Binding Corporate Rules:
Processor Policy
- PART I: INTRODUCTION
- PART II: OUR OBLIGATIONS
- PART III: DELIVERING COMPLIANCE IN PRACTICE
- PART IV: THIRD PARTY BENEFICIARY RIGHTS
- PART V: RELATED POLICIES AND PROCEDURES
- APPENDIX 1 - LIST OF DOCUSIGN GROUP MEMBERS
- APPENDIX 2 - MATERIAL SCOPE OF THIS PROCESSOR POLICY
- APPENDIX 3 - FAIR INFORMATION DISCLOSURES
- APPENDIX 4 - DATA PROTECTION RIGHTS PROCEDURE
- APPENDIX 5 - PRIVACY COMPLIANCE STRUCTURE
- APPENDIX 6 - PRIVACY TRAINING REQUIREMENTS
- APPENDIX 7 - AUDIT PROTOCOL
- APPENDIX 8 - COMPLAINT HANDLING PROCEDURE
- APPENDIX 9 - CO-OPERATION PROCEDURE
- APPENDIX 10 - UPDATING PROCEDURE
- APPENDIX 11 - GOVERNMENT DATA REQUEST PROCEDURE
PART I: INTRODUCTION
This Binding Corporate Rules: Processor Policy (“Processor Policy”) establishes DocuSign's approach to compliance with applicable data protection laws (and, in particular, European laws) when processing personal information on behalf of a third-party controller.
Scope of this Processor Policy
This Processor Policy applies when we process personal information as a processor on behalf of a third-party controller, including when the personal information is transferred to a group member for processing. This Processor Policy applies regardless of whether our group members process personal information by manual or automated means.
The standards described in the Processor Policy are worldwide standards that apply to all group members when processing any personal information as a processor. As such, this Processor Policy applies regardless of the origin of the personal information that we process, the country in which we process personal information, or the country in which a group member is established.
For an explanation of some of the terms used in this Processor Policy, like "controller", "process", and "personal information", please see the section headed "Important terms used in this Processor Policy" below.
The material scope of this Processor Policy
The material scope of this Processor Policy is set out in Appendix 2. This describes the types of personal information, data subjects, and transfers that are protected by this Processor Policy. However, we must apply the standards described in this Processor Policy to all transfers of personal information to and between group members, even if they are not explicitly listed in Appendix 2.
Our collective responsibility to comply with this Processor Policy
All group members and their staff must comply with this Processor Policy when processing personal information as a processor on behalf of a Customer, irrespective of the country in which they are located.
In particular, all group members who process personal information as a processor must comply with:
- the rules set out in Part II of this Processor Policy;
- the practical commitments set out in Part III of this Processor Policy;
- the third party beneficiary rights set out in Part IV; and
- the related policies and procedures appended in Part V of this Processor Policy.
Responsibility towards the Customer
As a data processor, DocuSign will have a number of direct legal obligations under applicable data protection laws. In addition, the Customer will also pass certain data protection obligations on to DocuSign in its contract appointing DocuSign as its processor. If DocuSign fails to comply with the terms of its processor appointment, this may put the Customer in breach of its applicable data protection laws and Customer may initiate proceedings against DocuSign for breach of contract, resulting in the payment of compensation or other judicial remedies.
A Customer may enforce this Processor Policy against any group member that is in breach of it. Where a non-European group member (or a non-European third-party processor appointed by a group member) processes personal information for which the Customer is a controller in breach of this Processor Policy, that Customer may enforce the Processor Policy against DocuSign International (EMEA) Ltd. In such event, DocuSign International (EMEA) Ltd will be responsible for demonstrating that such group member (or third-party processor) is not responsible for the breach, or that no such breach took place.
When a Customer transfers personal information to a group member for processing in accordance with this Processor Policy, a copy of this Processor Policy shall be incorporated into the contract with that Customer. If a Customer chooses not to rely upon this Processor Policy when transferring personal information to a group member outside Europe, that Customer is responsible for implementing other appropriate safeguards in accordance with applicable data protection laws.
Management commitment and consequences of non-compliance
DocuSign's management is fully committed to ensuring that all group members and their staff comply with this Processor Policy at all times.
Non-compliance may cause DocuSign to be subject to sanctions imposed by competent data protection authorities and courts, and may cause harm or distress to individuals whose personal information has not been protected in accordance with the standards described in this Processor Policy.
In recognition of the gravity of these risks, staff members who do not comply with this Processor Policy will be subject to disciplinary action, up to and including dismissal.
Relationship with DocuSign's Binding Corporate Rules: Controller Policy
This Processor Policy applies only to personal information that DocuSign processes as a processor in order to provide a service to a Customer.
DocuSign has a separate Binding Corporate Rules: Controller Policy that applies when it processes personal information as a controller (i.e. for its own purposes). When a DocuSign group member processes personal information as a controller, it must comply with the Controller Policy.
In some situations, group members may act as both a controller and a processor. Where this is the case, they must comply both with this Controller Policy and also the Processor Policy as appropriate. If in any doubt which policy applies to you, please speak with the Office of the Chief Privacy Officer whose contact details are provided below.
Where will this Processor Policy be made available?
This Processor Policy is accessible on DocuSign's corporate website at www.docusign.com/trust/privacy.
Important terms used in this Processor Policy
For the purposes of this Processor Policy:
-
the term applicable data protection laws includes the data protection laws in force in the territory in which the controller of the personal information is located. Where a group member processes personal information on behalf of a European controller under this Processor Policy, the term applicable data protection laws shall include the European data protection laws applicable to that controller (including Europe's General Data Protection Regulation, when applicable);
-
the term controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal information. For example, DocuSign is a controller of its Customer data and staff data;
-
the term Controller Policy refers to DocuSign’s Binding Corporate Rules: Controller Policy, which is available on DocuSign's website at www.docusign.com/trust/privacy. The Controller Policy applies where DocuSign processes personal information as a controller (i.e. for its own purposes);
-
the term Customer refers to the third-party controller on whose behalf DocuSign processes personal information. This includes DocuSign's third-party customers, when we process personal information on their behalf in the course of providing data processing services to them;
-
the term DocuSign Platform is defined in Appendix 2 (Processor);
-
the term Europe (and European) as used in this Policy refers to the Member States of the European Economic Area – that is, the Member States of the European Union plus Norway, Liechtenstein and Iceland;
-
the term group member means the members of DocuSign's group of companies listed in Appendix 1;
-
the term personal information means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The term personal information shall include any information that is "personal data", "personally identifiable information", "personal information" and any analogous concept under applicable data protection laws;
-
the term processing means any operation or set of operations which is performed on personal information or on sets of personal information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
-
the term processor means a natural or legal person which processes personal information on behalf of a controller. For example, DocuSign is a processor of the personal information it processes to provide services to its Customers;
-
the term Processor Policy refers to this Binding Corporate Rules: Processor Policy. The Processor Policy applies where DocuSign processes personal information as a processor on behalf of a third party controller;
-
the term sensitive personal information means information that relates to an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. It also includes information about an individual's criminal offences or convictions, as well as any other information deemed sensitive under applicable data protection laws; and
-
the term staff refers to all employees, new hires, individual contractors and consultants, and temporary staff engaged by any DocuSign group member. All staff must comply with this Processor Policy.
How to raise questions or concerns
If you have any questions regarding this Processor Policy, your rights under this Processor Policy or applicable data protection laws, or any other data protection issues, you can contact the Office of the Chief Privacy Officer using the details below. The Office of the Chief Privacy Officer will either deal with the matter directly or forward it to the appropriate person or department within DocuSign to respond.
Attention: | Office of the Chief Privacy Officer |
Email: | privacy@docusign.com |
Address: | DocuSign Inc. 221 Main Street Suite 1000 San Francisco California 94105 |
The Office of the Chief Privacy Officer will ensure that changes to this Policy are notified to the group members and to individuals whose personal information is processed by DocuSign in accordance with Appendix 10.
If you want to exercise any of your data protection rights, please see the data protection rights procedure set out in Appendix 4. Alternatively, if you are unhappy about the way in which DocuSign has used your personal information, you can raise a complaint in accordance with our complaint handling procedure set out in Appendix 8.
