Usage Standards

In accordance with the Electronic Signatures Practice Directive

  • DocuSign can only be utilized for University business purposes and must not be used for personal transactions.
  • DocuSign is approved for use with Level 1 and Personally Identifiable Information (PII) data, including Social Security number, driver's license or state ID card information, and student information. For a full list, please refer to ITS' Confidential Data Practice Directive. DocuSign is not approved for use with PCI data (credit card information) or HIPAA data (medical records).
  • Electronic signatures are not appropriate for documents that are external or that are considered to be high risk.
  • Only risk assessed and approved business processes can be used in DocuSign.* The department that owns a particular business process is the only entity that may modify or upload the document for use in DocuSign.

*Memos and departmental forms routed internally (i.e., forms owned by your department and only sent to individuals within your department) are not required to undergo an electronic signature risk assessment, as long as there is no level 1 information contained in the document or any attachments.


Risk Assessment Process:

A risk assessment must be completed by the business process owner, Quality Assurance, and Enterprise Risk Management to determine whether it is appropriate to use electronic signatures for a particular business process and for the form to be approved for use in DocuSign. You can begin the process by filling out the Electronic Signatures Risk Assessment Form.

1. Complete the list assessment intake web form, 2. Attend the risk assessment meeting with other key stakeholders, 3. Discuss potential risks and mitigating factors, 4. Work with Quality Assurance to finalize the DocuSign workflow

When thinking about digitizing your business processes, best practices dictate that business process owners ensure accessibility of documents for all users. Below are some helpful resources for accessibility: