DATA PROTECTION ATTACHMENT FOR DOCUSIGN SERVICES
Version date: September 20, 2021
This Data Protection Attachment for DocuSign Services (“DPA”) is incorporated into and made part of the Agreement. Unless otherwise defined in this DPA, capitalized terms will have the meaning given to them in the Agreement. In the event of any conflict between these documents, the following order of precedence applies (in descending order): (a) Binding Corporate Rules, (b) the alternative data transfer mechanism provided for under Section 6.2 of this DPA; (c) the body of the DPA; (d) any documents attached to the DPA; and (e) the Agreement.
“Applicable Data Protection Laws” means all data privacy or data protection laws or regulations that apply to the Processing of Personal Data under the Agreement.
“Binding Corporate Rules” means DocuSign’s Binding Corporate Rules for Processors, the most current version of which is available on DocuSign’s website at https://trust.docusign.com/en-us/trust-certifications/gdpr/bcr-p-processor-privacy-code/.
“Controller” and “Processor” (or equivalent terms) have the meanings set forth under Applicable Data Protection Laws.
“Data Incident” has the meaning as defined in the Security Attachment for DocuSign Services.
“Data Subjects” has the same meaning as the term “data subject” or equivalent term under Applicable Data Protection Laws.
“DocuSign Service Subprocessor” means a third party, other than the DocuSign contracting entity, which may Process Personal Data on behalf of the DocuSign contracting entity as part of the provision of the DocuSign Services.
“Personal Data” means such “personal data”, “personally identifiable information (PII)” or equivalent term under Applicable Data Protection Laws.
“Process/Processing” has the meaning set forth under Applicable Data Protection Laws and includes any operation or set of operations that is performed on Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Regulators” has the same meaning as the term “supervisory authority”, “data protection authority” or equivalent term under Applicable Data Protection Laws.
2.1 This DPA applies to DocuSign’s Processing of Personal Data on Customer’s or Customer Affiliate’s behalf (as applicable) for the provision of the DocuSign Services as specified in the Agreement. Unless otherwise expressly stated in the Agreement, this DPA is in effect and remains in force for the Term of the Agreement.
3. PROCESSING RESPONSIBILITY AND CUSTOMER’S INSTRUCTIONS
3.1 Customer is a Controller and DocuSign is a Processor for the Processing of Personal Data with respect to the DocuSign Services provided under the Agreement. Each Party is responsible for compliance with its own respective obligations under Applicable Data Protection Laws. For the avoidance of doubt, DocuSign is not responsible for complying with data protection laws applicable to Customer or Customer’s industry such as those not generally applicable to online service providers. Customer acknowledges and agrees that it has met all legal requirements necessary for DocuSign and/or the DocuSign Service Subprocessors to process Personal Data as authorized in the Agreement.
3.2 DocuSign will Process Personal Data only as necessary to provide the DocuSign Services in accordance with the terms of the Agreement or as instructed by Customer in writing, including in electronic form. Subject to Customer’s instructions being in accordance with Applicable Data Protection Laws, DocuSign will comply with such instructions to the extent and within such timeframes reasonably necessary for DocuSign to (a) comply with its Processor obligations under Applicable Data Protection Laws; or (b) assist Customer to comply with Customer’s obligations under Applicable Data Protection Laws relevant to Customer’s use of the DocuSign Services. DocuSign will follow such Customer’s instructions at no additional cost to Customer if DocuSign does not expect to incur additional charges or fees not reasonably covered by the fees for the DocuSign Services payable under the Agreement, including, without limitation, additional license or third-party contractor fees. If additional charges or fees are expected, DocuSign will promptly inform Customer upon receiving Customer’s instructions and the Parties will negotiate in good faith with respect to any such charges or fees. To the extent required by the Applicable Data Protection Laws, DocuSign will promptly inform Customer if, in DocuSign’s opinion, Customer’s instruction infringes Applicable Data Protection Laws. Customer acknowledges and agrees that DocuSign is not responsible for performing legal research and/or for providing legal advice to Customer.
3.3 Unless otherwise specified in the Agreement, Customer agrees it will not provide DocuSign with any sensitive or special categories of Personal Data that impose specific data security or data protection obligations on DocuSign in addition to or different from those specified in this DPA (including any appendix to the DPA) or Agreement.
