EU ADVANCED SIGNATURE ATTACHMENT for DOCUSIGN SIGNATURE
If you started your subscription to DocuSign Signature before March 27, 2019, please go here: (https://www.docusign.com/company/legacy-agreements) to review your terms.
If your use of the Service includes the use of DocuSign ID Verification, the provisions of Section 8 of this Attachment apply to you.
Service Attachment version date: March 27, 2019. Unless otherwise defined in this Service Attachment, capitalized terms will have the meaning given to them in the Agreement.
1. DEFINITIONS
“Archiving Policy” means all legal, functional, operational, technical, and security rules that Customer must establish, implement, and respect for the management of Signer identification.
“Certificate(s)” means the Certificate generated by DocuSign France via the Service for a Signer, used by that Signer to electronically sign an eDocument addressed thereto by an Authorized User, via the Service. Each Certificate contains information such as the identity of the Signer that includes the name and/or alias, the Public Key of the Signer, the life cycle of the Certificate, the identity of the RA, and the signature of the issuing CA.
“Certification Authority” (or “CA”) is DocuSign France, the authority that generates Certificates and manages the Certificate life cycle (issuance, renewal, revocation) on the request of the Registration Authority, in accordance with the rules and practices defined in its Certificate Policy(ies) and the associated Certification Practice Statement. The DocuSign contracting entity described in Section 12 (Contracting Entity, Governing Law and Venue) of the MSA acts as agent for DocuSign France as CA hereunder.
“Certificate Policy(ies)” means the set of rules published by the CA and describing the general characteristics of the Certificates that it issues. A Certificate Policy describes the obligations and responsibilities of the CA, the RA, Signers, Certificate requesters and any other PKI component involved in the management of a Certificate life cycle. The Certificate Policy(ies) of DocuSign France and its(their) successive update(s) can be accessed on DocuSign France’s website (https://www.docusign.fr/societe/certification-policies), and are an integral part of this Agreement.
“Delegated Registration Authority” (or “DRA”) means any entity expressly designated by the RA in order to perform all or part of RA tasks in accordance with the applicable Certificate Policy and Registration Policy.
“Documentation” means the commercial, functional, and technical documentation relating to the Service and provided by DocuSign to Customer, including DocuSign France’s applicable Certificate Policies. Documentation can be in a paper format, on magnetic storage medium or in any other format used by DocuSign. Documentation provided by DocuSign may be offered in English and/or French.
“DocuSign France” means DocuSign France SAS, an Affiliate of DocuSign.
“DocuSign Signature” means DocuSign’s on-demand electronic signature service, which provides online display, certified delivery, acknowledgement, electronic signature, and storage services for eDocuments via the Internet.
“eIDAS” means EU Regulation No. 910/2014.
“Private Key” means a mathematical key that is secret and that is uniquely contained within a device and remotely activated by the Signer to sign eDocuments. In the context of the Service, the Private Keys are generated only for the purpose of a single transaction and are erased after the completion of such transaction.
“Registration Authority” (or “RA”) means the entity in a contractual relationship with the CA to register requests for issuance, renewal, or revoking of Certificates, and to validate or reject them. The RA applies Signer identification and authentication procedures in accordance with the rules and practices defined in the Certificate Policy(ies). For the purposes herein, the RA is Customer.
“Registration Policy” means the procedures and rules defined and implemented by the Registration Authority in order to identify and authenticate Signers, to verify and store supporting documents for Signers’ registration, and to register requests to issue, renew, and revoke Signer Certificates.
“Service” means the DocuSign EU Advanced Signature service provided to the Customer by DocuSign France as trust service provider to offer Signers a service via DocuSign Signature to electronically sign eDocuments.
“Signer(s)” (or “Signatory”) means any individual who signs the eDocument(s) presented thereto after giving consent in accordance with the Service consent protocol.
“Signer Identity” means the personal data (such as names, email addresses, telephone numbers) identifying the Signers that is collected and defined by the Customer on the Service within DocuSign Signature.
“Transaction(s)” means the performance of a signature process, defined by a set of eDocuments submitted for electronic Signature by one or more Signers.
2. EU ADVANCED SIGNATURE
2.1 The parties acknowledge and agree that: (a) DocuSign France is a “trust service provider” for the purpose of providing Certificates under the Service; and (b) where Customer contracts with DocuSign for the provision of a Certificate under the Service and related certification services, DocuSign is authorized to act as an agent for and on behalf of DocuSign France for the purpose of contracting with Customer while DocuSign France is the entity providing the actual delivery of any Certificate under the Service; and (c) the use of the Certificate under the Service is conditional upon Customer adhering to the terms of this Service Attachment.
