally valid.
o Record permanence: Document audit logs are kept permanently even if the underlying document is delivered and purged by the owning account. This maintains DocuSign's ability to prove a transaction indefinitely.

5. Complete records management, including long-term records management with proof of integrity, designated document retention periods, and transferability.

All retained customer data is stored at the level of security and encryption prescribed in DocuSign's customer data policy (see Security: Section 1).

Customers may leave signed documents in the DocuSign system indefinitely. DocuSign will warrant that the documents have been securely stored and not altered.

DocuSign also offers the DocuSign Connect publisher service that customers can use if they wish to keep a local copy behind their firewall. DocuSign Connect can push signed documents to a customer application or push status updates to a customer listener application. Once notified, customers can retrieve signed documents via the DocuSign API, in line with their workflow.

DocuSign integrates with external third-party vault solutions, such as eOriginal, that provide customers with additional records management capabilities.

Customers may also download stored documents and transaction data, which are secured with an X.509 PKI, standards-based "digital signature" that is applied at the time of download. The certificate of completion is also secured with a tamper-evident seal to ensure that it can't be modified after download, just like the document.

6. An industry-standard clock time convention from a trusted third-party source of time.

DocuSign utilizes the National Institute of Standards & Technology (NIST) atomic clock service as a synchronized time-service protocol to ensure all systems have a common time reference.

Availability

DocuSign has maintained more than 99.99% average availability over the past 5 years. The service is engineered to provide always-on availability and DocuSign doesn't post or schedule any planned downtime for maintenance.

DocuSign's system architecture includes multiple, simultaneously active DocuSign systems in different geographic locations, each supporting customer transactions while staying synchronized with each other. This way, data for in-process and completed transactions is saved in multiple locations, providing high availability and a superior protection against data loss and corruption.

Figure 4: DocuSign System Status (Publicly available in the DocuSign Trust Center)

1. The solution offers carrier-grade availability/system uptime.
2. The solution is continuously available online/offline with no maintenance downtime.
3. Customer data is continuously accessible for customer use.
4. Redundant geographically dispersed data centers are used.
5. There is zero data loss during catastrophic events.
6. There is a sub-minute service restoration after disruption.

Carrier-Grade Performance and Reliability

o DocuSign has maintained more than 99.99% average availability over the past five years.
o DocuSign posts twelve months of uptime data for its service, across four different environments, on its publicly available Trust Center.
o DocuSign provides customers with credits against fees if service levels aren't met.

DocuSign has a zero-maintenance downtime service. The company doesn't schedule offline maintenance.

Under DocuSign's architecture, secure replication of customer data is performed at both the data center in use, as well as in near real-time to geo-diverse data centers. Data is replicated at the OLTP level, and all historical and document data is synchronized using a proprietary document replication service. DocuSign makes eight perpetual backups of BLOB data, and data replication takes the place of traditional backups.

DocuSign data is replicated to geographically dispersed data centers. In the US, three active sites are located in different geographical regions. In Europe, two active sites are more than 400 km apart. In the event of a failure in any of the active systems, all user activity may be served by the remaining centers.

DocuSign's infrastructure is constructed to deliver a recovery point objective of five minutes in the event of a single site catastrophic failure. In support of data protection, DocuSign designs all deployments to be fully redundant and fault tolerant to eliminate single points of failure. Data travels via half-gigabit fiber to facilitate the required data replication (see Availability: Section 3).

DocuSign maintains a disaster recovery plan (DR) to be implemented in the event of a disaster (or prolonged interruption of service) and a business continuity plan (BCP). The table of contents of the plan and the last annual test results are available for inspection but for security reasons aren't shared outside of DocuSign.

DocuSign's infrastructure is constructed to meet a recovery time objective of 15 minutes. DocuSign's architecture features simultaneously active and redundant systems and near-real-time data replication. Additionally, DocuSign's datacenters are commercial-grade, PCI DSS compliant, and SSAE 16 examined and tested (see Security: Section 5). Combined, this enables DocuSign's service to consistently demonstrate high availability (as shown in publicly available site statistics) and be capable of surviving disruptions, such as a full site outage.

Failover capabilities are tested monthly along with a full, formal BCP/DR test conducted annually. Per company policy, these test results are validated and signed by stakeholders, including the chief technology officer, chief security officer, and chief legal officer.

7. Customer transaction support is provided.

Comprehensive Support Resources

DocuSign support resources include:

o 24x7 live support, along with full-time system availability monitoring
o Online case submission and management, with response SLAs
o Escalated tier-two support
o A support team that, on average, answers calls in less than 10 seconds, responds to emails within 2 business hours, and has an average first-contact completion rate of over 80 percent; and has access to DocuSign professional services, a customer's assigned strategic account manager, and DocuSign engineering teams.

Robust Capabilities for Integration and Compatibility Support

o DocuSign provides free developer accounts into a full-featured environment for development and testing. Sample code, SDKs, and code libraries are also provided at the DocuSign Developer Center.
o DocuSign offers preview and demonstration environments for customers to validate their system integrations and give feedback on new releases.
o DocuSign supplies support and documentation for out-of-the-box integrations to complementary solutions from Salesforce, Microsoft, Google, and others (see Interoperability: Section 1).

Supplemental Training Resources

DocuSign offers training, courses, and certifications through DocuSign University, such as administrator training, specialized training for Salesforce users, training for workflow developers, API use, and more. Courses are available online, in-person at DocuSign training facilities, or on premise at a customer's site.

8. The organization maintains a trust center for transparency into service performance, availability, certification status, and privacy.

DocuSign maintains a public-facing Trust Center that provides continuous updates on service availability, 12 months of uptime data, and technical best practices.

The Trust Center provides status confirmations that services are available and operating normally and will communicate information about service disruptions or security alerts.

