SERVICE SCHEDULE for DOCUSIGN SIGNATURE
This Service Schedule was last updated on December 15, 2016. Unless otherwise defined in this Service Schedule, capitalized terms will have the meaning given to them in the Agreement.
“DocuSign Signature” means the on-demand electronic signature DocuSign Service, which provides online display, certified delivery, acknowledgement, electronic signature, and storage services for eDocuments via the Internet.
“Envelope” means an electronic record containing one or more eDocuments consisting of a single page or a group of pages of data uploaded to the System.
“EU Directive” means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
“System” refers to the software systems and programs, the communication and network facilities, and the hardware and equipment used by DocuSign or its agents to make available the DocuSign Signature service via the Internet.
“Transaction Data” means the metadata associated with an Envelope (such as transaction history, image hash value, method and time of Envelope deletion, sender and recipient names, email addresses and signature IDs) and maintained by DocuSign in order to establish the digital audit trail required by DocuSign Signature.
2. ADDITIONAL USAGE LIMITATIONS AND CUSTOMER RESPONSIBILITIES.
2.1 DocuSign’s provision of DocuSign Signature is conditioned on Customer’s acknowledgment of and agreement to the following:
(a) DocuSign Signature facilitates the execution of eDocuments between the Parties to those eDocuments. Nothing in this Service Schedule may be construed to make DocuSign a party to any eDocument processed through DocuSign Signature, and DocuSign makes no representation or warranty regarding the transactions sought to be effected by any eDocument;
(b) Between DocuSign and Customer, Customer has exclusive control over and responsibility for the content, quality, and format of any eDocument. All eDocuments stored by DocuSign on the System are maintained in an encrypted form, and DocuSign has no control of or access to their contents;
(c) Certain types of agreements and documents may be excepted from electronic signature laws (e.g. wills and agreements pertaining to family law), or may be subject to specific regulations promulgated by various government agencies regarding electronic signatures and electronic records. DocuSign is not responsible or liable to determine whether any particular eDocument is subject to an exception to applicable electronic signature laws, or whether it is subject to any particular agency promulgations, or whether it can be legally formed by electronic signatures;
(d) DocuSign is not responsible for determining how long any contracts, documents, and other records are required to be retained or stored under any applicable laws, regulations, or legal or administrative agency processes. Further, DocuSign is not responsible for or liable to produce any of Customer’s eDocuments or other documents to any third parties;
(e) Certain consumer protection or similar laws or regulations may impose special requirements with respect to electronic transactions involving one or more “consumers,” such as (among others) requirements that the consumer consent to the method of contracting and/or that the consumer be provided with a copy, or access to a copy, of a paper or other non-electronic, written record of the transaction. DocuSign does not and is not responsible to: (i) determine whether any particular transaction involves a “consumer”; (ii) furnish or obtain any such consents or determine if any such consents have been withdrawn; (iii) provide any information or disclosures in connection with any attempt to obtain any such consents; (iv) provide legal review of, or update or correct any information or disclosures currently or previously given; (v) provide any such copies or access, except as expressly provided in the Documentation for all transactions, consumer or otherwise; or (vi) otherwise to comply with any such special requirements; and
(f) Customer undertakes to determine whether any “consumer” is involved in any eDocument presented by its Authorized Users for processing, and, if so, to comply with all requirements imposed by law on such eDocuments or their formation.
3. eDOCUMENT STORAGE AND DELETION.
3.1 During Term. Customer may retrieve electronic copies of its stored eDocuments at any time while this Service Schedule is in effect at no additional cost. DocuSign will store all completed eDocuments sent by Customer during the Term, by default. However, Customer has the option to change its Account settings to direct the deletion of all or certain designated eDocuments at an earlier date or periodic interval. If Customer fails to retrieve its eDocuments prior to the expiration or termination of the Service Schedule, Customer may request, no later than ninety (90) days after such expiration or termination, that DocuSign provide Professional Services to assist in retrieving completed eDocuments still remaining on the System, the details of which Professional Services will be set out in a SOW. After such ninety (90) day period, DocuSign shall have no obligation to maintain or provide any eDocuments and DocuSign shall have the right to delete all eDocuments in the System or otherwise in its possession or under its control and delete Customer’s Account.