PART II: OUR OBLIGATIONS
This Processor Policy applies in all situations where a group member processes personal information as a processor anywhere in the world. All staff and group members must comply with the following obligations:
Rule 1 – Lawfulness:
We must ensure that processing is at all times compliant with applicable law and this Processor Policy. |
We must at all times comply with any applicable data protection laws, as well as the standards set out in this Processor Policy, when processing personal information. The rights and obligations that apply to personal information within the scope of this Processor Policy “travel” with the personal information whenever it is transferred to or between group members (or their sub-processors). This means that where in-scope personal information is transferred to an importing group member (or its sub-processor) in another country, that personal information must be protected to the standards set out in this Processor Policy, even if the importing group member (or its sub-processor) is not subject to applicable data protection laws or is subject to applicable data protection laws that provide for lower standards. As such:
|
Rule 2 – Cooperation with Customers:
We must cooperate with and assist the Customer to comply with its obligations under applicable data protection laws in a reasonable time and to the extent reasonably possible. |
We must cooperate with and assist our Customer to comply with its obligations under applicable data protection laws. We must provide such assistance in a reasonable time and to the extent reasonably possible, and as required under the terms of our contract with the Customer. Assistance may include, for example, helping our Customer to keep the personal information we process on its behalf accurate and up to date, helping it to provide individuals with access to their personal information, or helping it to conduct data protection impact assessments in accordance with applicable data protection laws. |
Rule 3 – Fairness and transparency: We must, to the extent reasonably possible, assist a Customer to comply with the requirement to explain to individuals how their personal information will be processed. |
Our Customer has a duty to explain to the individuals whose information it processes (or instructs us to process), how and why that information will be used. This information must be given in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This is usually done by means of an easily accessible fair processing statement. We will provide such assistance and information to the Customer in accordance with the terms of our contract with the Customer to comply with this requirement. For example, the terms of our contract with a Customer may require us to provide information about any sub-processors we appoint to process personal information on our Customer’s behalf. |
Rule 4 – Purpose limitation: We will only process personal information on behalf of, and in accordance with the instructions of, the Customer. |
We must only process personal information on behalf of the Customer and in accordance with its documented instructions (for example, as set out in the terms of our contract with the Customer and including instructions from individual users of the DocuSign Platform), including with regard to any international transfers of personal information. If we are unable to comply with our Customer’s instructions (or any of our obligations under this Processor Policy), we will inform the Customer promptly. The Customer may then suspend its transfer of personal information to us and/or terminate its contract with us (in accordance with the terms of the contract). In such circumstances, we will return or delete the personal information, including any copies of the personal information, in a secure manner or as otherwise required, in accordance with the terms of our contract with the Customer and, if requested, certify to the Customer that this has been done. If we are prevented from returning the personal information to our Customer or from deleting it (for example, due to applicable law requirements), we must inform the Customer. In such event, we must continue to maintain the confidentiality of the personal information and not process the personal information further other than in accordance with the terms of our contract with the Customer. |
Rule 5 – Data accuracy and minimisation: We will assist our Customer to keep the personal information accurate and up to date. |
We must assist our Customer to comply with its obligation to keep personal information accurate and up to date. In particular, where a Customer informs us that personal information is inaccurate, we must assist our Customer to update, correct or erase that information without delay. We must also take measures to inform group members or third-party processors to whom the personal information has been disclosed of the need to update, correct or erase that personal information. |
Rule 6 – Storage limitation: We will assist our Customer to store personal information only for as long as is necessary for the purpose for which the information was initially collected. |
Where a Customer instructs us that personal information we process on its behalf is no longer needed for the purposes for which it was collected, we will assist our Customer to erase, restrict or anonymise that personal information without delay and in accordance with the terms of our contract with the Customer. We must also take measures to inform group members or third-party processors to whom the personal information has been disclosed of the need to erase, restrict or anonymise that personal information. |
Rule 7 – Security, integrity and confidentiality: We must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the personal information we process on behalf of a Customer. |
Where we provide a service to a Customer which involves the processing of personal information, the contract between us and that Customer will set out the technical and organisational security measures we must implement to safeguard that information consistent with applicable data protection laws. We must ensure that any staff member who has access to personal information processed on behalf of a Customer does so only for purposes that are consistent with the Customer’s instructions and is subject to a duty of confidence. |
Rule 8 – Security incident reporting: We must notify a Customer of any security incident that we experience if it presents a risk to the personal information we process on the Customer’s behalf. |
When we become aware of a data security incident that presents a risk to the personal information that we process on behalf of a Customer, we must immediately inform the Office of the Chief Privacy Officer and follow our data incident management processes. DocuSign's Chief Privacy Officer will review the nature of the data security incident and determine whether a personal data breach has occurred and thus whether it is necessary to notify a Customer. The Chief Privacy Officer shall be responsible for ensuring that any such notifications, where necessary, are made without undue delay and in accordance with applicable law. |
Rule 9 – Engaging sub-processors We may only appoint, add or replace sub-processors with authorisation from the Customer and in accordance with its requirements. |
We must obtain a Customer’s authorisation before appointing, adding or replacing a sub-processor to process personal information on its behalf. Authorisation must be obtained in accordance with the terms of our contact with the Customer. We must make available to our Customer up-to-date information about the sub-processors we intend to appoint in order to obtain its authorisation. If, on reviewing this information, a Customer objects to the appointment of a sub-processor, that Customer may take such steps as are consistent with the terms of its contract with us and as referred to in Rule 4 of this Processor Policy regarding the return or destruction of the personal information. |
Rule 10 – Sub-processor contracts We must only appoint external sub-processors who protect personal information to a standard that is consistent with this Processor Policy and our contractual terms with Customers. |
We must only appoint external sub-processors who provide sufficient guarantees in respect of the commitments made by us in this Processor Policy. In particular, external sub-processors must implement appropriate technical and organisational security measures to protect the personal information they process, and such measures must be consistent with our commitments to our Customer under our contractual terms with the Customer. Where we intend to appoint an external sub-processor to process personal information, we must undertake due diligence to ensure it has in place appropriate technical and organisational security measures to protect the personal information. We must impose contractual obligations in writing on the sub-processor that require it:
|
Rule 11 – Respect for individuals’ data protection rights: We will assist a Customer to respond to queries or requests made by individuals in connection with their personal information. |
We must assist our Customer to comply with its duty to respect the data protection rights of individuals, in accordance with the instructions of our Customer and the terms of our contract with the Customer. In particular, if any group member receives a request from any individual wishing to exercise his or her data protection rights in respect of personal information for which the Customer is the controller, the group member must transfer such request promptly to the relevant Customer (in accordance with the Data Protection Rights Procedure in Appendix 4). |
PART III: DELIVERING COMPLIANCE IN PRACTICE
To ensure we follow the rules set out in our Processor Policy, in particular the obligations set out in Part II, DocuSign and all of its group members must also comply with the following practical commitments:
1. Resourcing and compliance: We must have appropriate staff and support to ensure and oversee privacy compliance throughout the business. |
DocuSign has appointed its Chief Privacy Officer to oversee and ensure compliance with this Processor Policy. The Office of the Chief Privacy Officer is responsible for overseeing and enabling compliance with this Controller Policy on a day-to-day basis. A summary of the roles and responsibilities of DocuSign's privacy team is set out in Appendix 5. |
2. Privacy training: We must ensure staff are educated about the need to protect personal information in accordance with this Processor Policy |
Group members must provide appropriate privacy training to staff members who:
We will provide such training in accordance with the Privacy Training Program (see Appendix 6). |
3. Records of Data Processing: We must maintain records of the data processing activities carried out on behalf of a Customer. |
We must maintain a record of the processing activities that we conduct on behalf of a Customer in accordance with applicable data protection laws. These records should be kept in writing (including electronic form) and we must make these records available to competent data protection authorities upon request. The relevant team or function overseeing or managing the processing activity is responsible for ensuring the accuracy of such records, in conjunction with the Office of the Chief Privacy Officer which will maintain such records. |
4. Audit: We must have data protection audits on a regular basis. |
We will have data protection audits on a periodic basis, which may be conducted by either internal or external accredited auditors. In addition, we will conduct data protection audits on specific request from the Chief Privacy Officer and/or the Board. We will conduct any such audits in accordance with the Audit Protocol (see Appendix 7). |
5. Data protection by design and by default: We must provide our products and services in a way that assists our Customer to apply data protection by design and by default principles. |
We must provide our products and services in a way that assists our Customer to implement data protection by design and data protection by default principles. This means that we must implement appropriate technical and organizational measures when providing our products and services that:
These measures must be implemented in accordance with the terms of our agreement with our Customer. |
6. Complaint handling: We must enable individuals to raise data protection complaints and concerns |
Group members must enable individuals to raise data protection complaints and concerns (including complaints about processing under this Processor Policy) by complying with the Complaint Handling Procedure (see Appendix 8). |
7. Cooperation with competent data protection authorities: We must always cooperate with competent data protection authorities |
Group members must cooperate with competent data protection authorities by complying with the Cooperation Procedure (see Appendix 9). |
8. Updates to this Processor Policy: We will update this Processor Policy in accordance with our Updating Procedure |
Whenever updating our Processor Policy, we must comply with the Updating Procedure (see Appendix 10). |
9. Conflicts between this Processor Policy and national legislation: We must take care where local laws conflict with this Policy, and act responsibly to ensure a high standard or protection for the personal information in such circumstances. |
If local laws applicable to any group member prevent it from fulfilling its obligations under the Processor Policy or otherwise has a substantial effect on its ability to comply with the Processor Policy or the instructions it has received from a Customer, the group member must promptly inform:
unless otherwise prohibited by law. |
10. Government requests for disclosure of personal information: We must notify the competent supervisory authorities in case of a legally binding request for disclosure of personal information. |
If a group member receives a legally binding request for disclosure of personal information by a law enforcement authority or state security body which is subject to this Processor Policy, it must:
In no event must transfers of personal information from a group member to any law enforcement, state security or similar public authority be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society. |
PART IV: THIRD PARTY BENEFICIARY RIGHTS
Application of this Part IV
This Part IV applies where individuals’ personal information are protected under European data protection laws (including the General Data Protection Regulation). This is the case when:
-
those individuals’ personal information are processed in the context of the activities of a third-party controller or a group member (acting as processor) established in Europe;
-
a non-European Customer (acting as controller) or group member (acting as processor) offers goods and services (including free goods and services) to those individuals in Europe; or
-
a non-European Customer (acting as controller) or group member (acting as processor) monitors the behaviour of those individuals, as far as their behaviour takes place in Europe;
and that Customer or group member (as applicable) then transfers those individuals’ personal information to a non-European group member (or its sub-processor) for processing under the Processor Policy.
