DocuSign
Authentication & Authorization
- Docusign connects via OAuth 2.0 with the Authorization Code Grant Flow.
- DataGrail owns a Docusign OAuth 2.0 App that provides the credentials used to authenticate customers. Customers connect the integration by logging into their Docusign account with their admin credentials and accepting the app installation.
- DataGrail uses the Refresh Token Flow to obtain a new access token after the current one expires, which keeps the connection alive.
Scopes
The Docusign API requires specific scopes that the customer must approve in order to grant DataGrail read/write access to the objects needed to complete privacy requests:
- openid (enables granting consent to an OAuth application on behalf of your users);
- impersonation (required for applications that impersonate users to perform API calls);
- extended (used when requesting an access token using Authorization Code Grant);
- signature (required to call access and deletion API endpoints).
Endpoints Utilized
- Request authorization:
- Get and refresh access token:
- Validate that credentials are good based on a successful response:
Version
The Docusign integration currently supports version 2.1.
Limits
- In line with Docusign API rate limiting, DataGrail applies throttling rules so that it does not exceed 800 requests per hour and 23500 requests per day.
- Additionally, DataGrail handles API responses with HTTP 429 status by interrupting requests, waiting, and retrying with an exponential backoff strategy.
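The two limits above can be enforced client-side as in the following added example, which is not DataGrail's or Docusign's own code. The sliding-window approach, the names `Throttle` and `call_with_backoff`, and the backoff base and cap are assumptions; only the 800/hour and 23500/day ceilings and the retry on HTTP 429 come from this page.

```python
from collections import deque

HOUR, DAY = 3600, 86400
# Ceilings stated on this page: 800 requests per hour, 23500 per day.
LIMITS = ((HOUR, 800), (DAY, 23500))


class Throttle:
    """Sliding-window limiter enforcing every (window_seconds, max_requests) pair."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.sent = deque()  # timestamps of requests still inside the longest window

    def delay(self, now):
        """Seconds to wait so that one more request stays within all limits."""
        longest = max(window for window, _ in self.limits)
        while self.sent and self.sent[0] <= now - longest:
            self.sent.popleft()
        wait = 0.0
        for window, cap in self.limits:
            recent = [t for t in self.sent if t > now - window]
            if len(recent) >= cap:
                # The cap-th most recent request must age out of the window first.
                wait = max(wait, recent[-cap] + window - now)
        return wait

    def record(self, now):
        self.sent.append(now)


def call_with_backoff(send, throttle, clock, sleep, max_retries=5, base=1.0, cap=60.0):
    """Call send() under the throttle; on HTTP 429 wait base * 2**n seconds and retry."""
    # base, cap and max_retries are assumed values, not figures from the page.
    for attempt in range(max_retries + 1):
        wait = throttle.delay(clock())
        if wait > 0:
            sleep(wait)
        throttle.record(clock())  # retries count against the limits too
        status, body = send()
        if status != 429:
            return status, body
        if attempt < max_retries:
            sleep(min(cap, base * 2 ** attempt))
    raise RuntimeError("still rate limited after %d retries" % max_retries)
```

`send` is any callable returning `(status, body)`; passing `time.monotonic` and `time.sleep` as `clock` and `sleep` runs it against real time.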
Access
For an access request, DataGrail will take the following actions:
- Search account envelopes that contain the data subject's email and were updated in the last 5 years.
- Filter the search results to collect only the recipients related to the data subject's email and drop all other recipients.
- Filter the contacts list by the data subject's email.
- For all objects found, DataGrail will return a list of collected fields. The customer can choose which objects and fields to provide to the data subject via our Portal Requests.
Endpoints Utilized
- GET https://account.docusign.com/restapi/v2.1/accounts/{accountId}/envelopes
- GET https://account.docusign.com/restapi/v2.1/accounts/{accountId}/contacts
Deletion
For a deletion request, DataGrail will take the following actions:
- Delete a contact associated with an account.
- Delete a recipient from “draft” or “sent” envelopes. If the envelope is "In Process" (has been sent and is not completed or voided), recipients that have completed their actions cannot be deleted.
Endpoints Utilized
Disclaimer: The information contained in this message does not constitute legal advice. We advise seeking professional counsel before acting on or interpreting any material.