2.2 During the Term and subject to the terms and conditions of the Agreement, Customer will have the right to send eDocuments to Signers to be signed with the Service via the DocuSign Signature application. The right to use the Service is limited to Authorized Users, and Customer may not resell or otherwise provide or assist with the provision of the Service: (a) for the benefit of another party; (b) as a part of a service Customer offers to third parties; or (c) as a sublicensed or service bureau arrangement.
2.3 Certificate Policies. Customer acknowledges and agrees it has been or hereby is fully informed by DocuSign that:
(a) the Service is based on DocuSign France’s applicable Certificate Policies;
(b) that the Certificate Policies constitute essential commitments from DocuSign France and its delegated Registration Authorities to any third party relying on the Service;
(c) that the Certificate Policies have been or will be made available to Customer before the Order Start Date of the Service and can be accessed on DocuSign’s website, https://www.docusign.fr/societe/certification-policies; and
(d) that without limiting other provisions of the Agreement, these terms and conditions contain the essential commitments deriving from the Certificate Policies and are applicable to both Customer and DocuSign France in the context of the use of the Service.
2.4 Certification Services. DocuSign France, in its capacity as Certificate Authority, shall be responsible for the proper functioning of the Service’s components and the compliance of its Certificate management system and procedures with the provisions set forth in applicable Certificate Policy(ies). DocuSign France shall technically manage the life cycle of Signer Certificates throughout their validity period to meet the needs relating to the use of the Service, in accordance with the terms and conditions defined in the applicable Certificate Policies. The characteristics of the Signer Certificates as well as the terms and conditions applying to the management of their life cycles are defined in the applicable Certificate Policy(ies).
3. CUSTOMER RESPONSIBILITIES
3.1 Customer expressly acknowledges having received from DocuSign France (or DocuSign) all of the information it requires to assess whether the Service meets its needs and to take all necessary precautions for the implementation and operation of the Service.
3.2 This Agreement designates Customer as Registration Authority, and Customer hereby accepts such duties and responsibilities. In this capacity, Customer shall implement procedures to: (a) identify and authenticate Signers as required under Article 26 of eIDAS; (b) validate the accuracy of the information in requests prior to submitting Signer Certificate requests to the CA via the Service; and (c) protect all identity and authentication data provided by Signer in this process. Customer will develop a Registration Policy that will at minimum detail the responsibilities and procedures for an RA set forth in this Service Attachment that includes but is not limited to its identification and authentication requirements under Article 26 of eIDAS in a manner reasonably designed to meet the obligations set forth hereunder.
3.3 In its capacity as RA, Customer shall:
(a) Comply with its Registration Policy and provide written proof to DocuSign France, DocuSign, or any accredited auditing body appointed by DocuSign, to verify the compliance of the RA with its Registration Policy procedures and communicate the requested information to DocuSign;
(b) Promptly alert DocuSign when there is a security incident involving or relating to the RA service;
(c) Seek approval from DocuSign prior to designating any DRAs;
(d) Establish a written enforceable agreement with any DRAs that defines their obligations and responsibilities in accordance with the applicable Certificate Policies and Registration Policy;
(e) Take appropriate technical and organizational measures to manage the risks associated with its IT systems and networks; and
(f) Securely store and archive all supporting documents used for Signer identification, authentication, and registration for at least five (5) years.
3.4 The Service can be accessed by Customer by means of a secure remote connection. ACCORDINGLY, CUSTOMER IS SOLELY RESPONSIBLE FOR ANY AND ALL CONSEQUENCES ARISING FROM THE UNAUTHORIZED USE BY A THIRD PARTY OF ITS PRIVATE KEYS AND CUSTOMER CERTIFICATES ENABLING ACCESS TO THE SERVICE, REGARDLESS OF THE MEANS BY WHICH THEY WERE OBTAINED FROM CUSTOMER.
3.5 The registration of Signers for the issue of Signer Certificates is the exclusive responsibility of Customer in its capacity as Registration Authority. Customer is responsible for the accuracy and completeness of the information sent to DocuSign for the issuing of Signer Certificates. DocuSign does not verify any identification information and DocuSign (including DocuSign France) disclaims all liability regarding the accuracy of the Signer identification information communicated by Customer and contained in the Signer Certificates.
4. DOCUSIGN RESPONSIBILITIES
4.1 Trust Service Provider. DocuSign shall ensure: (a) its and its Affiliates’ data centers are secured and trustworthy in accordance with industry standards and use high-performance products in terms of reliability, security, and confidentiality; and (b) that electronic signatures created with the Service, subject to the Customer fulfilling its responsibilities under the Agreement, will conform with the definition of Advanced Electronic Signature set out in Article 26 of eIDAS.