Entitlement to effective remedies
When this Part IV applies, individuals have the right to pursue effective remedies in the event their personal information is processed by DocuSign in breach of the following provisions of this Processor Policy:
-
Part II (Our Obligations) of this Processor Policy;
-
Paragraphs 5 (Complaints Handling), 6 (Cooperation with Competent Data Protection Authorities), 8 (Conflicts between this Processor Policy and national legislation) and 9 (Government requests for disclosure of personal information) under Part III of this Processor Policy; and
-
Part IV (Third Party Beneficiary Rights) of this Processor Policy.
Individuals’ third party beneficiary rights
When this Part IV applies, the right for individuals to pursue effective remedies against DocuSign apply only if either (i) the requirements at stake are specifically directed at DocuSign as a processor in accordance with applicable data protection law (and in accordance with the guidance published by competent data protection authorities), or (ii) the individuals cannot bring a claim against a Customer because:
-
the Customer has factually disappeared or ceased to exist in law or has become insolvent; and
-
no successor entity has assumed the entire legal obligations of the Customer by contract or by operation of law.
In such cases, individuals may exercise the following rights:
-
Complaints: Individuals may complain to a group member and/or to a European data protection authority, in accordance with the Complaints Handling Procedure at Appendix 8;
-
Proceedings: Individuals may commence proceedings against a group member for violations of this Processor Policy, in accordance the Complaints Handling Procedure at Appendix 8;
-
Compensation: Individuals who have suffered material or non-material damage as a result of an infringement of this Processor Policy have the right to receive compensation from DocuSign for the damage suffered.
-
Transparency: Individuals also have the right to obtain a copy of the Processor Policy, which they may exercise by making a request to the Office of the Chief Privacy Officer at privacy@docusign.com or by directly accessing the Processor Policy as published on www.docusign.com/trust/privacy.
Responsibility for breaches by non-European group members
DocuSign International (EMEA) Ltd will be responsible for ensuring that any action necessary is taken to remedy any breach of the Processor Policy by a non-European group member (or any non-European sub-processor appointed by a group member).
In particular:
-
If an individual or a Customer (acting as controller) can demonstrate damage it has suffered likely occurred because of a breach of this Processor Policy by a non-European group member (or a non-European sub-processor appointed by a group member), DocuSign International (EMEA) Ltd will have the burden of proof to show that the non-European group member (or non-European sub-processor) is not responsible for the breach, or that no such breach took place.
-
where a non-European group member (or any non-European third-party sub-processor acting on behalf of a group member) fails to comply with this Processor Policy, individuals may exercise their rights and remedies above against DocuSign International (EMEA) Ltd and, where appropriate, receive compensation (as determined by a competent court or other competent authority) from DocuSign International (EMEA) Ltd for any material or non-material damage suffered as a result of a breach of this Processor Policy.
Shared liability for breaches with controllers
Where DocuSign is engaged by a Customer to conduct processing and both are responsible for harm caused by the processing in breach of this Processor Policy, DocuSign accepts that both DocuSign and the Customer may be held liable for the entire damage in order to ensure effective compensation of the individual.
PART V: RELATED POLICIES AND PROCEDURES
APPENDIX 1 - LIST OF DOCUSIGN GROUP MEMBERS
The table below lists the DocuSign group members which are bound by DocuSign’s “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy”.
Name |
Details |
Country |
DocuSign International (EMEA) Limited |
Address: 5 Hanover Quay, Ground Floor, Dublin 2, Republic of Ireland Reg no.: 549615 |
Ireland |
DocuSign Brasil Soluções Em Tecnologia Ltda. (formerly, Comprova.com) |
Address: Rua Gomes de Carvalho, 1306 6º andar, Cj. 61 Vila Olímpia, São Paulo – SP CEP: 04547-005 Brazil Reg no.: 35.218.051.742 |
Brazil |
DocuSign Canada Ltd. |
Address: 3200 – 650 West Georgia Street, Vancouver BC V6B 4P7 Canada Reg no.: BC1081751 |
Canada |
Seal Software Egypt LLC |
Address: Cairo Festival City, Business Park B2, Building 12B04 Ground Floor, Street 90 Fifth Settlement, New Cairo Egypt Reg no.: 109958 |
Egypt |
DocuSign France SAS |
Address: Immeuble Central Park 9-15 rue Maurice Mallet 92130 Issy-les-Moulineaux France Reg no.: 812 611 150 |
France |
DocuSign Germany GmbH |
Address: Neue Rothofstrasse 13-19 60313 Frankfurt Germany Reg no.: HRB 111200 |
Germany |
DocuSign Israel Ltd |
Address: SIV Building 1 Ha’arava St. Floor 4, 5400804 Givat Shmuel Israel Reg no.: 511071086 |
Israel |
DocuSign Japan KK |
Address: Shiroyama Trust Tower 35F 4-3-1 Toranomon, Minato-ku Tokyo 105-6035 Japan Reg no.: 0100-01-167695 |
Japan |
Seal Software Norway AS |
Address: v/advokat Stale R Kristiansen c/o Advokatfirmaet Thommessen AS Haakon VIIs gate 10
Reg no.: 921 684 746 |
Norway |
DocuSign International (Asia-Pacific) Private Limited |
Address: 71 Robinson Road Singapore 068895 Reg no.: 201505623H |
Singapore |
Contract Analytics Development Sweden AB |
Address: Kungsgatan 34, 1 tr 411 19 Gothenburg, Sweden Reg no.: 556935-3674 |
Sweden |
DocuSign UK Limited |
Address: Broadgate Quarter 9 Appold Street, 2nd Floor London EC2A 2AP UK Reg no.: 10308354 |
United Kingdom |
Seal Software Limited |
Address: Broadgate Quarter 9 Appold Street, 2nd Floor London EC2A 2AP UK Reg no.: 06299540 |
United Kingdom |
DocuSign, Inc. |
Address: 221 Main Street, Suite 1550, San Francisco, CA 94105 Reg no.: 5711317 |
United States |
DocuSign International, Inc. |
Address: 221 Main Street, Suite 1550, San Francisco, CA 94105 Reg no.: 4980980 |
United States |
Seal Software Inc. |
Address: 221 Main Street, Suite 1550, San Francisco, CA 94105 Reg no.: 4936821 |
United States |
SpringCM, Inc. |
Address: 221 Main Street, Suite 1550, San Francisco, CA 94105 Reg no.: 3942077 |
United States |
Liveoak Technologies, Inc. |
Address: 221 Main Street, Suite 1550, San Francisco, CA 94105 Reg no.: 5675735 |
United States |
DocuSign Mexico, S. de R.L de C.V. |
Address: Insurgentes Sur 1650, Piso 12, C.P. 03900, Mexico CDMX Reg no.: N-2020078264 |
Mexico |
APPENDIX 2 - MATERIAL SCOPE OF THIS PROCESSOR POLICY
- Background
- DocuSign’s “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") provide a framework for the transfer of personal information between DocuSign group members.
- This document sets out the material scope of the Processor Policy. It specifies the data transfers or set of transfers, including the nature and categories of personal information, the type of processing and its purposes, the types of individuals affected, the identification of the third country or countries and lists the DocuSign products that are covered by the Processor Policy.
-
Important terms used within this Appendix
The following terms have the following meanings:
"Customer Services" means services provided by DocuSign to Customers through the DocuSign Platform. Such services include hosting and processing contract documentation and other documents of Customers on the DocuSign Platform on behalf of Customers.
"DocuSign Platform" means the digital transaction management platform provided by DocuSign to its Customers, which is used by Customers to facilitate digital transactions that include the signing process of contractual documents and other documents of the Customer. Specifically, the DocuSign Platform is comprised of the DocuSign products listed in paragraph 4.