The Trust Center enables customers to report to DocuSign any security concerns, suspected fraudulent email, or system issues.

On the Trust Center, DocuSign publicly confirms compliance with a number of security certifications, including:

o ISO 27001:2013
o SSAE 16, SOC 1 Type 2, SOC 2 Type 2
o xdtm Standard, Version 1.0
o PCI DSS 3.1
o TRUSTe

Scalability

To provide resilient system performance during peak traffic in the near term, as well as ensure scalability for required future growth, DocuSign undertakes robust capacity planning. Every day, DocuSign processes approximately 30 billion pieces of telemetry to monitor and assess the end-to-end customer experience as one of multiple inputs into planning for required scalability. Currently, the multi-tenant structure ensures that the DocuSign platform runs at less than 50 percent of total capacity and that no single customer's spike in usage impinges on other customers.

1. There is a formal process in place to anticipate future business growth/needs with the ability to provide ongoing system capacity monitoring.
2. There is a formal lifecycle management in place with proactive implementation of architectural changes and hardware purchasing.

How DocuSign Manages Scale

DocuSign maintains a formal planning process that includes both real-time performance indicators and long-term capacity planning mechanisms to ensure adequate capacity.

System load is evaluated and projected via a scheduled process, and ongoing projections using gathered data are made for server load, storage load, database load, and network load/bandwidth. Projections are tracked and compared with current load to ensure accuracy, and adjustments are made to the overall environment to ensure projected load is met or exceeded.

DocuSign maintains a baseline configuration program for software and hardware. All production systems are configured according to these standards to ensure capacity requirements. Benchmarks from the Center for Information Security (CIS) are part of the program's verification process.

Capacity increases are achieved by scaling the platform both vertically and horizontally, using collected data on usage trends as well as projections of contractual commitments in an 18-month moving window.

In addition, DocuSign has developed automated performance testing tools that create a static load on DocuSign via both the API and the user interface. The system is loaded and then dynamic evaluation is done to compare both the formal and observed system characteristics.

Universality

With DocuSign, users can conduct business globally, use an app or site built for their device or platform of choice, and transact while both connected and offline. DocuSign offers 13 sending languages and 43 languages for signing, and the system is compatible with leading browsers and mobile platforms. It's also available as a dedicated app on multiple platforms, and offline capabilities allow users to continue the transaction process when carrier service isn't available.

1. The solution is available across heterogeneous computing platforms.

DocuSign Supports Transactions Worldwide

The DocuSign service requires only a Web browser for signing and a PDF reader to optionally view documents. No additional software, browser plug-ins, extensions, or add-ons are necessary.

Available on Multiple Platforms

DocuSign is available to over 90 percent of desktop and mobile users in the regions where it's offered because of the range of platforms supported by the service.

o Desktop: DocuSign supports final release versions of Internet Explorer 8.0 or above, Windows Edge, Mozilla Firefox 3.0 or above (Windows and Mac), Safari 3.0 or above (Mac OS only), and Google Chrome 5.0 (Windows and Mac). Although other browsers aren't officially supported, signing typically works on any application that can render HTML.
o Mobile Web: DocuSign supports Apple iOS 6.0 and above, and Android 2.3 or above.
o Mobile applications: DocuSign offers native apps for iOS, Android, and Windows. Respective requirements are Apple iOS 8.0 and above, Android 4.0 and above, Windows 8.1 and above, Windows 10, and Windows Phone 8.1.

In addition, DocuSign's interface is responsive and will automatically optimize its interface to fit the device and form factor on which it's being viewed.

Capabilities for Working Offline

DocuSign's solution includes offline functionality for continued productivity when network or carrier service isn't available.

o While offline, document senders can tag a document to indicate required signatures and selected recipients. Once a network connection is available, the document will be sent out for signature.
o Document recipients can sign a document while offline, and once reconnected to a network, signed documents will be uploaded to the DocuSign cloud, routing to other signatories, if required, or confirming a completed transaction.

2. The solution is accessible worldwide.

DocuSign offers users the ability to sign documents in 43 localized languages: English (US), Spanish (Latin America), Japanese, German, French, Italian, Spanish (Spain Modern Sort), French (Canada), Chinese Simplified, Portuguese (Brazil), Russian, Turkish, Korean, Portuguese (Portugal), Chinese Traditional, Polish, Romanian, Dutch, Hungarian, Czech, Greek, Swedish, Finnish, Danish, Norwegian, Ukrainian, Serbian-Latin, Bulgarian, Croatian, Slovakian, Lithuanian, Slovenian, Latvian, Estonian, British English, Arabic, Hebrew, Farsi, Hindi, Bahasa Indonesia, Bahasa Melayu, Thai, and Vietnamese.

DocuSign offers 13 languages for global users to send documents for signature in their native language: English (U.S.), Chinese Simplified, Chinese Traditional, Dutch, French, German, Italian, Japanese, Korean, Portuguese (Brazil), Portuguese (Portugal), Russian, and Spanish.

The DocuSign solution can automatically detect a customer's browser language and present information in the appropriate language. Alternatively, a transaction initiator may specify language settings, or a transaction receiver may select from supported languages.

With DocuSign, users aren't required to sign up for an account before signing

Interoperability

Every day, the DocuSign platform services over 8 million API calls in support of over 1,000 API integrations. With platform APIs, a mobile SDK, out-of-the-box integrations with leading solution providers, and a rich partner ecosystem, customers can integrate DocuSign with their choice of solutions. DocuSign exposes the entire core platform functionality through its API and includes prebuilt integrations with Salesforce, Microsoft, Google, SAP, and others. Taken together, these integration options give customers flexibility and control across their organization, infrastructure, workflow, and technology partners, allowing them to scale from simple eSignature integrations to complex company-specific solutions. DocuSign also accepts multiple digital/PKI certificates as part of its support for digital signatures and provides solutions for enterprises to manage digital signing in their organization. DocuSign is also a certificate authority and issues digital certificates.

