SECURITY ATTACHMENT for DOCUSIGN GEN
Service Attachment version date: April 5, 2019.
This Security Attachment for DocuSign Gen (“Security Attachment”) sets forth DocuSign’s commitments for the protection of Customer Data when it resides within DocuSign and is made part of the Service Schedule for DocuSign Gen.
As a Salesforce-native application, DocuSign Gen is subject to both Salesforce and DocuSign security programs and policies. For information on Salesforce security, visit their Trust Center. The terms of this Security Attachment outline the security technologies, policies, and practices that protect Customer’s documents and data within DocuSign. Unless otherwise defined in this Security Attachment, capitalized terms will have the meaning given to them in the Agreement.
1. DEFINITIONS
“Personnel” means all employees and agents of DocuSign involved in the performance of DocuSign Gen service.
“Process” or “Processing” means, with respect to this Security Attachment, any operation or set of operations that is performed upon Customer Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Production Environment” means the System setting where software, hardware, data, processes, and programs are executed for their final and intended operations by end users of DocuSign Gen.
“Subcontractor” means a third party that DocuSign has engaged to perform all or a portion of the DocuSign Gen service on behalf of DocuSign or DocuSign’s Affiliates.
“Salesforce” means Salesforce.com Inc., who partners with DocuSign in the provision of DocuSign Gen to Customers. In order for Customer to use DocuSign Gen, Customer must have an account with Salesforce.
2. INFORMATION SECURITY PROGRAM
2.1 Information Security Program. DocuSign maintains and will continue to maintain a written information security program that includes policies, procedures, and controls governing the Processing of Customer Data through DocuSign’s sole control of the product DocuSign Gen (the “Information Security Program”). The Information Security Program is designed to protect the confidentiality, integrity, and availability of Customer Data by using a multi-tiered technical, procedural, and people-related control approach in accordance with industry best practices and applicable laws and regulations.
2.2 Permitted Use of Customer Data. DocuSign will not Process Customer Data in any manner other than as permitted or required by the Agreement.
2.3 Acknowledgement of Shared Responsibilities. The security of data and information that is accessed, stored, shared, or otherwise Processed via a multi-tenant cloud service such as DocuSign Gen is a shared responsibility between a cloud service provider and its customers. As such, the Parties acknowledge that: (a) DocuSign is responsible for the implementation and operation of the Information Security Program and the protection measures described in this Security Attachment; (b) Salesforce is responsible for its processing and storage of customer data, and its commitment to the Customer is governed by its own separate relationship with the Customer; and (c) Customer is responsible for properly implementing access and use controls and for configuring certain features and functionalities of DocuSign Gen that Customer may elect to use, in the manner that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Customer Data.
2.4 Applicability to Customer Data. This Security Attachment and the Information Security Program apply specifically to the Customer Data Processed via DocuSign Gen through DocuSign’s network and data centers. To the extent Customer exchanges data and information with DocuSign that does not meet the definition of Customer Data, DocuSign will treat such data and information in accordance with the confidentiality terms set forth in the Agreement.
3. SECURITY MANAGEMENT
3.1 Maintenance of Information Security Program. DocuSign will take and implement appropriate technical and organizational measures to protect Customer Data processed and stored in DocuSign and will maintain the Information Security Program in accordance with ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001 and other generally recognized industry standards for security, including, but not necessarily limited to, the following (or, as applicable, those issued by the following organizations):
(a) Open Web Application Security Project (“OWASP”) - see https://www.owasp.org;
(b) National Institute for Standards and Technology (“NIST”) - see http://csrc.nist.gov;
(c) ISO/IEC 27001; and
(d) Data Security Standards (“DSS”).
DocuSign may update or modify the Information Security Program from time to time provided that such updates and modifications do not result in the degradation of the overall security of DocuSign Gen.