3.5 With respect to DocuSign’s Processing of Personal Data of California Consumers under the California Consumer Privacy Act of 2018 (“CCPA”), the Parties agree that DocuSign acts as a CCPA service provider for Personal Data. Customer acknowledges that it is not selling Personal Data to DocuSign and DocuSign agrees that it will only use Personal Data for the purposes specified in this DPA and the Agreement. Additionally, each Party agrees it will take commercially reasonable steps to avoid any action under the Agreement that would cause the other Party to be deemed to have sold Personal Data under the CCPA.
4. PRIVACY INQUIRIES AND REQUESTS FROM DATA SUBJECTS
4.1 If Customer receives a request or inquiry from a Data Subject related to Personal Data Processed by DocuSign, Customer can either (a) access its DocuSign Services containing Personal Data to address the request or inquiry, or (b) to the extent such access is not available to Customer, contact DocuSign customer support for additional assistance to enable Customer to address the request or inquiry.
4.2 If DocuSign directly receives any requests or inquiries from a Data Subject, DocuSign will promptly pass on such request to Customer if the Data Subject has identified Customer as Controller of the Personal Data forming the base of the request or inquiry. DocuSign may advise the Data Subject to identify and contact the relevant Controller(s) which have uploaded or submitted the Data Subject’s Personal Data for Processing by the DocuSign Services. Notwithstanding the foregoing, Customer understands and agrees that as a Controller, Customer is solely responsible for responding to such Data Subject’s requests or inquiries and that DocuSign has no responsibility to respond to a Data Subject for or on the Customer’s behalf. Regarding any anonymized data or other data not considered Personal Data under Applicable Data Protection Laws, the Parties agree and acknowledge that DocuSign has no obligation as a Processor or under this DPA to re-identify or link information or take any other action which may result in such data being deemed Personal Data.
5. DOCUSIGN AFFILIATES AND THIRD-PARTY SUBPROCESSORS
5.1 Subject to the terms of this DPA and the Agreement, Customer acknowledges and agrees that DocuSign may engage DocuSign Service Subprocessors to Process Personal Data for or on behalf of DocuSign to provide the DocuSign Services. DocuSign will be liable for the performance of all its obligations under the Agreement whether or not it has delegated or subcontracted any of them to a DocuSign Service Subprocessor.
5.2 DocuSign Service Subprocessors are authorized by DocuSign to process Personal Data only in accordance with the terms of this DPA and the Agreement and are subject to the Binding Corporate Rules or bound by written terms at least as protective of Customer’s Personal Data as set forth in this DPA. A list of DocuSign’s DocuSign Service Subprocessors (including the name and location of such DocuSign Service Subprocessors and the activities it will perform) is available on DocuSign’s website at https://www.docusign.com/trust/privacy/subprocessors-list (the “Subprocessor List”), and notice regarding new DocuSign Service Subprocessors is made available through a subscription mechanism as described on the DocuSign website. Customer agrees to subscribe to the Subprocessor List in order for DocuSign to notify Customer of new DocuSign Service Subprocessor(s) for the applicable DocuSign Services.
5.3 Customer may object to DocuSign’s use of a new DocuSign Service Subprocessor to Process Customer’s Personal Data by giving written notice to DocuSign within thirty (30) days of being informed by DocuSign of such a new DocuSign Service Subprocessor. If Customer objects to the use of a new DocuSign Service Subprocessor in compliance with the foregoing, DocuSign has the right to cure the objection within thirty (30) days of DocuSign’s receipt of Customer’s objection through either of the following options (to be selected at DocuSign’s sole discretion): (a) DocuSign providing a commercially reasonable alternative to avoid the Processing of Personal Data by the objected DocuSign Service Subprocessor; or (b) DocuSign terminating the affected DocuSign Services involving use of the new DocuSign Service Subprocessor to Process Customer’s Personal Data and providing a prorated refund to Customer for any prepaid fees received by DocuSign under the Agreement corresponding to the unused portion of the Term of such terminated DocuSign Services following the effective date of termination, which is Customer’s sole and exclusive remedy for the terminated DocuSign Services.