1. The solution has published integration guidelines.

DocuSign Exposes Its Full Platform for Complete Integration Support

DocuSign offers robust interoperability capabilities, including REST/SOAP APIs, dedicated integrations with market-leading solution providers, and DocuSign's Connect service that provides status updates within integrations.

Multiple APIs and SDKs

DocuSign offers both REST and SOAP APIs and exposes the entire core DocuSign platform functionality so that features and functionality can be integrated into any website, app, or embedded system that makes HTTP requests. Example workflows supported by the DocuSign API include:

o Bringing users directly to specific views within the transaction workflow
o Requesting legally binding signatures on the document types supported by the system
o Embedding the signing or sending workflow into a customer's UI or app
o Retrieving form-field data
o Enabling multifactor recipient authentication
o Simplifying authentication via reuse of existing credentials from other authorities (via standards-based SSO)

DocuSign offers a mobile SDK for iOS to integrate DTM and eSignature functionality into mobile apps. With it, developers can create a DocuSign sending and signing experience fully native to their app.

The DocuSign Development Center includes a developer sandbox and developer keys, as well as SDKs, code libraries, sample code, and other developer resources.

Out-of-the-Box Integrations with Leading Applications

DocuSign has business partnerships and technical integrations with leading enterprise solutions to provide more seamless signing services and enable more complex DTM use cases. Out-of-the-box integrations include:

o Salesforce.com: Includes Send with DocuSign functionality from any Salesforce object and integrates Salesforce contact data into DocuSign, eliminating rekeying of data.
o Microsoft: DocuSign and Microsoft have a strategic relationship in place and have worked together to enable users to securely send, sign, and track documents within Microsoft Office 365 using DocuSign. The partnership has since been expanded to include deeper integration of DocuSign within Microsoft Dynamics CRM online. In addition to these products, DocuSign also integrates with many earlier editions of Microsoft products, including Outlook, SharePoint, Dynamics CRM, and Windows.
o Google: DocuSign integrates with Gmail and Google Drive and offers a Google Chrome extension. These integrations enable users to sign documents, send to others, and complete other workflow integrations from within the Google applications they may already be using. DocuSign also integrates with Google Apps for Work suite, enabling administrators to install DocuSign and provision accounts for all users in the domain.
o SAP: Integrations with Ariba Contract Management and SuccessFactors Recruiting Management allow users to leverage SAP technology and DocuSign's DTM platform in their workflow.

DocuSign's Solution Showcase provides details on 120+ integrations with DocuSign's partner ecosystem.

DocuSign Connect Status Updates for Integrations

DocuSign Connect is a push service that sends real-time envelope and recipient data updates to customer listener applications using HTTP or SOAP messages. These updates are generated by changes to the DocuSign envelope as it progresses from sending to completion.

DocuSign Connect provides organizations with a centralized location and a real-time view of transactions across their user base. This information may also be customized to support reporting or workflow specific to a customer organization.

2. The solution accepts multiple digital/PKI certificates.

DocuSign enables DTM solutions globally and accepts multiple certificates to align with customer needs and regional requirements.

Certificate Acceptance

With DocuSign, customers can require use of a digital signature to complete a signing transaction. The DocuSign service accepts digital/PKI certificates that conform to X.509 standards. Certificates that conform to EU Directive 1999/93/EC or European Regulation 910/2014 (as applicable) are accepted.

DocuSign currently supports digital certificates from the following root certificate authorities: OpenTrust, DocuSign, and SAFE-BioPharma (approved for use with FDA- or EMA-regulated processes).

Certificate Issuance

DocuSign also acts as the certificate authority with Express or OpenTrust certificates (an accredited E.U.-based digital signature provider certified against key ETSI eSignature standards). This provides customers with an additional means to obtain PKI-standard and X.509-compliant digital signatures for any DocuSign transaction.

Certificate Policy

DocuSign maintains certificate policies covering their role as both a certificate authority (issuer) and which certificate authorities they'll accept certificates from within the context of digital signatures. These policies address:

o Accepted third-party certificate providers, including criteria for validating user identity
o The ways a user attests to their identity in order for DocuSign to create a signature on their behalf
o Operational and physical controls (e.g. specific trusted roles and functions, backup, segregation of duties, revocation, and audit trails)

Solutions for Enterprise Digital Signing, and the DocuSign Signature Appliance

With DocuSign's Signature Appliance, users within an enterprise can digitally sign documents directly from their document authoring or management application or through the DocuSign Appliance (desktop, mobile, or Web interfaces). DocuSign's Signature Appliance can integrate with a company's existing ID management system or use digital certificates issued by a company's preferred certificate authority. This capability enables companies to manage their certificates from within their own data center and is geared to highly regulated industries. The appliance is certified for the Common Criteria organization and FIPS (Federal Information Processing Standard) security standards. Please see Figure 5: DocuSign Signature Appliance (below).

DocuSign also supports card/token-based digital signatures where required by law. Customers sign using existing physical or software-based certificates in their possession, including smartcard-based National IDs or employee badges.

Figure 5: DocuSign Signature Appliance

3. Data will migrate to current standards over time to enable ongoing accessibility and document longevity.

Regulatory Compliance

DocuSign complies with regulatory requirements that necessitate documents remain accessible in a form that can be accurately reproduced for later reference.

Adoption of New File Formats, End-of-Life, and Ongoing Support for Older File Formats

On a periodic basis, DocuSign will assess the feasibility of supporting new document and data formats for the platform. DocuSign will also assess the viability of continuing to accept older file and data formats, using commercially available data and internal benchmarks to determine whether a particular format is obsolete. If necessary, DocuSign will communicate a timeframe when the format will no longer be accepted by the platform for new documents. DocuSign will announce successor formats, if required. DocuSign will also indicate whether data or agreements already on the platform will migrate to a new format (consistent with upholding regulatory requirements and its internal determination of feasibility).