3.2 Background Checks and Training. DocuSign will conduct reasonable and appropriate background investigations on all Personnel in accordance with applicable laws and regulations. Personnel must pass DocuSign’s background checks prior to being assigned to positions in which they will, or DocuSign reasonably expects them to, have access to Customer Data. DocuSign will conduct annual mandatory security awareness training to inform its Personnel on procedures and policies relevant to the Information Security Program and of the consequences of violating such procedures and policies. DocuSign will conduct an offboarding or exit process with respect to any Personnel upon termination of employment, which will include the removal of the terminated Personnel’s access to Customer Data and DocuSign’s sensitive systems and assets.
3.3 Subcontractors. DocuSign will evaluate all Subcontractors to ensure that Subcontractors maintain adequate physical, technical, organizational, and administrative controls, based on the risk tier appropriate to their subcontracted services, that support DocuSign’s compliance with the requirements of this Security Attachment.
DocuSign will not transmit, exchange, or otherwise disclose Customer Data to any third parties except in accordance with the Agreement and this Security Attachment. Customer’s Account Administrators are responsible for controlling how DocuSign Gen shares information with third parties through configuration of Customer’s Account within DocuSign Gen.
3.4 Risk and Security Assurance Framework Contact. Customer’s account management team at DocuSign will be Customer’s first point of contact for information and support related to the Information Security Program. The DocuSign account management team will work directly with Customer to escalate Customer’s questions, issues, and requests to DocuSign’s internal teams as necessary.
4. PHYSICAL SECURITY MEASURES
4.1 General. DocuSign will maintain appropriate physical security measures designed to protect the tangible items, such as physical computer systems, networks, servers, and devices, that Process Customer Data. DocuSign will utilize commercial grade security software and hardware to protect the DocuSign Gen service and the Production Environment.
4.2 Corporate Access. DocuSign will ensure that: (a) access to DocuSign’s corporate facilities is tightly controlled through, at a minimum, physical access card identification; (b) all visitors to its corporate facilities sign in, agree to confidentiality obligations, and are escorted by Personnel while on premises at all times; and (c) visitor logs are reviewed by DocuSign’s security team on a regular basis. DocuSign will revoke Personnel’s physical access to DocuSign’s corporate facilities upon termination of employment.
4.3 Data Center Access. DocuSign’s data centers are included in DocuSign’s ISO 27001 or equivalent certification. DocuSign will ensure that its commercial-grade data center service providers used in the provision of DocuSign Gen maintain an on-site security operation that is responsible for all physical data center security functions and formal physical access procedures in accordance with SOC 1 and SOC 2, or equivalent, standards. All data centers that house or store Customer Data will be subject to the following:
(a) Multi-factor physical security measures that have auditable entry/exit mechanisms that record the identity of any individual who enters and leaves the facility must be used.
(b) DocuSign’s servers in any such data centers will be stored in locked private cages. Only authorized Personnel will have access to the cages. Third-party vendors and guests must be escorted by authorized Personnel while in the cage.
(c) The following environmental security controls must be in place: (i) uninterruptible power supplies and secondary power supplies on all key systems; (ii) temperature and humidity controls for the heating, ventilation, and air conditioning equipment; (iii) heat and smoke detection devices and fire suppression systems; and (iv) periodic inspection by a fire marshal or similar safety official.
5. LOGICAL SECURITY
5.1 Access Controls. DocuSign will maintain a formal access control policy and employ a centralized access management system to control Personnel access to DocuSign’s Production Environment.
(a) DocuSign will ensure that all access to the Production Environment is subject to successful two-factor authentication globally from both corporate and remote locations and is restricted to authorized Personnel who demonstrate a legitimate business need for such access. DocuSign will maintain an associated access control process for reviewing and implementing Personnel access requests. DocuSign will regularly review the access rights of authorized Personnel and, upon change in scope of employment necessitating removal or employment termination, remove or modify such access rights as appropriate.
