SERVICE ATTACHMENT of DOCUSIGN EU ADVANCED SIGNATURE for DOCUSIGN SIGNATURE v161215

This Service Attachment was last updated on December 15, 2016. Unless otherwise defined in this Service Attachment, capitalized terms will have the meaning given to them in the Agreement.

1. DEFINITIONS.

“Archiving Policy” means all legal, functional, operational, technical and security rules that Customer must establish, implement and respect for the management of Signer identification.

“Certificate(s)” mean(s) the Certificate generated by DocuSign France via the Service for a Signer, used by that Signer to electronically sign an eDocument addressed thereto by an Authorized User, via the Service. Each Certificate contains information such as the identity of the Signer that includes the name and/or alias, the Public Key of the Signer, the lifecycle of the Certificate, the identity of the RA, and the signature of the issuing CA.

“Certification Authority” (or “CA”) is DocuSign France, the authority that generates Certificates and manages the Certificate lifecycle (issuance, renewal, revocation) on the request of the Registration Authority, in accordance with the rules and practices defined in its Certificate Policy(cies) and the associated Certification Practice Statement. The DocuSign contracting entity described in Section 12 (Contracting Entity, Governing Law and Venue) of the MSA acts as agent for DocuSign France as CA hereunder.

“Certificate Policy(ies)” mean(s) the set of rules published by the CA, and describing the general characteristics of the Certificates that it issues. A Certificate Policy describes the obligations and responsibilities of the CA, the RA, Signers, Certificate requesters and any other PKI component involved in the management of a Certificate lifecycle.

The Certificate Policy(ies) of DocuSign France and its(their) successive update(s) can be accessed on DocuSign France’s website, https://www.docusign.fr/societe/certification-policies and are an integral part of this Agreement.

“Delegated Registration Authority” (or “DRA”) means any entity expressly designated by the RA (Customer) in order to perform all or part of RA tasks in accordance with the applicable CP and Registration Policy.

“Documentation” means the commercial, functional and technical documentation relating to the Service and provided by DocuSign to Customer, including DocuSign France's applicable Certificate Policies. Documentation can be in a paper format, on a magnetic storage medium or in any other format used by DocuSign. Documentation provided by DocuSign may be offered in either English and/or French.

“DocuSign France” means DocuSign France SAS an Affiliate of DocuSign, Inc.

“DocuSign Signature” means DocuSign France’s Affiliate, DocuSign, Inc.’s on-demand electronic signature service, which provides online display, certified delivery, acknowledgement, electronic signature, and storage services for eDocuments via the Internet.

“eIDAS” means EU Regulation No. 910/2014.

“Party(ies)” means individually the Customer or DocuSign, and collectively the Customer and DocuSign.

“Private Key” means a mathematical key that is secret that is uniquely contained within a Device and remotely activated by the Signer to sign eDocuments. In the context of the Service, the Private Keys are generated for the only purpose of a single transaction and are erased after the completion of the said transaction.

“Registration Authority” (or “RA”) means the entity (here, Customer) in contractual relationship with the CA to register requests for issuance, renewal or revoking of Certificates, and to validate or reject them. The RA applies Signer identification and authentication procedures in accordance with the rules and practices defined in the Certificate Policy(cies). For the purposes herein, the RA is Customer.

“Registration Policy” means the procedures and rules defined and implemented by the Registration Authority (the Customer) in order to identify and authenticate Signers, to verify and store supporting documents for Signers registration and to register requests to issue, renew and revoke Signer Certificates.

“Service” means the DocuSign EU Advanced Signature service provided to the Customer by DocuSign France as trust service provider to offer Signers a service via the DocuSign Signature application to electronically sign eDocuments.

“Signer(s)” (or “Signatory”) mean(s) any individual who sign the eDocument(s) presented thereto after giving his/her/their consent according the Consent Protocol.

“Signer Identity” means the personal data (such as name(s), email address, telephone number) identifying the Signer(s) which are collected and defined by the Customer on the Service within DocuSign Signature.

“Transaction(s)” mean(s) the performance of a signature process, defined by a set of eDocuments submitted for electronic Signature by one or more Signer(s).