-
Content data
Who transfers the personal information described in this section? |
Every DocuSign group member inside of the European Economic Area (“EEA”) may transfer the personal information that they process on behalf of a third-party Controller described in this section to every other DocuSign group member inside and outside of the EEA. Every group member outside of the EEA may also transfer the personal information that they process on behalf of a third-party Controller described in this section to every DocuSign group member inside and outside of the EEA. Transfers made directly from a third-party Controller (whether inside or outside of the EEA) directly to a group member as processor (whether inside or outside of the EEA) will also be within the scope of the Processor Policy. |
Who receives this personal information? |
Every DocuSign group member outside of the EEA may receive the personal information described in this section which is sent to them by other DocuSign group members or third-party controllers inside and outside of the EEA. Every group member inside of the EEA may also receive the personal information described in this section which is sent to them by other DocuSign group members or third-party controllers inside and outside of the EEA. |
What categories of personal information are transferred? |
Personal information of individuals processed by DocuSign as a processor in the course of delivering Customer Services. The type and nature of personal information that data subjects choose to enter into DocuSign's services is determined by the data subject, but may include (without limitation) some or all of the following:
|
What categories of sensitive personal information (if any) are transferred? |
DocuSign group members do not intentionally collect or process any sensitive personal information on behalf of controllers, unless expressly authorized and instructed by a respective Customer. |
Who are the types of individuals whose personal information are transferred? |
Individuals whose personal information is processed by DocuSign on behalf of its Customers through the DocuSign Platform. |
Why is this personal information transferred and how will it be used? |
|
Where is this personal information processed? |
The personal information described in this section may be processed in every territory where DocuSign group members or their processors are located. A list of DocuSign group member locations is available at Appendix 1 to this Processor Policy. |
-
DocuSign products
The DocuSign Platform covered by this Processor Policy will include all DocuSign products and services, including but not limited to the following DocuSign Products:
-
DocuSign eSignature and DocuSign eSignature-based products and services (including Rooms, DocuSign Gen and DocuSign Negotiate)
-
DocuSign CLM (Contract Lifecycle Management) service
-
SpringCM (Contract Management) service
-
Intelligent Seal-branded software and service, and other DocuSign products and services based on Seal technology
-
Liveoak digital software service and other DocuSign products and services based on the Liveoak technology
-
APPENDIX 3 - FAIR INFORMATION DISCLOSURES
-
Background
-
DocuSign’s “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") provide a framework for the transfer of personal information between DocuSign group members.
-
This Fair Information Disclosure document sets out the transparency information that DocuSign must provide to individuals when processing their personal information.
-
-
Information to be provided where DocuSign collects personal information directly from individuals
-
When DocuSign collects personal information directly from individuals, it must provide the following transparency information:
-
the identity and contact details of the data controller and, where applicable, of its representative;
-
the contact details of the data protection officer, where applicable;
-
the purposes of the processing for which the personal information are intended as well as the legal basis for the processing;
-
where the processing is based on DocuSign's or a third party's legitimate interests, the legitimate interests pursued by DocuSign or by the third party;
-
the recipients or categories of recipients of the personal information, if any; and
-
where applicable, the fact that a group member in Europe intends to transfer personal information to a third country or international organisation outside of Europe, and the measures that the group member will take to ensure the personal information remains protected in accordance with applicable data protection laws and how to obtain a copy of such measures.
-
-
In addition to the information above, DocuSign shall also provide individuals with the following further information necessary to ensure fair and transparent processing, at the time of collection:
-
the period for which the personal information will be stored, or if that is not possible, the criteria used to determine that period;
-
information about the individuals' rights to request access to, rectify or erase their personal information, as well as the right to restrict or object to the processing, and the right to data portability;
-
where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
-
the right to lodge a complaint with the competent supervisory authority;
-
whether the provision of personal information is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal information and of the possible consequences of failure to provide such information; and
-
the existence of automated decision-making, including profiling, where such decisions may have a legal effect or significantly affect the individuals whose personal information are collected, together with any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for those individuals.
-
-
The transparency information described in this paragraph must be provided at the time that DocuSign obtains the personal information from the individual.
-
-
Information to be provided where DocuSign collects personal information about individuals from a third party source
-
When DocuSign collects personal information from a third party source (that is, someone other than the individual him- or herself), it must provide the following transparency information:
-
the information described in paragraphs 2.1 and 2.2 above;
-
the categories of personal information that are being processed; and
-
details of the third party source from which DocuSign obtained the personal information including, if applicable, identifying whether the personal information came from publicly accessible sources.
-
-
The transparency information described in this paragraph must be provided within a reasonable period after DocuSign obtains the personal information and, at the latest, within one month, having regard to the specific circumstances in which the personal information are processed. In addition:
-
if the personal information are to be used for communication with the individual, the transparency information described in this paragraph must be provided at the latest at the time of the first communication to that individual; and
-
if a disclosure of the personal information to another recipient is envisaged, the transparency information described in this paragraph must be provided at the latest when the personal information are first disclosed.
-
-
-
Derogations from providing transparency disclosures
-
The requirements to provide transparency information as described in this Fair Information Disclosures document shall not apply where and insofar as:
-
the individual already has the information;
-
the provision of such information provides impossible or would involve a disproportionate effort, and DocuSign takes appropriate measures, consistent with the requirements of applicable data protection laws, to protect the individual’s rights and freedoms and legitimate interests, including by making the transparency information publicly available;
-
obtaining or disclosure is expressly laid down by applicable laws to which DocuSign is subject and these laws provide appropriate measures to protect the individual’s legitimate interests; or
-
where the personal information must remain confidential subject to an obligation of professional secrecy regulated by applicable laws to which DocuSign is subject, including a statutory obligation of secrecy.
-
-
APPENDIX 4 - DATA PROTECTION RIGHTS PROCEDURE
-
Background
-
DocuSign's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal information transferred between the DocuSign group members.
-
Individuals whose personal information are processed by DocuSign under the Policies have certain data protection rights, which they may exercise by making a request to the controller of their information (whether the controller is DocuSign or a Customer) (a “Data Protection Rights Request”).
-
This Binding Corporate Rules: Data Protection Rights Procedure (“Procedure”) describes how DocuSign will respond to any Data Protection Rights Requests it receives from individuals whose personal information are processed and transferred under the Policies.
-
-
Individual’s data protection rights
-
DocuSign must assist individuals to exercise the following data protection rights, consistent with the requirements of applicable data protection laws:
-
The right of access: This is the right for individuals to obtain confirmation whether a controller processes personal information about them and, if so, to be provided with access to, and a copy of, that personal information. This process for handling this type of request is described further in paragraph 4 below.
-
The right to rectification: This is the right for individuals to require a controller to rectify without undue delay any inaccurate personal information a controller may be processing about them. The process for handling this type of request is described further in paragraph 5 below.
-
The right to erasure: This is the right for individuals to require a controller to erase personal information about them on certain grounds – for example, where the personal information is no longer necessary to fulfil the purposes for which it was collected. The process for handling this type of request is described further in paragraph 5 below.
-
The right to restriction: This is the right for individuals to require a controller to restrict processing of personal information about them on certain grounds. The process for handling this type of request is described further in paragraph 5 below.
-
The right to object: This is the right for individuals to object, on grounds relating to their particular situation, to a controller’s processing of personal information about them, if certain grounds apply. The process for handling this type of request is described further in paragraph 5 below.
-
The right to data portability: This is the right for individuals to receive personal information concerning them from a controller in a structured, commonly used and machine-readable format and to transmit that information to another controller, if certain grounds apply. The process for handling this type of request is described further in paragraph 6 below.
-
-
-
Responsibility to respond to a Data Protection Rights Request
-
Overview
-
The controller of an individual’s personal information is primarily responsible for responding to a Data Protection Rights Request and for helping the individual concerned to exercise his or her rights under applicable data protection laws.
-
As such, when an individual contacts DocuSign to make any Data Protection Rights Request then:
-
where DocuSign is the controller of that individual’s personal information under the Controller Policy, it must help the individual to exercise his or her data protection rights directly in accordance with this Procedure; and
-
where DocuSign processes that individual’s personal information as a processor on behalf of a Customer under the Processor Policy, DocuSign must inform the relevant Customer promptly and provide it with reasonable assistance (which may include in-product self-service functionality) to help the individual to exercise his or her rights in accordance with the Customer’s duties under applicable data protection laws.
-
-
-
Assessing responsibility to respond to a Data Protection Rights Request
-
If a group member receives a Data Protection Rights Request from an individual, it must pass the request to the Office of the Chief Privacy Officer at privacy@docusign.com immediately upon receipt indicating the date on which it was received together with any other information which may assist the Office of the Chief Privacy Officer to deal with the request.
-
The Office of the Chief Privacy Officer will make an initial assessment of the request as follows:
-
the Office of the Chief Privacy Officer will determine whether DocuSign is a controller or processor of the personal information that is the subject of the request;
-
where the Office of the Chief Privacy Officer determines that DocuSign is a controller of the personal information, it will then determine whether the request has been made validly under applicable data protection laws (in accordance with section 3.3 below), whether an exemption applies (in accordance with section 3.4 below) and respond to the Request (in accordance with section 3.5 below); and
-
where the Office of the Chief Privacy Officer determines that DocuSign is a processor of the personal information on behalf of a Customer, it shall pass the request promptly to the relevant Customer in accordance with its contract terms with that Customer.