3.2 DocuSign may retain Transaction Data for as long as it has a business purpose to do so, provided that any Transaction Data that constitutes Confidential Information of Customer will at all times maintain that status, and DocuSign will comply with its confidentiality obligations as provided in the Agreement.
4. INFORMATION SECURITY AND PERSONAL DATA.
4.1 Customer Responsibilities. DocuSign Signature provides Customer with certain features and functionalities that Customer may elect to use, including the ability to retrieve and delete eDocuments in the System. Customer is responsible for properly (a) configuring DocuSign Signature, (b) using and enforcing controls available in connection with DocuSign Signature (including any security controls), and (c) taking such steps, in accordance with the functionality of DocuSign Signature, that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Customer Data, which include controlling the management of Authorized Users’ access and credentials to DocuSign Signature, controlling Customer Data that is Processed by DocuSign Signature and controlling the archival or deletion of eDocuments in the System. Customer acknowledges that DocuSign has no obligation to protect Customer Data, including Personal Data (defined below), located in DocuSign Signature that Customer elects to store or transfer outside of DocuSign Signature (e.g., offline or on-premise storage).
4.2 Information Security Program. DocuSign maintains a written information security program that includes policies, procedures, and controls governing the processing of Customer Data through DocuSign Signature in accordance with the terms of the Agreement (the “Information Security Program”). During the Term, DocuSign will take and implement appropriate technical and organizational measures to protect Customer Data located in DocuSign Signature and maintain its Information Security Program in accordance with ISO 27001 standards or such other alternative standards that are substantially equivalent to ISO 27001. DocuSign may update or modify the Information Security Program from time to time provided that such updates and modifications do not result in the degradation of the overall security of DocuSign Signature.
4.3 International Data Transfers.
(a) Data Storage and Transfer. If Customer is established in the European Economic Area or Switzerland (collectively "EEA"), it acknowledges that DocuSign may transfer Customer's Personal Data outside of the EEA for Processing. In such event, DocuSign shall ensure adequate protection for the Personal Data in accordance with the requirements of Articles 25 and 26 of the EU Directive by executing Standard Contractual Clauses approved by the European Commission for the benefit of the Customer ("Customer SCCs"). DocuSign represents that it has applied for Binding Corporate Rules ("BCRs") for Processors and Customer acknowledges and agrees that, with effect from the date that DocuSign's BCRs are approved by the competent data protection authority, the Customer SCCs shall immediately terminate and all Personal Data transfers made by DocuSign under this Agreement shall be conducted under, and in full compliance with, DocuSign's BCRs. The terms “Personal Data”, “Process/Processing”, “Controller”, “Processor”, “Subprocessor”, and “Data Subject” will have the meanings ascribed to them in the EU Directive.
(b) Customer SCCs. At all times, DocuSign shall remain solely liable and responsible to Customer for DocuSign, Inc.’s obligations under this Agreement. Furthermore, as between the parties, the parties acknowledge and agree (i) the Customer SCCs set forth in Service Attachment of the Standard Contractual Clauses (Processors), will apply to the Parties upon execution of the Order Form by Customer and DocuSign that will be considered execution of the Service Attachment of the Standard Contractual Clauses (Processors); (ii) Customer is the Controller of such Personal Data; (iii) DocuSign, Inc. is a Processor of such Personal Data; (iv) Customer will comply with its obligations as a Controller under the EU Directive; (v) DocuSign, Inc. will comply with its obligations as a Processor under this Agreement; and (vi) DocuSign, Inc. will only Process such Personal Data in accordance with Customer’s written instructions, consisting of the Agreement, and any subsequent written instructions given by Customer to DocuSign and acknowledged by DocuSign.