(b) DocuSign will monitor and assess the efficacy of access restrictions applicable to the control of DocuSign's system administrators in the Production Environment, which will entail generating activity information for each individual system administrator and retaining such information for a period of at least twelve (12) months.
(c) DocuSign will not use Customer Data from the DocuSign Gen service Production Environment in non-production environments without Customer’s express permission.
5.2 Auditing and Logging. With respect to system auditing and logging, DocuSign will do the following:
(a) DocuSign has access to the Salesforce logs and will therefore use and maintain an auditing and logging mechanism that, at a minimum, captures and records successful and failed user logons and logoffs (with a date and time stamp, user ID, application name, and pass/fail indicator). User access activities will be logged and audited periodically by DocuSign to identify unauthorized access and to determine possible flaws in Salesforce’s access control system.
(b) All application components that have logging capabilities (such as operating systems, databases, web servers, and applications) will be configured to produce a security audit log.
(c) Audit logs within DocuSign’s control will be configured for sufficient log storage capacity.
(d) Each log under DocuSign’s control will be configured so that it cannot be disabled without proper authorization and will send alerts for the success or failure of each auditable event.
(e) DocuSign’s security logs will be reviewed on a regular basis, and alerts with respect to deviations from normal activity will be reviewed by the appropriate DocuSign teams.
(f) DocuSign’s audit logs will survive system restarts and be retrievable for at least the then-most recent three (3) months. Any system audit log will be recovered when a notification of a log failure is received.
(g) Access to DocuSign’s security log files will be limited to authorized Personnel.
(h) In regard to DocuSign’s development, access to source code by team members must be reviewed at least every ninety (90) days.
(i) In regard to DocuSign’s support, DocuSign Gen will maintain a process to help assure that any individual leaving DocuSign’s team who provides support to Customer will lose access to Customer’s accounts and data upon termination of employment or as soon as reasonably possible after moving to another position within DocuSign.
5.3 Network Security. DocuSign will maintain a defense-in-depth approach to hardening its Production Environment against exposure and attack. DocuSign will maintain an isolated Production Environment that includes commercial-grade network management controls such as load balancers, firewalls, intrusion detection systems distributed across production networks, and malware protections. DocuSign will complement its Production Environment architecture with prevention and detection technologies that monitor all activity generated and send risk-based alerts to the relevant security groups.
5.4 Malicious Code Protection. DocuSign will ensure that: (a) its information systems and file transfer operations have effective and operational anti-virus software; (b) all anti-virus software is configured for deployment and automatic update; and (c) applicable anti-virus software is integrated with processes and will automatically generate alerts to DocuSign’s Cyber Incident Response Team for their investigation and analysis if potentially harmful code is detected. Data in transit and at rest with Salesforce will be subject to a separate information security program.
5.5 Code Reviews. DocuSign will maintain a formal software development life cycle that includes secure coding practices against OWASP and related standards and will perform both manual and automated code reviews. DocuSign’s engineering, product development, and product operations management teams will review changes included in production releases to verify that developers have performed automated and manual code reviews designed to minimize associated risks.
5.6 Vulnerability Scans and Penetration Tests. DocuSign will perform both internal and external vulnerability scanning and application scanning. Quarterly external scans and annual penetration tests against DocuSign Gen and DocuSign’s Production Environment will be conducted by external qualified, credentialed, and industry-recognized organizations. DocuSign will remedy vulnerabilities identified during scans and penetration tests in a commercially reasonable manner and timeframe based on severity. Upon Customer’s reasonable written request, DocuSign will provide third-party attestations resulting from vulnerability scans and penetration tests per independent external audit reports. For clarification, under no circumstance will Customer be permitted to conduct any vulnerability scans or penetration testing against the Production Environment.
6. STORAGE, ENCRYPTION, DISPOSAL AND ACCESS
6.1 Storage and Separation. Customer Data will be stored within the physical and logical infrastructure for the DocuSign Gen service at DocuSign’s colocation or data center facilities. Exceptions with respect to storage may only be made with Customer’s written authorization for specific purposes, such as, for example, extraction of Customer Data for storage on encrypted portable media. DocuSign will logically separate Customer Data located in the Production Environment from other DocuSign customer data.