5.4 If and to the extent the Processing of Personal Data by DocuSign involves a cross-border transfer of Personal Data to any DocuSign Service Subprocessor(s) in a country not recognized as providing an adequate level of protection for Personal Data, the Parties agree that prior to any such transfers taking place, DocuSign will implement with such DocuSign Service Subprocessor(s) appropriate cross-border transfer safeguards in accordance with the Applicable Data Protection Laws.
6. CROSS-BORDER DATA TRANSFERS
6.1 DocuSign may Process Personal Data globally as necessary to perform the DocuSign Services. To the extent such global access involves a transfer of Personal Data subject to cross-border transfer obligations under Applicable Data Protection Laws within the DocuSign group, the Binding Corporate Rules apply to the Processing of Personal Data by DocuSign and/or its Affiliates as part of the provision of DocuSign Services under the Agreement. The Binding Corporate Rules are incorporated by reference into this DPA, and DocuSign agrees to use commercially reasonable efforts to maintain the regulatory authorization of the Binding Corporate Rules or other appropriate cross-border transfer safeguards for the duration of the Agreement. If Customer has subscribed to be informed of changes to the Binding Corporate Rules through the subscription mechanism described on the DocuSign Alerts page of the DocuSign website, DocuSign will inform Customer of any subsequent material changes to its Binding Corporate Rules through the applicable subscription alerts.
6.2 In the event that the Binding Corporate Rules (including the protections provided therein) together with necessary supplemental measures are deemed inadequate by Regulators for cross-border transfers of Personal Data under Applicable Data Protection Laws, the Parties shall enter into the standard contractual clauses as approved by the European Commission.
7. INFORMATION AND ASSISTANCE
7.1 Upon prior written request, DocuSign will provide to Customer reasonable assistance and information regarding the DocuSign Services provided under the Agreement to assist Customer in (a) Customer conducting a privacy impact assessment of the DocuSign Services, and (b) an investigation by any Regulator(s) to the extent that such investigation relates to Customer’s use of the DocuSign Services and Personal Data Processed by DocuSign in accordance with the Agreement.
8. SECURITY SAFEGUARDS
8.1 DocuSign will safeguard Personal Data with appropriate technical, physical, and organizational measures designed to prevent Data Incidents. Additional details regarding the specific security measures that apply to the DocuSign Services are as described in the Binding Corporate Rules and the Agreement. All DocuSign employees, as well as any DocuSign Service Subprocessors that Process Personal Data, are subject to appropriate written confidentiality obligations, including training on information protection, and compliance with DocuSign policies concerning protection of Confidential Information.
8.2 Customer shall be responsible for properly implementing access and use controls and configuring certain features and functionalities of the DocuSign Services that Customer may elect to use and agrees that it will do so in accordance with this DPA and the Agreement in such manner that Customer deems adequate, including, without limitation, maintaining appropriate security, protection, deletion, and backup of its own Personal Data.
9. AUDIT RIGHTS
9.1 The Binding Corporate Rules and Agreement set forth Customer’s audit rights as permitted under this DPA. Upon completion of any audit, Customer will provide DocuSign with a copy of the audit report or other summary (“Audit Report”), which is subject to the confidentiality terms of the Agreement. Customer may use the Audit Report only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of this DPA.
9.2 Unless otherwise set forth in the Agreement, each Party will bear its own costs in relation to audits, unless DocuSign promptly informs Customer upon reviewing Customer’s audit request that it expects to incur additional charges or fees in the performance of such audit that are not covered by the fees payable under the Agreement, including without limitation additional license or third-party contractor fees. The Parties will negotiate in good faith with respect to any such charges or fees.
9.3 Without prejudice to the rights set forth in Section 9.1 above, if the requested audit scope is addressed in a SOC, ISO, NIST, PCI DSS, HIPAA or similar audit report issued by a qualified third-party auditor within the prior twelve months and DocuSign provides such report to Customer confirming there are no known material changes in the controls audited, Customer agrees to accept the findings presented in the third-party audit report in lieu of requesting an audit of the same or materially similar controls covered by the report.