Accepted Data Formats

DocuSign accepts a broad range of file formats and provides supplemental tools to ensure that documents can be accepted into the platform for setup


More information

Pickens Savings and Loan Association, F.A. Online Banking Agreement

Pickens Savings and Loan Association, F.A. Online Banking Agreement Pickens Savings and Loan Association, F.A. Online Banking Agreement INTERNET BANKING TERMS AND CONDITIONS AGREEMENT This Agreement describes your rights and obligations as a user of the Online Banking

More information

Operational Research Consultants, Inc. (ORC) Access Certificates For Electronic Services (ACES) Certificate Practice Statement Summary. Version 3.

Operational Research Consultants, Inc. (ORC) Access Certificates For Electronic Services (ACES) Certificate Practice Statement Summary. Version 3. Operational Research Consultants, Inc. (ORC) Access Certificates For Electronic Services (ACES) Certificate Practice Statement Summary Version 3.2 July 25, 2005 Table of Contents 1 Introduction...1 1.1

More information

Nymity Demonstrating Compliance Manual: A Structured Approach to Privacy Management Accountability

Nymity Demonstrating Compliance Manual: A Structured Approach to Privacy Management Accountability A Structured Approach to Privacy Management Accountability Copyright 2016 by Nymity Inc. All rights reserved. All text, images, logos, trademarks and information contained in this document are the intellectual

More information

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Privacy framework

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Privacy framework INTERNATIONAL STANDARD ISO/IEC 29100 First edition 2011-12-15 Information technology Security techniques Privacy framework Technologies de l'information Techniques de sécurité Cadre privé Reference number

More information

Privacy Procedure SOP-031. Version: 04.01

Privacy Procedure SOP-031. Version: 04.01 SOP-031 Version: 04.01 Effective Date: 01-Mar-2017 Table of Contents 1. DOCUMENT HISTORY... 3 2. APPROVAL STATEMENT... 3 3. PURPOSE... 4 4. SCOPE... 4 5. ABBREVIATIONS... 4 6. PROCEDURES... 5 6.1 COLLECTION

More information

This Privacy Policy describes the types of personal information SF Express Co., Ltd. and

This Privacy Policy describes the types of personal information SF Express Co., Ltd. and Effective Date: 2017/05/10 Updated date: 2017/05/25 This Privacy Policy describes the types of personal information SF Express Co., Ltd. and its affiliates (collectively as "SF") collect about consumers

More information

University of Massachusetts Amherst Libraries. Digital Preservation Policy, Version 1.3

University of Massachusetts Amherst Libraries. Digital Preservation Policy, Version 1.3 University of Massachusetts Amherst Libraries Digital Preservation Policy, Version 1.3 Purpose: The University of Massachusetts Amherst Libraries Digital Preservation Policy establishes a framework to

More information

Robert Bond Partner, Commercial/IP/IT

Robert Bond Partner, Commercial/IP/IT Using Privacy Impact Assessments Effectively robert.bond@bristows.com Robert Bond Partner, Commercial/IP/IT BA (Hons) Law, Wolverhampton University Qualified as a Solicitor 1979 Qualified as a Notary Public

More information

Extending On-Premises Network-Attached Storage to Google Cloud Storage with Komprise

Extending On-Premises Network-Attached Storage to Google Cloud Storage with Komprise IN PARTNERSHIP WITH: Extending On-Premises Network-Attached Storage to Google Cloud Storage with Komprise This article details how you can use the Google Cloud Platform (GCP) service Cloud Storage and

More information

Protection of Privacy Policy

Protection of Privacy Policy Protection of Privacy Policy Policy No. CIMS 006 Version No. 1.0 City Clerk's Office An Information Management Policy Subject: Protection of Privacy Policy Keywords: Information management, privacy, breach,

More information

PaperCut Cloud Services: FAQs and Troubleshooting. Channel Availability Release: 18.3

PaperCut Cloud Services: FAQs and Troubleshooting. Channel Availability Release: 18.3 PaperCut Cloud Services: FAQs and Troubleshooting Channel Availability Release: 18.3 Notice While every effort has been taken to ensure the accuracy and usefulness of this guide, we cannot be held responsible

More information

1 SERVICE DESCRIPTION

1 SERVICE DESCRIPTION DNV GL management system ICP Product Certification ICP 4-6-3-5-CR Document number: ICP 4-6-3-5-CR Valid for: All in DNV GL Revision: 2 Date: 2017-05-05 Resp. unit/author: Torgny Segerstedt Reviewed by:

More information

IE11, Edge (current version), Chrome (current version), Firefox (current version)

IE11, Edge (current version), Chrome (current version), Firefox (current version) Quick Start Guide DocuSign for SharePoint Online v3.4 Published: October 13, 2017 Overview DocuSign for SharePoint Online allows users to sign or send documents for signature from a SharePoint Online library.

