SERVICE SCHEDULE for DOCUSIGN SIGNATURE
This Service Schedule was last updated on June 15, 2017. Unless otherwise defined in this Service Schedule, capitalized terms will have the meaning given to them in the Agreement.
“DocuSign Signature” means the on-demand electronic signature DocuSign Service, which provides online display, certified delivery, acknowledgement, electronic signature, and storage services for eDocuments via the Internet.
“Envelope” means an electronic record containing one or more eDocuments consisting of a single page or a group of pages of data uploaded to the System.
“EU Directive” means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
“System” refers to the software systems and programs, the communication and network facilities, and the hardware and equipment used by DocuSign or its agents to make available the DocuSign Signature service via the Internet.
“Transaction Data” means the metadata associated with an Envelope (such as transaction history, image hash value, method and time of Envelope deletion, sender and recipient names, email addresses and signature IDs) and maintained by DocuSign in order to establish the digital audit trail required by DocuSign Signature.
2. ADDITIONAL USAGE LIMITATIONS AND CUSTOMER RESPONSIBILITIES
2.1 DocuSign’s provision of DocuSign Signature is conditioned on Customer’s acknowledgement of and agreement to the following:
- (a) DocuSign Signature facilitates the execution of eDocuments between the Parties to those eDocuments. Nothing in this Service Schedule may be construed to make DocuSign a party to any eDocument processed through DocuSign Signature, and DocuSign makes no representation or warranty regarding the transactions sought to be effected by any eDocument;
- (b) Between DocuSign and Customer, Customer has exclusive control over and responsibility for the content, quality, and format of any eDocument. All eDocuments stored by DocuSign on the System are maintained in an encrypted form, and DocuSign has no control of or access to their contents;
- (c) Certain types of agreements and documents may be excepted from electronic signature laws (e.g. wills and agreements pertaining to family law), or may be subject to specific regulations promulgated by various government agencies regarding electronic signatures and electronic records. DocuSign is not responsible or liable to determine whether any particular eDocument is subject to an exception to applicable electronic signature laws, or whether it is subject to any particular agency promulgations, or whether it can be legally formed by electronic signatures;
- (d) DocuSign is not responsible for determining how long any contracts, documents, and other records are required to be retained or stored under any applicable laws, regulations, or legal or administrative agency processes. Further, DocuSign is not responsible for or liable to produce any of Customer’s eDocuments or other documents to any third parties;
- (e) Certain consumer protection or similar laws or regulations may impose special requirements with respect to electronic transactions involving one or more “consumers,” such as (among others) requirements that the consumer consent to the method of contracting and/or that the consumer be provided with a copy, or access to a copy, of a paper or other non-electronic, written record of the transaction. DocuSign does not and is not responsible to: (i) determine whether any particular transaction involves a “consumer”; (ii) furnish or obtain any such consents or determine if any such consents have been withdrawn; (iii) provide any information or disclosures in connection with any attempt to obtain any such consents; (iv) provide legal review of, or update or correct any information or disclosures currently or previously given; (v) provide any such copies or access, except as expressly provided in the Documentation for all transactions, consumer or otherwise; or (vi) otherwise to comply with any such special requirements; and
- (f) Customer undertakes to determine whether any “consumer” is involved in any eDocument presented by its Authorized Users for processing, and, if so, to comply with all requirements imposed by law on such eDocuments or their formation.
3. eDOCUMENT STORAGE AND DELETION
3.1 During Term. Customer may retrieve electronic copies of its stored eDocuments at any time while this Service Schedule is in effect at no additional cost. DocuSign will store all completed eDocuments sent by Customer during the Term, by default. However, Customer has the option to change its Account settings to direct the deletion of all or certain designated eDocuments at an earlier date or periodic interval. If Customer fails to retrieve its eDocuments prior to the expiration or termination of the Service Schedule, Customer may request, no later than ninety (90) days after such expiration or termination, that DocuSign provide Professional Services to assist in retrieving completed eDocuments still remaining on the System, the details of which Professional Services will be set out in a SOW. After such ninety (90) day period, DocuSign shall have no obligation to maintain or provide any eDocuments and DocuSign shall have the right to delete all eDocuments in the System or otherwise in its possession or under its control and delete Customer’s Account.
3.2 DocuSign may retain Transaction Data for as long as it has a business purpose to do so, provided that any Transaction Data that constitutes Confidential Information of Customer will at all times maintain that status, and DocuSign will comply with its confidentiality obligations as provided in the Agreement.
