DocuSign collects and stores the actual content of documents you send, receive, or sign through its platform, including any personal information those documents contain.
This analysis describes what DocuSign's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Documents signed through DocuSign frequently contain sensitive personal, financial, legal, or medical information, and this clause confirms that content is collected and processed by DocuSign as part of its service.
Interpretive note: The extent of DocuSign's use of document content for its own purposes versus purely as a processor for enterprise customers depends on separate customer agreements not contained in this public notice.
Any sensitive information in your contracts, agreements, or forms processed through DocuSign, such as social security numbers, financial account details, or health information, is collected and stored by DocuSign and subject to the terms of this notice or, for enterprise users, the applicable customer agreement.
Cross-platform context
See how other platforms handle Document Content Collection and similar clauses.
Compare across platforms →Monitoring
DocuSign has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We collect and process information you provide when you use our products and services. This includes the content of the documents you send and receive through our products, including any personal information contained in those documents.— Excerpt from DocuSign's DocuSign Privacy Statement
(1) REGULATORY LANDSCAPE: Document content processing may implicate GDPR Article 9 if documents contain special category data, as well as HIPAA if the enterprise customer is a covered entity and the documents contain protected health information. The FTC Act applies to any unfair or deceptive practices in how this data is handled in the US. The extent of DocuSign's obligations depends on whether it acts as a controller or processor for a given data set. (2) GOVERNANCE EXPOSURE: Medium. As a data processor for enterprise customers, DocuSign's obligations for document content are defined by customer agreements rather than this public notice. However, if DocuSign uses document-derived data for its own purposes such as product improvement or AI model training, that use could trigger controller obligations and heightened scrutiny under GDPR and CCPA. (3) JURISDICTION FLAGS: EU and UK users are protected by GDPR and UK GDPR requirements for lawful bases and data minimization in document content processing. California residents may have rights under CPRA to know and limit the use of sensitive personal information contained in documents. Healthcare-adjacent organizations should evaluate HIPAA Business Associate Agreement requirements. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should confirm that their DocuSign Data Processing Agreement explicitly addresses document content as processor data, restricts secondary use by DocuSign, and identifies all sub-processors with access to document content. Procurement teams should request current sub-processor lists. (5) COMPLIANCE CONSIDERATIONS: Legal teams should map document content data flows to confirm appropriate lawful bases are in place, particularly for any automated processing or AI-assisted features applied to document content. Organizations in regulated industries should assess whether DocuSign's processor commitments satisfy sector-specific requirements.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Documents signed through DocuSign frequently contain sensitive personal, financial, legal, or medical information, and this clause confirms that content is collected and processed by DocuSign as part of its service.
Any sensitive information in your contracts, agreements, or forms processed through DocuSign, such as social security numbers, financial account details, or health information, is collected and stored by DocuSign and subject to the terms of this notice or, for enterprise users, the applicable customer agreement.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by DocuSign.