Skip to content

The 27 DocuSign security checks Black Cat runs

Black Cat SSPM evaluates 27 security policies against your DocuSign configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

highWeak Password Length

Increase the minimum password length to at least 12 characters

highWeak Password Strength

Set password strength requirement to Strong in DocuSign password rules

highNo Password Expiration

Enable password expiration and set maximum age to 90 days or fewer

mediumNo Account Lockout

Enable account lockout policy with a lockout duration of at least 1 minute

mediumLong Web Session Timeout

Reduce web session timeout to 30 minutes or less in Security Settings

mediumLong Signing Session Timeout

Reduce signing session timeout to 30 minutes or less in Security Settings

mediumLong Mobile Session Timeout

Reduce mobile session timeout to 30 minutes or less in Security Settings

highExcessive Admins

Reduce the number of admin users by reassigning non-essential admins to least-privilege profiles

mediumInactive User With Access

Remove or deactivate inactive users who have not logged in recently

mediumOverly Broad Permission Profile

Create a restricted permission profile without account management for general users

lowUser Without Group

Assign ungrouped users to appropriate groups for consistent permission management

highNo SSO Configured

Configure SAML or OIDC SSO in DocuSign to enforce centralized authentication

highUnclaimed Domain

Verify and claim your organization's email domain to enforce SSO and prevent unauthorized accounts

highSSO Not Mandatory

Enforce SSO for all users and enable automatic provisioning via the configured identity provider

lowEmpty Group

Remove empty groups that have no members to reduce administrative clutter

mediumPermission Profile Manages Users

Remove user management permission from profiles that do not require full account administration

lowUnused Admin Permission Profile

Remove or disable unused permission profiles that have account management enabled

highDisabled Admin Account

Remove admin privileges from disabled or closed user accounts

mediumDomain Not Linked to Identity Provider

Link the reserved domain to an identity provider to enforce SSO for that domain

mediumPassword Security Questions Enabled

Disable security questions as a recovery mechanism in favor of stronger authentication methods

configuration

mediumSign On Paper Enabled

Disable sign-on-paper to enforce electronic-only signatures

mediumSigner Reassignment Enabled

Disable signer reassignment to prevent envelope forwarding to unintended recipients

mediumPowerForms Enabled

Disable PowerForms to prevent publicly accessible signing URLs

highNo Signer Certificate Required

Enable digital certificate requirement for signers to strengthen document integrity

mediumRecipient Domain Validation Disabled

Enable recipient domain validation to restrict which email domains can receive envelopes

highNo IP Restrictions

Configure IP address filtering to restrict API and web access to known corporate IP ranges

mediumBulk Recipients Enabled

Disable bulk recipients in Sending Settings unless required for documented business operations

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial