EU ADVANCED SIGNATURE ATTACHMENT for DOCUSIGN SIGNATURE
If you started your subscription to DocuSign Signature before February 21, 2022, please go here: (https://www.docusign.com/company/legacy-agreements) to review your terms.
If your use of the Service includes the use of DocuSign ID Verification, the provisions of Section 8 of this Service Attachment apply to you.
Service Attachment version date: February 21, 2022. Unless otherwise defined in this EU Advanced Signature Attachment for DocuSign Signature (the “Service Attachment”), capitalized terms will have the meaning given to them in the Agreement.
1. DEFINITIONS
“Archiving Policy” means all legal, functional, operational, technical, and security rules that Customer must establish, implement, and respect for the management of Signer Identification and Certificate of Completion.
“Certificate(s)” means the Certificate generated by DocuSign France via the Service for a Signer, used by that Signer to electronically sign an eDocument addressed thereto by an Authorized User, via the Service. Each Certificate contains information such as the identity of the Signer that includes the name and/or alias, the Public Key of the Signer, the life cycle of the Certificate, the identity of the RA, and the signature of the issuing CA.
“Certification Authority” (or “CA”) is DocuSign France, the authority that generates Certificates and manages the Certificate life cycle (issuance, renewal, revocation) on the request of the Registration Authority, in accordance with the rules and practices defined in its Certificate Policy(ies) and the associated Certification Practice Statement. The DocuSign contracting entity described in Section 12 (Contracting Entity, Governing Law and Venue) of the MSA acts as agent for DocuSign France as CA hereunder.
“Certificate of Completion” (or “COC”) means the record of a Transaction created using the Service.
“Certificate Policy(ies)” means the set of rules published by the CA and describing the general characteristics of the Certificates that it issues and the roles of the CA, the RA, Signers and relying parties. The Certificate Policy applicable to the Advanced EU Signature offering is designated as 1.3.6.1.4.1.22234.2.14.3.33 and is available at: https://www.docusign.fr/societe/politiques-de-certifications
“Customer Verification” means configuration for Signer Identification set by the Customer that a) deviates from the settings established by the IDV Service or the IDP; or b) validates the identity of a Signer when the IDV Service or the IDP has rejected a Signer Identification.
“Delegated Registration Authority” (or “DRA”) means any entity expressly designated by the RA in order to perform all or part of RA tasks in accordance with the applicable Registration Policy.
“Documentation” means the commercial, functional, and technical documentation relating to the Service and provided by DocuSign to Customer, including DocuSign France’s applicable Certificate Policies. Documentation can be in a paper format, on magnetic storage medium or in any other format used by DocuSign. Documentation provided by DocuSign may be offered in English and/or French.
“DocuSign France” means DocuSign France SAS, an Affiliate of DocuSign.
“DocuSign ID Verification” (or the “IDV Service”) means the DocuSign Service that provides identification verification services to parties executing eDocuments using DocuSign Signature. The IDV Service allows a Customer to verify the identity of a Signer prior to Signer executing an eDocument sent by Customer through DocuSign Signature.
“DocuSign Signature” means DocuSign’s on-demand electronic signature service, which provides online display, certified delivery, acknowledgement, electronic signature, and storage services for eDocuments via the Internet.
“eIDAS” means EU Regulation No. 910/2014.
“Identity Provider(s)” (or “IDP”) means the third-party service authorized to confirm the identity of a Signer by verifying a form of Signer Identification as part of the IDV Service.
“Private Key” means a mathematical key that is secret and that is uniquely contained within a device and remotely activated by the Signer to sign eDocuments. In the context of the Service, the Private Keys are generated only for the purpose of a single transaction and are erased after the completion of such transaction.
“Registration Authority” (or “RA”) means the entity in a contractual relationship with the CA to register requests for issuance of Certificates, and to validate or reject them. The RA applies Signer identification and authentication procedures in accordance with the rules and practices defined in the Registration Policy. For the purposes herein, the RA is Customer.
“Registration Policy” means the procedures and rules defined and implemented by the Registration Authority in order to identify and authenticate Signers, to verify and store supporting documents for Signers’ registration, and to register requests to issue Signer Certificates.