-
-
-
Assessing the validity of a Data Protection Rights Request
-
If the Office of the Chief Privacy Officer determines that DocuSign is the controller of the personal information that is the subject of the request, it will contact the individual promptly in writing to confirm receipt of the Data Protection Rights Request.
-
A Data Protection Rights Request must generally be made in writing, which can include email, unless applicable data protection laws allow a request to be made orally (for example under Europe's General Data Protection Regulation). A Data Protection Rights Request does not have to be official or mention data protection law to qualify as a valid request.
-
If DocuSign has reasonable doubts concerning the identity of the individual making a request, it may request such additional information as is necessary to confirm the identity of the individual making the request. DocuSign may also request any further information which is necessary to action the individual's request.
-
-
Exemptions to a Data Protection Rights Request
-
DocuSign will not refuse to act on Data Protection Rights Request unless it can demonstrate that an exemption applies under applicable data protection laws.
-
DocuSign may be exempt under applicable data protection laws from fulfilling the Data Protection Rights Request (or be permitted to charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested) if it can demonstrate that the individual has made a manifestly unfounded or excessive request (in particular, because of the repetitive character of the request).
-
If DocuSign decides not to take action on the Data Protection Rights Request, DocuSign will inform the individual without delay and at the latest within one (1) month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the competent supervisory authority and lodging a claim before the court
-
-
Responding to a Data Protection Rights Request
-
Where DocuSign is the controller of the personal information that is the subject of the Data Protection Rights Request, and DocuSign has already confirmed the identity of the requestor and has sufficient information to enable it to fulfil the request (and no exemption applies under applicable data protection laws), then DocuSign shall handle the Data Protection Rights Request in accordance with paragraph 4, 5 or 6 below (as appropriate).
-
DocuSign will respond to a Data Protection Rights Request without undue delay and in no case later than one (1) month of receipt of that request. This one (1) month period may be extended by two (2) further months where necessary, if the request is complex or due to the number of requests that have been made.
-
-
-
Requests for access to personal information
-
Overview
-
An individual may require a controller to provide the following information concerning processing of his or her personal information:
-
confirmation as to whether the controller holds and is processing personal information about that individual;
-
if so, a description of the purposes of the processing, the categories of personal information concerned, the recipients or categories of recipients to whom the information is, or may be, disclosed, the envisaged period(s) (or the criteria used for determining those period(s)) for which the personal information will be stored;
-
information about the individual’s right to request rectification or erasure of his or her personal information or to restrict or object to its processing;
-
information about the individual’s right to lodge a complaint with a competent data protection authority;
-
information about the source of the personal information if it was not collected from the individual;
-
details about whether the personal information is subject to automated decision-making (including automated decision-making based on profiling); and
-
where personal information is transferred outside Europe, the appropriate safeguards that DocuSign has put in place relating to such transfers in accordance with applicable data protection laws.
-
-
An individual is also entitled to request a copy of his or her personal information from the controller. Where an individual makes such a request, the controller must provide that personal information to the individual in intelligible form.
-
-
Process for responding to access requests from individuals
-
If DocuSign receives an access request from an individual, this must be passed to the Office of the Chief Privacy Officer at privacy@docusign.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.
-
Where DocuSign determines it is the controller of the personal information and responsible for responding to the individual directly (and that no exemption to the right of access applies under applicable data protection laws), the Office of the Chief Privacy Officer will arrange a search of all relevant electronic and paper filing systems.
-
The Office of the Chief Privacy Officer may refer any complex cases to the Chief Privacy Officer for advice, particularly where the request concerns information relating to third parties or where the release of personal information may prejudice commercial confidentiality or legal proceedings.
-
The personal information that must be disclosed to the individual will be collated by the Office of the Chief Privacy Officer into a readily understandable format. A covering letter will be prepared by the Office of the Chief Privacy Officer which includes all information required to be provided in response to an individual's access request (including the information described in paragraph 4.1.1).
-
-
Exemptions to the right of access
-
A valid request may be refused on the following grounds:
-
if the refusal to provide the information is consistent with applicable data protection law (for example, where a European group member transfers personal information under the Controller Policy, if the refusal to provide the information is consistent with the applicable data protection law in the European Member State where the group member is located);
-
where the personal information is held by DocuSign in non-automated form that is not or will not become part of a filing system; or
-
the personal information does not originate from Europe, has not been processed by any European group member, and the provision of the personal information requires DocuSign to use disproportionate effort.
-
-
The Office of the Chief Privacy Officer will assess each request individually to determine whether any of the above-mentioned exemptions applies. A group member must never apply an exemption unless this has been discussed and agreed with the Office of the Chief Privacy Officer.
-
-
-
Requests to correct, update or erase personal information, or to restrict, cease or object to processing personal information
-
If DocuSign receives a request to correct, update or erase personal information, or to restrict or cease processing of an individual’s personal information, this must be passed to the Office of the Chief Privacy Officer at privacy@docusign.com immediately to make an initial assessment of responsibility consistent with the requirements of paragraph 3.2 above.
-
Once an initial assessment of responsibility has been made then:
-
where DocuSign is the controller of that personal information, the request must be notified to the Office of the Chief Privacy Officer promptly for it to consider and deal with as appropriate in accordance with applicable data protection laws.
-
where a Customer is the controller of that personal information, the request must be notified to the Customer promptly for it to consider and deal with as appropriate in accordance with its duties under applicable data protection laws. DocuSign shall assist the Customer to fulfil the request in accordance with the terms of its contract with the Customer.
-
-
To assist the Office of the Chief Privacy Officer in assessing an individual's objection to processing of his or her personal information, the grounds upon which an individual may object are when:
-
DocuSign processes the personal information on grounds that:
-
the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in DocuSign;
-
the processing is necessary for the purposes of legitimate interests pursued by DocuSign or by a third party; or
-
including profiling based on those grounds. When an individual raises an objection in such circumstances, DocuSign shall no longer process the personal information unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defence of legal claims.
-
-
DocuSign processes the personal information for direct marketing purposes, including profiling to the extent that it is related to direct marketing. When an individual raises an objection in such circumstances, DocuSign shall no longer process the personal information for such direct marketing purposes.
-
-
To assist the Office of the Chief Privacy Officer in assessing an individual's request for restriction of processing of his or her personal information, the grounds upon which an individual may request restriction are when:
-
the accuracy of the personal information is contested by the individual, for a period enabling DocuSign to verify the accuracy of the personal information;
-
the processing is unlawful and the individual opposes the erasure of the personal information and requests the restriction of its use instead;
-
DocuSign no longer needs the personal information for the purposes of the processing, but it is required by the individual for the establishment, exercise or defence of legal claims; or
-
the individual has exercised his or her right to object pending the verification whether the legitimate grounds of the controller override his or her objection right.
-
-
To assist the Office of the Chief Privacy Officer in assessing an individual's request for erasure of his or her personal information, the grounds upon which an individual may request erasure are when:
-
the personal information are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
-
the individual withdraws consent on which the processing is based and there is no other legal ground for the processing;
-
the individual exercises its right to object to processing of his or her personal information and there are no overriding legitimate grounds for continue processing;
-
the personal information have been unlawfully processed;
-
the personal information have to be erased for compliance with a legal obligation to which the controller is subject; or
-
the personal information have been collected in relation to the offer of information society services to a child under the age of 16 and a parent or guardian has not consented to the processing.
-
-
When DocuSign must rectify or erase personal information, either in its capacity as controller or on instruction of a Customer when it is acting as a processor, DocuSign will notify other group members and any sub-processor to whom the personal information has been disclosed so that they can also update their records accordingly.
-
Where DocuSign acting as a controller must restrict processing of an individual's personal information, it must inform the individual before it subsequently lifts any such restriction.
-
If DocuSign acting as controller has made the personal information public, and is obliged to erase the personal data pursuant to a Data Protection Rights Request, it must take reasonable steps, including technical measures (taking account of available technology and the cost of implementation), to inform controllers which are processing the personal information that the individual has requested the erasure by such controllers of any links to, or copy or replication of, the personal information.
-
-
Requests for data portability
-
If an individual makes a Data Protection Rights Request to DocuSign acting as controller to receive the personal information that he or she has provided to DocuSign in a structured, commonly used and machine-readable format and/or to transmit directly such information to another controller (where technically feasible), the Office of the Chief Privacy Officer will consider and deal with the request appropriately in accordance with applicable data protection laws insofar as the processing is based on that individual's consent or on the performance of, or steps taken at the request of the individual prior to entry into, a contract.
-
-
Questions about this Data Protection Rights Procedure
-
All queries relating to this Procedure are to be addressed to the Office of the Chief Privacy Officer or at privacy@docusign.com.
