Security for Docusign Notary
Security is in Docusign’s DNA, and like all of our products, Docusign Notary is researched, designed, and developed with security as a top priority.
This document outlines the security technologies, policies, and practices that protect your documents and data within Docusign Notary, including information that enables you to configure security in accordance with the specific risk management and compliance requirements of your organization. For security details common to all Docusign products, visit product security on the Trust Center.
Physical and logical security
Docusign maintains around-the-clock onsite security with strict physical access control that complies with industry-recognized standards, such as SOC 1, SOC 2, and ISO 27001.
We also use world-class security software to protect the integrity of Docusign Notary computer systems and networks that process customer data. We do this through a centralized management system that controls access to the production environment through a global two-factor authentication process.
This production environment is protected by industry-leading network management systems, anti-virus software, and malware detectors. The anti-virus software is integrated with processes that generate alerts to Docusign’s cyber incident response team if potentially harmful code is detected.
Security testing and vulnerability management
The quality and integrity of Docusign Notary are ensured by a formal product development lifecycle that includes secure coding practices in accordance with OWASP. Rigorous automated and manual code reviews are designed to pinpoint security weaknesses. We also perform internal and external vulnerability scans and penetration tests against the Docusign Notary platform. Any identified weaknesses from these industry-compliant tests are remedied in a commercially reasonable manner and in a timeframe commensurate with their severity.
Security monitoring
We monitor Docusign Notary from both an operational and a security perspective. Intrusion prevention and detection events are logged, and tailored alerts are sent to our operations and security teams to ensure that Docusign Notary can be used without security exposure from any location by those authorized to access it.
Storage, encryption, and disposal
To ensure your data stays protected, Docusign follows industry best practices to:
Logically separate individual customer data
Encrypt customer data—all data access and transfer activities use HTTPS and other secure protocols, such as SSL, SSH, IPsec, SFTP, or secure channel signing and sealing
Support only recognized cipher suites
Encrypt all documents with AES 256-bit encryption or the most recent FIPS-approved methods
Maintain a data disposal and re-use policy for managing data assets
Business continuity and disaster recovery
Docusign maintains written business continuity and disaster recovery plans that ensure the continuing availability of Docusign Notary. The continuity plan includes crisis management, business recovery, and infrastructure elements, and we test both plans on an annual basis.
Configurable security features
Docusign Notary offers the following customer-configurable features:
Multi-factor authentication provides an additional level of assurance that only those authorized to access Docusign eSignature and associated documents can access them
Role-based authorization for all business transaction types enables you to designate access to specific individuals
Allowlists for Docusign Notary service
Our top priority is to make your Docusign Notary experience safe and secure, and it’s our intention to provide the most robust and reliable service possible to enable your business transactions. We also want to proactively share information that may be of interest to you regarding our service and understand the requirement to configure security to the needs of your organization.
Docusign customers should configure their spam filters and other software to accept the allowlisted domains below. They should also explicitly allow Internet addresses advertised by Docusign Notary. It’s important to keep up to date with our current IP address ranges.
Domains
We recommend allowlisting all subdomains under the following domains:
.docusign.com
.docusign.net
.liveoak.net
Vonage (Formerly TokBox.com)
Docusign Notary uses technology provided by Vonage (aka Tokbox) for its video and audio conferencing solution. To ensure optimal performance of Docusign Notary, we recommend allowlisting all subdomains under the following domains:
.tokbox.com
.opentok.com
We also recommend allowlisting the following AWS S3 URLs used for secure asset storage:
loa-production-us.s3.amazonaws.com
loa-production-us-1.s3.amazonaws.com
loa-production-us-2.s3.amazonaws.com
loa-production-us-3.s3.amazonaws.com
loa-production-us-4.s3.amazonaws.com
loa-production-us-5.s3.amazonaws.com
TCP and UDP ports
Since Docusign Notary allows for real-time collaboration with clients, there are certain TCP and UDP ports that need to be open for traffic:
TCP port 443
UDP port 3478 (This port only accepts inbound traffic after an outbound request is sent. The connection is bidirectional but is always initiated from the corporate network/client, so it isn’t possible for an external entity to send malicious traffic in the opposite direction.)
For optimal performance, we also recommend allowlisting UDP ports 1025 – 65535.
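The allowlist above expressed as an egress check, as an added example that is not Docusign code. It shows the two details that are easy to get wrong when translating the list into proxy or firewall rules: subdomain patterns must match on a label boundary, and the S3 hosts are exact names, not a wildcard on s3.amazonaws.com. The names Flow, host_allowed, port_allowed and evaluate are hypothetical, the sample flows are constructed, and the code assumes each logged flow carries a resolved hostname.

```python
from typing import NamedTuple

# Parent domains the page lists with a leading dot (all subdomains allowed).
WILDCARD_DOMAINS = ("docusign.com", "docusign.net", "liveoak.net",
                    "tokbox.com", "opentok.com")
# S3 hosts the page lists individually: exact match only, never *.s3.amazonaws.com.
EXACT_HOSTS = {"loa-production-us.s3.amazonaws.com"} | {
    f"loa-production-us-{n}.s3.amazonaws.com" for n in range(1, 6)}


class Flow(NamedTuple):  # hypothetical record shape for one outbound flow
    host: str
    proto: str
    port: int


def host_allowed(host: str) -> bool:
    h = host.strip().rstrip(".").lower()
    if h in EXACT_HOSTS:
        return True
    # Match on a label boundary so "evildocusign.com" and
    # "docusign.com.example.org" fail. Assumption: the apex itself also passes.
    return any(h == d or h.endswith("." + d) for d in WILDCARD_DOMAINS)


def port_allowed(proto: str, port: int, optimal: bool = False) -> bool:
    proto = proto.lower()
    if proto == "tcp":
        return port == 443
    if proto == "udp":
        # 3478 is required; 1025-65535 is the page's optional performance range.
        return port == 3478 or (optimal and 1025 <= port <= 65535)
    return False


def evaluate(flow: Flow, optimal: bool = False) -> str:
    if not host_allowed(flow.host):
        return "deny:host"
    if not port_allowed(flow.proto, flow.port, optimal):
        return "deny:port"
    return "allow"


# Constructed sample flows (hostnames are illustrative, not taken from real logs).
SAMPLE = [Flow("sub.docusign.net", "tcp", 443),
          Flow("evildocusign.com", "tcp", 443),
          Flow("other-bucket.s3.amazonaws.com", "tcp", 443),
          Flow("media.opentok.com", "udp", 40000)]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f, evaluate(f), evaluate(f, optimal=True))
```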