Compliance Status Overview
| Certification | Status | Scope |
|---|---|---|
| SOC 2 | Compliant | Documenso Cloud |
| 21 CFR Part 11 | Compliant (Enterprise) | FDA-regulated industries |
| ISO 27001 | Planned | Information security |
| HIPAA | Planned | Healthcare data protection |
Compliance certifications apply to Documenso Cloud. Self-hosted deployments are responsible for
their own compliance based on configuration and operational practices.
SOC 2
Status: Compliant
What SOC 2 Covers
SOC 2 Type II
Documenso maintains SOC 2 Type II certification, which includes:
- Type II audit - Tests controls over a period of time (not just at a point in time)
- Independent auditor - Third-party CPA firm evaluates controls
- Annual renewal - Audits conducted annually to maintain certification
Obtaining SOC 2 Reports
SOC 2 reports are available to customers and prospects under NDA:
- Visit documen.so/trust to request access
- Reports include detailed control descriptions and test results
- Available for due diligence and vendor assessments
SOC 2 reports are confidential and require an NDA. Contact Documenso to request a report for your
compliance review.
21 CFR Part 11
Status: Compliant (Enterprise License)
Industries Affected
21 CFR Part 11 applies to organizations in:
- Pharmaceutical manufacturing
- Medical device manufacturing
- Biotechnology
- Clinical research and trials
- Food and beverage production
- Any FDA-regulated industry using electronic records
Main Requirements
Electronic Signature Requirements
Under 21 CFR Part 11.50, electronic signatures must be:
| Requirement | Documenso Implementation |
|---|---|
| Unique to one individual | Email-based identity, optional MFA |
| Verified identity | Authentication required before signing |
| Non-reusable | Each signature event is unique and timestamped |
| Non-transferable | Signatures tied to authenticated user accounts |
Part 11 Compliance Features (Enterprise)
The following features are available with Enterprise licensing for 21 CFR Part 11 compliance:
- Validation documentation - IQ/OQ/PQ documentation
- Enhanced audit trails - Extended retention and reporting
- Advanced access controls - Granular permissions and approval workflows
- Compliance templates - Pre-configured workflows for regulated industries
- Signature meanings - Customizable signature manifestations
- Training records - User training and certification tracking
Read more about 21 CFR Part 11 with Documenso or contact
sales for Enterprise licensing.
Self-Hosted Part 11 Compliance
Self-hosted deployments seeking 21 CFR Part 11 compliance should meet the following requirements.
System Validation Requirements
- Conduct IQ (Installation Qualification)
- Perform OQ (Operational Qualification)
- Complete PQ (Performance Qualification)
- Document and maintain validation records
- Re-validate after significant changes
ISO 27001
Status: Planned
What ISO 27001 Covers
Current Implementation
While formal ISO 27001 certification is planned, Documenso already implements many ISO 27001 controls:
- Information security policies
- Risk assessment processes
- Access control and authentication
- Encryption at rest and in transit
- Incident response procedures
- Security monitoring and logging
- Vendor security assessments
Timeline
ISO 27001 certification is targeted for 2025. Progress updates are available on the roadmap.
HIPAA
Status: Planned
HIPAA Applicability
HIPAA applies to:
- Covered entities - Healthcare providers, health plans, healthcare clearinghouses
- Business associates - Vendors that process PHI on behalf of covered entities
HIPAA Requirements for Business Associates
Business Associate Agreement (BAA)
When HIPAA compliance is achieved, Documenso will offer a Business Associate Agreement (BAA) for
customers processing PHI. The agreement will cover:
- Permitted uses and disclosures of PHI
- Safeguards to protect PHI
- Breach notification obligations
- Termination procedures
- Subcontractor requirements
Self-Hosted HIPAA Compliance
Self-hosted deployments used for PHI should implement:
- Encryption at rest and in transit (TLS 1.2+)
- Access controls and authentication (MFA recommended)
- Audit logging of all PHI access
- Automatic session timeout
- Secure backup and disaster recovery
- Documented security policies and procedures
- Workforce training on HIPAA requirements
- Risk assessments and mitigation
Timeline
Full HIPAA compliance and BAA availability are targeted for late 2025. Track progress on GitHub.
Other Compliance Frameworks
GDPR (General Data Protection Regulation)
Documenso complies with GDPR for EU data protection. See GDPR for detailed information.
PIPEDA (Canada)
Documenso’s privacy practices align with PIPEDA (Personal Information Protection and Electronic Documents Act) requirements for Canadian privacy law.
CCPA (California Consumer Privacy Act)
Documenso supports CCPA compliance through data access, deletion, and portability features.
FedRAMP
Status: Not planned - FedRAMP authorization is not currently on the roadmap.
Compliance for Self-Hosted Deployments
Self-hosted Documenso deployments have additional flexibility and responsibility for compliance.
Advantages
- Data residency - Store data in your chosen jurisdiction
- Infrastructure control - Choose your own security controls
- Customization - Configure features to meet specific requirements
- Validation - Conduct your own system validation
- Audit access - Direct access to databases and logs
Responsibilities
- Infrastructure security - Implement appropriate safeguards
- Configuration - Enable security features correctly
- Monitoring - Detect and respond to security incidents
- Updates - Apply security patches promptly
- Documentation - Maintain compliance documentation
- Training - Train users on security and compliance
Compliance Resources
For self-hosted compliance:
- Review Security Configuration
- Implement Audit Logging
- Configure Access Controls
- Review Signing Certificates
Requesting Compliance Documentation
For compliance-related documentation requests:
SOC 2 Reports
- Visit documen.so/trust
- Requires NDA
21 CFR Part 11
- Contact sales for Enterprise licensing
- Validation documentation included with Enterprise
Security Questionnaires
- Email: [email protected]
- Standard questionnaires available
- Custom security reviews for Enterprise customers
Data Processing Agreements
- GDPR DPA available upon request
- HIPAA BAA (when available)
- Custom agreements for Enterprise
Disclaimer
This documentation is provided for informational purposes only and does not constitute legal or
compliance advice. Your compliance obligations depend on:
- Your jurisdiction and applicable laws
- Industry-specific regulations
- The type of data you process
- Your role (controller vs processor)
- Specific use cases and risk factors
It remains your responsibility to:
- Determine your compliance obligations
- Assess whether Documenso meets your requirements
- Implement appropriate policies and procedures
- Conduct risk assessments
- Prepare for audits and certifications
Related
- GDPR - Data protection compliance
- E-Sign Compliance - ESIGN, UETA, eIDAS regulations
- Standards - Technical standards (PAdES, X.509, PDF/A)
- Security Policy - Security practices and measures
- Self-Hosting - Deploy on your own infrastructure