“Service” means the DocuSign EU Advanced Signature service provided to the Customer by DocuSign France as trust service provider to offer Signers a service via DocuSign Signature to electronically sign eDocuments.
“Signer(s)” (or “Signatory”) means any individual who signs the eDocument(s) presented thereto after giving consent in accordance with the Service consent protocol.
“Signer Identification” means any data (including personal data) identifying a Signer that is collected by Customer either through the Service or IDV Service (or both services together) for the purpose of confirming the identity of such Signer. Such data may include a government-issued identification (e.g., a passport) or identification issued to Signer by a bank or national authority (e.g., an electronic ID), or Signer-held certificate (e.g., an electronic national ID card or equivalent delivered by a national authority).
“Transaction(s)” means the performance of a signature process, defined by a set of eDocuments submitted for electronic Signature by one or more Signers.
2. EU ADVANCED SIGNATURE
2.1 The parties acknowledge and agree that: (a) DocuSign France is a “trust service provider” for the purpose of providing Certificates under the Service; and (b) where Customer contracts with DocuSign for the provision of a Certificate under the Service and related certification services, DocuSign is authorized to act as an agent for and on behalf of DocuSign France for the purpose of contracting with Customer while DocuSign France is the entity providing the actual delivery of any Certificate under the Service; and (c) the use of the Certificate under the Service is conditional upon Customer adhering to the terms of this Service Attachment.
2.2 During the Term and subject to the terms and conditions of the Agreement, Customer will have the right to send eDocuments to Signers to be signed with the Service via the DocuSign Signature application. The right to use the Service is limited to Authorized Users, and Customer may not resell or otherwise provide or assist with the provision of the Service: (a) for the benefit of another party; (b) as a part of a service Customer offers to third parties; or (c) as a sublicensed or service bureau arrangement.
2.3 Certificate Policies. Customer acknowledges and agrees it has been or hereby is fully informed by DocuSign that:
(a) the Service is based on DocuSign France’s applicable Certificate Policies;
(b) that the Certificate Policies constitute essential commitments from DocuSign France and its delegated Registration Authorities to any third party relying on the Service;
(c) that the Certificate Policies have been or will be made available to Customer before the Order Start Date of the Service and can be accessed on DocuSign’s website, https://www.docusign.fr/societe/certification-policies; and
(d) the essential commitments deriving from the Certificate Policies are applicable to both Customer and DocuSign France in the context of the use of the Service.
2.4 Certification Services. DocuSign France, in its capacity as Certificate Authority, shall be responsible for the proper functioning of the Service’s components and the compliance of its Certificate management system and procedures with the provisions set forth in applicable Certificate Policy(ies). DocuSign France shall technically manage the life cycle of Signer Certificates throughout their validity period to meet the needs relating to the use of the Service, in accordance with the terms and conditions defined in the applicable Certificate Policies. The characteristics of the Signer Certificates as well as the terms and conditions applying to the management of their life cycles are defined in the applicable Certificate Policy(ies).
3. CUSTOMER RESPONSIBILITIES
3.1 Customer expressly acknowledges having received from DocuSign France (or DocuSign) all of the information it requires to assess whether the Service meets its needs and to take all necessary precautions for the implementation and operation of the Service.
3.2 This Agreement designates Customer as Registration Authority, and Customer hereby accepts such duties and responsibilities. In this capacity, Customer shall implement procedures to: (a) identify and authenticate Signers as required under Article 26 of eIDAS; (b) validate the accuracy of the information in requests prior to submitting Signer Certificate requests to the CA via the Service; and (c) protect all identity and authentication data provided by Signer in this process. Customer will develop a Registration Policy that will at minimum detail the responsibilities and procedures for an RA set forth in this Service Attachment that includes but is not limited to its identification and authentication requirements under Article 26 of eIDAS in a manner reasonably designed to meet the obligations set forth hereunder.