(c) Authentication Measures. Customer acknowledges that if it uses or enables authentication measures for use with DocuSign Signature such as, for example, knowledge-based authentication and SMS code-based measures (“Authentication Measures”), DocuSign Signature may allow such Authentication Measures to access Personal Data located in DocuSign Signature for the interoperation of those Authentication Measures with DocuSign Signature. This Agreement does not apply to the Processing of Personal Data transmitted to or from such Authentication Measures that are provided by a third-party service provider. This Agreement does, however, apply to the Processing of Personal Data transmitted to or from any Authentication Measures provided by DocuSign (e.g. email and access code-based Authentication Measures). Customer can enable or disable Authentication Measures. Customer is not required to use Authentication Measures in order to use DocuSign Signature.
(d) Correction, Blocking and Deletion. To the extent Customer, in its use of DocuSign Signature, is not familiar with DocuSign Signature functionality that may be used to correct, amend, block or delete Personal Data located in DocuSign Signature, as required by the EU Directive or requested by a Data Subject, DocuSign through DocuSign, Inc. will provide Customer with additional Documentation or customer support assistance to educate the Customer on how to take such actions in a manner consistent with the functionality of DocuSign Signature and in accordance with the terms of the Agreement. If DocuSign receives any request from any individual for records relating to that individual’s Personal Data located in DocuSign Signature, DocuSign will advise such individual to submit its request to Customer. Customer will be responsible for responding to any such request using the functionality of DocuSign Signature.
(e) Subprocessors. DocuSign, Inc. may engage Subprocessors to provide parts of DocuSign Signature and related technical support services, subject to the restrictions of this Agreement. DocuSign through DocuSign, Inc. will ensure Subprocessors only Process Personal Data in accordance with the terms of this Agreement and that Subprocessors are bound by written agreements that require them to provide at least the level of data protection required by the Customer SCCs entered into by DocuSign, Inc. and Customer and/or DocuSign’s BCRs. Customer consents to DocuSign, Inc. subcontracting the Processing of Personal Data located in DocuSign Signature to Subprocessors identified in Appendix 3 of the Customer SCCs in accordance with this Agreement and the Customer SCCs. For the sake of clarity, Subprocessors will not have access to or use Personal Data located in eDocuments. Before appointing any new Subprocessors, DocuSign and/or DocuSign, Inc. will inform Customer of the appointment (including the name and location of such Subprocessor and the activities it will perform) either by electronic mail or via DocuSign Signature. If Customer objects to DocuSign and/or DocuSign, Inc.’s use of any new Subprocessors, Customer may, as its sole and exclusive remedy, terminate this Agreement by giving written notice to DocuSign within thirty (30) days of being informed by DocuSign and/or DocuSign, Inc. of the appointment of such Subprocessor.
4.4 Audit of Information Security Program. DocuSign uses external auditors to verify the adequacy of its Information Security Program. Upon Customer’s reasonable written request of no less than thirty (30) days’ notice during the Term, and no more than once per calendar year, DocuSign will provide Customer with third party attestations, certifications, and reports relevant to the establishment, implementation, and control of the Information Security Program, including DocuSign’s ISO 27001 certification, PCI DSS certification, and Service Organization Controls (SOC) reports. If Customer has entered into the Customer SCCs as described in Section 4.3, Customer may exercise the audit rights granted under clauses 5(f) and 12(2) of the Customer SCCs by: (a) instructing DocuSign, Inc. to provide the third party attestations, certifications, and reports described above in this Section 4.4; and/or (b) sending any audit requests to the data privacy officer, as described in Appendix 2 of the Customer SCCs.