-
APPENDIX 5 - PRIVACY COMPLIANCE STRUCTURE
-
Background
DocuSign's compliance with global data protection laws and the “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") is overseen and managed throughout all levels of the business by a global, multi-layered, cross-functional Privacy Compliance Structure.
DocuSign’s Privacy Compliance Structure has the full support of DocuSign’s executive management. Further information about DocuSign's Privacy Compliance Structure is set out below and in the structure chart provided at Annex 1.
-
Chief Privacy Officer
DocuSign has appointed a Chief Privacy Officer who provides executive-level oversight of, and has responsibility for, ensuring DocuSign's compliance with applicable data protection laws and the Policies.
The Chief Privacy Officer has direct line reporting to DocuSign's Board of Directors on all material or strategic issues relating to DocuSign's compliance with data protection laws and the Policies, and is also accountable to DocuSign's independent audit committee.
The Chief Privacy Officer is supported in the exercise of its responsibilities by the office of the Chief Privacy Officer, the Security & Privacy Council, and any other personnel that the Chief Privacy Officer may designate from time to time to provide such support.
-
The Office of the Chief Privacy Officer
The Office of the Chief Privacy Officer is comprised of members of the Legal department and supports the Chief Privacy Officer in the exercise of his/her responsibilities.
The activities of the Office of the Chief Privacy Officer include:
-
maintaining a comprehensive privacy program that defines, develops, maintains and implements Policies and processes to comply with data protection laws.
-
supervising compliance with the Policies;
-
providing periodic reports, as appropriate, to the Chief Executive Officer and other business executives and staff on data protection risks and compliance issues;
-
overseeing privacy program activities, including privacy impact assessment, data protection impact assessment, and records of processing activities;
-
ensuring that effective data privacy controls as implemented across DocuSign are in place for any third party with which DocuSign share personal information or any third party from whom DocuSign receives personal information;
-
deciding on complaints as described the Complaint Handling Procedure; and
-
overseeing official investigations or inquiries into the processing of personal information by a public authority or employee representative body.
-
-
Security & Privacy Council
The DocuSign Security & Privacy Council comprises representatives from key functional groups for DocuSign’s business, including the office of the Chief Privacy Officer, Information Security, Risk & Compliance, Legal, Engineering, Technical Operations, Finance and Information Technology to ensure appropriate oversight for privacy controls implemented across the business and ensuring business ownership for applicable aspects of DocuSign's data protection compliance.
The Security & Privacy Council is accountable for assessing privacy controls and identifying potential areas of improvement for DocuSign's data privacy program internally . In this way, the Security & Privacy Council is actively engaged in addressing matters relating to DocuSign's privacy compliance across such key functional groups of DocuSign.
-
DocuSign Staff
All staff members within DocuSign are responsible for supporting the functional Security & Privacy Council members on a day-to-day basis and adhering to DocuSign privacy policies.
In addition, DocuSign personnel are responsible for escalating and communicating any potential violation of the privacy policies to the appropriate Security & Privacy Council member, or, if they prefer, the office of the Chief Privacy Officer. On receipt of a notification of a potential violation of the privacy policy the issue will be investigated to determine if an actual violation occurred. Results of such investigations will be documented.
Annex 1: Overview of DocuSign's Privacy Compliance Structure
APPENDIX 6 - PRIVACY TRAINING REQUIREMENTS
-
Background
- The “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") provide a framework for the transfer of personal information between DocuSign group members. The document sets out the requirements for DocuSign to train its staff members on the requirements of the Policies.
- DocuSign must train staff members (including new hires, temporary staff and individual contractors whose roles bring them into contact with personal information) on the basic principles of data protection, confidentiality and information security awareness. This must include training on applicable data protection laws, including European data protection laws and may include training on any other relevant data protection laws that apply to DocuSign. Training may also include guidance on data protection best practices and any security standards controls applicable to DocuSign (such as ISO 27001 and SSAE 18).
- Staff members who have permanent or regular access to personal information and who are involved in the processing of personal information or in the development of tools to process personal information must receive additional, tailored training on the Policies and specific data protection issues relevant to their role. This training is further described below and is repeated on a regular basis.
-
Responsibility for the Privacy Training Program
- DocuSign's Office of the Chief Privacy Officer has overall responsibility for privacy training at DocuSign, with input with colleagues from other functional areas including Information Security, HR and other departments, as appropriate. They will review training from time to time to ensure it addresses all relevant aspects of the Policies and that it is appropriate for individuals who have permanent or regular access to personal information, who are involved in the processing of personal information or in the development of tools to process personal information.
- DocuSign's senior management is committed to the delivery of data protection training courses, and will ensure that staff are required to participate, and given appropriate time to attend, such courses. Course attendance will be recorded and monitored via regular audits of the training process. These audits are performed by DocuSign's internal training administration team and/or independent third-party auditors.
- If these training audits reveal persistent non-attendance, this will be escalated to the Office of the Chief Privacy Officer for action. Such action may include escalation of non-attendance to appropriate managers within DocuSign who will be responsible and held accountable for ensuring that the individual(s) concerned attend and actively participate in such training.
-
Delivery of the training courses
- DocuSign will deliver mandatory electronic training courses, supplemented by live training for staff members in appropriate cases. The courses are designed to be both informative and user-friendly, generating interest in the topics covered.
- All DocuSign staff members must complete data protection training (including training on the Policies):
-
as part of their onboarding activities;
-
as part of a regular refresher training at least once every calendar year;
-
as and when necessary to stay aware of changes in the law; and
-
as and when necessary to address any compliance issues arising from time to time.
-
- Certain staff members may be required to receive supplemental specialist training, such as staff members who work in Marketing, Sales, and Customer Support or whose business activities include processing sensitive personal data. Specialist training shall be delivered as additional modules to the basic training package, and may be tailored as necessary to the course participants.
-
Training on data protection
- DocuSign's training on data protection and the Policies will cover the following main areas:
-
What is data protection law?
-
What are key data protection terminology and concepts?
-
What are the data protection principles?
-
How does data protection law affect DocuSign globally?
-
An overview of the Controller and Processor Policies
-
Practical examples of how and when the Controller and Processor Policies apply
-
- DocuSign's training on data protection and the Policies will cover the following main areas:
APPENDIX 7 - AUDIT PROTOCOL
-
Background
-
DocuSign's “Binding Corporate Rules: Controller Policy” and “Binding Corporate Rules: Processor Policy” (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal information transferred between the DocuSign group members. Roles are defined in Appendix 5.
-
DocuSign must audit its compliance with the Policies on a regular basis and this document describes how and when DocuSign must perform such audits. Although this Audit Protocol describes the formal assessment process by which DocuSign will audit its compliance with the Policies, this is only one way in which DocuSign ensures that the provisions of the Policies are observed and corrective actions taken as required.
-
In particular, DocuSign's Privacy Team provides ongoing guidance about the processing of personal information and must continually assess the processing of personal information by group members for potential privacy-related risks and compliance with these Policies.
-
-
Conduct of an audit
-
Overview of audit requirements
-
Compliance with the Policies is overseen on a day to day basis by the office of the Chief Privacy Officer. The internal audit team (for itself or through its delegate) is responsible for performing independent audits of compliance with the Policies periodically and will ensure that such audits address all aspects of the Policies, to be overseen by the office of the Chief Privacy Officer. The Chief Privacy Officer will determine the specific privacy controls that the internal audit team will audit in advance of any such audit.
-
The internal audit team is responsible for ensuring that any issues or instances of non-compliance with the Policies are brought to the attention of the Chief Privacy Officer and that any corrective actions are determined and implemented within a reasonable time. Serious non-compliance issues will be escalated to the Board of Directors in accordance with paragraph 2.5.1. Any non-compliance with the Policies will be reported back to the Responsible Executive.
-
Where DocuSign acts as a processor, the Customer (or auditors acting on its behalf) may audit DocuSign for compliance with the commitments made in the Processor Policy and may extend such audits to any sub-processors acting on DocuSign's behalf in respect of such processing. Such audits shall be conducted in accordance with the terms of Customer's contract with DocuSign. Where the Customer agrees, DocuSign and its sub-processors may fulfil such Customer audit requirements by providing relevant, complete and accurate evidence of recent data protection and information security audits to which they have been subject.
-
All audits shall be conducted by an inspections body composed of independent members and in possession of the required professional qualifications, bound by a duty of confidentiality.
-
-
Frequency of audit
-
Audits of compliance with the Policies are conducted:
-
at least annually in accordance with DocuSign's audit procedures;
-
at the request of the Chief Privacy Officer and/or the Board of Directors;
-
as may be determined necessary by the office of the Chief Privacy Officer (for example, in response to a specific incident); and/or
-
(with respect to audits of the Processor Policy), as required by the terms of the Customer's contract with DocuSign.
