SERVICE ATTACHMENT of THE STANDARD CONTRACTUAL CLAUSES (PROCESSORS) for DOCUSIGN SIGNATURE v161215
This Service Attachment was last updated on December 15, 2016. Unless otherwise defined in this Service Schedule, capitalized terms will have the meaning given to them in the Agreement.
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection,
Customer (as data exporter, whose execution of the applicable agreement
for DocuSign Signature includes execution of the Clauses and their appendices)
and
DocuSign, Inc. (as data importer, whose execution of the applicable agreement
for DocuSign Signature includes execution of the Clauses and their appendices),
each a “party,” together “the parties,”
HAVE AGREED on the following Contractual Clauses (the “Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data[1];
(b) 'the data exporter' means the controller who transfers the personal data;
(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 below which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 below;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer[2]
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11; and
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
Clause 6
Liability
1. The parties agree that any data subject who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9
Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11
Subprocessing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses[3]. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Clause 12
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
Appendix 1 to the Standard Contractual Clauses
Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer):
Customer is the data exporter. The data exporter is a user of DocuSign Signature as defined in the Service Schedule for DocuSign Signature.
Data importer
The data importer is (please specify briefly activities relevant to the transfer):
The data importer is DocuSign, Inc., a provider of an enterprise cloud computing solution.
Data subjects
The personal data transferred concern the following categories of data subjects (please specify):
Data subjects include the data exporter’s representatives and end-users including employees, contractors, collaborators, and customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the services provided by data importer.
Categories of data
The personal data transferred concern the following categories of data (please specify):
The personal data transferred includes name, e-mail, documents and other data in an electronic form in the context of the DocuSign Signature service.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The personal data transferred includes any special categories of data, the extent of which is determined and controlled by the data exporter in its sole discretion, in an electronic form in the context of the DocuSign Signature service.
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):
a. Duration and Object of Data Processing. The duration of data processing shall be for the term designated under the applicable service agreement and/or schedule for DocuSign Signature between data exporter and the DocuSign entity to which these Contractual Clauses are annexed (“DocuSign”). The objective of the data processing is the performance of DocuSign Signature.
b. Scope and Purpose of Data Processing. The scope and purpose of processing personal data is described in the applicable service agreement and/or schedule for DocuSign Signature. The data importer operates a global network of data centers and management/support facilities, and processing may take place in any jurisdiction where data importer or its sub-processors operate such facilities.
c. Customer Data Access. For the term designated under the applicable service agreement and/or schedule for DocuSign Signature, data importer will at its election and as necessary under applicable law implementing Article 12(b) of the EU Data Protection Directive, either: (i) provide data exporter with the ability to correct, delete, or block Customer Data, or (ii) make such corrections, deletions, or blockages on its behalf.
d. Data Exporter’s Instructions. For DocuSign Signature, data importer will only act upon data exporter’s instructions as conveyed to DocuSign.
e. Customer Data Deletion or Return. Upon expiration or termination of data exporter’s use of DocuSign Signature, it may extract Customer Data and data importer will delete eContracts, each in accordance with the applicable service agreement and/or schedule for DocuSign Signature.
Subcontractors: The data importer may hire other companies to provide limited services on data importer’s behalf, such as providing customer support. Any such subcontractors will be permitted to obtain Customer Data only to deliver the services the data importer has retained them to provide, and they are prohibited from using Customer Data for any other purpose.
Appendix 2 to the Standard Contractual Clauses
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
1. Personnel. Data importer’s personnel will not process Customer Data without authorization. Personnel are obligated to maintain the confidentiality of any Customer Data and this obligation continues even after their engagement ends.
2. Data Privacy Contact. The data privacy officer of the data importer can be reached at the following address:
DocuSign, Inc.
Attn: Chief Privacy Officer
221 Main Street, Suite 1000
San Francisco, CA 94105
3. Technical and Organizational Measures. The data importer has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect Customer Data, as defined in the applicable service agreement/schedule for DocuSign Signature, against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows:
DocuSign’s Information Security Program is designed to protect the confidentiality, integrity, and availability of Subscriber Data processed through DocuSign Signature by using a multi-tiered technical, procedural, and people-related control approach in accordance with industry best practices and applicable laws and regulations. While DocuSign is responsible for its implementation and operation of the Information Security Program and the protection measures described herein, security and privacy with respect to cloud services such as DocuSign Signature are shared responsibilities between the parties. Subscriber acknowledges that it is responsible for using and enforcing the controls and functionality available within DocuSign Signature to support its own compliance requirements for the Processing of Subscriber Data in accordance with Subscriber’s responsibilities to its end users and applicable laws and regulations.
1. DEFINITIONS. Unless otherwise defined in this Service Attachment, capitalized terms will have the meaning given to them in the Agreement.
“Personnel” means all employees and agents of DocuSign involved in the performance of DocuSign Signature service.
“Production Environment” means the System setting where software, hardware, data, processes, and programs are executed for their final and intended operations by end users of DocuSign Signature.
“Customer Data” means all electronic data entered into DocuSign Signature by Customer, Authorized Users, and recipients of Customer’s Envelopes.
“Subcontractor” means a third party that DocuSign has engaged to perform DocuSign Signature service on behalf of DocuSign.
“Unsuccessful Intrusion(s)” means unsuccessful attempts at unauthorized access, use, disclosure, modification, or destruction of Customer Data processed by DocuSign Signature. Examples include but are not limited to: broadcast attacks on firewalls, denial of service attacks, port scans, login attempts, and interception of encrypted data where the corresponding encryption key remains uncompromised.
2. APPLICABILITY. This Appendix 2 applies only to the processing of Customer Data through DocuSign Signature. Customer acknowledges that this Appendix 2 does not apply to any other DocuSign products or services that Customer may have now or in the future unless this Appendix 2 is specifically incorporated by reference in the Agreement for such products and services. To the extent Customer exchanges with DocuSign data or information that does not meet the definition of “Customer Data,” such data or information will be treated in accordance with the confidentiality terms of the Agreement.
3. CUSTOMER RESPONSIBILITIES. DocuSign Signature provides Customer with certain features and functionalities that Customer may elect to use, including the ability to retrieve and delete eContracts in the System. Customer is responsible for properly (a) configuring DocuSign Signature, (b) using and enforcing controls available in connection with DocuSign Signature (including any security controls), and (c) taking such steps, in accordance with the functionality of DocuSign Signature, that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Customer Data, which include controlling the management of Authorized Users’ access and credentials to DocuSign Signature, controlling Customer Data that is processed by DocuSign Signature, and controlling the archival or deletion of eContracts in the System.
4. PERMITTED USE & DISCLOSURE. Subject to the requirements set forth in this Appendix 2, DocuSign will not process Customer Data in any manner other than as permitted or required by the Agreement or as otherwise instructed by Customer.
5. SECURITY MANAGEMENT.
5.1. Information Security Program. DocuSign maintains a written information security program that includes policies, procedures, and controls governing the processing of Customer Data through DocuSign Signature in accordance with the terms of the Agreement and this Appendix 2 (the “Information Security Program”). DocuSign will maintain its Information Security Program in accordance with the ISO 27001 standard or such other alternative standards that are substantially equivalent to ISO 27001 for the establishment, implementation, and control of the Information Security Program. Additionally, DocuSign will maintain controls sufficient to meet the objectives of PCI DSS, SOC 1 and SOC 2, or equivalent standards and will be assessed against those standards annually. Upon Customer’s request, not to exceed once annually, DocuSign will provide Customer with third party attestations, certifications, and reports relevant to the establishment, implementation, and control of the Information Security Program, including DocuSign’s ISO 27001 certification, PCI DSS Attestation of Compliance, Service Organization Controls (SOC) reports, or equivalent certifications and reports.
5.2. Background Checks and Training. DocuSign conducts reasonable and appropriate background investigations on all Personnel in accordance with applicable laws and regulations. Personnel must pass DocuSign’s background checks prior to being assigned to positions in which they will, or DocuSign reasonably expects them to, have access to Customer Data. DocuSign conducts annual mandatory security awareness training to inform its Personnel on relevant security procedures and the consequences of violating those procedures.
5.3. Subcontractors. All Subcontractors: (a) are evaluated by DocuSign to ensure that such Subcontractors maintain appropriate physical, technical, organizational, and administrative controls consistent with the requirements of this Appendix 2; and (b) fall into scope for independent audit assessment as part of DocuSign’s ISO 27001, or equivalent, audit, where their roles and activities are reviewed per control requirements. DocuSign remains responsible for the acts and omissions of its Subcontractors as if it had performed the acts or omissions itself, and any subcontracting will not in any way reduce DocuSign’s obligations to Customer under the Agreement.
5.4. Risk and Security Assurance Framework Contact. Customer’s account management team at DocuSign will be Customer’s first point of contact for information and support regarding DocuSign’s Information Security Program and obligations under this Appendix 2. The account management team will work directly with Customer to escalate Customer’s questions, issues, and requests to internal DocuSign groups as necessary.
6. PHYSICAL SECURITY MEASURES. DocuSign maintains appropriate physical security measures designed to protect the tangible items, such as physical computer systems, networks, servers, and devices, that process Customer Data. DocuSign utilizes commercial-grade security software and hardware to protect DocuSign Signature and the Production Environment.
6.1. Facility Access. Access to DocuSign’s corporate facilities is tightly controlled. Visitors must sign in, agree to confidentiality obligations, and be escorted by Personnel at all times. The DocuSign security team reviews visitor logs on a regular basis. At termination of employment, DocuSign promptly revokes terminated Personnel’s physical access to all DocuSign corporate facilities.
6.2. Data Center Access. DocuSign’s commercial-grade data center service providers used in the provision of DocuSign Signature are included in DocuSign’s ISO 27001 or equivalent certification and must maintain an on-site security operation responsible for all physical data center security functions and formal physical access procedures in accordance with SOC 1 and SOC 2, or equivalent, standards.
7. LOGICAL SECURITY.
7.1. Access Controls. DocuSign maintains a formal access control policy and employs a centralized access management system to control employee access to the Production Environment.
(a) All access to the Production Environment is subject to successful two-factor authentication globally from both corporate and remote locations and is restricted to authorized Personnel who demonstrate a legitimate business need for such access. DocuSign maintains an associated access control process for reviewing and implementing access requests. DocuSign regularly reviews the access rights of authorized Personnel and, upon change in scope of employment necessitating removal or employment termination, Personnel access rights are removed.
(b) DocuSign monitors and assesses the efficacy of access restrictions applicable to the control of DocuSign's system administrators in the Production Environment by, for example, generating individual administrator activity records and retaining such records for a period of at least 12 months.
7.2. Network Security. DocuSign maintains a defense-in-depth approach to hardening the Production Environment against exposure and attack. The Production Environment is isolated and includes commercial-grade network management controls such as load balancers, firewalls, intrusion detection systems distributed across production networks, and malware protections. DocuSign complements its Production Environment architecture with prevention and detection technologies that monitor all activity and generate risk-based alerts to the relevant security groups.
7.3. Malicious Code Protection. DocuSign’s information systems and file transfer operations have effective and operational anti-virus software. All anti-virus software is configured for deployment and automatic update. Anti-virus software is integrated with processes and will automatically generate alerts to DocuSign’s Cyber Incident Response Team if potentially harmful code is detected, for their investigation and analysis.
7.4. Code Reviews. DocuSign maintains a formal software development lifecycle that includes secure coding practices against OWASP and related standards. DocuSign performs both manual and automated code reviews. Engineering, product development, and product operations management review changes included in production releases to verify that developers performed automated and manual code reviews designed to minimize associated risks. In the event that a significant issue is identified in a code review, it is brought to senior management’s attention and is closely monitored until resolution prior to release into the Production Environment.
7.5. Vulnerability Scans and Penetration Tests. DocuSign performs both internal and external vulnerability scanning and application scanning. Quarterly external scans and annual penetration tests against DocuSign Signature and the Production Environment are conducted by external qualified, credentialed, and industry-recognized organizations. DocuSign will remedy vulnerabilities identified during scans and penetration tests in a commercially reasonable manner and timeframe based on severity. DocuSign will provide third-party attestations resulting from such vulnerability scans, in the form of independent external audit reports, upon Customer’s reasonable written request. Under no circumstance will Customer be permitted to conduct any vulnerability scanning or penetration testing against the Production Environment.
8. STORAGE, ENCRYPTION, AND DISPOSAL.
8.1. Separation. DocuSign logically separates Customer Data located in its multi-tenanted Production Environment from other customer data.
8.2. Encryption Technologies. DocuSign encrypts Customer Data in accordance with industry best practice standards. All access and transfer of data to and from DocuSign Signature is via HTTPS and DocuSign only supports industry recognized and best practice cipher suites. All eContracts persisted on the Production Environment are encrypted with an AES 256-bit, or equivalent, encryption key.
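Section 8.2 states the transport requirement in contract language only. The following Python check is added here as an illustration; it is not part of the Clauses and is not DocuSign's own tooling. It shows what "industry recognized and best practice cipher suites" means concretely on the customer side of the HTTPS connection: it classifies the suites an `ssl.SSLContext` will offer, flags any that predate TLS 1.2, lack forward secrecy or are not AEAD, builds a context restricted to acceptable suites, and can report the suite actually negotiated with an endpoint. The hostname passed to `negotiated_suite` is an assumption supplied by the caller, and the suite records in `SAMPLE_SUITES` are constructed for the example.

```python
import socket
import ssl
import sys

# Key-exchange values reported by SSLContext.get_ciphers() that give forward
# secrecy. OpenSSL reports "kx-any" for TLS 1.3 suites, which always use an
# ephemeral (EC)DHE exchange.
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe", "kx-any"}

# Rank of the protocol version a suite was defined for; anything below
# TLS 1.2 is considered legacy.
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.0": 1, "TLSv1.1": 2,
                 "TLSv1.2": 3, "TLSv1.3": 4}
MIN_PROTOCOL = "TLSv1.2"


def cipher_findings(cipher):
    """Return the reasons a suite record is NOT best practice (empty = OK).

    `cipher` has the shape of one entry from SSLContext.get_ciphers():
    at least the keys 'name', 'protocol', 'kea' and 'aead'.
    """
    findings = []
    rank = PROTOCOL_RANK.get(cipher.get("protocol", ""), 0)
    if rank < PROTOCOL_RANK[MIN_PROTOCOL]:
        findings.append("defined for %s, below %s" % (cipher.get("protocol"), MIN_PROTOCOL))
    if cipher.get("kea") not in FORWARD_SECRET_KEA:
        findings.append("no forward secrecy (key exchange %s)" % cipher.get("kea"))
    if not cipher.get("aead", False):
        findings.append("not an AEAD suite")
    return findings


def audit_context(ctx):
    """List (suite name, findings) for every offending suite the context offers."""
    result = []
    for cipher in ctx.get_ciphers():
        findings = cipher_findings(cipher)
        if findings:
            result.append((cipher["name"], findings))
    return result


def strict_client_context():
    """A client context that only offers TLS 1.2+ forward-secret AEAD suites."""
    ctx = ssl.create_default_context()  # verifies the server certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.3 suites are always offered; this restricts the TLS 1.2 list.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def negotiated_suite(host, port=443, ctx=None):
    """Handshake with host:port and return (protocol version, suite name).

    Requires network access; the host is an assumption supplied by the caller.
    """
    ctx = ctx or strict_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


# Constructed sample records in the get_ciphers() shape (not captured from any host).
SAMPLE_SUITES = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "kea": "kx-any", "aead": True},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe", "aead": True},
    {"name": "ECDHE-RSA-AES256-SHA", "protocol": "TLSv1.0", "kea": "kx-ecdhe", "aead": False},
    {"name": "AES256-SHA", "protocol": "TLSv1.0", "kea": "kx-rsa", "aead": False},
]


if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print(suite["name"], "->", cipher_findings(suite) or "ok")
    print("strict context offending suites:", audit_context(strict_client_context()))
    if len(sys.argv) > 1:
        print("negotiated with %s:" % sys.argv[1], negotiated_suite(sys.argv[1]))
```

Run it with no arguments to see the classification and to confirm the strict context offers nothing objectionable; pass a hostname to see which suite that endpoint actually negotiates. A handshake failure against the strict context is the useful signal: it means the server would only agree to a suite the contract language is supposed to exclude.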
8.3. Disposal. DocuSign maintains a data disposal and re-use policy for managing assets and implements processes and procedures for equipment management and secure media disposal.
9. BUSINESS CONTINUITY AND DISASTER RECOVERY.
9.1. Continuity Plan. DocuSign maintains a written business continuity and disaster recovery plan addressing the availability of DocuSign Signature (“Continuity Plan”). The Continuity Plan includes elements such as: (a) crisis management, plan and team activation, event and communication process documentation; (b) business recovery, alternative site locations, and call tree testing; and (c) infrastructure, technology, system(s) details, recovery activities, and identification of the Personnel and teams required for such recovery. DocuSign conducts a test of the Continuity Plan on an annual basis.
9.2. DocuSign Signature Continuity. DocuSign’s production architecture for DocuSign Signature is designed to perform secure replication in near real-time to multiple active systems in geographically distributed and physically secure data centers located in the United States of America and the European Union. Infrastructure systems for DocuSign Signature have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Each data center supporting DocuSign Signature includes fully redundant, fault-tolerant infrastructure for electrical, cooling, and network systems. The Production Environment servers are enterprise-scale servers with redundant power to ensure maximum uptime and service availability.
10. INCIDENT RESPONSE AND BREACH NOTIFICATION.
10.1. General. DocuSign maintains a tested incident response program managed and run by DocuSign’s dedicated Global Incident Response Team. The incident response team operates to a mature framework, which includes incident management and breach notification policies and associated processes. DocuSign’s incident response program includes: initial detection; initial tactical response; initial briefing; incident briefing; refined response; communication and messaging; formal containment; formal incident report; and post mortem/trend analysis.
10.2. Breach Notification. Unless notification is delayed by applicable law or the demands of law enforcement, DocuSign will promptly report to Customer the deliberate unauthorized acquisition, access, use, disclosure or destruction of Customer Data (a “Breach”) following determination by DocuSign that a definite Breach has occurred. Any such report will be made to Customer and sent to the appropriate party at the address and contact information set forth on the Order Form or as otherwise provided by Customer. DocuSign’s obligation to report a Breach under this Section is not and will not be construed as an acknowledgement by DocuSign of any fault or liability of DocuSign with respect to such breach. The obligations in this Subsection (Breach Notification) will not apply to Unsuccessful Intrusions.
10.3. Breach Response Procedures.
(a) DocuSign will promptly take reasonable measures to mitigate the cause of any Breach and to prevent future Breaches of similar nature. As information regarding a Breach is collected or otherwise becomes available to DocuSign, DocuSign will provide additional detail regarding the nature and consequences of the Breach and the corrective and remedial actions being taken.
(b) Due to the encryption configuration and security controls associated with DocuSign Signature, DocuSign will not have access to or know the nature of the information contained within Customer’s eContracts and, as such, the parties acknowledge that it may not be possible for DocuSign to provide Customer with a description of the type of information or the identity of individuals that may be affected by a Breach. In the event of a Breach, Customer will be solely responsible for: (i) determining whether to notify impacted individuals or entities; (ii) providing any notice deemed necessary by Customer; and (iii) determining whether regulatory bodies or law enforcement applicable to Customer or Customer Data need to be notified.
11. CUSTOMER AUDIT RIGHTS.
11.1. Regulatory Audit. If an on-site audit of DocuSign is required by Customer’s governmental regulators, as supported by evidence and a written statement by Customer, Customer may, either itself or through a third party independent contractor selected by Customer and at Customer’s sole expense, conduct an on-site audit of DocuSign’s Information Security Program, including DocuSign’s data centers and corporate facilities relevant to the security of Customer Data (“Regulatory Audit”). Unless a different notice or frequency is required by Customer’s governmental regulators, a Regulatory Audit may be conducted by Customer once per year with at least 60 days’ advance written notice to DocuSign. If a Regulatory Audit requires the equivalent of more than two business days of DocuSign Personnel’s time to support such audit, DocuSign may charge Customer an audit fee at DocuSign’s then-current rates for each day thereafter.
11.2. Audit for Breach. Following any Breach of Customer Data, DocuSign will, upon Customer’s written request, promptly engage a third party independent auditor, selected by DocuSign and at DocuSign’s expense, to conduct an on-site audit of DocuSign’s Information Security Program, including DocuSign’s data centers and corporate facilities relevant to the security of Customer Data. DocuSign will promptly provide Customer with the report of such audit.
11.3. Conditions of Audit.
(a) Audits conducted by Customer pursuant to this Section (Customer Audit Rights) must: (i) be conducted during reasonable times; (ii) be of reasonable duration; (iii) not unreasonably interfere with DocuSign’s day-to-day operations; (iv) be conducted upon mutually agreed upon terms; and (v) be made in accordance with DocuSign’s security policies and procedures. DocuSign reserves the right to limit an audit of any of the following: configuration settings, sensors, monitors, network devices and equipment, files, or any other items that DocuSign reasonably determines may compromise the security of DocuSign Signature or the data of other DocuSign customers. For clarification, Customer’s audit rights under this Section (Customer Audit Rights) do not include penetration testing or active vulnerability assessments of the Production Environment or DocuSign Systems within their scope.
(b) In the event that Customer conducts an audit through a third party independent contractor, such independent contractor must enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect DocuSign’s confidential and proprietary information.
(c) Customer must promptly provide DocuSign with any audit, security assessment, compliance assessment reports and associated findings prepared by it or its third party contractors for comment and input prior to formalization and/or sharing with another third party.
11.4. Remediation and Response. If any audit performed pursuant to this Section (Customer Audit Rights) reveals or identifies any non-compliance by DocuSign with its obligations under the Agreement and this Appendix 2, then (a) DocuSign will work to promptly correct such issues; and (b) Customer may request feedback and information regarding corrective and remedial actions taken in relation to such audit for no more than 60 days after the date upon which such audit was conducted.
Appendix 3 to the Standard Contractual Clauses
Subprocessor(s):
Tier 1 Customer Support Call Center: SupportSave Solutions, Inc.
(a) Corporate address: 11132 Ventura Blvd, Suite 420, Studio City, CA 91604
(b) Service location: Cebu City, Philippines
[1] Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered it better for the contract to stand alone.
[2] Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.
[3] This requirement may be satisfied by the subprocessor co-signing the contract entered into between the data exporter and the data importer under this Decision.