More information

What We Heard Report Inspection Modernization: The Case for Change Consultation from June 1 to July 31, 2012

What We Heard Report Inspection Modernization: The Case for Change Consultation from June 1 to July 31, 2012 What We Heard Report Inspection Modernization: The Case for Change Consultation from June 1 to July 31, 2012 What We Heard Report: The Case for Change 1 Report of What We Heard: The Case for Change Consultation

More information

The Trend Toward Digital: How DocuSign Can Help. DocuSign helps insurers improve the customer experience, lower costs, and grow their business

The Trend Toward Digital: How DocuSign Can Help. DocuSign helps insurers improve the customer experience, lower costs, and grow their business The Trend Toward Digital: How DocuSign Can Help DocuSign helps insurers improve the customer experience, lower costs, and grow their business How Insurers Compete All aspects of the insurance industry

More information

Guidelines for the Stage of Implementation - Self-Assessment Activity

Guidelines for the Stage of Implementation - Self-Assessment Activity GUIDELINES FOR PRIVACY AND INFORMATION MANAGEMENT (PIM) PROGRAM SELF-ASSESSMENT ACTIVITY Guidelines for the Stage of Implementation - Self-Assessment Activity PURPOSE This tool is for the use of school

More information

Our position. ICDPPC declaration on ethics and data protection in artificial intelligence

Our position. ICDPPC declaration on ethics and data protection in artificial intelligence ICDPPC declaration on ethics and data protection in artificial intelligence AmCham EU speaks for American companies committed to Europe on trade, investment and competitiveness issues. It aims to ensure

More information

DocuSign Workflow for Springer Licensing Contracts. Customer Manual

DocuSign Workflow for Springer Licensing Contracts. Customer Manual 1 DocuSign Workflow for Springer Licensing Contracts Customer Manual Table of Contents Step-by-step guide: Forwarding and siging Springer Licensing Contracts electronically on the DocuSign esigning platform...

More information

TECHNICAL AND OPERATIONAL NOTE ON CHANGE MANAGEMENT OF GAMBLING TECHNICAL SYSTEMS AND APPROVAL OF THE SUBSTANTIAL CHANGES TO CRITICAL COMPONENTS.

TECHNICAL AND OPERATIONAL NOTE ON CHANGE MANAGEMENT OF GAMBLING TECHNICAL SYSTEMS AND APPROVAL OF THE SUBSTANTIAL CHANGES TO CRITICAL COMPONENTS. TECHNICAL AND OPERATIONAL NOTE ON CHANGE MANAGEMENT OF GAMBLING TECHNICAL SYSTEMS AND APPROVAL OF THE SUBSTANTIAL CHANGES TO CRITICAL COMPONENTS. 1. Document objective This note presents a help guide for

More information

Diana Gordick, Ph.D. 150 E Ponce de Leon, Suite 350 Decatur, GA Health Insurance Portability and Accountability Act (HIPAA)

Diana Gordick, Ph.D. 150 E Ponce de Leon, Suite 350 Decatur, GA Health Insurance Portability and Accountability Act (HIPAA) Diana Gordick, Ph.D. 150 E Ponce de Leon, Suite 350 Decatur, GA 30030 Health Insurance Portability and Accountability Act (HIPAA) NOTICE OF PRIVACY PRACTICES I. COMMITMENT TO YOUR PRIVACY: DIANA GORDICK,

More information

e-submission Quick Reference Guide for Economic Operators

e-submission Quick Reference Guide for Economic Operators e-submission Quick Reference Guide for Economic Operators e-submission Quick Guide for Economic Operators Page 1 Welcome to e-submission. This quick reference guide contains: Introduction to e-submission

More information

Live Agent for Administrators

Live Agent for Administrators Salesforce, Spring 18 @salesforcedocs Last updated: January 11, 2018 Copyright 2000 2018 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com, inc., as are other

More information

ITI Comment Submission to USTR Negotiating Objectives for a U.S.-Japan Trade Agreement

ITI Comment Submission to USTR Negotiating Objectives for a U.S.-Japan Trade Agreement ITI Comment Submission to USTR-2018-0034 Negotiating Objectives for a U.S.-Japan Trade Agreement DECEMBER 3, 2018 Introduction The Information Technology Industry Council (ITI) welcomes the opportunity

More information

Back to TOC. KUKA Connect FAQ

Back to TOC. KUKA Connect FAQ FAQ 2019 KUKA U.S. Holdings Company LLC. All rights reserved. Reproduction, modification, publication, distribution, or display of this document, in whole or in part, is prohibited except with the prior

More information

DNVGL-CG-0214 Edition September 2016

DNVGL-CG-0214 Edition September 2016 CLASS GUIDELINE DNVGL-CG-0214 Edition September 2016 The content of this service document is the subject of intellectual property rights reserved by ("DNV GL"). The user accepts that it is prohibited by

More information

A Guide for Structuring and Implementing PIAs

A Guide for Structuring and Implementing PIAs WHITEPAPER A Guide for Structuring and Implementing PIAs Six steps for your next Privacy Impact Assessment TRUSTe Inc. US: 1-888-878-7830 www.truste.com EU: +44 (0) 203 078 6495 www.truste.eu 2 CONTENTS

More information

CONSENT IN THE TIME OF BIG DATA. Richard Austin February 1, 2017

CONSENT IN THE TIME OF BIG DATA. Richard Austin February 1, 2017 CONSENT IN THE TIME OF BIG DATA Richard Austin February 1, 2017 1 Agenda 1. Introduction 2. The Big Data Lifecycle 3. Privacy Protection The Existing Landscape 4. The Appropriate Response? 22 1. Introduction

More information

Hong Kong Personal Data Protection Regulatory Framework From Compliance to Accountability

Hong Kong Personal Data Protection Regulatory Framework From Compliance to Accountability Legal Week s Corporate Counsel Forum 2016 Renaissance Harbour View Hotel 23 June 2016 Hong Kong Personal Data Protection Regulatory Framework From Compliance to Accountability Stephen Kai-yi Wong Privacy

More information

Information & Communication Technology Strategy

Information & Communication Technology Strategy Information & Communication Technology Strategy 2012-18 Information & Communication Technology (ICT) 2 Our Vision To provide a contemporary and integrated technological environment, which sustains and

More information

SAP Dynamic Edge Processing IoT Edge Console - Administration Guide Version 2.0 FP01

SAP Dynamic Edge Processing IoT Edge Console - Administration Guide Version 2.0 FP01 SAP Dynamic Edge Processing IoT Edge Console - Administration Guide Version 2.0 FP01 Table of Contents ABOUT THIS DOCUMENT... 3 Glossary... 3 CONSOLE SECTIONS AND WORKFLOWS... 5 Sensor & Rule Management...