-
-
-
Scope of audit
-
The Chief Privacy Officer will determine the scope of an audit following a risk-based analysis, taking into account relevant criteria such as:
-
areas of current regulatory focus;
-
areas of specific or new risk for the business;
-
areas with changes to the systems or processes used to safeguard information;
-
use of innovative new tools, systems or technologies
-
areas where there have been previous audit findings or complaints;
-
the period since the last review; and
-
the nature and location of the personal information processed.
-
-
If a Customer exercises its right to audit DocuSign for compliance with the Processor Policy, the scope of the audit shall be limited to the data processing facilities, data files and documentation relating to DocuSign's processing of Personal Information for that Customer under the Processor Policy. DocuSign will not provide a Customer with access to systems which process personal information of another Customer.
-
-
Auditors
-
Audit of the Policies (including any related procedures and controls) will be undertaken by the internal audit team and/or the office of the Chief Privacy Officer. In addition, DocuSign may appoint independent and experienced professional auditors acting under a duty of confidence and in possession of the required professional qualifications as necessary to perform audits of the Policies (including any related procedures and controls).
-
If a Customer exercises its right to audit DocuSign for compliance with the Processor Policy, such audit may be undertaken by that Customer, or by independent and suitably experienced auditors approved by that Customer, in accordance with the terms of the Customer's contract with DocuSign.
-
-
Reporting
-
Data protection audit reports must be submitted to the Office of the Chief Privacy Officer and, if the report reveals breaches or the potential for breaches of a serious nature (for example, presenting a risk of potential harm to individuals or to the business), to the Board of Directors.
-
Upon request and subject to applicable law, DocuSign will:
-
provide copies of the results of data protection audits of the Policies (including any related procedures and controls) to the competent data protection authorities; and
-
to the extent that an audit of compliance with the Processor Policy relates to personal information DocuSign processes on behalf of a Customer, to that Customer.
-
-
The Office of the Chief Privacy Officer is responsible for liaising with the competent data protection authorities for the purpose of providing the information outlined in paragraph 2.5.2.
-
-
Data protection authority audits
-
The competent data protection authorities audit group members for compliance with the Policies (including any related procedures and controls) in accordance with the Binding Corporate Rules: Cooperation Procedure (see Appendix 9).
-
-
APPENDIX 8 - COMPLAINT HANDLING PROCEDURE
-
Background
-
DocuSign's "Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy") safeguard personal information transferred between the DocuSign group members.
-
This Complaint Handling Procedure describes how complaints brought by an individual whose personal information is processed by DocuSign under the Policies must be addressed and resolved.
-
This procedure will be made available to individuals whose personal information is processed by DocuSign under the Controller Policy and to Customers on whose behalf DocuSign processes personal information under the Processor Policy.
-
-
How individuals can bring complaints
-
Any individuals may raise a data protection question, concern or complaint (whether related to the Policies or not) by e-mailing DocuSign’s Office of the Chief Privacy Officer at privacy@docusign.com.
-
-
Complaints where DocuSign is a controller
-
Who handles complaints?
-
The Office of the Chief Privacy Officer will handle all questions, concerns, or complaints in respect of personal information for which DocuSign is a controller (such as personal information processed in the context of HR admin or customer relationship management), including questions, concerns or complaints arising under the Controller Policy. The Office of the Chief Privacy Officer will liaise with colleagues from relevant business and support units as necessary to address and resolve such questions, concerns and complaints.
-
-
What is the response time?
-
The Office of the Chief Privacy Officer will acknowledge receipt of a question, concern or complaint to the individual concerned without undue delay, investigating and making a substantive response within one (1) month.
-
If, due to the complexity of the question, concern or complaint, a substantive response cannot be given within this period, the Office of the Chief Privacy Officer will advise the individual accordingly and provide reasons why an extension is necessary and a reasonable estimate (not exceeding two (2) months) of the timescale within which a substantive response will be provided.
-
If, having reviewed the question, concern or complaint, the Office of the Chief Privacy Officer does not take action that has been requested by the individual, the Office of the Chief Privacy Officer shall inform the individual without delay and of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
-
-
What happens if an individual disputes a finding?
-
If the individual notifies the Office of the Chief Privacy Officer that it disputes any aspect of the response finding and wishes to further escalate the matter within DocuSign, the Office of the Chief Privacy Officer will refer the matter to the Chief Privacy Officer. The Chief Privacy Officer will review the case and advise the individual of his or her decision either to accept the original finding or to substitute a new finding. The Chief Privacy Officer will respond to the complainant within one (1) month from being notified of the escalation of the dispute.
-
As part of its review, the Chief Privacy Officer may arrange to meet the parties to the dispute in an attempt to resolve it. If, due to the complexity of the dispute, a substantive response cannot be given within one (1) month of its escalation, the Chief Privacy Officer will advise the complainant accordingly and provide a reasonable estimate for the timescale within which a response will be provided which will not exceed two (2) months from the date the dispute was escalated.
-
If the complaint is upheld, the Chief Privacy Officer will arrange for any necessary steps to be taken as a consequence (for example, implementing procedures to remedy the complaint and prevent recurrence).
-
-
-
Complaints where DocuSign is a processor
-
Communicating complaints to the Customer
-
Where a complaint is brought in respect of the processing of personal information for which DocuSign is a processor on behalf of a Customer, DocuSign will communicate the details of the complaint to the relevant Customer without delay and without handling it (unless DocuSign has agreed in the terms of its contract with the Customer to handle complaints).
-
DocuSign will cooperate with the Customer to investigate the complaint, in accordance with the terms of its contract with the Customer and if so instructed by the Customer.
-
-
What happens if a Customer no longer exists?
-
In circumstances where a Customer has disappeared, no longer exists or has become insolvent, and no successor entity has taken its place, individuals whose personal information are processed under the Processor Policy have the right to complain to DocuSign and DocuSign will handle such complaints in accordance with paragraph 3 of this Complaint Handling Procedure.
-
In such cases, individuals also have the right to complain to a competent data protection authority and to file a claim with a court of competent jurisdiction, including where they are not satisfied with the way in which their complaint has been resolved by DocuSign. Such complaints and proceedings will be handled in accordance with paragraph 5 of this Complaint Handling Procedure.
-
-
-
Right to complain to a competent data protection authority and to commence proceedings
-
Overview
-
Where individuals' personal information:
-
are processed in Europe by a group member acting as a controller and/or transferred to a group member located outside Europe under the Controller Policy; or
-
are processed in Europe by a group member acting as a processor and/or transferred to a group member located outside Europe under the Processor Policy;
then those individuals have certain additional rights to pursue effective remedies for their complaints, as described below.
-
-
The individuals described above have the right to complain to a competent data protection authority (in accordance with paragraph 5.2) and/or to commence proceedings in a court of competent jurisdiction (in accordance with paragraph 5.3), whether or not they have first complained directly to the Customer in question or to DocuSign under this Complaints Handling Procedure. However, DocuSign's endeavours to resolve all complaints amicably and directly, wherever possible, and for that reason encourages any individual with a complaint to contact the Office of the Chief Privacy Officer before complaining to a competent data protection authority and/or commencing proceedings.
-
DocuSign accepts that complaints and claims made pursuant to paragraphs 5.2 and 5.3 may be lodged by a non-for-profit body, organisation or association acting on behalf of the individuals concerned.
-
-
Complaint to a data protection authority
-
If an individual wishes to complain about DocuSign’s processing of his or her personal information to a data protection authority, on the basis that a European group member has processed personal information in breach of the Policies or in breach of applicable data protection laws, he or she may complain about that European group member to the data protection authority in the European territory:
-
of his or her habitual residence;
-
of his or her place of work; or
-
where the alleged infringement occurred.
-
-
If an individual wishes to complain about DocuSign’s processing of his or her personal information to a data protection authority, on the basis that a non-European group member has processed personal information in breach of the Policies or in breach of applicable data protection laws, then DocuSign International (EMEA) Ltd will submit to the jurisdiction of the competent data protection authority (determined in accordance with paragraph 5.2.1 above) in place of that non-European group member, as if the alleged breach had been caused by the DocuSign International (EMEA) Ltd.
-
-
Proceedings before a national court
-
If an individual wishes to commence court proceedings against DocuSign, on the basis that a European group member has processed personal information in breach of the Policies or in breach of applicable data protection laws, then he or she may commence proceedings against that European group member in the European territory:
-
in which that European group member is established; or
-
of his or her habitual residence.
-
-
If an individual wishes to commence court proceedings against DocuSign, on the basis that a non-European group member has processed personal information in breach of the Policies or in breach of applicable data protection laws, then DocuSign International (EMEA) Ltd will submit to the jurisdiction of the competent data court (determined in accordance with paragraph 5.3.1 above) in place of that non-European group member, as if the alleged breach had been caused by the DocuSign International (EMEA) Ltd.
-
-
An individual's right to lodge proceedings before a competent court shall be without prejudice to any administrative or non-judicial remedy available to that data subjects, including the right to lodge a complaint with a competent data protection authority.