4. INFORMATION SECURITY AND PERSONAL DATA
4.1 Customer Responsibilities. DocuSign Signature provides Customer with certain features and functionalities that Customer may elect to use, including the ability to retrieve and delete eDocuments in the System. Customer is responsible for properly (a) configuring DocuSign Signature, (b) using and enforcing controls available in connection with DocuSign Signature (including any security controls), and (c) taking such steps, in accordance with the functionality of DocuSign Signature, that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Customer Data, which include controlling the management of Authorized Users’ access and credentials to DocuSign Signature, controlling Customer Data that is Processed by DocuSign Signature and controlling the archival or deletion of eDocuments in the System. Customer acknowledges that DocuSign has no obligation to protect Customer Data, including Personal Data (defined below), located in DocuSign Signature that Customer elects to store or transfer outside of DocuSign Signature (e.g., offline or on-premise storage).
4.2 Information Security Program. DocuSign maintains a written information security program that includes policies, procedures, and controls governing the processing of Customer Data through DocuSign Signature in accordance with the terms of the Agreement (the “Information Security Program”). During the Term, DocuSign will take and implement appropriate technical and organizational measures to protect Customer Data located in DocuSign Signature and maintain its Information Security Program in accordance with ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001. DocuSign may update or modify the Information Security Program from time to time provided that such updates and modifications do not result in the degradation of the overall security of DocuSign Signature.
4.3 Audit of Information Security Program. DocuSign uses external auditors to verify the adequacy of its Information Security Program. Upon Customer’s reasonable written request of no less than thirty (30) days’ notice during the Term, and no more than once per calendar year, DocuSign will provide Customer with third party attestations, certifications, and reports relevant to the establishment, implementation, and control of the Information Security Program, including DocuSign’s ISO 27001 certification, PCI DSS certification, and Service Organization Controls (SOC) reports.
4.4 Data Breach and Response Procedures.
- (a) Unless notification is delayed by the actions or demands of a law enforcement agency, DocuSign shall report to Customer: (i) any unlawful access, use, or disclosure of the Customer eDocuments or Transaction Data stored in DocuSign Signature; or (ii) unauthorized access, use, or disclosure to DocuSign Signature that results in loss, disclosure, or destruction of eDocuments or Transaction Data of the Customer (a “Data Breach”) promptly following determination by DocuSign that a Data Breach has occurred of Customer eDocuments or Transaction Data. The initial report will be made to Customer and sent to the appropriate party at the address and contact information set forth on the Order Form or within Account registration. DocuSign shall take reasonable measures to promptly mitigate the cause of the Data Breach and shall take reasonable corrective measures to prevent future Data Breaches. DocuSign’s obligation to report a Data Breach under this Section is not and will not be construed as an acknowledgement by DocuSign of any fault or liability of DocuSign with respect to such Data Breach.
- (b) As information is collected or otherwise becomes available to DocuSign and unless prohibited by law, DocuSign shall provide information regarding the nature and consequences of the Data Breach that are reasonably requested to allow Customer to notify affected individuals, government agencies and/or credit bureaus. Due to the encryption configuration and security controls associated with DocuSign Signature, DocuSign will not have access to or know the nature of the information contained within Customer’s eDocuments and, as such, the Parties acknowledge that it may not be possible for DocuSign to provide Customer with a description of the type of information or the identity of individuals that may be affected by a Data Breach. Customer is solely responsible for determining whether to notify impacted individuals and for providing such notice, and for determining if regulatory bodies or enforcement commissions applicable to Customer or Customer’s use of DocuSign Signature need to be notified of a Data Breach.
- (c) Customer agrees “Data Breaches” do not include: (a) unsuccessful access attempts or similar events that do not compromise the security or privacy of DocuSign Signature, including pings, port scans, denial of service attacks and other network attacks on firewalls or networked systems; or (b) accidental loss or disclosure of eDocuments or Transaction Data caused by Customer’s use of DocuSign Signature or Customer’s loss of Account authentication credentials.
4.5 Risk and Security Assurance Framework Contact. Customer’s account management team at DocuSign will be Customer’s first point of contact for information and support regarding DocuSign’s Information Security Program. The DocuSign account management team will work directly with Customer to escalate Customer’s questions, issues, and requests to internal DocuSign groups as necessary.