3.3 In its capacity as RA, Customer shall:
(a) Comply with its Registration Policy and provide written proof to DocuSign France, DocuSign, or any accredited auditing body appointed by DocuSign, to verify the compliance of the RA with its Registration Policy procedures and communicate the requested information to DocuSign;
(b) Notify DocuSign within 24 hours of any breach of security or loss of integrity that has a significant impact on the personal data maintained therein;
(c) Seek approval from DocuSign prior to designating any DRAs;
(d) Establish a written enforceable agreement with any DRAs that defines their obligations and responsibilities in accordance with the applicable Registration Policy;
(e) Take appropriate technical and organizational measures to manage the risks associated with its IT systems and networks; and
(f) Securely store and archive all supporting documents used for Signer identification, authentication, and registration and Certificate of Completion for at least five (5) years and, in the case of a request from a government agency to DocuSign or for DocuSign’s internal audit, make that documentation available to DocuSign.
3.4 The Service can be accessed by Customer by means of a secure remote connection. ACCORDINGLY, CUSTOMER IS SOLELY RESPONSIBLE FOR ANY AND ALL CONSEQUENCES ARISING FROM THE UNAUTHORIZED USE BY A THIRD PARTY OF ITS PRIVATE KEYS AND CUSTOMER CERTIFICATES ENABLING ACCESS TO THE SERVICE, REGARDLESS OF THE MEANS BY WHICH THEY WERE OBTAINED FROM CUSTOMER.
3.5 The registration of Signers for the issue of Signer Certificates is the exclusive responsibility of Customer in its capacity as Registration Authority. Customer is responsible for the accuracy and completeness of the information sent to DocuSign for the issuing of Signer Certificates. DocuSign does not verify any identification information and DocuSign (including DocuSign France) disclaims all liability regarding the accuracy of the Signer identification information communicated by Customer and contained in the Signer Certificates.
4. DOCUSIGN RESPONSIBILITIES
4.1 Trust Service Provider. DocuSign shall ensure: (a) its and its Affiliates’ data centers are secured and trustworthy in accordance with industry standards and use high-performance products in terms of reliability, security, and confidentiality; and (b) that electronic signatures created with the Service, subject to the Customer fulfilling its responsibilities under the Agreement, will conform with the definition of Advanced Electronic Signature set out in Article 26 of eIDAS.
5. INSPECTION
5.1 In its capacity as CA, DocuSign France has a duty to inspect a Customer in its role as RA in order to confirm its compliance with the Registration Policy applicable to Signer Certificates. For this inspection, the CA may carry out, or select a mutually agreeable inspector to carry out, an annual compliance inspection on the Customer’s premises. Depending on inspector choice, the inspection may cover the following areas:
(a) Any obligation under Sections 3.2 or 3.3;
(b) Content and availability of the agreement between Customer and potential sub-contracting entities involved in the performance of Customer’s obligations;
(c) Management of eDocuments presented and made available to the Signer in connection with the signature workflow;
(d) If and only if RA has designated one or more Delegated Registration Authority pursuant to Section 3.3 above:
(i) Monitoring of DRAs in accordance with the Registration Policy defined by the RA and the Contract between the RA and each DRA; and
(ii) Requirements to be met by DRAs regarding Signer authentication and identification and the secure transmission of Signer identification data to the Customer by DRAs.
5.2 If the inspection reveals a major incident of noncompliance (such as evidence that a Certificate has been or may be issued to a Signer that has not been properly identified), Customer shall correct its procedures as soon as reasonably possible and, in any event, no later than the timeframe set by DocuSign France. If the correction has not been made within the timeframe set by DocuSign France, DocuSign France (or DocuSign as its agent and upon its instructions) may suspend services included in the operation of the Service until compliance is achieved. In this case, Customer cannot claim a breach by DocuSign France (or by DocuSign acting as DocuSign France agent) of its contractual obligations under this Agreement or claim any indemnity of any kind due to this suspension. Customer acknowledges and agrees that DocuSign France is permitted to suspend its performance under this Agreement whenever Customer is reasonably believed to be out of compliance with its obligations as the RA, and such suspension may continue until DocuSign France in its sole good faith discretion determines that the compliance failures have been remedied.