4.5 Data Breach and Response Procedures.
(a) Unless notification is delayed by the actions or demands of a law enforcement agency, DocuSign shall report to Customer: (i) any unlawful access, use, or disclosure of eDocuments or Transaction Data stored in DocuSign Signature; or (ii) unauthorized access, use, or disclosure to DocuSign Signature that results in loss, disclosure, or destruction of eDocuments or Transaction Data (a “Data Breach”) promptly following determination by DocuSign that a Data Breach has occurred. The initial report will be made to Customer and sent to the appropriate party at the address and contact information set forth on the Order Form or within Account registration. DocuSign shall take reasonable measures to promptly mitigate the cause of the Data Breach and shall take reasonable corrective measures to prevent future Data Breaches. DocuSign’s obligation to report a Data Breach under this Section is not and will not be construed as an acknowledgement by DocuSign of any fault or liability of DocuSign with respect to such Data Breach.
(b) As information is collected or otherwise becomes available to DocuSign and unless prohibited by law, DocuSign shall provide information regarding the nature and consequences of the Data Breach that are reasonably requested to allow Customer to notify affected individuals, government agencies and/or credit bureaus. Due to the encryption configuration and security controls associated with DocuSign Signature, DocuSign will not have access to or know the nature of the information contained within Customer’s eDocuments and, as such, the Parties acknowledge that it may not be possible for DocuSign to provide Customer with a description of the type of information or the identity of individuals that may be affected by a Data Breach. Customer is solely responsible for determining whether to notify impacted individuals and for providing such notice, and for determining if regulatory bodies or enforcement commissions applicable to Customer or Customer’s use of DocuSign Signature need to be notified of a Data Breach.
(c) Customer agrees “Data Breaches” do not include: (a) unsuccessful access attempts or similar events that do not compromise the security or privacy of DocuSign Signature, including pings, port scans, denial of service attacks and other network attacks on firewalls or networked systems; or (b) accidental loss or disclosure of eDocuments or Transaction Data caused by Customer’s use of DocuSign Signature or Customer’s loss of Account authentication credentials.
4.6 Risk and Security Assurance Framework Contact. Customer’s account management team at DocuSign will be Customer’s first point of contact for information and support regarding DocuSign’s Information Security Program. The DocuSign account management team will work directly with Customer to escalate Customer’s questions, issues, and requests to internal DocuSign groups as necessary.
5. SUBSCRIPTION PLANS AND FEES.
DocuSign Signature is made available on the basis of a prepaid subscription, which is subject to the restrictions set forth in the applicable Order Form.
5.1 “Seat Allowance” means the maximum number of Authorized Users that Customer may have active in its Account (“Seats”). For purposes of determining usage of Seats:
(i) The number of Seats in use is determined by the total number of Authorized Users registered in Customer’s Account with access to DocuSign Signature at any time during the Term.
(ii) No two individuals may log onto or use DocuSign Signature as the same Authorized User, but Customer may unregister or deactivate Authorized Users and replace them with other Authorized Users without penalty, so long as the number of active Authorized Users registered at any one time does not exceed the number of Seats purchased.
5.2 “Envelope Allowance” means the cumulative number of Envelopes that may be sent by Authorized Users registered in Customer’s Account. There is no individual limit on the number of Envelopes that may be sent by each Authorized User, so long as the total volume sent by all Authorized Users does not exceed the Envelope Allowance. For purposes of calculating Envelope usage:
(i) An Envelope is consumed when sent by an Authorized User, regardless of whether the Envelope has been received by any recipients or whether any recipients have performed any actions upon any eDocument in the Envelope;
(ii) Usage of a PowerForm will be applied against the Envelope Allowance. A PowerForm will be deemed consumed at the time it is accessed by any user regardless of whether any actions are subsequently performed upon such Envelope. “PowerForm” means an Envelope that may be accessed and completed by accessing a hyperlink (i.e. which does not need to be individually sent to each recipient);
(iii) An Envelope sent via bulk send or automated batch sending, including through a DocuSign API, will be applied against the Envelope Allowance.