5. SUBSCRIPTION PLANS AND FEES
DocuSign Signature is made available on the basis of a prepaid subscription, which is subject to the restrictions set forth in the applicable Purchase Agreement.
5.1 “Seat Allowance” means the maximum number of Authorized Users that Customer may have active in its (“Seats”) Account. For purposes of determining usage of Seats:
- (i) The number of Seats in use is determined by the total number of Authorized Users registered in Customer’s Account with access to DocuSign Signature at any time during the Term.
- (ii) No two individuals may log onto or use DocuSign Signature as the same Authorized User, but Customer may unregister or deactivate Authorized Users and replace them with other Authorized Users without penalty, so long as the number of active Authorized Users registered at any one time does not exceed the number of Seats purchased.
5.2 “Envelope Allowance" means the cumulative number of Envelopes that may be sent by Authorized Users registered in Customer’s Account. There is no individual limit on number of Envelopes that may be sent by each Authorized User, so long as the total volume sent by all Authorized Users does not exceed the Envelope Allowance. For purposes of calculating Envelope usage:
- (i). An Envelope is consumed when sent by an Authorized User, regardless of whether the Envelope has been received by any recipients or whether any recipients have performed any actions upon any eDocument in the Envelope;
- (ii). Usage of a Powerform will be applied against the Envelope Allowance. A PowerForm will be deemed consumed at the time it is accessed by any user regardless of whether any actions are subsequently performed upon such Envelope. “Powerform” means an Envelope that may be accessed and completed by accessing a hyperlink (i.e. which does not need to be individually sent to each recipient);
- (iii). An Envelope sent via bulk send or automated batch sending, including through a DocuSign API, will be applied against the Envelope Allowance.
5.3 Calculation of Envelope Allowance. Unless otherwise set forth in the Purchase Agreement, the Envelope Allowance for each twelve (12) month period during the Order Term is calculated by multiplying the Seat Allowance times one hundred (100) Envelopes. For example, a three (3) year subscription for ten (10) Seats would result in an Envelope Allowance of one thousand (1000) Envelopes per year. An Envelope Allowance may be augmented by purchasing additional Seats (each of which supply an additional one hundred (100) Envelopes unless otherwise set forth in the Order Form) or additional batches of Envelopes, pursuant to a Purchase Agreement.
6. PCI DSS
6.1 DocuSign Signature may be ordered with payments functionality, and to the extent applicable, DocuSign represents that it is presently in compliance, and will remain in compliance with the current Payment Card Industry Data Security Standard (“PCI DSS”), developed and published jointly by American Express, Discover, MasterCard, and Visa (“Payment Card Brands”) for protecting individual credit and debit card account numbers or related data (“Cardholder Data”).
6.2 DocuSign acknowledges that Cardholder Data is owned exclusively by Customer, credit card issuers, the relevant Payment Card Brand, and entities licensed to process credit and debit card transactions on behalf of Customer, and further acknowledges that such Cardholder Data may be used solely to assist the foregoing parties in completing a transaction, supporting a loyalty program, providing fraud control services, or for other uses specifically required by law, the operating regulations of the Payment Card Brands, or this Service Schedule.
6.3 Customer represents that it is responsible for compliance with the PCI DSS, developed and published jointly by the Payment Card Brands for protecting Cardholder Data as it relates to their payment processes and use of Cardholder Data.
7. ADDITIONAL WARRANTIES AND DISCLAIMERS
7.1 Additional DocuSign Warranties. DocuSign warrants that: (a) DocuSign Signature will not introduce files, scripts, agents or programs intended to do harm, including, for example, viruses, worms, time bombs and Trojan horses (“Malicious Code”) into Customer's system; (b) the proper use of DocuSign Signature by Customer in accordance with the Documentation and applicable law will be sufficient to meet the definition of an “electronic signature” as defined in the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. ch. 96 §§ 7001 et seq. (the “ESIGN Act”); and in Regulation 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (“eIDaS”).
7.2 Disclaimer. Except for the express representations and warranties stated in this Section 7 and in the MSA, and subject to the additional limitations of liability therein, DocuSign: (a) makes no additional representation or warranty of any kind -- whether express, implied in fact or by operation of law, or statutory -- as to any matter whatsoever; (b) disclaims all implied warranties of merchantability and fitness for a particular purpose and the like; and (c) does not warrant that DocuSign Signature is or will be uninterrupted or error-free or meet Customer’s requirements. Customer has no right to make or pass on any representation or warranty on behalf of DocuSign to any third party.