5. INSPECTION
5.1 In its capacity as CA, DocuSign France has a duty to inspect Customer in its role as RA in order to confirm its compliance with the Registration Policy applicable to Signer Certificates. For this inspection, the CA may carry out, or select a mutually agreeable inspector to carry out, an annual compliance inspection on the Customer’s premises. Depending on inspector choice, the inspection may cover the following areas:
(a) Any obligation under Sections 3.2 or 3.3;
(b) Content and availability of the agreement between Customer and potential sub-contracting entities involved in the performance of Customer’s obligations;
(c) Management of eDocuments presented and made available to the Signer in connection with the signature workflow;
(d) If and only if RA has designated one or more Delegated Registration Authority pursuant to Section 3.3 above:
1. Monitoring of DRAs in accordance with the Registration Policy defined by the RA and the Contract between the RA and each DRA; and
2. Requirements to be met by DRAs regarding Signer authentication and identification and the secure transmission of Signer identification data to the Customer by DRAs.
5.2 If the inspection reveals a major case of noncompliance, Customer shall correct its procedures as soon as reasonably possible and, in any event, no later than the timeframe set by DocuSign France. If the correction has not been made within the timeframe set by DocuSign France, DocuSign France (or DocuSign as its agent and upon its instructions) may suspend services included in the operation of the Service until compliance is achieved. In this case, Customer cannot claim a breach by DocuSign France (or by DocuSign acting as DocuSign France agent) of its contractual obligations under this Agreement or claim any indemnity of any kind due to this suspension. Customer acknowledges and agrees that DocuSign France is permitted to suspend its performance under this Agreement whenever Customer is reasonably believed to be out of compliance with its obligations as the RA, and such suspension may continue until DocuSign France in its sole good faith discretion determines that the compliance failures have been remedied.
5.3 If it is suspected that the RA and/or one or more DRAs are in breach of this Agreement, or if a certification body or government authority makes the express request, DocuSign France also reserves the right to conduct, with reasonable advance notice, an inspection on the premises of the RA and the relevant DRAs at any time to determine any noncompliance with this Agreement and/or the applicable Certificate Policies.
6. TERMINATION
Upon the expiration or termination of this Service Attachment for any reason: Customer shall promptly return to DocuSign, as of the expiry and/or effective termination date, any Documentation made available by DocuSign for the performance of this Service Attachment and any copies of any nature stored in any medium, including a digital medium, or, if applicable and if expressly requested by DocuSign, destroy the Documentation and any copies made in any medium.
7. THIRD-PARTY CLAIMS
In addition to the third-party claims obligations set forth in the Agreement, Customer will indemnify DocuSign and its Indemnified Parties from, and defend DocuSign and the Indemnified Parties against, any Claim to the extent arising from or related to: (a) any representations or warranties regarding the Service made by Customer to any third parties (including without limitation Signers) not authorized by DocuSign; and (b) non-performance of any obligations by Customer, in its capacity as Registration Authority, defined under this Service Attachment and the applicable Certificate Policy.
8. DOCUSIGN ID VERIFICATION
This Section defines the obligations of the parties when DocuSign EU Advanced Signature is used with DocuSign ID Verification. In such case, the above provisions shall apply and remain in full force and effect except to the extent they are revised as set forth in this Section 8.
8.1 Section 1 shall be amended by deleting the following definitions: “Archiving Policy” and “Delegated Registration Authority.”
8.2 Section 1 shall be amended by deleting the existing definition of “Registration Authority” and replacing it with the following definition:
“Registration Authority” (or “RA”) means the entity in a contractual relationship with the CA to register requests for issuance, renewal, or revoking of Certificates and to validate or reject them. The RA applies Signer identification and authentication procedures in accordance with the rules and practices defined in the Certificate Policy(ies). For the purposes herein, the RA is DocuSign.
8.3 Section 1 shall be amended by adding the following definitions:
"DocuSign ID Verification" (or “IDV Service”) means the DocuSign Service that provides identification verification services to parties executing eDocuments using DocuSign Signature. The IDV Service allows a Customer to verify the identity of a Signer prior to Signer executing an eDocument sent by Customer through DocuSign Signature.
"ID Verification" means a transaction whereby a Signer’s identity is verified through the submission of Signer Identification through the IDV Service (e.g., the Signer’s name as provided by Customer is matched with the name associated with the Signer Identification).
"Identity Provider" (or "IDP") means the third-party service authorized to confirm the identity of a Signer by verifying a form of Signer Identification as part of the IDV Service.
"Proof of DocuSign Signature Application" (or "Certificate of Completion" or "COC") means a file generated via DocuSign Signature that contains information about eDocument signing activity, including information about the Signer and the result of a Signer Identity check made by the RA, the sender of the eDocument, and the unique identifier of the Transaction used to manage the eDocument. A dedicated COC associated with each eDocument, Signer, and sender is generated for the purpose of proving the validity of a Transaction.
