DocuSign is a leading electronic signature and agreement management platform used by millions of organisations to sign, send, and manage legally binding documents digitally. When embedded on a website or used to redirect signers, DocuSign sets cookies and collects personal data including signer identity, IP address, and device information to authenticate the signing process. GDPR compliance depends on the context of use, with contract performance being the primary legal basis when DocuSign is used to execute agreements with data subjects.
DocuSign is the world's leading electronic signature and agreement cloud platform, trusted by over a million customers across 180 countries. It allows organisations to prepare, sign, act on, and manage agreements entirely digitally. DocuSign integrates with common business platforms including Salesforce, Microsoft 365, Google Workspace, and many HR and legal tools. When a signer accesses a DocuSign envelope, either via a direct link or through an embedded signing session on a website, DocuSign collects personal data and sets cookies as part of the authentication and audit trail process. This makes it a service with specific GDPR obligations that vary depending on how it is used.
DocuSign collects signer name and email address, IP address at time of signing, geolocation derived from IP, device type and browser information, and a timestamp of each signature action. This data forms the legally binding audit trail attached to each completed document. DocuSign also sets session cookies and functional cookies to manage the signing interface, authenticate the session, and maintain state across multi-step signing flows. When DocuSign is embedded via its JavaScript SDK, additional tracking cookies may be set depending on the integration configuration.
DocuSign's use intersects with two key European frameworks. Under GDPR, the collection of signer personal data (name, email, IP, device) requires a lawful basis. Under eIDAS, DocuSign qualifies as an advanced electronic signature provider for standard use cases and as a qualified electronic signature provider when used with qualified certificates in supported countries. The legal basis for processing under GDPR is typically contract performance under Article 6(1)(b) when signing a contract, or legal obligation under Article 6(1)(c) when a signature is legally required. Consent under Article 6(1)(a) is required for any non-essential cookies set by the signing interface.
The consent picture for DocuSign is nuanced. The core signature data collected for the audit trail does not require consent, as it is necessary for the performance of the contract being signed. However, if DocuSign is embedded on a website and sets non-essential tracking or analytics cookies as part of the interface, these require ePrivacy-compliant consent. Organisations should review their DocuSign integration type and the cookies set in their specific configuration. Signers must be informed about the data collected via the privacy notice before they sign, even if separate cookie consent is not required for the core signing function.
By default DocuSign processes agreement data on US infrastructure, constituting a third-country transfer under GDPR Chapter V. DocuSign offers EU data residency through its EU Agreement Cloud, which stores and processes data exclusively in Frankfurt and Dublin on AWS eu-central-1 and eu-west-1. Organisations subject to strict data localisation requirements, such as those in regulated sectors, should evaluate the EU Agreement Cloud. For those on standard plans, Standard Contractual Clauses and the EU-US Data Privacy Framework certification provide the applicable transfer safeguards. All transfers must be documented in the Records of Processing Activities.
To use DocuSign compliantly:

1. Sign a Data Processing Agreement with DocuSign and include them in your sub-processor list.
2. Disclose DocuSign in your privacy policy as a data processor used for electronic signatures, with a description of the data collected and the US transfer mechanism.
3. Inform signers of the data collected at the point of signing, either through the DocuSign email or your own pre-signing information page.
4. Review the cookies set by your DocuSign integration and add them to your cookie policy.
5. Evaluate EU data residency if you process regulated or sensitive documents.
6. Document the legal basis for each processing activity involving DocuSign in your Records of Processing Activities.
Websites using DocuSign must inform signers of the data collected and obtain consent for any non-essential cookies the integration sets; the core signing data itself is processed under contract performance rather than consent.
DPIA considerations
A DPIA should be considered when DocuSign is used at scale to process agreements containing special category data (health, financial, or HR documents), when automated workflows process large volumes of signers without individual review, or when DocuSign data is integrated into CRM or HR systems that extend the processing scope. The US data transfer is a key risk factor unless EU data residency is configured.
Sample consent text
We use DocuSign to manage the electronic signing of this agreement. DocuSign will collect your name, email address, IP address, and device information to authenticate your signature and create an audit trail. Your data may be processed on DocuSign servers in the United States. By proceeding to sign, you acknowledge this data processing as necessary for the performance of the agreement.