2. EU ADVANCED SIGNATURE.

2.1 The parties acknowledge and agree that: (a) DocuSign’s Affiliate, DocuSign France, is a “trust service provider” for the purpose of providing a Certificate under the Service and related certification services under eIDAS; and (b) where Customer contracts with DocuSign for the provision of a Certificate under the Service and related certification services, DocuSign is authorized to act as an agent for and on behalf of DocuSign France for the purpose of contracting with Customer while DocuSign France is the entity providing the actual delivery of any Certificate under the Service, and (c) the use of the Certificate under the Service is conditional upon Customer adhering to the terms of this Service Attachment.

2.2 During the Term and subject to the terms and conditions of the Agreement, Customer will have the right to send eDocuments to Signers to be signed with the Service via the DocuSign Signature application. The right to use the DocuSign EU Advanced Signature Service is limited to Authorized Users, and Customer may not resell or otherwise provide or assist with the provision of the Service for the benefit of another party or as a part of a service Customer offers to third parties or as a sublicensed or service bureau arrangement.

2.3 Certificate Policies. Customer acknowledges and agrees it has been or hereby is fully informed by DocuSign France (or DocuSign) that:

(a) the Service is based on DocuSign France’s applicable Certificate Policies (CP);

(b) that those policies constitute essential commitments from DocuSign France and its delegated Registration Authorities to any third party relying on the Service;

(c) that those policies have been made available to Customer before the beginning of the Service and can be accessed on DocuSign’s website, https://www.opentrust.com/pc; and

(d) that without limiting other provisions of this Agreement, these terms and conditions contain the essential commitments deriving from those policies and are applicable to both Customer and DocuSign France in the context of the use of the Service.

2.4 Certification Services. DocuSign acknowledges and agrees that, DocuSign France, in its capacity as Certificate Authority, shall be responsible for the proper functioning of the Service’s components and the compliance of its Certificate management system and procedures with the provisions set forth in applicable Certificate Policy(ies). DocuSign France shall technically manage the lifecycle of Signer Certificates throughout their validity period to meet the needs relating to the use of the Service, in accordance with the terms and conditions defined in the applicable Certificate Policies. The characteristics of the Signer Certificates as well as the terms and conditions applying to the management of their lifecycles are defined in the applicable Certificate Policy(ies).

3. CUSTOMER RESPONSIBILITIES.

3.1 Customer expressly acknowledges having received from DocuSign France (or DocuSign) all of the information it requires to assess whether the Service meets its needs and to take all necessary precautions for the implementation and operation of the Service.

3.2 This Agreement designates Customer as Registration Authority, and Customer hereby accepts such duties and responsibilities. In this capacity, Customer shall implement procedures to identify, authenticate and validate requests to issue Signer Certificates, in accordance with its Registration Policy shared with DocuSign France (or DocuSign). In its capacity as RA, Customer shall perform the following duties:

(a) Develop a Registration Policy based on the template supplied by DocuSign France (or DocuSign);

(b) Coordinate and manage requests for Signer Certificates;

(d) Identify and authenticate Signers before establishing and submitting Signer Certificate requests to the CA via the Service;

(e) Protect in strict confidence all data used to identify and authenticate Signers;

(f) Maintain and update supporting documents and identity data used to identify and authenticate Signers;

(g) Submit accurate and complete information about the Signer to the CA in the Signature request;

(h) Permit audits upon request (by DocuSign France, DocuSign or any accredited auditing body appointed by DocuSign) during normal business hours to verify the compliance of the RA with its Registration Policy procedures and communicate the requested information to DocuSign;

(i) Promptly alert DocuSign France (or DocuSign) when there is a security incident involving or relating to the RA services;

(j) Identify and authenticate the DRAs it has designated;

(k) Establish a written enforceable agreement with the DRAs that defines their obligations and responsibilities in accordance with the applicable Certificate Policies, and Registration Policy;

(l) Monitor and manage DRAs in accordance with a procedure validated by the RA;

(m) Ensure that Customer networks are a trustworthy secure IT system that meets all the requirements and obligations of Customer under this Agreement;

(n) Establish secured communication with Signers while using the System;

(o) Define Signer management with DRAs in accordance with the Registration Policy;

(p) Securely store and archive all supporting documents used for Signer registration for at least five (5) years;

(q) Manage and protect the confidentiality and integrity of Signer’s personal identification data.