More information

Kaseya 2. User Guide. Version 7.0

Kaseya 2. User Guide. Version 7.0 Kaseya 2 vpro User Guide Version 7.0 May 30, 2014 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated from time

More information

Technology transactions and outsourcing deals: a practitioner s perspective. Michel Jaccard

Technology transactions and outsourcing deals: a practitioner s perspective. Michel Jaccard Technology transactions and outsourcing deals: a practitioner s perspective Michel Jaccard Overview Introduction : IT transactions specifics and outsourcing deals Typical content of an IT outsourcing agreement

More information

SmartZone Rack Energy Kits. Power and Environmental Monitoring for Small Data Centers

SmartZone Rack Energy Kits. Power and Environmental Monitoring for Small Data Centers SmartZone Rack Energy Kits Power and Environmental Monitoring for Small Data Centers 3 Simple Steps to Success Step 1: Order + Step 2: Install + Step 3: Monitor = Simple To Order All necessary hardware

More information

Current Systems. 1 of 6

Current Systems. 1 of 6 Current Systems Overview Radio communications within the State of California s adult correctional institutions are vital to the daily safety and security of the institution, staff, inmates, visitors, and

More information

Live Agent for Administrators

Live Agent for Administrators Live Agent for Administrators Salesforce, Summer 16 @salesforcedocs Last updated: July 28, 2016 Copyright 2000 2016 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,

More information

Supplemental end user software license agreement terms

Supplemental end user software license agreement terms Terms of Service Docusign, Inc. Supplemental end user software license agreement terms These Supplemental Terms and Conditions (the "Terms") govern your ("Customer") use of the DocuSign Subscription Service,

More information

Public Information and Disclosure RD/GD-99.3

Public Information and Disclosure RD/GD-99.3 Public Information and Disclosure RD/GD-99.3 March, 2012 Public Information and Disclosure Regulatory Document RD/GD-99.3 Minister of Public Works and Government Services Canada 2012 Catalogue number CC172-82/2012E-PDF

More information

Live Agent for Administrators

Live Agent for Administrators Live Agent for Administrators Salesforce, Spring 17 @salesforcedocs Last updated: April 3, 2017 Copyright 2000 2017 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,

More information

TERMS AND CONDITIONS. for the use of the IMDS Advanced Interface by IMDS-AI using companies

TERMS AND CONDITIONS. for the use of the IMDS Advanced Interface by IMDS-AI using companies TERMS AND CONDITIONS for the use of the IMDS Advanced Interface by IMDS-AI using companies Introduction The IMDS Advanced Interface Service (hereinafter also referred to as the IMDS-AI ) was developed

More information

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT PRIVACY IMPACT ASSESSMENT PRIVACY IMPACT ASSESSMENT The template below is designed to assist you in carrying out a privacy impact assessment (PIA). Privacy Impact Assessment screening questions These questions

More information

Legislative and Regulatory Update. Diane Bowers, CASRO President CASRO Data Collection Conference November 19, 2009

Legislative and Regulatory Update. Diane Bowers, CASRO President CASRO Data Collection Conference November 19, 2009 Legislative and Regulatory Update Diane Bowers, CASRO President CASRO Data Collection Conference November 19, 2009 2009 Pharma market research state and Federal Massachusetts Vermont Minnesota Proposed

More information

DNVGL-CP-0338 Edition October 2015

DNVGL-CP-0338 Edition October 2015 CLASS PROGRAMME DNVGL-CP-0338 Edition October 2015 The electronic pdf version of this document, available free of charge from http://www.dnvgl.com, is the officially binding version. FOREWORD DNV GL class

More information

DocuSign for ios: For Field Sales & Field Services

DocuSign for ios: For Field Sales & Field Services DocuSign for ios: For Field Sales & Field Services How DocuSign for ios enables field sales and field services to transact business anytime, anywhere on ios devices Key Challenges FOR FIELD SALES AND SERVICES

More information

Fiscal 2007 Environmental Technology Verification Pilot Program Implementation Guidelines

Fiscal 2007 Environmental Technology Verification Pilot Program Implementation Guidelines Fifth Edition Fiscal 2007 Environmental Technology Verification Pilot Program Implementation Guidelines April 2007 Ministry of the Environment, Japan First Edition: June 2003 Second Edition: May 2004 Third

More information

View Terms and Conditions: Effective 12/5/2015 Effective 6/17/2017

View Terms and Conditions: Effective 12/5/2015 Effective 6/17/2017 View Terms and Conditions: Effective 12/5/2015 Effective 6/17/2017 Comerica Mobile Banking Terms and Conditions - Effective 12/5/2015 Thank you for using Comerica Mobile Banking combined with your device's

More information

First Components Ltd, Savigny Oddie Ltd, & Datum Engineering Ltd. is pleased to provide the following

First Components Ltd, Savigny Oddie Ltd, & Datum Engineering Ltd. is pleased to provide the following Privacy Notice Introduction This document refers to personal data, which is defined as information concerning any living person (a natural person who hereafter will be called the Data Subject) that is

More information

AGENTLESS ARCHITECTURE

AGENTLESS ARCHITECTURE ansible.com +1 919.667.9958 WHITEPAPER THE BENEFITS OF AGENTLESS ARCHITECTURE A management tool should not impose additional demands on one s environment in fact, one should have to think about it as little

More information

Digital Preservation Program: Organizational Policy Framework (06/07/2010)