APPENDIX 9 - CO-OPERATION PROCEDURE
-
Background
-
DocuSign’s Binding Corporate Rules: Cooperation Procedure sets out the way in which DocuSign will cooperate with competent data protection authorities in relation to the "DocuSign Binding Corporate Rules: Controller Policy" and "Binding Corporate Rules: Processor Policy" (together the “Policies” or, respectively, the "Controller Policy" and the "Processor Policy").
-
-
Cooperation Procedure
-
Where required, DocuSign will make the necessary personnel available for dialogue with a competent data protection authority in relation to the Policies.
-
DocuSign will review, consider and implement:
-
any advice or decisions of relevant competent data protection authorities on any data protection law issues that may affect the Policies; and
-
any guidance published by data protection authorities (including the European Data Protection Board or any successor to it) in connection with Binding Corporate Rules for Processors and Binding Corporate Rules for Controllers.
-
-
Subject to applicable data protection law, DocuSign will provide upon request copies of the results of any audit it conducts of the Policies to a competent data protection authority.
-
DocuSign agrees that:
-
a data protection authority may audit any group member over which it exercises jurisdiction for compliance with the Policies, in accordance with the applicable data protection law(s) of that jurisdiction; and
-
a data protection authority may audit any group member who processes personal information for a Customer over which that data protection authority exercises jurisdiction for compliance with the Policies, in accordance with the applicable data protection law(s) of that jurisdiction and with full respect to the confidentiality of the information obtained and to the trade secrets of DocuSign (unless this requirement is in conflict with applicable data protection law).
-
-
DocuSign agrees to abide by a formal decision of any competent data protection authority on any issues relating to the interpretation and application of the Policies (unless and to the extent that DocuSign is entitled to appeal any such decision and has chosen to exercise such right of appeal).
-
APPENDIX 10 - UPDATING PROCEDURE
-
Background
- DocuSign’s Binding Corporate Rules: Updating Procedure describes how DocuSign must communicate changes to the "Binding Corporate Rules: Controller Policy" ("Controller Policy") and to the "Binding Corporate Rules: Processor Policy" ("Processor Policy") (together the "Policies") to competent data protection authorities, individual data subjects, its Customers and to DocuSign group members bound by the Policies.
- The Chief Privacy Officer is accountable for ensuring that the commitments made by DocuSign in this Updating Procedure are met.
-
Records keeping
- DocuSign must maintain a change log which sets out details of each and every revision made to the Policies, including the nature of the revision, the reasons for making the revision, the date the revision was made, and who authorised the revision.
- DocuSign must also maintain an accurate and up-to-date list of group members that are bound by the Policies and of the sub-processors appointed by DocuSign to process personal information on behalf of Customers. This information must be made available on request to competent data protection authorities and to Customers and individuals who benefit from the Policies.
- The Office of the Chief Privacy Officer shall be responsible for ensuring that the records described in this paragraph 2 are maintained and kept accurate and up-to-date.
-
Changes to the Policies
- All proposed changes to the Policies must be reviewed and approved by the Chief Privacy Officer in order to ensure that a high standard of protection is maintained for the data protection rights of individuals who benefit from the Policies. No changes to the Policies shall take effect unless reviewed and approved by the Chief Privacy Officer.
- DocuSign will communicate all changes to the Policies (including reasons that justify the changes) or to the list of group members bound by the Policies:
-
to the group members bound by the Policies via written notice (which may include e-mail or posting on an internal Intranet accessible to all group members);
-
to Customers and the individuals who benefit from the Policies via online publication at www.docusign.com (and, if any changes are material in nature, DocuSign must also actively communicate the material changes to Customers before they take effect, in accordance with paragraph 4.2 below); and
-
to the data protection authority that was the lead authority for the purposes of granting DocuSign’s BCR authorisation (“Lead Authority”), and any other relevant data protection authorities the Lead Authority may direct, at least once a year.
-
-
Communication of material changes
- If DocuSign makes any material changes to the Policies or to the list of group members bound by the Policies that affect the level of protection offered by the Policies or otherwise significantly affect the Policies (for example, by making changes to the binding nature of the Policies), it will promptly report such changes (including the reasons that justify such changes) to the Lead Authority and all other DocuSign group members.
- If a proposed change to the Processor Policy will materially affect DocuSign’s processing of personal information on behalf of a Customer, DocuSign will also:
-
actively communicate the proposed change to the affected Customer before it takes effect, and with sufficient notice to enable the affected Customer to raise objections; and
-
the Customer may then suspend the transfer of personal information to DocuSign and/or terminate the contract, in accordance with the terms of its contract with DocuSign.
-
-
Transfers to new group members
- If DocuSign intends to transfer personal information to any new group members under the Policies, it must first ensure that all such new group members are bound by the Policies before transferring personal information to them.
APPENDIX 11 - GOVERNMENT DATA REQUEST PROCEDURE
-
Introduction
- This Binding Corporate Rules: Government Data Request Procedure sets out DocuSign's procedure for responding to a request received from a law enforcement or other government authority (together the "Requesting Authority") to disclose personal information processed by DocuSign (hereafter "Data Disclosure Request"). The term "Data Disclosure Request" includes requests for voluntary disclosure of personal information, as well as compelled disclosure orders pursuant to a subpoena, warrant or court order.
- Where DocuSign receives a Data Disclosure Request, it will handle that Data Disclosure Request in accordance with this Procedure. If applicable data protection law(s) require a higher standard of protection for personal information than is required by this Procedure, DocuSign will comply with the relevant requirements of applicable data protection law(s).
-
General principle on Data Disclosure Requests
- As a general principle, DocuSign does not disclose personal information in response to a Data Disclosure Request unless either:
-
it is under a compelling legal obligation to make such disclosure; or
-
taking into account the nature, context, purposes, scope and urgency of the Data Disclosure Request and the privacy rights and freedoms of any affected individuals, there is an imminent risk of serious harm that merits compliance with the Data Disclosure Requests in any event.
-
- For that reason, unless it is legally prohibited from doing so or there is an imminent risk of serious harm, DocuSign will notify and consult with the competent data protection authorities (and, where it processes the personal information on behalf of a Customer, the Customer) in order to address the Data Disclosure Request.
- As a general principle, DocuSign does not disclose personal information in response to a Data Disclosure Request unless either:
-
Handling of a Data Disclosure Request
- Receipt of a Data Disclosure Request
- If a DocuSign Group Member receives a Data Disclosure Request, the recipient of the request must pass it to DocuSign's Office of the Chief Privacy Officer (or any other group or person within DocuSign's legal department as instructed by the Chief Privacy Officer) (the "Responsible Party") promptly upon receipt, indicating the date on which it was received together with any other information which may assist the Responsible Party to deal with the request.
- The request does not have to be made in writing, made under a Court order, or mention data protection law to qualify as a Data Disclosure Request. Any Data Disclosure Request, howsoever made, must be notified to the Office of the Chief Privacy Officer for review.
- Initial steps
- DocuSign's Responsible Party will carefully review each Data Disclosure Request on a case-by-case basis, and will liaise with the legal department as appropriate to deal with the request to determine the nature, context, purposes, scope and urgency of the Data Disclosure Request, as well as its validity under applicable laws, in order to identify whether action may be needed to challenge the Data Disclosure Request and/or to notify the Customer and competent data protection authorities in accordance with paragraph 4.
- Receipt of a Data Disclosure Request
-
Notice of a Data Disclosure Request
- Notice to the Customer
- If a request concerns personal information for which a Customer is the controller, DocuSign will ordinarily ask the Requesting Authority to make the Data Disclosure Request directly to the relevant Customer, and DocuSign will support the Customer in accordance with the terms of its contract to respond to the Data Disclosure Request.
- If this is not possible (for example, because the Requesting Authority declines to make the Data Disclosure Request directly to the Customer), DocuSign will notify and provide the Customer with the details of the Data Disclosure Request prior to disclosing any personal information, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.
- Notice to the competent data protection authorities
- If the Requesting Authority is located in a country that does not provide an adequate level of protection for the personal information in accordance with applicable data protection laws, then DocuSign will also put the Data Disclosure Request on hold in order to notify and consult with the competent data protection authorities, unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.
- Where DocuSign is prohibited from notifying the competent data protection authorities and suspending the Data Disclosure Request, DocuSign will use its best efforts (taking into account the nature, context, purposes, scope and urgency of the request) to inform the Requesting Authority about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the Requesting Authority to put the Data Disclosure Request on hold so that DocuSign can consult with the competent data protection authorities, which may also, in appropriate circumstances, include seeking a court order to this effect. DocuSign will maintain a written record of the efforts it takes.
- Notice to the Customer
-
Transparency reports
- DocuSign commits to preparing an annual report (a Transparency Report), which reflects to the extent permitted by applicable laws, the number and type of Data Disclosure Requests it has received for the preceding year and the Requesting Authorities who made those requests. DocuSign shall make this report available upon request to competent data protection authorities.
-
Bulk transfers
- In no event will any Group Member transfer personal information to a Requesting Authority in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.
20210803