3.3 The Service can be accessed by Customer via the System by means of a secure remote connection. Accordingly, CUSTOMER is solely responsible for any AND ALL harmful consequences arising from the UNAUTHORIZED use by a third party of its Private Keys and Customer Certificates enabling access the Service, regardless of the means by which they were obtained FROM Customer.

3.4 The registration of Signers for the issue of Signer Certificates is the exclusive responsibility of Customer in its capacity as Registration Authority. Customer is therefore responsible for the accuracy, updating and completeness of the information sent to DocuSign France (or DocuSign) for the issuing of Signer Certificates. Neither DocuSign

France nor DocuSign) verifies any identification information and each of DocuSign France and DocuSign disclaims all liability regarding the accuracy of the Signer identification information communicated by Customer and contained in the Signer Certificates.

4. DOCUSIGN RESPONSIBILITIES.

4.1 Trust Service Provider. DocuSign represents and warrants that its Affiliates’ data centers are secured and trustworthy in accordance with industry standards and uses high-performance products in terms of reliability, security and confidentiality. Electronic signatures created with the Service, subject to the Customer fulfilling its responsibilities under the Agreement, will conform with the definition of Advanced Electronic Signature set out in Article 26 of eIDAS.

5. AUDIT.

5.1 In its capacity as CA, DocuSign France has a duty to audit and monitor Customer in its role as RA in order to ensure its compliance with the Registration Policy applicable to Signer Certificates. For this audit, the CA may carry out or select an auditor to carry out an annual compliance audit on the Customer’s premises. Depending on auditor choice, the audit should cover the following areas:

(a) Content and availability of the agreement between Customer and potential sub-contracting entities involved in the performance of Customer’s obligations;

(b) RA management of Signer identification and authentication data;

(d) Management of eDocuments presented and made available to the Signer in connection with the signature workflow;

(e) RA monitoring of DRAs (if the RA has designated Delegated Registration Authority) in accordance with the Registration Policy defined by RA and the contract between the RA and each DRA;

(f) Requirements to be met by DRAs regarding Signer authentication and identification and the secure transmission of Signer identification data to the Customer by DRAs;

(g) Management and protection of the Customer’s log relevant to Registration Authority activity;

(h) Archives protection for data relevant to Registration Authority activity.

5.2 If the audit reveals a major case of non-compliance, Customer shall correct its procedures immediately. If the correction has not been made within the timeframe set by DocuSign France, DocuSign France (or DocuSign as its agent and upon its instructions) may suspend services included in the operation of the Service until compliance is achieved. In this case, Customer cannot claim a breach by DocuSign France (or by DocuSign acting as DocuSign France agent) of its contractual obligations or claim any indemnity of any kind due to this suspension. Customer acknowledges and agrees that DocuSign France is permitted to suspend its performance under this Agreement whenever Customer is reasonably believed to be out of compliance with its obligations as RA and such suspension may continue until DocuSign France in its sole good faith discretion determines that the compliance failures have been remedied.

5.3 If it is suspected that the RA and/or one or more DRA are in breach of this Agreement, or if a certification body or government authority makes the express request, DocuSign France also reserves the right to conduct an unannounced audit on the premises of the RA and the relevant DRAs at any time, to determine any noncompliance with this Agreement and/or the applicable Certificate Policies.

6. TERMINATION.

Upon the expiration or termination of this Service Attachment for any reason:

6.1 Customer shall promptly return to DocuSign, as of the expiry and/or effective termination date, any Documentation made available by DocuSign for the performance of this Service Attachment and any copies of any nature stored in any medium, including a digital medium, or, if applicable and if expressly requested by DocuSign, destroy the Documentation and any copies made in any medium.

6.2 The Parties shall meet within fifteen (15) days of receiving notification of the termination of this Service Attachment to determine the conditions in which the Service will be terminated. Within fifteen (15) days of the date of this meeting, the Parties must formally determine the conditions in which the Service will be terminated.

7. THIRD PARTY CLAIMS.

In addition to the third party claims obligations set forth in the Agreement, Customer will indemnify DocuSign, and its Affiliates’, employees, directors, agents, and representatives from, and defend the Indemnified Parties against, any Claim to the extent arising from or related to: (a) any representations or warranties regarding the Service made by Customer to any third parties (including without limitation Signers) not authorized by DocuSign; and (b) non-performance of any of obligations by Customer, in its capacity as Registration Authority, defined under this Agreement and the applicable Certificate Policy (CP).