Third-party domains contacted
docusign.com
docusign.net
app.docusign.com
account.docusign.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| DSSessionID | session | Session | Session identifier used to manage the signing interface state and authenticate the active signing session |
| DS-Signer-Auth-Token | session | Session | Authentication token for the active DocuSign signing session, used to verify signer identity throughout the signing flow |
| ds_cookie_support | session | Session | Technical detection cookie used to verify that the signer's browser supports cookie storage, required for secure session management |
DocuSign sets session and functional cookies to run the signing interface; list them in your cookie policy and obtain consent through a banner for any non-essential cookies your integration adds.
Does DocuSign use cookies?
DocuSign sets session cookies to manage the signing interface and authentication state, and functional cookies to maintain progress through multi-step signing flows. When DocuSign is embedded on a website via its JavaScript SDK, additional cookies may be set depending on the integration configuration. Key cookies include DSSessionID (a session identifier) and DS-Signer-Auth-Token (an authentication token for the signing session). DocuSign also collects IP addresses and device information as part of the audit trail, which is not stored in a cookie but is processed server-side.
Does DocuSign require consent under GDPR?
It depends on the context. The core personal data collected to create the legally binding audit trail (name, email, IP, device, timestamp) is processed under contract performance or legal obligation, not consent. However, if DocuSign is embedded on a website and sets non-essential cookies such as analytics or tracking cookies, ePrivacy consent is required for those cookies. Signers must always be informed about the data processing through your privacy notice before they sign.
What is the legal basis for processing data with DocuSign?
The primary legal basis is contract performance under Article 6(1)(b) GDPR, where DocuSign is used to execute a contract with the person whose data is being processed. Legal obligation under Article 6(1)(c) may apply where electronic signatures are legally mandated. For any non-essential cookies set by the DocuSign interface, consent under Article 6(1)(a) is required. Legitimate interest under Article 6(1)(f) may apply for internal workflow automations that do not directly involve the data subject as a party to the contract.
Does DocuSign transfer data outside the EU?
Yes, by default. DocuSign is headquartered in San Francisco, California and processes data on US infrastructure. This constitutes a third-country transfer under GDPR Chapter V. DocuSign offers EU data residency through its EU Agreement Cloud, with data hosted in Frankfurt and Dublin. For organisations on standard plans, transfers rely on Standard Contractual Clauses. DocuSign is also certified under the EU-US Data Privacy Framework. All transfers must be documented in the Records of Processing Activities.
Is a DPIA required when using DocuSign?
A DPIA is recommended when DocuSign is used to process agreements containing special category data such as health records, financial data, or HR contracts at scale. It is also advisable when automated DocuSign workflows process large numbers of individuals without individual review, or when DocuSign integrations feed personal data into downstream CRM, HR, or analytics systems that significantly expand the processing scope. The US data transfer is an additional risk factor to assess.
How do I use DocuSign in a GDPR-compliant way?
Sign a Data Processing Agreement with DocuSign and add them to your sub-processor list. Disclose DocuSign in your privacy policy, describing the data collected (name, email, IP, device, signature timestamp) and the applicable legal basis. Inform signers before they sign, either in the DocuSign invitation email or on a pre-signing information page. Review the cookies set by your integration and add them to your cookie policy. If you handle sensitive or regulated documents, evaluate the EU Agreement Cloud for data residency. Document the legal basis and US transfer in your Records of Processing Activities.
Are there EU-based alternatives to DocuSign?
Yes. Yousign is a French-headquartered electronic signature provider that stores all data in Europe and offers eIDAS-qualified signatures. Universign is another EU-based provider. For organisations requiring qualified electronic signatures under eIDAS, national trust service providers in France (such as Certigna or CertEurope), Germany, and other EU member states offer fully EU-resident signing solutions. These avoid third-country transfer concerns entirely.
How do I include DocuSign in my cookie policy?
If DocuSign is embedded on your website or sets cookies during a signing flow hosted on your domain, add the relevant cookies to your cookie policy table, listing their name, category (functional or strictly necessary), duration, and purpose. If signers are redirected to docusign.com, the cookies are set on DocuSign's own domain and do not need to appear in your cookie policy, though DocuSign should still be disclosed in your privacy policy as a data processor. Reference DocuSign's privacy policy at docusign.com/company/privacy-policy.