5.3 If it is suspected that the RA and/or one or more DRAs are in breach of this Agreement, or if a certification body or government authority makes the express request, DocuSign France also reserves the right to conduct, with reasonable advance notice, an inspection on the premises of the RA and the relevant DRAs at any time to determine any noncompliance with this Agreement and/or the applicable Certificate Policies.
6. TERMINATION
Upon the expiration or termination of this Service Attachment for any reason: Customer shall adhere to the terms of Section 3.3 (f).
7. THIRD-PARTY CLAIMS
In addition to the third-party claims obligations set forth in the Agreement, Customer will indemnify DocuSign and its Indemnified Parties from, and defend DocuSign and the Indemnified Parties against, any Claim to the extent arising from or related to non-performance of any obligations by Customer, in its capacity as Registration Authority, defined under this Service Attachment and the applicable Certificate Policy.
8. DOCUSIGN ID VERIFICATION
This Section defines the obligations of the parties when DocuSign EU Advanced Signature is used with DocuSign ID Verification. When used together, the provisions of this attachment (as modified below) and the terms governing the ID Verification service (as set forth in the Service Schedule for DocuSign Signature) shall apply.
8.1 Except in instances of Customer Verification, Section 1 shall be amended by deleting the definitions for “Archiving Policy” and “Delegated Registration Authority.”
8.2 Section 1 shall be amended by deleting the existing definition of “Registration Authority” and replacing it with the following definition:
“Registration Authority” (or “RA”) means the entity in a contractual relationship with the CA to register requests for issuance of Certificates and to validate or reject them. For the purposes of this Agreement, the RA is DocuSign except in cases of Customer Verification in which case the Customer is the RA.”
8.3 Section 1 shall be amended by adding all definitions in the ID Verification terms within the Service Schedule for DocuSign Signature.
8.4 Section 2.4 shall be deleted and replaced as follows:
“2.4 Certification Services. Except in instances of Customer Verification, DocuSign France, in its capacity as CA, and DocuSign, in its capacity as RA, shall be responsible for the proper functioning of the Service’s components and the compliance of its Certificate and Signer Identification management system and procedures with the provisions set forth in applicable Certificate Policy(ies). DocuSign France and DocuSign shall technically manage the life cycle of Signer Certificates and its associated Signer Identification throughout their validity period to meet the needs relating to use of the Service, in accordance with the terms and conditions defined in the applicable Certificate Policy(ies). The characteristics of the Signer Certificates as well as the terms and conditions applying to the management of their life cycles are defined in the applicable Certificate Policy(ies).”
8.5 Except in instances of Customer Verification, Section 3.2 shall be deleted in its entirety and the remaining subsections of Section 3 shall be renumbered accordingly including any references thereto.
8.6 Except in instances of Customer Verification, Section 3.3 shall be deleted and amended as follows:
“3.3 When using the Service, Customer shall securely store and archive the COC for at least five (5) years.”
8.7 Except in instances of Customer Verification, Section 3.5 shall be deleted and replaced as follows:
“3.5 Customer is exclusively responsible for the collection of Signer email addresses to contact Signer with DocuSign Signature.
Customer is responsible for the accuracy and completeness of the information sent to DocuSign. DocuSign does not verify Signer email addresses, and DocuSign, including DocuSign France, disclaims all liability regarding the accuracy of the Signer Identification provided by Customer in the DocuSign Signature application.”
8.8 Section 4 shall be modified as follows:
“4.2 Proof of ID Verification. In its capacity as CA, DocuSign France has a duty to maintain data that supports Certificate issuance for a Signer including proof of ID Verification. Except in instances of Customer Verification or where Customer deletes that data, in which case Customer shall comply with the terms of Section 3.3(f), DocuSign shall keep the following information for five (5) years after an instance of ID Verification occurs:
(a) Signer’s email address;
(b) Signer’s full name, as provided by Customer;
(c) Name of IDP;
(d) Country of issued ID;
(e) ID Verification date;
(f) Signer IP address at transaction time;
(g) Certificate of Completion.”
8.9 Except in instances of Customer Verification, Section 5 shall be deleted in its entirety.