Digital Preservation Program: Organizational Policy Framework (06/07/2010) UNIVERSITY OF UTAH J. Willard Marriott Library Digital Preservation Program: Organizational Policy Framework (06/07/2010) SECTION A 2-5 Purpose Mandate Objectives Scope Attributes and Responsibilities

More information

EXIN Privacy and Data Protection Foundation. Preparation Guide. Edition

EXIN Privacy and Data Protection Foundation. Preparation Guide. Edition EXIN Privacy and Data Protection Foundation Preparation Guide Edition 201701 Content 1. Overview 3 2. Exam requirements 5 3. List of Basic Concepts 9 4. Literature 15 2 1. Overview EXIN Privacy and Data

More information

PEAK GAMES IMPLEMENTS VOLTDB FOR REAL-TIME SEGMENTATION & PERSONALIZATION

PEAK GAMES IMPLEMENTS VOLTDB FOR REAL-TIME SEGMENTATION & PERSONALIZATION PEAK GAMES IMPLEMENTS VOLTDB FOR REAL-TIME SEGMENTATION & PERSONALIZATION CASE STUDY TAKING ACTION BASED ON REAL-TIME PLAYER BEHAVIORS Peak Games is already a household name in the mobile gaming industry.

More information

Secure identity and electronic signatures essential for digital trust

Secure identity and electronic signatures essential for digital trust Secure identity and electronic signatures essential for digital trust Betalingsformidlingskonferansen, November 16 th 2017 Eirik Dalen, Signicat (Eirik.dalen@Signicat.com) Signicat's vision is to be the

More information

Air Monitoring Directive Chapter 9: Reporting

Air Monitoring Directive Chapter 9: Reporting Air Monitoring Directive Chapter 9: Reporting Version Dec 16, 2016 Amends the original Air Monitoring Directive published June, 1989 Title: Air Monitoring Directive Chapter 9: Reporting Number: Program

More information

2017 W-Systems All Rights Reserved

2017 W-Systems All Rights Reserved Contents 2 Table of Contents 3 Part I Introduction... 3 1 Introducing DocuSign for SugarCRM 4 Part II Installation... 8 1 Upgrading 11 Part III Configuration... 11 1 Configuring the DocuSign Module...

More information

ADDENDUM D COMERICA WEB INVOICING TERMS AND CONDITIONS

ADDENDUM D COMERICA WEB INVOICING TERMS AND CONDITIONS Effective 08/15/2013 ADDENDUM D COMERICA WEB INVOICING TERMS AND CONDITIONS This Addendum D is incorporated by this reference into the Comerica Web Banking Terms and Conditions ( Terms ). Capitalized terms

More information

Office of the Director of National Intelligence. Data Mining Report for Calendar Year 2013

Office of the Director of National Intelligence. Data Mining Report for Calendar Year 2013 Office of the Director of National Intelligence Data Mining Report for Calendar Year 2013 Office of the Director of National Intelligence Data Mining Report for Calendar Year 2013 I. Introduction The Office

More information

DocuSign. Customer Success Case Study Sampler

DocuSign. Customer Success Case Study Sampler DocuSign Customer Success Case Study Sampler CASE STUDY DocuSign Helps Comcast Business Sales Reps Close More Deals On The Spot Summary Reduced average number of meetings for new customer onboarding from

More information

PRODUCT INFORMATION FORM (PIF TM )

PRODUCT INFORMATION FORM (PIF TM ) PRODUCT INFORMATION FORM (PIF TM ) PIF Version 6.0 Frequently Asked Questions September 2017 CONTENTS The following headings are hyperlinked to the section of the Q&A where the information related to the

More information

Phase 2 Executive Summary: Pre-Project Review of AECL s Advanced CANDU Reactor ACR

Phase 2 Executive Summary: Pre-Project Review of AECL s Advanced CANDU Reactor ACR August 31, 2009 Phase 2 Executive Summary: Pre-Project Review of AECL s Advanced CANDU Reactor ACR-1000-1 Executive Summary A vendor pre-project design review of a new nuclear power plant provides an opportunity

More information

CCTV Policy. Policy reviewed by Academy Transformation Trust on June This policy links to: T:Drive. Safeguarding Policy Data Protection Policy

CCTV Policy. Policy reviewed by Academy Transformation Trust on June This policy links to: T:Drive. Safeguarding Policy Data Protection Policy CCTV Policy Policy reviewed by Academy Transformation Trust on June 2018 This policy links to: Safeguarding Policy Data Protection Policy Located: T:Drive Review Date May 2019 Our Mission To provide the

More information

GUITAR PRO SOFTWARE END-USER LICENSE AGREEMENT (EULA)

GUITAR PRO SOFTWARE END-USER LICENSE AGREEMENT (EULA) GUITAR PRO SOFTWARE END-USER LICENSE AGREEMENT (EULA) GUITAR PRO is software protected by the provisions of the French Intellectual Property Code. THIS PRODUCT IS NOT SOLD BUT PROVIDED WITHIN THE FRAMEWORK

More information

DEPARTMENT OF PUBLIC SAFETY DIVISION OF FIRE COLUMBUS, OHIO. SOP Revision Social Media Digital Imagery

DEPARTMENT OF PUBLIC SAFETY DIVISION OF FIRE COLUMBUS, OHIO. SOP Revision Social Media Digital Imagery DEPARTMENT OF PUBLIC SAFETY DIVISION OF FIRE COLUMBUS, OHIO 17-007 SUBJECT: TITLE: Administration SOP Revision-04-05-07 Social Media 04-05-08 Digital Imagery Implementation Office of the Chief PURPOSE:

More information

This guide provides information on installing, signing, and sending documents for signature with

This guide provides information on installing, signing, and sending documents for signature with Quick Start Guide DocuSign for Dynamics 365 CRM 5.2 Published: June 15, 2017 Overview This guide provides information on installing, signing, and sending documents for signature with DocuSign for Dynamics

