Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has jurisdiction over deceptive or unfair practices related to data controller/processor accountability in consumer-facing services.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this Dual Role: Data Controller and Data Processor clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar Dual Role: Data Controller and Data Processor clauses across approximately 1 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

Dual Role: Data Controller and Data Processor — DocuSign

Share 𝕏 Share in Share 🔒 PDF

Recent governance activity DocuSign recorded 2 documented changes in the last 30 days.

Start monitoring updates

Monitor governance changes for DocuSign Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

DocuSign acts as a data controller when handling your data for its own purposes (like marketing), but acts as a data processor when handling data on behalf of business customers who use DocuSign's platform.

ⓘ

This analysis describes what DocuSign's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The dual role designation establishes different data governance responsibilities depending on the product used. When DocuSign acts as controller rather than solely as processor, it assumes independent obligations regarding data retention, use, and compliance with data protection regulations, which affects the scope of accountability between DocuSign and its customers.

Consumer impact (what this means for users)

Individual signers may have limited direct rights against DocuSign when data is controlled by a business customer; they should contact the sending organization to exercise their privacy rights in those contexts.

How other platforms handle this

Smartsheet Medium

When we provide the Service to our customers, we act as a data processor on behalf of those customers. Our customers are the data controllers, meaning that they determine the purposes and means of the processing of personal data that is submitted into the Service. If you are an end user of a custome...

LinkedIn Medium

If you are in the 'Designated Countries', LinkedIn Ireland Unlimited Company ('LinkedIn Ireland') will be the controller of your personal data provided to, or collected by or for, or processed in connection with our Services. If you are outside of the Designated Countries, LinkedIn Corporation will ...

Anthropic Medium

This Privacy Policy does not apply where Anthropic acts as a data processor and processes personal data on behalf of commercial customers using Anthropic's Commercial Services – for example, your employer has provisioned you a Claude for Work account, or you're using an app that is powered on the ba...

See all platforms with this clause type →

Monitoring

DocuSign has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
When our business customers use certain Services, we generally process and store limited personal information on their behalf as a data processor. For certain products such as Docusign's Contract Lifecycle Management (CLM) and Identity products, we may act as a processor and as a controller in certain circumstances (e.g., retention of transactional data to comply with Docusign's legal obligations).

— Excerpt from DocuSign's DocuSign Privacy Statement

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

The controller/processor distinction has significant implications under GDPR Articles 4, 26, and 28; enterprise customers must ensure a valid Data Processing Agreement (DPA) is in place with DocuSign and that sub-processor obligations are flowed down appropriately.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Watcher free for 14 days

Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.

Applicable agencies

FTC

The FTC has jurisdiction over deceptive or unfair practices related to data controller/processor accountability in consumer-facing services.
File a complaint →

Applicable regulations

CCPA/CPRA

California, USA

CAN-SPAM

United States Federal

ePrivacy Directive

European Union

FTC Act Section 5

United States Federal

GDPR

European Union

Provision details

Document information

Document

DocuSign Privacy Statement

Entity

DocuSign

Document last updated

May 5, 2026

Tracking information

First tracked

March 20, 2026

Last verified

March 20, 2026

Record ID

CA-P-001053

Document ID

CA-D-00198

Evidence Provenance

Source URL

https://www.docusign.com/company/privacy-policy

Wayback Machine

View archived versions →

Content hash (SHA-256)

fa237cd26dd39fb681a04c81ee495ed2c1828ea7d4d6e7935ee1004d94aea5d7

Analysis generated

March 20, 2026 05:54 UTC

Methodology

summarize_document-v7

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: DocuSign
Document: DocuSign Privacy Statement
Record ID: CA-P-001053
Captured: 2026-03-20 05:54:25 UTC
SHA-256: fa237cd26dd39fb6…
URL: https://conductatlas.com/platform/docusign/docusign-privacy-statement/dual-role-data-controller-and-data-processor/
Accessed: May 20, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Medium

Other risks in this policy

Third-Party Data Sharing for Advertising medium
Cross-Border Data Transfers (Standard Contractual Clauses) medium
Cookie and Tracking Technology Use medium
User Data Rights (Access, Deletion, Correction, Portability) low
Data Retention Policy medium
Marketing Communications and Opt-Out low

Related Analysis

What 38 AI Companies Actually Say About Your Data (2026)
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.

Professional Governance Intelligence

Need to monitor specific governance provisions?

Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Professional free trial

Or start with Watcher →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does DocuSign's Dual Role: Data Controller and Data Processor clause do?

How does this clause affect you?

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.

Is ConductAtlas affiliated with DocuSign?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by DocuSign.