10. INCIDENT NOTIFICATION AND MANAGEMENT
10.1 DocuSign has implemented controls and policies designed to detect and promptly respond to Data Incidents. DocuSign shall, without undue delay, report to Customer any Data Incident upon becoming aware that a Data Incident has occurred, to the extent not otherwise prohibited under applicable law. DocuSign’s obligation to report a Data Incident under this DPA is not and will not be construed as an acknowledgement by DocuSign of any fault or liability of DocuSign with respect to such Data Incident. Customer is solely responsible for determining whether to notify impacted Data Subjects and for providing such notice, and for determining whether Regulators need to be notified of a Data Incident as may be required for Customer’s own business and activities. Notwithstanding the foregoing, Customer agrees to coordinate with DocuSign on the content of Customer’s intended public statements or required notices for affected Data Subjects and/or notices to relevant Regulators regarding the Data Incident.
10.2 DocuSign will promptly define escalation paths to investigate such incidents in order to confirm if a Data Incident has occurred, and to take reasonable measures designed to identify the root cause(s) of the Data Incident, mitigate adverse effects and prevent a recurrence.
10.3 The details of the Data Incident response and notification procedure set forth in the Security Attachment for DocuSign Services shall apply accordingly.
11. DOCUSIGN PRIVACY CONTACT
12. RETURN OR DISPOSAL
12.1 Prior to termination or expiration of the Agreement for any reason, Customer may delete its Personal Data Processed by the DocuSign Services in accordance with the terms of the Agreement. At Customer’s prior written request and upon termination of the DocuSign Services, DocuSign will promptly return (including by providing available data retrieval functionality) or delete copies of Personal Data on DocuSign systems and DocuSign Services environments, except as otherwise stated in the Agreement or unless applicable laws require storage of the Personal Data for longer.
12.2 For Personal Data stored in Customer’s service environment, or for the DocuSign Services for which no bulk data retrieval functionality is provided by DocuSign as part of the DocuSign Services, Customer is advised to take appropriate action to back up or otherwise store separately any Personal Data while the DocuSign Services environment is still active prior to termination.
EUROPEAN DPA APPENDIX
This European DPA Appendix (“EU Appendix”) is incorporated into and made part of the DPA. Unless otherwise defined in this EU Appendix, capitalized terms will have the meaning given to them in the main body of the DPA.
1. DESCRIPTION OF PROCESSING
1.1 Duration. The duration of the Processing of Personal Data will be the same as the Term of the Agreement, except as otherwise agreed to in writing by the Parties or required by Applicable Data Protection Laws.
1.2 Processing Activities. DocuSign may Process Personal Data as necessary to perform the DocuSign Services, including where applicable for hosting and storage; backup and disaster recovery; service change management; issue resolution; applying new product or system versions, patches, updates and upgrades; monitoring and testing system use and performance; IT security purposes including incident management; maintenance and performance of technical support systems and IT infrastructure; and migration, implementation, configuration and performance testing. Additionally, DocuSign may collect, retain, use, disclose and otherwise Process Personal Data for the following additional business purposes: (a) to comply with Customer’s written instructions, as Customer may provide to DocuSign from time to time pursuant to the Agreement and the DPA; (b) to disclose Personal Data to its employees, contractor personnel, advisers or DocuSign Service Subprocessors who have a need to know the Personal Data in order to provide the DocuSign Services and are under confidentiality obligations at least as restrictive as those described under the Agreement; (c) to comply with Applicable Data Protection Laws or any request from a Regulator or other governmental or regulatory body (including subpoenas or court orders); and (d) to exercise or defend legal claims.
1.3 Categories of Personal Data. In order to perform the DocuSign Services, depending on the DocuSign Services Customer has ordered, DocuSign may Process some or all of the following categories of Personal Data: contact information such as name, address, telephone or mobile number, email address, and passwords; goods and services provided; unique IDs collected from mobile devices; and IP addresses.
1.4 Categories of Data Subjects. Categories of Data Subjects whose Personal Data may be Processed in order to perform the DocuSign Services may include, among others, Customer’s Account Administrator, Authorized Users, representatives and end users, including without limitation Customer’s employees, contractors, partners, suppliers, customers and clients.