6.2 Encryption Technologies. DocuSign will encrypt Customer Data in accordance with industry best practice standards and as follows:
(a) DocuSign and DocuSign Gen will encrypt information in transit using strong encryption techniques and standard security protocols (such as SSL, SSH, IPSEC, SFTP or secure channel signing and sealing) for transmitting sensitive information (including Customer Data), with configurations that meet DSS standards with regard to data transmitted via the Internet and associated configuration baselines (i.e., ciphers and protocols). Any electronic transmission or exchange of data with DocuSign Gen will be conducted via secure means (using HTTPS, SFTP or an equivalent protocol), and capabilities to encrypt email transmission will be used when the receiving infrastructure supports such encryption.
(b) DocuSign will encrypt information at rest (inside the envelope data) using cryptographic mechanisms to protect the confidentiality and integrity of structured and unstructured data on all servers hosting DocuSign Gen and any Customer Data. AES-256 (or the most recent FIPS-approved methods) cryptographic keys will be generated to encrypt information at rest. Databases, object stores, and search indexes will be maintained on encrypted data files, file systems, or self-encrypting drives that use FIPS-approved methods.
(c) DocuSign will encrypt all DocuSign-controlled data inside the envelope for backup and recovery using commercially supported encryption.
(d) DocuSign and the DocuSign Gen service will conduct encryption key management as follows:
(i) DocuSign shall maintain encryption key management policies, and only a limited group of DocuSign’s Personnel will have access to create, distribute, and destroy keys.
(ii) Management and usage of encryption keys for DocuSign Gen will be separate duties.
(iii) All public certificate authorities will meet prevalent industry standards and support all then-current, widely used operating systems.
(iv) Configurations for key strength will conform to DSS.
(v) Encryption of data at rest for DocuSign Gen will use FIPS 140-2 algorithms and storage standards will conform to NIST 800-111.
(vi) Configurations of encryption protocols, cipher suites, and related settings for encryption of data in transit will conform to DSS.
6.3 Disposal. DocuSign will maintain a data disposal and re-use policy for managing assets and implement industry-recognized processes and procedures for equipment management and secure media disposal, which includes erasing, destroying, and rendering unrecoverable all Customer Data under DocuSign’s control. Media sanitization on DocuSign Gen will be performed according to the standards identified in the NIST Guidelines for Media Sanitization, SP800-88. Disposal of data under Salesforce’s control will be governed by Salesforce’s information security program and their agreement with Customer.
7. INCIDENT RESPONSE AND BREACH NOTIFICATION
7.1 General. DocuSign will maintain a tested incident response program, which will be managed and run by DocuSign’s dedicated Global Incident Response Team. DocuSign’s Global Incident Response Team will operate to a mature framework that includes incident management and breach notification policies and associated processes. DocuSign’s incident response program will include, at a minimum: initial detection; initial tactical response; initial briefing; incident briefing; refined response; communication and message; formal containment; formal incident report; and post mortem/trend analysis.
7.2 Breach Notification. Unless notification is delayed by the actions or demands of a law enforcement agency, DocuSign shall report to Customer any unlawful access or unauthorized acquisition, use, or disclosure of Customer Data (a “Data Breach”) following determination by DocuSign that a Data Breach has occurred. DocuSign’s obligation to report a Data Breach under this Security Attachment is not and will not be construed as an acknowledgement by DocuSign of any fault or liability of DocuSign with respect to such Data Breach.