"Signer Identification" means any data identifying Signer that is collected by Customer through the Service for the purposes of confirming the identity of such Signer. Such data may include a government-issued identification (e.g., a passport) or identification issued to Signer by a bank or national authority (e.g., an electronic ID), or Signer-held certificate (e.g., an electronic national ID card or equivalent delivered by a national authority).
8.4 The title of Section 2 shall be deleted and replaced as follows:
2. EU ADVANCED SIGNATURE WHEN EXECUTING WITH DOCUSIGN ID VERIFICATION
8.5 Section 2.1 shall be deleted and replaced as follows:
2.1 The parties acknowledge and agree that: (a) DocuSign France is a “trust service provider” for the purpose of providing Certificates and DocuSign is the RA under the Service; and (b) where Customer contracts with DocuSign for the provision of a Certificate under the Service and related IDV Services, DocuSign is authorized to act as an agent for and on behalf of DocuSign France for the purpose of contracting with Customer while DocuSign France is the entity providing the actual delivery of any Certificate under the Service; and (c) use of the Certificate under the Service is conditioned on Customer adhering to the terms of this Service Attachment.
8.6 Section 2.3 shall be deleted in its entirety and the remaining subsections of Section 2 shall be renumbered accordingly including any references thereto.
8.7 Section 2.4 shall be deleted and replaced as follows:
2.4 Certification Services. DocuSign France, in its capacity as CA, and DocuSign, in its capacity as RA, shall be responsible for the proper functioning of the Service’s components and the compliance of its Certificate and Signer Identity management system and procedures with the provisions set forth in applicable Certificate Policy(ies). DocuSign France and DocuSign shall technically manage the life cycle of Signer Certificates and its associated Signer Identity throughout their validity period to meet the needs relating to use of the Service, in accordance with the terms and conditions defined in the applicable Certificate Policy(ies). The characteristics of the Signer Certificates as well as the terms and conditions applying to the management of their life cycles are defined in the applicable Certificate Policy(ies).
8.8 Section 3.2 shall be deleted in its entirety and the remaining subsections of Section 3 shall be renumbered accordingly including any references thereto.
8.9 Section 3.3 shall be deleted and replaced as follows:
3.3 When using the Service, Customer shall securely store and archive the COC for at least five (5) years.
8.10 Section 3.5 shall be deleted and replaced as follows:
3.5 Customer is exclusively responsible for the collection of: (i) Signer Identification for the issuance of Signer Certificates and ID Verification with DocuSign ID Verification, and (ii) Signer email addresses to contact Signer with DocuSign Signature.
Customer is responsible for the accuracy and completeness of the information sent to DocuSign. DocuSign does not verify Signer email addresses, and DocuSign, including DocuSign France, disclaims all liability regarding the accuracy of the Signer Identification provided by Customer in the DocuSign Signature application.
8.11 Section 4 shall be deleted and replaced as follows:
4.1 Trust Service Provider. DocuSign shall ensure: (a) its and its Affiliates’ data centers are secured and trustworthy in accordance with industry standards and use high-performance products in terms of reliability, security, and confidentiality; and (b) that electronic signatures created with the Service, subject to the Customer fulfilling its responsibilities under the Agreement, will conform with the definition of Advanced Electronic Signature set out in Article 26 of eIDAS.
DocuSign verifies Signer’s name as provided by Customer with the IDV Service. DocuSign France then issues a Certificate, and upon Signer’s consent to the terms of the Certificate, enables the Signer to sign the eDocument.
4.2 Proof of ID Verification. In its capacity as CA, DocuSign France has a duty to prove the Certificate issuance for a Signer including proof of ID Verification. DocuSign as RA shall keep the following information during five (5) years after ID Verification occurs:
(a) Signer’s email address;
(b) Signer’s full name, as provided by Customer;
(c) Name of IDP;
(d) Country of issued ID;
(e) ID Verification date;
(f) Signer IP address at transaction time;
(g) Type of identification verified, including:
(i) Government ID, in which case DocuSign must keep the ID number;
(ii) Electronic ID, in which case DocuSign must keep the unique identifier of the Signer from IDP;
(iii) Signer-held certificate, in which case DocuSign must keep the certificate serial number with CA Issuer Distinguished Name, Online Certificate Status Protocol token or Certificate Revocation List serial number, and Certificate Revocation List Issuer Distinguished Name.
8.12 Section 5 shall be deleted in its entirety and the remaining Sections shall be renumbered accordingly including any references thereto.
8.13 Section 6 shall be amended by adding new text to the end as follows:
Any proof of ID Verification shall be kept by DocuSign in accordance with the time period defined in Section 4.2.