More information

RESEARCH DATA MANAGEMENT PROCEDURES 2015

RESEARCH DATA MANAGEMENT PROCEDURES 2015 RESEARCH DATA MANAGEMENT PROCEDURES 2015 Issued by: Deputy Vice Chancellor (Research) Date: 1 December 2014 Last amended: 8 June 2017 (administrative amendments only) Signature: Name: Professor Jill Trewhella

More information

Digital Preservation Policy

Digital Preservation Policy Digital Preservation Policy Version: 2.0.2 Last Amendment: 12/02/2018 Policy Owner/Sponsor: Head of Digital Collections and Preservation Policy Contact: Head of Digital Collections and Preservation Prepared

More information

Getting the evidence: Using research in policy making

Getting the evidence: Using research in policy making Getting the evidence: Using research in policy making REPORT BY THE COMPTROLLER AND AUDITOR GENERAL HC 586-I Session 2002-2003: 16 April 2003 LONDON: The Stationery Office 14.00 Two volumes not to be sold

More information

Enabling Trust in e-business: Research in Enterprise Privacy Technologies

Enabling Trust in e-business: Research in Enterprise Privacy Technologies Enabling Trust in e-business: Research in Enterprise Privacy Technologies Dr. Michael Waidner IBM Zurich Research Lab http://www.zurich.ibm.com / wmi@zurich.ibm.com Outline Motivation Privacy-enhancing

More information

SLAVERY AND HUMAN TRAFFICKING

SLAVERY AND HUMAN TRAFFICKING 1 SLAVERY AND HUMAN TRAFFICKING Pursuant to Section 3 of the California Transparency in Supply Chains Act of 2010 and the United Kingdom (UK) Modern Slavery Act 2015, Chapter 30, Part 6, Provision 54,

More information

GDPR Implications for ediscovery from a legal and technical point of view

GDPR Implications for ediscovery from a legal and technical point of view GDPR Implications for ediscovery from a legal and technical point of view Friday Paul Lavery, Partner, McCann FitzGerald Ireland Meribeth Banaschik, Partner, Ernst & Young Germany mccannfitzgerald.com

More information

Ansible Tower on the AWS Cloud

Ansible Tower on the AWS Cloud Ansible Tower on the AWS Cloud Quick Start Reference Deployment Tony Vattathil Solutions Architect, AWS Quick Start Reference Team April 2016 Last update: May 2017 (revisions) This guide is also available

More information

Validation Plan: Mitchell Hammock Road. Adaptive Traffic Signal Control System. Prepared by: City of Oviedo. Draft 1: June 2015

Validation Plan: Mitchell Hammock Road. Adaptive Traffic Signal Control System. Prepared by: City of Oviedo. Draft 1: June 2015 Plan: Mitchell Hammock Road Adaptive Traffic Signal Control System Red Bug Lake Road from Slavia Road to SR 426 Mitchell Hammock Road from SR 426 to Lockwood Boulevard Lockwood Boulevard from Mitchell

More information

SMART PLACES WHAT. WHY. HOW.

SMART PLACES WHAT. WHY. HOW. SMART PLACES WHAT. WHY. HOW. @adambeckurban @smartcitiesanz We envision a world where digital technology, data, and intelligent design have been harnessed to create smart, sustainable cities with highquality

More information

https://www.icann.org/en/system/files/files/interim-models-gdpr-compliance-12jan18-en.pdf 2

https://www.icann.org/en/system/files/files/interim-models-gdpr-compliance-12jan18-en.pdf 2 ARTICLE 29 Data Protection Working Party Brussels, 11 April 2018 Mr Göran Marby President and CEO of the Board of Directors Internet Corporation for Assigned Names and Numbers (ICANN) 12025 Waterfront

More information

IAB Europe Guidance THE DEFINITION OF PERSONAL DATA. IAB Europe GDPR Implementation Working Group WHITE PAPER

IAB Europe Guidance THE DEFINITION OF PERSONAL DATA. IAB Europe GDPR Implementation Working Group WHITE PAPER IAB Europe Guidance WHITE PAPER THE DEFINITION OF PERSONAL DATA Five Practical Steps to help companies comply with the E-Privacy Working Directive Paper 02/2017 IAB Europe GDPR Implementation Working Group

More information

CCTV Policy. Policy reviewed by Academy Transformation Trust on June This policy links to: Safeguarding Policy Data Protection Policy

CCTV Policy. Policy reviewed by Academy Transformation Trust on June This policy links to: Safeguarding Policy Data Protection Policy CCTV Policy Policy reviewed by Academy Transformation Trust on June 2018 This policy links to: Located: Safeguarding Policy Data Protection Policy Review Date May 2019 Our Mission To provide the very best

More information

GOVERNANCE, RISK & CONTROL: ARTIFICIAL INTELLIGENCE (AI) & ROBOTIC PROCESS AUTOMATION (RPA)

GOVERNANCE, RISK & CONTROL: ARTIFICIAL INTELLIGENCE (AI) & ROBOTIC PROCESS AUTOMATION (RPA) GOVERNANCE, RISK & CONTROL: ARTIFICIAL INTELLIGENCE (AI) & ROBOTIC PROCESS AUTOMATION (RPA) GUIDANCE FOR EFFECTIVE DEPLOYMENT, MANAGEMENT AND OVERSIGHT Version 1.1 29 th June 2017 express written permission

More information

Xena Exchange Users Agreement

Xena Exchange Users Agreement Xena Exchange Users Agreement Last Updated: April 12, 2018 1. Introduction Xena Exchange welcomes You ( User ) to use Xena Exchange s online software ( Xena s Software ) described herein in accordance

More information

Gerald G. Boyd, Tom D. Anderson, David W. Geiser