5.3 Calculation of Envelope Allowance. Unless otherwise set forth in the Order Form, the Envelope Allowance for each twelve (12) month period during the Order Term is calculated by multiplying the Seat Allowance times one hundred (100) Envelopes. For example, a three (3) year subscription for ten (10) Seats would result in an Envelope Allowance of one thousand (1000) Envelopes per year. An Envelope Allowance may be augmented by purchasing additional Seats (each of which supply an additional one hundred (100) Envelopes unless otherwise set forth in the Order Form) or additional batches of Envelopes, pursuant to an Order Form.
(a) Seats. If Customer adds more Authorized Users than the amount permitted under the Seat Allowance then Customer hereby agrees that additional charges of one Seat per additional Authorized User for the remainder of the Order Term will become immediately due and payable. Additional Seats will be charged as a pro-rata portion (calculated based on the amount of time remaining in the Order Term) of the then-current list price for Seats under the applicable subscription type, or such other amount as is specified in the Order Form, and will include a pro-rata allocation of Envelopes.
(b) Envelopes. Customer hereby agrees that all Envelopes sent in excess of the Envelope Allowance during the Term will incur a per-Envelope overage charge at the then-current list price for the applicable subscription type, or such other amount as is specified in the Order Form. Envelope overage charges will be invoiced monthly in arrears.
5.5 Optional features, such as Authentication Measures or fax-back services, may be purchased on a subscription or per-use basis, as set out in the Order Form.
6. PCI DSS.
6.1 DocuSign Signature may be ordered with payments functionality, and to the extent applicable, DocuSign represents that it is presently in compliance, and will remain in compliance with the current Payment Card Industry Data Security Standard (“PCI DSS”), developed and published jointly by American Express, Discover, MasterCard, and Visa (“Payment Card Brands”) for protecting individual credit and debit card account numbers or related data (“Cardholder Data”).
6.2 DocuSign acknowledges that Cardholder Data is owned exclusively by Customer, credit card issuers, the relevant Payment Card Brand, and entities licensed to process credit and debit card transactions on behalf of Customer, and further acknowledges that such Cardholder Data may be used solely to assist the foregoing parties in completing a transaction, supporting a loyalty program, providing fraud control services, or for other uses specifically required by law, the operating regulations of the Payment Card Brands, or this Service Schedule.
6.3 Customer represents that it is responsible for compliance with the PCI DSS, developed and published jointly by the Payment Card Brands for protecting Cardholder Data as it relates to their payment processes and use of Cardholder Data.
7. ADDITIONAL WARRANTIES AND DISCLAIMERS.
7.1 Additional DocuSign Warranties. DocuSign warrants that: (a) DocuSign Signature will not introduce files, scripts, agents or programs intended to do harm, including, for example, viruses, worms, time bombs and Trojan horses (“Malicious Code”) into Customer's system; (b) the proper use of DocuSign Signature by Customer in accordance with the Documentation and applicable law will be sufficient to meet the definition of an “electronic signature” as defined in the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. ch. 96 §§ 7001 et seq. (the “ESIGN Act”); and in Regulation 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (“eIDAS”).
7.2 DISCLAIMER. EXCEPT FOR THE EXPRESS REPRESENTATIONS AND WARRANTIES STATED IN THIS SECTION 7 AND IN THE MSA, AND SUBJECT TO THE ADDITIONAL LIMITATIONS OF LIABILITY THEREIN, DOCUSIGN: (A) MAKES NO ADDITIONAL REPRESENTATION OR WARRANTY OF ANY KIND -- WHETHER EXPRESS, IMPLIED IN FACT OR BY OPERATION OF LAW, OR STATUTORY -- AS TO ANY MATTER WHATSOEVER; (B) DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND THE LIKE; AND (C) DOES NOT WARRANT THAT DOCUSIGN SIGNATURE IS OR WILL BE UNINTERRUPTED OR ERROR-FREE OR MEET CUSTOMER’S REQUIREMENTS. CUSTOMER HAS NO RIGHT TO MAKE OR PASS ON ANY REPRESENTATION OR WARRANTY ON BEHALF OF DOCUSIGN TO ANY THIRD PARTY.