7.3 Breach Response. DocuSign shall take reasonable measures within DocuSign’s control to mitigate the cause of any Data Breach and shall take reasonable corrective measures to prevent future Data Breaches. As information is collected or otherwise becomes available to DocuSign and unless prohibited by law, DocuSign shall provide information regarding the nature and consequences of the Data Breach that are reasonably requested to allow Customer to notify affected individuals, government agencies and/or credit bureaus. Due to the encryption configuration and security controls associated with DocuSign Gen, DocuSign will not have access to or know the nature of the information contained within Customer’s eDocuments and, as such, the Parties acknowledge that it may not be possible for DocuSign to provide Customer with a description of the type of information or the identity of individuals who may be affected by a Data Breach. Customer is solely responsible for determining whether to notify impacted individuals and for providing such notice, and for determining if regulatory bodies or enforcement commissions applicable to Customer or Customer’s use of DocuSign Gen need to be notified of a Data Breach.
8. INDEPENDENT ASSURANCES AND AUDITS
8.1 Independent Assurances. DocuSign uses independent external auditors to verify the adequacy of its Information Security Program. Upon Customer’s reasonable written request, DocuSign will provide Customer with third-party attestations, certifications, and unrestricted reports relevant to the establishment, implementation, and control of the Information Security Program, including DocuSign’s ISO 27001 certification, DSS certification, and SOC reports.
8.2 Regulatory Audit. If Customer’s governmental regulators require that Customer perform an on-site audit of DocuSign’s Information Security Program, as supported by evidence provided by Customer, Customer may at Customer’s expense, either through itself or a third-party independent contractor selected by Customer, conduct an on-site audit of DocuSign’s Information Security Program, including DocuSign’s data centers and corporate facilities relevant to the security of Customer Data (“Regulatory Audit”). Customer must submit any requests for an on-site Regulatory Audit to its DocuSign account management representative, who will work with DocuSign’s internal teams to schedule such audit. If a Regulatory Audit requires the equivalent of more than one business day of DocuSign Personnel’s time to support such audit, DocuSign may, at its discretion, charge Customer an audit fee at DocuSign’s then-current rates, which will be made known to Customer upon request, for each day thereafter. Any Regulatory Audit requested in relation to Customer Data in transit and at rest within Salesforce shall be governed by Salesforce’s commitments to Customers.
8.3 Audit for Data Breach. Following a Data Breach identified within DocuSign’s control, DocuSign will, upon Customer’s written request, promptly engage a third-party independent auditor, selected by DocuSign and at DocuSign’s expense, to conduct an on-site audit of DocuSign’s Information Security Program, including DocuSign’s data centers and corporate facilities relevant to the security of Customer Data. DocuSign will promptly provide Customer with the report of such audit.
8.4 Conditions of Audit.
(a) Audits conducted pursuant to this Security Attachment must: (i) be conducted during reasonable times and be of reasonable duration; (ii) not unreasonably interfere with DocuSign’s day-to-day operations; and (iii) be conducted under mutually agreed upon terms and in accordance with DocuSign’s security policies and procedures. DocuSign reserves the right to limit an audit of configuration settings, sensors, monitors, network devices and equipment, files, or other items if DocuSign, in its reasonable discretion, determines that such an audit may compromise the security of DocuSign Gen or the data of other DocuSign customers. Customer’s audit rights do not include penetration testing or active vulnerability assessments of the Production Environment or DocuSign Systems within their scope.
(b) In the event that Customer conducts an audit through a third-party independent contractor, such independent contractor must enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Security Attachment to protect DocuSign’s Confidential Information.
(c) Customer must promptly provide DocuSign with any audit, security assessment, compliance assessment reports and associated findings prepared by it or its third-party contractors for comment and input prior to formalization and/or sharing such information with a third party.
8.5 Remediation and Response Timeline. If any audit performed pursuant to this Security Attachment reveals or identifies any non-compliance by DocuSign of its obligations under the Security Attachment, then (a) DocuSign will work to correct such issues; and (b) Customer may request feedback and information regarding corrective and remedial actions taken in relation to such audit for no more than sixty (60) days after the date upon which such audit was conducted.